本人系统是win7 64位，待调试程序是32位。这里使用的方法是真机配合虚拟机同时调试的方法来找出句柄泄露的源码位置。

如果真机直接使用X64版本的windbg侦测句柄泄露时显示：

0:000:x86> !htrace -diffHandle tracing information snapshot successfully taken.0x1 new stack traces since the previous snapshot.Ignoring handles that were already closed...Outstanding handles opened since the previous snapshot:--------------------------------------Handle = 0x0000000000000030 - OPENThread ID = 0x0000000000001240, Process ID = 0x00000000000010480x0000000076fcfc0a: ntdll!ZwCreateFile+0x000000000000000a0x000000007480bfe3: wow64!whNtCreateFile+0x000000000000010f0x00000000747fcf87: wow64!Wow64SystemServiceEx+0x00000000000000d70x000000007478276d: wow64cpu!ServiceNoTurbo+0x00000000000000240x00000000747fd07e: wow64!RunCpuSimulation+0x000000000000000a0x00000000747fc549: wow64!Wow64LdrpInitialize+0x00000000000004290x0000000076fcae27: ntdll!LdrpInitializeProcess+0x00000000000017800x0000000076fc72f8: ntdll! ?? ::FNODOBFM::`string'+0x000000000002af200x0000000076fb2ace: ntdll!LdrInitializeThunk+0x000000000000000e0x0000000077180056: ntdll32!ZwCreateFile+0x00000000000000120x000000007610bb7f: KERNELBASE!CreateFileW+0x000000000000035e0x0000000076892345: kernel32!CreateFileWImplementation+0x00000000000000690x000000007689caa4: kernel32!CreateFileA+0x0000000000000037--------------------------------------Displayed 0x1 stack traces for outstanding handles opened since the previous snapshot.

 

如果真机直接使用X86版本的windbg侦测句柄泄露时显示：

0:000> !htrace -diffHandle tracing information snapshot successfully taken.0x1 new stack traces since the previous snapshot.Ignoring handles that were already closed...Outstanding handles opened since the previous snapshot:--------------------------------------Handle = 0x00000030 - OPENThread ID = 0x00001058, Process ID = 0x000013780x047cf647: +0x047cf6470x047d9398: +0x047d93980x044cc813: +0x044cc8130x76fcfc0a: +0x76fcfc0a0x7480bfe3: +0x7480bfe30x747fcf87: +0x747fcf870x7478276d: +0x7478276d0x747fd07e: +0x747fd07e0x747fc549: +0x747fc5490x76fcae27: +0x76fcae270x76fc72f8: +0x76fc72f80x76fb2ace: +0x76fb2ace0x77180056: ntdll!ZwCreateFile+0x000000120x7610bb7f: KERNELBASE!CreateFileW+0x0000035e0x76892345: kernel32!CreateFileWImplementation+0x000000690x7689caa4: kernel32!CreateFileA+0x00000037--------------------------------------Displayed 0x1 stack traces for outstanding handles opened since the previous snapshot.

 

总之两个版本都不能有效的显示正确的堆栈，下面讲解一种方法：虚拟机XP SP3系统下侦测句柄泄露，真机下配合定位源码位置。

 

准备工作：

1.下载windbg，现在的windbg没有单独的下载地址了，而是和SDK一起打包发行的， 。

根据需要选择下载，下载或在线安装的时候选择“Debugging Tools for Windows”即可，下载的比较慢。

下载安装成功后配置符号路径：srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

2.在虚拟机里（本人虚拟机系统XP SP3）里进行句柄泄露的侦测。

首先用windbg载入目标程序，!htrace -enable开启句柄跟踪开关。

某个时刻创建一次句柄快照：!htrace -snapshot

继续运行后进行一次句柄快照对比：!htrace -diff

两次的句柄快照对比出期间打开或者关闭的句柄：

0:002> !htrace -diffHandle tracing information snapshot successfully taken.0x4 new stack traces since the previous snapshot.Ignoring handles that were already closed...Outstanding handles opened since the previous snapshot:--------------------------------------Handle = 0x000005a0 - OPENThread ID = 0x000001e4, Process ID = 0x000004e4--------------------------------------Displayed 0x1 stack traces for outstanding handles opened since the previous snapshot.

可以看到中间有句柄0x000005a0被打开了，可能是一次句柄泄露但是也不一定，需要继续分析，使用!htrace 0x000005a0命令显示创建该句柄的堆栈：

0:002> !htrace 0x000005a0 --------------------------------------Handle = 0x000005a0 - OPENThread ID = 0x00000290, Process ID = 0x000004e40x7606a0ee: SETUPAPI!EnablePnPPrivileges+0x0000008b0x76069ffd: SETUPAPI!PnPGetGlobalHandles+0x0000001d0x7606bcd6: SETUPAPI!CM_Locate_DevNode_ExW+0x000000780x7606befe: SETUPAPI!pSetupOpenAndAddNewDevInfoElem+0x000000450x7606b594: SETUPAPI!SetupDiGetClassDevsExW+0x000004590x7606d641: SETUPAPI!SetupDiGetClassDevsA+0x0000003d0x006fcf86: test!cclass1::func1+0x000000560x005e617f: test!cclass3::func2+0x0000018f0x005df7c6: test!cclass2::func3+0x000000560x005de4b9: test!Func+0x00000039--------------------------------------

句柄是在用户代码：test!cclass1::func1+0x00000056处创建的，使用lsa命令显示源码位置。

由于是在虚拟机中调试的没有源码，这个时候在真机中用X86版本的windbg载入目标程序，并使用lsa命令即可显示源码位置。

0:000> lsa test!cclass1::func1+0x00000056    64:     65:     hDevInfo = SetupDiGetClassDevs(NULL,    66:         0,    67:         0,>   68:         DIGCF_PRESENT|DIGCF_ALLCLASSES);    69:     70:     if(hDevInfo == INVALID_HANDLE_VALUE)    71:     {    72:         return FALSE;    73:     }

然后检查下这块代码有无释放句柄即可，经检查后面代码没有调用SetupDiDestroyDeviceInfoList释放句柄，故而造成句柄泄露。