focht
February 4th, 2003, 15:18
Greetings,
i got same problem as reported earlier by some people (LINK, locked exe) and spent some time investigating it.
First to detect kernel/user object handle leaks you should use decent utilities:
www.sysinternals.com ("http://www.sysinternals.com") -> ProcessViewer (the former HandleEx) or
www.smidgeonsoft.com ("http://www.smidgeonsoft.com") -> NTObjects
Both will show you that ollydbg leaks 2 handles, a file object and a thread object after you "close" the debuggee. (internally 2 more handles, unnamed objects, are leaked from the OS debug subsystem too but this not the case here).
Well i'd say both handles returned by CreateProcess( ... DEBUG_PROCESS) in the PROCESS_INFORMATION structure must be closed by the debugger, e.g.:
processInfo.hProcess
processInfo.hThread
Every handle delivered in the xxx_DEBUG_EVENT structures must be closed or it will leak too (will go away after debuggee terminates but its cleaner programming style). The only exception is the thread handle stored in CREATE_THREAD_DEBUG_EVENT (if i read guru Matt Pietrek right).
I hope this information helps ...
Regards,
Anastasius Focht.
i got same problem as reported earlier by some people (LINK, locked exe) and spent some time investigating it.
First to detect kernel/user object handle leaks you should use decent utilities:
www.sysinternals.com ("http://www.sysinternals.com") -> ProcessViewer (the former HandleEx) or
www.smidgeonsoft.com ("http://www.smidgeonsoft.com") -> NTObjects
Both will show you that ollydbg leaks 2 handles, a file object and a thread object after you "close" the debuggee. (internally 2 more handles, unnamed objects, are leaked from the OS debug subsystem too but this not the case here).
Well i'd say both handles returned by CreateProcess( ... DEBUG_PROCESS) in the PROCESS_INFORMATION structure must be closed by the debugger, e.g.:
processInfo.hProcess
processInfo.hThread
Every handle delivered in the xxx_DEBUG_EVENT structures must be closed or it will leak too (will go away after debuggee terminates but its cleaner programming style). The only exception is the thread handle stored in CREATE_THREAD_DEBUG_EVENT (if i read guru Matt Pietrek right).
I hope this information helps ...
Regards,
Anastasius Focht.
