Kernel Pool Monitor – the GUI Version

September 14, 2016

one comment

The Windows Driver Kit (WDK) comes with a well known and pretty old tool called PoolMon. PoolMon shows kernel allocations done with ExAllocatePoolWithTag, where the pool type is typically Paged or NonPaged and each allocations is attached by a ‘tag’ – a four byte value that should indicate the component making the allocation. This is useful for finding memory leaks, since kernel memory is never automatically freed (as opposed to user mode processes). If a kernel component or driver sees its tag with increasing memory consumption – that would indicate a leak (unless it’s a transient burst of allocations that are later freed).

Nowadays there are other ways to locate such leaks, mainly by using Driver Verifier, that can be configured with options such as Pool Tracking that can assist in finding leaks. However, Driver Verifier requires a reboot, so in some cases PoolMon would be easier to use.

Yet again, I thought that the existing console based UI of PoolMon is inconvenient and so I created a GUI version that allows sorting, periodic refresh and the use of green and red colors to easily indicate changes between refreshes. Here’s a screenshot:

image

The tag is usually expressed as 4 ASCII characters rather than just a number, so it’s easier to locate in PoolMon. In fact, the Debugging Tools for Windows provides a file called pooltag.txt (in the Triage subdirectory) that contains tags and descriptions for all Microsoft components and inbox drivers, and even some third party ones. This file is not currently integrated into the new tool, but I welcome pull requests!

How does one get the kernel pool information? Fortunately, it’s relatively easy and does not require writing a driver. PoolMon uses the native NtQuerySystemInformation to get the information and so does my version. NtQuerySystemInformation uses a SYSTEM_INFORMATION_CLASS enumeration to indicate what type of information is required. The list of information classes is mostly undocumented, but many information classes have been reverse engineered and can be found floating around on the web, or available through projects such as the NDK by Alex Ionescu.

The information class for getting kernel pool information is defined with this slimmed down version of the info class:

enum class SystemInformationClass {     
SystemPoolTagInformation = 22, };

The result of the query is the following data structures that returns all items, assuming a buffer has been pre-allocated to absorb the information:

struct SYSTEM_POOLTAG {     
union {        
UCHAR Tag[4];        
ULONG TagUlong;    
};    
ULONG PagedAllocs;    
ULONG PagedFrees;    
SIZE_T PagedUsed;    
ULONG NonPagedAllocs;    
ULONG NonPagedFrees;    
SIZE_T NonPagedUsed; }; struct SYSTEM_POOLTAG_INFORMATION {    
ULONG Count;    
SYSTEM_POOLTAG TagInfo[1]; };

The typical approach is to allocate something that would likely suffice, but if not, the function NtQuerySystemInformation returns STATUS_BUFFER_TOO_SMALL, with the required size in the last argument, so that the code can re-allocate to the required size.

For our case, a SYSTEM_POOLTAG_INFORMATION pointer is returned with an array of SYSTEM_POOL objects with the allocation tag information. All the tool does is present that information in a nice GUI.

Refreshing the display is a matter of reading everything again and comparing it to the previous tag list. The comparison sets green/red colors for cells that were changed. Note for you MFC developers, the relatively new CMFCListCtrl is used to easily configure a cell’s colors by overriding the OnGetCellBkColor method.

The source can be found on Github and a compiled executable can be downloaded from here.

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

one comment

  1. Pingback: Using (Modern) C++ in Driver Development | Pavel's Blog