Potential memory leak in WinVerifyTrust call #18

Open
JohnLaTwC opened this issue Feb 24, 2021 · 4 comments

@JohnLaTwC

JohnLaTwC commented Feb 24, 2021

Missing call to FreeHGlobal to free memory

    $Data.cbStruct = $WINTRUST_DATA::GetSize()
!    $Data.pData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($Size)
    $Data.dwUIChoice = $WTD_UI::None
    [System.Runtime.InteropServices.Marshal]::StructureToPtr($Info, $Data.pData, $false)

    $SUCCESS = $wintrust::WinVerifyTrust($WindowHandle, [ref]$ActionID, [ref]$Data)

    if($SUCCESS -eq 0)
    {
        Write-Output $true
    }
    else
    {
        if(($SUCCESS -eq 0x80096010) -or ($SUCCESS -eq 0x800b0100))
        {
            Write-Output $false
        }
        else
        {
! no call to FreeHGlobal in exception path
            throw ([ComponentModel.Win32Exception]$SUCCESS).Message
        }
    }
! no call to FreeHGlobal    

$Data.pData = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($Size)

Similar issue here with missing FreeHGlobal for AllocHGlobal call:

$lpLuid = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($LUID::GetSize())

Ditto:

$AtomName = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(1024)

Similar issue in the paths that throw exceptions in GetIpNetTable.ps1:

        elseif($SUCCESS -eq $ERROR_NO_DATA)
        {
            Write-Output $null
        }
        else
        {
            throw "[GetIpNetTable] Error: $($SUCCESS)"
! leak due to failure to call FreeHGlobal($pIpNetTable)
        }
    }
    else
    {
        throw "[GetIpNetTable] Error: $($SUCCESS)"
! leak due to failure to call FreeHGlobal($pIpNetTable)
    }

    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($pIpNetTable)
}

[System.Runtime.InteropServices.Marshal]::FreeHGlobal($pIpNetTable)

Might want to do a pass through the repo for these.

@jaredcatkinson
Owner

Hey @JohnLaTwC! Nice catch! I'll take a look and see if I can get these fixed. Now I'm wondering if there are handles from win32 functions that aren't being closed as well.

@jaredcatkinson
Owner

Yea a quick survey shows that I basically don't free any of the buffers created by AllocHGlobal :(

@JohnLaTwC
Author

Also some paths that don't free memory:

throw ([ComponentModel.Win32Exception]$SUCCESS).Message

            throw ([ComponentModel.Win32Exception]$SUCCESS).Message
! Leaks memory due to not calling [System.Runtime.InteropServices.Marshal]::FreeCoTaskMem($Info.pcwszFilePath)
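
One way to structure the cleanup reported in the comments above, covering both the `AllocHGlobal` buffer and the `FreeCoTaskMem` string case. This is an added example, not code from the repository or from either participant; `Test-TrustWithCleanup`, the `$NativeCall` script block (a stand-in for the real P/Invoke call) and the sample path are hypothetical.

```powershell
# Added example: constructed stand-ins, not code from the repository.
function Test-TrustWithCleanup
{
    param
    (
        [Parameter(Mandatory)][string]$FilePath,
        # Hypothetical stand-in for the native call; receives the buffer, returns a status code.
        [Parameter(Mandatory)][scriptblock]$NativeCall
    )

    $Marshal   = [System.Runtime.InteropServices.Marshal]
    $pFilePath = [IntPtr]::Zero   # CoTaskMem string (plays the role of $Info.pcwszFilePath)
    $pData     = [IntPtr]::Zero   # HGlobal buffer (plays the role of $Data.pData)

    try
    {
        $pFilePath = $Marshal::StringToCoTaskMemUni($FilePath)
        $pData     = $Marshal::AllocHGlobal([IntPtr]::Size)
        # Store the string pointer in the buffer, as StructureToPtr would for a real struct.
        $Marshal::WriteIntPtr($pData, $pFilePath)

        $SUCCESS = & $NativeCall $pData

        if($SUCCESS -eq 0)
        {
            Write-Output $true
        }
        elseif(($SUCCESS -eq 0x80096010) -or ($SUCCESS -eq 0x800b0100))
        {
            Write-Output $false
        }
        else
        {
            throw ([ComponentModel.Win32Exception]$SUCCESS).Message
        }
    }
    finally
    {
        # Runs on return and on throw; each pointer is released with the matching
        # allocator's free call, and only if the allocation actually happened.
        if($pData -ne [IntPtr]::Zero)     { $Marshal::FreeHGlobal($pData) }
        if($pFilePath -ne [IntPtr]::Zero) { $Marshal::FreeCoTaskMem($pFilePath) }
    }
}

# Constructed demo: status 0 takes the success path, status 5 takes the throwing path.
Test-TrustWithCleanup -FilePath 'C:\constructed\sample.exe' -NativeCall { 0 }
try   { Test-TrustWithCleanup -FilePath 'C:\constructed\sample.exe' -NativeCall { 5 } }
catch { "threw after cleanup: $($_.Exception.Message)" }
```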

@JohnLaTwC
Author

Handle leak on error paths:

May want to move these CloseHandle calls to a finally block so they run in case an exception is raised.

                try
                {
...
-                    CloseHandle -Handle $hProcess
-                    CloseHandle -Handle $hToken
                }
                catch
                {
                    Write-Verbose "Process Token Query: $($proc.Id)"
                    Write-Verbose $_.Exception.Message
                }
+                finally
+                {
+                    CloseHandle -Handle $hProcess
+                    CloseHandle -Handle $hToken
+                }
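
Review bot: In the new finally block, `CloseHandle -Handle $hProcess` and `CloseHandle -Handle $hToken` now run on every exit from the try, including when the body failed before one or both handles were opened, so CloseHandle can be passed a variable that is unset or, if this runs once per `$proc`, still holds a handle from an earlier pass that was already closed. Set both variables to [IntPtr]::Zero immediately before the try and skip the close for any that is still zero. If CloseHandle can itself throw, a failure on `$hProcess` would also skip the `$hToken` close, so guard each call separately.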

Similar handle leak in error path here:

-                        CloseHandle -Handle $hThread
-                        CloseHandle -Handle $hToken
                    }
                    catch
                    {
                        if($_.Exception.Message -ne 'OpenThreadToken Error: An attempt was made to reference a token that does not exist')
                        {
                            Write-Verbose "Thread Token Handle"
                            Write-Verbose $_.Exception.Message
                        }
                    }
+                    finally
+                    {
+                        CloseHandle -Handle $hThread
+                        CloseHandle -Handle $hToken
+                    }
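
Review bot: The catch above treats 'OpenThreadToken Error: An attempt was made to reference a token that does not exist' as an expected failure, and on that path the added finally still calls `CloseHandle -Handle $hToken` although no token handle was obtained. Initialise `$hThread` and `$hToken` to [IntPtr]::Zero before the try and close only the ones that are non-zero; otherwise the call either fails on an empty value or, if the variable is reused, closes a stale handle a second time.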
