List of App Auditing Tools

Last update: December 30th, 2018

Windows Tools and Environment Setup

• VTune
• Debugging Tools for Windows Includes WinDBG
• Windows Performance Toolkit
• Symbols for Public MS APIs
• Leakdiag
• Process Explorer
• Dependency Walker
• Dependency Walker (OSS rewrite)
• VMMap - Process virtual and physical memory analysis utility.
• x64dbg - A new open source x64/x32 debugger for Windows.
• Mtuner - Leak and heap profiling

Linux Tools

• Valgrind
• Helgrind (A Valgrind tool. Specify --tool=helgrind). It will detect synchronisation errors.
• Clang analyzer Must be built from source. Includes clang-format which is useful.

Mac Tools

• OS X Graphics Tools (A separate download nowadays)
• Clang analyzer Includes other binaries including clang-format.

Thread Accounting

Windows Performance Toolkit can discover who owns a thread.

Process Explorer can be used to inspect threads. Use the stack button to see the thread stack update on sample interval.

LLDB has two commands which can be run at a breakpoint:

• thread list
• bt all

CPU Profiling

• win Perfmon how-to
• win VTune Sampling
• win VTune Call Graph
• mac Instruments Time Profiler how-to

Graphics Profiling

• mac OpenGL Driver Monitor (part of OS X graphics tools)
• win MSVCRT alloc check
• Texture usage
• OpenGL
  • win and linux GDebugger
  • mac OpenGL Profiler (does not sort by largest texture though)

Memory Leak

• linux Valgrind (also reportedly runs on Android)
• win MSVCRT alloc check
• win Leakdiag

Memory Alloc Tracing

• cocoa/OS X environment variables. Some notable ones:
  • NSDebugEnabled — turns on extra debug information in Foundation
  • NSZombieEnabled — notifies when messages are incorrectly sent to deallocated objects.
  • MallocStackLogging — Record all methods that call a specific variable as args. Using console, you can have a backtrace using command malloc_history.

Miscellaneous Accountability

• win Process Explorer functionality:
• Dump strings
• Review memory mapped files
• Confirm whether DEP is on by adding Data Execution Prevention column

DLL Associations

• win Dependency Walker. Some things to look for:
  • Confirm no non-Microsoft DLLs outside of executable cwd. (ex: python26.dll in system directory).
  • Confirm only one CRT dependency (no need for MSVCRT80 and MSVCRT90)
  • Profile and sort by file size
• llvm toolchain Some LLDB commands:
  • Get a list of all loaded modules. target modules list
  • Dump the symtable from all target modules. target modules dump symtab
  • Find out why a function is included - win Process Explorer functionality:
  • Dump strings
  • Review memory mapped files
  • Confirm whether DEP is on by adding Data Execution Prevention column

in the modules list. target modules lookup --address

Static Analyzers

• Visual Studio /analyze
• Clang --analyze
  • Use -Xanalyzer -analyzer-output=text to get an explanation of what’s actually going on.
• CPPCheck

Runtime Analyzers

• Mac and Linux Clang address sanitizer
• Linux Clang thread sanitizer Mac support coming
• Linux Clang memory sanitizer Warning: Full binary instrumentation needed (even LibC).

Gotchas and unexpected events

• Clang and GCC -Wall does NOT warn if a member variable is uninitialized in a constructor.
• As of late 2013, many of the -fsanitize options to Clang are not stable on the latest Xcode and OS X.

Materials

• book Advanced Windows Debugging book
• video The Care and Feeding of C++’s Dragons
• blog Bruce Dawson’s blog Bruce focuses on code correctness, efficiency and unicycles.