tools/win/trim_heap/trim_heap.cc - chromium/src - Git at Google

 // Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // This is an experimental tool which will inject a thread into a Chrome
 // process (tested on the browser process) and run code to call
 // HeapSetInformation with HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION. This
 // tells Windows to trim unnecessary memory from the heaps in that process.
 //
 // This tool uses sketchy techniques such as copying memory from one
 // executable to another (only works if the code is relocatable and has no
 // external references), VirtualAllocEx, and CreateRemoteThread. This is not
 // for production use.
 //
 // The bitness of this tool (32/64) must match that of the target process.
 // This tool has only been tested on 64-bit processes. This tool only works
 // when compiled with optimizations.
 //
 // Some error handling and resource cleanup is omitted in order to keep things
 // simple.

 #include <Windows.h>

 // Psapi.h must come after Windows.h.
 #include <Psapi.h>

 #include <inttypes.h>
 #include <stdio.h>

 #include <vector>

 #ifdef _DEBUG
 #error This code only works in optimized (release) builds.
 // Non-optimized code may include references to global variables. The
 // "#pragma clang optimize on/off" directives do not work, by design, in debug
 // builds. They can only lower the optimization level, not raise it.
 #endif

 #define ADDRESS_COOKIE reinterpret_cast<void*>(0x123456789ABCDEF0)

 // Function suitable for copying into another process and invoking with
 // CreateRemoteThread. The function address is a placeholder.
 DWORD WINAPI ShrinkHeapThread(LPVOID) {
   auto pHeapSetInformation =
       reinterpret_cast<decltype(&::HeapSetInformation)>(ADDRESS_COOKIE);
   HEAP_OPTIMIZE_RESOURCES_INFORMATION info = {
       HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION, 0x0};
   pHeapSetInformation(nullptr, HeapOptimizeResources, &info, sizeof(info));
   return 0;
 }

 int main(int argc, char* argv[]) {
   const bool verbose = false;

   // Verify that we have the correct signature for ShrinkHeapThread.
   static_assert(
       std::is_same<decltype(ShrinkHeapThread)*, PTHREAD_START_ROUTINE>::value,
       "Callback function is wrong type.");

   // Copy the thread function's memory to a vector.
   std::vector<unsigned char> raw_bytes;
   auto* src = reinterpret_cast<uint8_t*>(&ShrinkHeapThread);
   // Assume that the only 0xc3 byte we will encounter will be the ret
   // instruction.
   uint8_t ret = 0xc3;
   while (*src != ret) {
     raw_bytes.push_back(*src++);
   }
   raw_bytes.push_back(ret);
   if (src[1] != 0xcc) {
     printf("Didn't find int 3 after ret. Exiting.\n");
     return 1;
   }
   // This can trigger if incremental linking is enabled since then the function
   // pointer will be to a JMP stub.
   if (raw_bytes.size() > 1000) {
     printf("Code size is suspiciously large - %zu bytes. Exiting.\n",
            raw_bytes.size());
     return 1;
   }

   // Update the function pointer address in the copy to match the current
   // address of HeapSetInformation. This assumes that the address will be the
   // same in all processes, which should be the case.
   for (auto* scan = &raw_bytes[0]; /**/; ++scan) {
     auto** scan_64 = reinterpret_cast<void**>(scan);
     if (*scan_64 == ADDRESS_COOKIE) {
       auto* pHeapSetInformation = reinterpret_cast<void*>(GetProcAddress(
           GetModuleHandleA("kernel32.dll"), "HeapSetInformation"));
       *scan_64 = pHeapSetInformation;
       if (verbose)
         printf("Found and updated HeapSetInformation.\n");
       break;
     }
   }

   if (argc < 2) {
     printf("Usage: %s PID.\n", argv[0]);
     printf(
         "Injects code into the target process to call HeapSetInformation with "
         "HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION.\n");
     printf(
         "May need to be run from an administrator command prompt for some "
         "processes.\n");
     return 1;
   }

   // Get the PIDs from the command line.
   for (int i = 1; i < argc; ++i) {
     int PID;
     if (sscanf(argv[i], "%d", &PID) != 1) {
       printf("Error getting PID.\n");
       return 1;
     }

     // Open the process. We'll leak the handle afterwards, but that's okay
     // because this is a short-lived tool.
     HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                                       PROCESS_VM_WRITE | PROCESS_VM_OPERATION |
                                       PROCESS_CREATE_THREAD,
                                   false, PID);
     if (!hProcess) {
       printf("Error from OpenProcess is %lx.\n", GetLastError());
       return 1;
     }

 #ifdef _M_X64
     BOOL wow_64_process = FALSE;
     if (!IsWow64Process(hProcess, &wow_64_process) || wow_64_process) {
       printf("Specified process is 32-bit. Code injection will not work.\n");
       return 1;
     }
 #else
     // Update this with remote-process bitness tests if x86 works.
 #error This code is only tested on x64 and may cause failures on x86.
 #endif

     PROCESS_MEMORY_COUNTERS_EX memory_before = {sizeof(memory_before)};
     GetProcessMemoryInfo(
         hProcess, reinterpret_cast<PROCESS_MEMORY_COUNTERS*>(&memory_before),
         sizeof(memory_before));

     // Allocate memory in the other process.
     void* p = VirtualAllocEx(hProcess, nullptr, raw_bytes.size(),
                              MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

     if (verbose)
       printf("Writing %zd bytes to process %d at address 0x%p.\n",
              raw_bytes.size(), PID, p);
     // Write to the remotely allocated memory.
     SIZE_T bytes_written = 0;
     if (!WriteProcessMemory(hProcess, p, &raw_bytes[0], raw_bytes.size(),
                             &bytes_written)) {
       printf("Error is %lx.\n", GetLastError());
       return 1;
     }

     if (verbose)
       printf("Wrote %zd bytes.\n", bytes_written);
     HANDLE hRemoteThread = CreateRemoteThread(
         hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(p),
         nullptr, 0, nullptr);
     if (!hRemoteThread) {
       printf("Failed to inject thread in process %d. Error code is %lx.\n", PID,
              GetLastError());
       return 1;
     }

     if (verbose)
       printf("Successfully injected thread into process %d.\n", PID);
     WaitForSingleObject(hRemoteThread, INFINITE);
     // Clean up the allocated memory after the thread exits.
     VirtualFreeEx(hProcess, p, 0, MEM_RELEASE);

     PROCESS_MEMORY_COUNTERS_EX memory_after = {sizeof(memory_after)};
     GetProcessMemoryInfo(
         hProcess, reinterpret_cast<PROCESS_MEMORY_COUNTERS*>(&memory_after),
         sizeof(memory_after));

     double MiB = 1024.0 * 1024.0;
     printf(
         "  Commit for process %6d went from %8.3f MiB to %8.3f MiB (%7.3f MiB "
         "savings).\n",
         PID, memory_before.PrivateUsage / MiB, memory_after.PrivateUsage / MiB,
         (memory_before.PrivateUsage - memory_after.PrivateUsage) / MiB);
   }
   return 0;
 }
	// Copyright 2020 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// This is an experimental tool which will inject a thread into a Chrome
	// process (tested on the browser process) and run code to call
	// HeapSetInformation with HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION. This
	// tells Windows to trim unnecessary memory from the heaps in that process.
	//
	// This tool uses sketchy techniques such as copying memory from one
	// executable to another (only works if the code is relocatable and has no
	// external references), VirtualAllocEx, and CreateRemoteThread. This is not
	// for production use.
	//
	// The bitness of this tool (32/64) must match that of the target process.
	// This tool has only been tested on 64-bit processes. This tool only works
	// when compiled with optimizations.
	//
	// Some error handling and resource cleanup is omitted in order to keep things
	// simple.

	#include <Windows.h>

	// Psapi.h must come after Windows.h.
	#include <Psapi.h>

	#include <inttypes.h>
	#include <stdio.h>

	#include <vector>

	#ifdef _DEBUG
	#error This code only works in optimized (release) builds.
	// Non-optimized code may include references to global variables. The
	// "#pragma clang optimize on/off" directives do not work, by design, in debug
	// builds. They can only lower the optimization level, not raise it.
	#endif

	#define ADDRESS_COOKIE reinterpret_cast<void*>(0x123456789ABCDEF0)

	// Function suitable for copying into another process and invoking with
	// CreateRemoteThread. The function address is a placeholder.
	DWORD WINAPI ShrinkHeapThread(LPVOID) {
	auto pHeapSetInformation =
	reinterpret_cast<decltype(&::HeapSetInformation)>(ADDRESS_COOKIE);
	HEAP_OPTIMIZE_RESOURCES_INFORMATION info = {
	HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION, 0x0};
	pHeapSetInformation(nullptr, HeapOptimizeResources, &info, sizeof(info));
	return 0;
	}

	int main(int argc, char* argv[]) {
	const bool verbose = false;

	// Verify that we have the correct signature for ShrinkHeapThread.
	static_assert(
	std::is_same<decltype(ShrinkHeapThread)*, PTHREAD_START_ROUTINE>::value,
	"Callback function is wrong type.");

	// Copy the thread function's memory to a vector.
	std::vector<unsigned char> raw_bytes;
	auto* src = reinterpret_cast<uint8_t*>(&ShrinkHeapThread);
	// Assume that the only 0xc3 byte we will encounter will be the ret
	// instruction.
	uint8_t ret = 0xc3;
	while (*src != ret) {
	raw_bytes.push_back(*src++);
	}
	raw_bytes.push_back(ret);
	if (src[1] != 0xcc) {
	printf("Didn't find int 3 after ret. Exiting.\n");
	return 1;
	}
	// This can trigger if incremental linking is enabled since then the function
	// pointer will be to a JMP stub.
	if (raw_bytes.size() > 1000) {
	printf("Code size is suspiciously large - %zu bytes. Exiting.\n",
	raw_bytes.size());
	return 1;
	}

	// Update the function pointer address in the copy to match the current
	// address of HeapSetInformation. This assumes that the address will be the
	// same in all processes, which should be the case.
	for (auto* scan = &raw_bytes[0]; /**/; ++scan) {
	auto scan_64 = reinterpret_cast<void>(scan);
	if (*scan_64 == ADDRESS_COOKIE) {
	auto* pHeapSetInformation = reinterpret_cast<void*>(GetProcAddress(
	GetModuleHandleA("kernel32.dll"), "HeapSetInformation"));
	*scan_64 = pHeapSetInformation;
	if (verbose)
	printf("Found and updated HeapSetInformation.\n");
	break;
	}
	}

	if (argc < 2) {
	printf("Usage: %s PID.\n", argv[0]);
	printf(
	"Injects code into the target process to call HeapSetInformation with "
	"HEAP_OPTIMIZE_RESOURCES_CURRENT_VERSION.\n");
	printf(
	"May need to be run from an administrator command prompt for some "
	"processes.\n");
	return 1;
	}

	// Get the PIDs from the command line.
	for (int i = 1; i < argc; ++i) {
	int PID;
	if (sscanf(argv[i], "%d", &PID) != 1) {
	printf("Error getting PID.\n");
	return 1;
	}

	// Open the process. We'll leak the handle afterwards, but that's okay
	// because this is a short-lived tool.
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ \|
	PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \|
	PROCESS_CREATE_THREAD,
	false, PID);
	if (!hProcess) {
	printf("Error from OpenProcess is %lx.\n", GetLastError());
	return 1;
	}

	#ifdef _M_X64
	BOOL wow_64_process = FALSE;
	if (!IsWow64Process(hProcess, &wow_64_process) \|\| wow_64_process) {
	printf("Specified process is 32-bit. Code injection will not work.\n");
	return 1;
	}
	#else
	// Update this with remote-process bitness tests if x86 works.
	#error This code is only tested on x64 and may cause failures on x86.
	#endif

	PROCESS_MEMORY_COUNTERS_EX memory_before = {sizeof(memory_before)};
	GetProcessMemoryInfo(
	hProcess, reinterpret_cast<PROCESS_MEMORY_COUNTERS*>(&memory_before),
	sizeof(memory_before));

	// Allocate memory in the other process.
	void* p = VirtualAllocEx(hProcess, nullptr, raw_bytes.size(),
	MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE);

	if (verbose)
	printf("Writing %zd bytes to process %d at address 0x%p.\n",
	raw_bytes.size(), PID, p);
	// Write to the remotely allocated memory.
	SIZE_T bytes_written = 0;
	if (!WriteProcessMemory(hProcess, p, &raw_bytes[0], raw_bytes.size(),
	&bytes_written)) {
	printf("Error is %lx.\n", GetLastError());
	return 1;
	}

	if (verbose)
	printf("Wrote %zd bytes.\n", bytes_written);
	HANDLE hRemoteThread = CreateRemoteThread(
	hProcess, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(p),
	nullptr, 0, nullptr);
	if (!hRemoteThread) {
	printf("Failed to inject thread in process %d. Error code is %lx.\n", PID,
	GetLastError());
	return 1;
	}

	if (verbose)
	printf("Successfully injected thread into process %d.\n", PID);
	WaitForSingleObject(hRemoteThread, INFINITE);
	// Clean up the allocated memory after the thread exits.
	VirtualFreeEx(hProcess, p, 0, MEM_RELEASE);

	PROCESS_MEMORY_COUNTERS_EX memory_after = {sizeof(memory_after)};
	GetProcessMemoryInfo(
	hProcess, reinterpret_cast<PROCESS_MEMORY_COUNTERS*>(&memory_after),
	sizeof(memory_after));

	double MiB = 1024.0 * 1024.0;
	printf(
	" Commit for process %6d went from %8.3f MiB to %8.3f MiB (%7.3f MiB "
	"savings).\n",
	PID, memory_before.PrivateUsage / MiB, memory_after.PrivateUsage / MiB,
	(memory_before.PrivateUsage - memory_after.PrivateUsage) / MiB);
	}
	return 0;
	}