WinDbg How to find HeapAlloc or HeapAllocStub?


I'm trying to find the address of the API HeapAlloc in WinDbg using the following syntax, u Kernel32!HeapAllocStub, but WinDbg cannot resolve that. I have reloaded the symbols and the error persists; for the other APIs this method is working fine.


Can you point out what I'm doing wrong?

Thanks in advance

blabb On BEST ANSWER

Why are you looking for HeapAllocStub?
Do you have any reason that it should exist?
In the latest Windows, kernel32.dll does not have any implementation;
most of the functions are implemented in kernelbase.dll.

Almost all of the heap functions are forwarded to ntdll.dll.

HeapAlloc is implemented in ntdll as RtlAllocateHeap.

WinDbg has a very powerful wildcard search.

You can use a command like x *!*Heap*All*,
which would look for any function matching the regex Heap.*All.*
in all the loaded modules.

kernel32 imports the function HeapAlloc, as can be seen below:

0:000> x *k*32*!*heap*all*
00007ffe`44eefb94 KERNEL32!`WerpHeapAlloc'::`1'::fin$0 (void)
00007ffe`44ea6330 KERNEL32!BasepJobObjectHeapAlloc (BasepJobObjectHeapAlloc)
00007ffe`44f023f8 KERNEL32!_imp_HeapAlloc = <no type information>
00007ffe`44f023e8 KERNEL32!_imp_HeapReAlloc = <no type information>
00007ffe`44eef90c KERNEL32!WerpHeapAlloc (void * __cdecl WerpHeapAlloc(struct _WER_HEAP_MAIN_HEADER *,unsigned __int64))

and the imported function is implemented in ntdll.dll:

0:000> dps KERNEL32!_imp_HeapAlloc l1
00007ffe`44f023f8  00007ffe`460fa9a0 ntdll!RtlAllocateHeap
0:000> dps KERNEL32!_imp_HeapReAlloc l1
00007ffe`44f023e8  00007ffe`460f3640 ntdll!RtlReAllocateHeap
0:000>

0:000> u poi(KERNEL32!_imp_HeapAlloc) l5
ntdll!RtlAllocateHeap:
00007ffe`460fa9a0 48895c2408      mov     qword ptr [rsp+8],rbx
00007ffe`460fa9a5 4889742410      mov     qword ptr [rsp+10h],rsi
00007ffe`460fa9aa 57              push    rdi
00007ffe`460fa9ab 4883ec30        sub     rsp,30h
00007ffe`460fa9af 498bf8          mov     rdi,r8
0:000>
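An added example (mine, not blabb's): the forwarding described in the answer is recorded in kernel32's export table as a forwarder string, "NTDLL.RtlAllocateHeap", stored where a code RVA would normally be. The Python below builds a constructed export directory with such entries and resolves names through it the way a loader does; the blob layout (RVA equals offset), the DLL name and the non-forwarded export are constructed, not read from a real kernel32.dll.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def build_export_blob(dll_name, exports):
    """Constructed export data in which RVA == offset (stand-in for the .rdata
    range a real PE data directory entry points at). exports: list of
    (name, target); target is a forwarder string like 'NTDLL.RtlAllocateHeap'
    or an int code RVA outside the blob."""
    n = len(exports)
    funcs_off = EXPORT_DIR.size
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    strings_off = ords_off + 2 * n
    strings = bytearray()
    def add_str(s):
        rva = strings_off + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva
    dll_rva = add_str(dll_name)
    funcs, names = [], []
    for name, target in sorted(exports):  # name table is kept sorted, as in a real PE
        names.append(add_str(name))
        funcs.append(add_str(target) if isinstance(target, str) else target)
    header = EXPORT_DIR.pack(0, 0, 0, 0, dll_rva, 1, n, n, funcs_off, names_off, ords_off)
    body = (struct.pack(f"<{n}I", *funcs) + struct.pack(f"<{n}I", *names)
            + struct.pack(f"<{n}H", *range(n)))
    return bytes(header + body + strings)

def read_cstr(blob, rva):
    return blob[rva:blob.index(b"\0", rva)].decode()

def resolve_export(blob, dir_rva, dir_size, wanted):
    """Look up an exported name; return ('forward', dll, func) or ('code', rva)."""
    (*_, nfuncs, nnames, funcs_rva, names_rva, ords_rva) = EXPORT_DIR.unpack_from(blob, dir_rva)
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", blob, names_rva + 4 * i)[0]
        if read_cstr(blob, name_rva) != wanted:
            continue
        ordinal = struct.unpack_from("<H", blob, ords_rva + 2 * i)[0]
        func_rva = struct.unpack_from("<I", blob, funcs_rva + 4 * ordinal)[0]
        # An RVA that lands inside the export directory's own data range is not
        # code: it is a "DLL.Function" forwarder string, which is why there is
        # no kernel32!HeapAlloc body to unassemble, only ntdll!RtlAllocateHeap.
        if dir_rva <= func_rva < dir_rva + dir_size:
            dll, _, func = read_cstr(blob, func_rva).partition(".")
            return ("forward", dll, func)
        return ("code", func_rva)
    return None
```

A real parser takes dir_rva and dir_size from the PE data directory entry and maps RVAs through the section table; the constructed blob collapses that to an identity mapping.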