$$ cdb scripting template — attach to acclient.exe, set non-blocking $$ breakpoints on suspected allocator functions, count hits, auto-detach. $$ $$ Usage: $$ cdb.exe -pn acclient.exe -cf -logo $$ $$ Or attach by PID: $$ cdb.exe -p -cf -logo $$ $$ Tips: $$ - `gc` = "go conditional" — continue without breaking the debuggee $$ - `qd` = "quit detached" — leaves the debuggee running, exits cdb $$ - Counter $t0..$t19 are persistent across breakpoint hits $$ - Don't put `;` inside breakpoint action strings without escaping — $$ cdb's command parser splits on `;` even inside actions. .logopen /t leak-trace.log $$ Symbol path — local PDB only, no symbol server. .sympath C:\leak-hunt\pdb .symopt+ 0x40 .reload /f acclient.exe $$ Verify the symbol we care about resolves (replace as needed) $$ x acclient!CChatManager::AddLine $$ ============================================================ $$ Counters $$ ============================================================ r $t0 = 0 $$ alloc-site hits r $t1 = 0 $$ free-site hits r $t2 = 0 $$ unmatched (leak candidate) hits $$ ============================================================ $$ Breakpoint pattern: increment counter, log every Nth, auto-detach at M $$ ============================================================ $$ Replace and with the suspected function names. bp acclient! "r $t0 = @$t0 + 1; .if (@$t0 % 1000 == 0) { .printf \"alloc hits: %d\\n\", @$t0 }; .if (@$t0 >= 100000) { .printf \"AUTO-DETACH at %d\\n\", @$t0; qd } .else { gc }" bp acclient! "r $t1 = @$t1 + 1; .if (@$t1 % 1000 == 0) { .printf \"free hits: %d\\n\", @$t1 }; gc" $$ Optional: dump `this` struct on first hit $$ bp acclient! "r $t0 = @$t0 + 1; .if (@$t0 == 1) { dt acclient! @ecx }; gc" g .logclose