Why does Process Explorer require debug symbols to show kernel memory limits?

Process Explorer (aka procexp) requires debug symbols to show kernel memory limits, and a library that provides an API for reading them. As I found, only the symbols for the currently running kernel (ntoskrnl*) are required, and the variables MmSizeOfPagedPoolInBytes and MmSizeOfNonPagedPoolInBytes are read from it. It is possible to acquire them from the kernel directly.
So why are the debug symbols required? Do they contain some information that is impossible to get from the OS itself?

Kernel memory limits without symbols

Because Process Explorer needs to know where in kernel memory those variables are located, and it can differ between each version of Windows, so symbols are the correct way to get this location. Microsoft publishes public symbols.

Not all kernel information is easily accessible from user space.
