
What does the memory map of a Windows process look like?

This might be a duplicate question. I wish to know what the memory map of a Windows process looks like. I am looking for details. Kindly provide links to blogs, articles and other relevant literature.

I always like to actually be able to see things, rather than just read theory. It turns out, according to this blog post, that if you open a program using WinDbg, even when it isn't running, it still gets mapped to an address space as if it were. Thus, your disassembly window figuratively (it is not guaranteed to load your code at these exact addresses) shows you what is at those addresses in terms of code:

(Screenshot: WinDbg disassembly window)

Of course, you can't guarantee those addresses thanks to ASLR, but it gives you an idea and gets you to think: memory addresses are also just code. Code and memory are stored in the same (virtual) space, as per the Von Neumann architecture which most modern computers implement. Unfortunately, as there's no stack, heap etc. when the program isn't running, you can't move to and look at those.

This blog post from Microsoft gives you a high-level overview of the virtual address space. As you can see, half of it is reserved for use by the operating system and the other half you can fill with whatever you have (code, malloc calls, stack allocations etc.).

In terms of how the address space works on the user side, this diagram helped me understand it. It's linked in this question, which provides a series of decent links on the various possible maps. Remember, though, that the layout in memory will differ in terms of the parts.

The important point to remember is that all of it (program, data, stack, heap, kernel stuff) is one big sequential series of memory addresses, although these may or may not actually translate to physical memory addresses.

Whilst you're at it, you might also be interested in how the executable appears on disk. This article and this article in particular provide some in-depth analysis of the PE file format. The latter article also has a little diagram showing roughly how the data is mmap'd.
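As an added illustration of the answer's point that code, data, stack and heap all live in one sequential virtual address space (this is example code written for this page, not code from the original post or its author): the program below takes one address from each of those regions, sorts them into a tiny memory map, and, when built on Windows, walks the user half of the address space with `VirtualQuery` and prints every region much as WinDbg's `!address` would. The user/kernel split constants are the standard Windows defaults (2 GB for a 32-bit process, 128 TB on x64); on other platforms only the region-sampling part runs, and the exact addresses you see will vary from run to run because of ASLR.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Highest user-mode address on Windows: 0x7FFFFFFF for a 32-bit process
   (2 GB default split) and 0x00007FFFFFFFFFFF on x64 (128 TB). Everything
   above it is the kernel half the Microsoft post talks about. */
#if UINTPTR_MAX > 0xFFFFFFFFu
#define USER_SPACE_LIMIT ((uintptr_t)0x00007FFFFFFFFFFFULL)
#else
#define USER_SPACE_LIMIT ((uintptr_t)0x7FFFFFFFUL)
#endif

int is_user_address(uintptr_t a) { return a <= USER_SPACE_LIMIT; }

static int g_data = 42; /* initialised global: lives in the image's data section */

typedef struct { const char *name; uintptr_t addr; } region_sample;

static int cmp_sample(const void *a, const void *b) {
    uintptr_t x = ((const region_sample *)a)->addr, y = ((const region_sample *)b)->addr;
    return (x > y) - (x < y);
}

/* One address from each classic region: code (this function), data (a global),
   stack (a local), heap (a malloc block), sorted ascending so it reads as a
   miniature memory map. Returns 4, or 0 if the heap allocation failed. */
int sample_regions(region_sample out[4]) {
    int local = 0;
    void *heap = malloc(64);
    if (!heap) return 0;
    out[0] = (region_sample){"code  (.text)", (uintptr_t)sample_regions};
    out[1] = (region_sample){"data  (.data)", (uintptr_t)&g_data};
    out[2] = (region_sample){"stack",         (uintptr_t)&local};
    out[3] = (region_sample){"heap",          (uintptr_t)heap};
    free(heap); /* only the number is kept; it is never dereferenced again */
    qsort(out, 4, sizeof out[0], cmp_sample);
    return 4;
}

#ifdef _WIN32
/* Walk the user half of this process's address space region by region.
   VirtualQuery returns sizeof(MEMORY_BASIC_INFORMATION) on success and 0 once
   we pass the last user-mode address. Returns the number of regions seen. */
size_t walk_user_address_space(void) {
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t cur = 0;
    size_t count = 0;
    while (cur <= USER_SPACE_LIMIT &&
           VirtualQuery((LPCVOID)cur, &mbi, sizeof mbi) == sizeof mbi) {
        const char *state = mbi.State == MEM_COMMIT  ? "commit"  :
                            mbi.State == MEM_RESERVE ? "reserve" : "free";
        const char *type  = mbi.Type == MEM_IMAGE    ? "image"   :
                            mbi.Type == MEM_MAPPED   ? "mapped"  :
                            mbi.Type == MEM_PRIVATE  ? "private" : "-";
        printf("%p  size=%#zx  %-7s %s\n", mbi.BaseAddress,
               (size_t)mbi.RegionSize, state, type);
        count++;
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= cur) break; /* guard against wraparound at the top of the space */
        cur = next;
    }
    return count;
}
#endif

int main(void) {
    region_sample s[4];
    int n = sample_regions(s);
    printf("user-mode limit: %#llx\n", (unsigned long long)USER_SPACE_LIMIT);
    for (int i = 0; i < n; i++)
        printf("%-14s %#018llx  %s\n", s[i].name, (unsigned long long)s[i].addr,
               is_user_address(s[i].addr) ? "user" : "kernel");
#ifdef _WIN32
    printf("\n--- VirtualQuery walk ---\n");
    printf("%zu regions\n", walk_user_address_space());
#endif
    return 0;
}
```

Running it twice shows the same ordering of regions but different absolute addresses, which is ASLR at work; on Windows the `VirtualQuery` walk also makes the image, mapped DLLs, heaps and thread stacks visible as distinct `image`, `mapped` and `private` regions, and every base address it prints stays below the user-mode limit.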

