What does the memory map of a Windows process look like?

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it, you must likewise follow CC BY-SA, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5680766/

Time: 2020-09-15 16:39:26  Source: igfitidea

What does a memory map of a Windows process look like?

Tags: windows, memory-management, low-level, memory-layout

Asked by Bruce

This might be a duplicate question. I wish to know what the memory map of a Windows process looks like. I am looking for details. Kindly provide links to blogs, articles and other relevant literature.

Accepted answer by Bruce

I always like to actually be able to see things, rather than just read theory. It turns out, according to this blog post, that if you open a program using windbg even when it isn't running it still gets mapped to an address space as if it were. Thus, your disassembly window figuratively (not guaranteed to load your code at these exact addresses) shows you what is at those addresses in terms of code:

[Image: WinDbg working]

Of course, you can't guarantee those addresses thanks to ASLR, but it gives you an idea / gets you to think: memory addresses are also just code. Code and memory is stored in the same (virtual) space, as per the Von Neumann architecture which most modern computers implement. Unfortunately also as there's no stack, heap etc you can't move and look at those.

This blog post from Microsoft gives you a high level overview of the virtual address space. As you can see, half of it is reserved for use by the operating system and the other half you can fill with whatever you have (code, malloc calls, stack allocations etc).

In terms of how the address space works on the user side, this diagram helped me understand it. It's linked in this question which provides a series of decent links as to the varying possible maps. Remember though, that the layout in memory will differ in terms of the parts.

The important point to remember is that all of it, program, data, stack, heap, kernel stuff, is one big sequential series of memory addresses, although these may or may not actually translate to actual memory addresses.

Whilst you're at it, you might also be interested in how the executable appears on disk. This article and this article particularly provide some in depth analysis of the PE file format. The latter article also has a little diagram showing roughly how data is mmap'd.
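The answer above describes the user/kernel split of the virtual address space and the point that the address space is one continuous range of virtual addresses, only some of which are actually backed by memory. The following script is an added example, not part of the original answer, that makes both visible on a live process: it reads the user-mode address bounds from GetSystemInfo and then walks the target process region by region with VirtualQueryEx, reporting whether each region is committed, merely reserved, or free, whether it belongs to an image (EXE/DLL), a mapped file or private memory (heaps, stacks), and its page protection. The P/Invoke wrapper class `MemMap` and the function `Get-ProcessMemoryMap` are names chosen here; the Win32 structures, constants and API signatures are the documented ones. It assumes 64-bit PowerShell (5.1 or 7) on 64-bit Windows inspecting a 64-bit process, since the structure layouts follow the caller's bitness.

```powershell
# Added example (not from the original answer): walk a process's user-mode
# virtual address space with VirtualQueryEx and summarise every region.
# Assumes 64-bit PowerShell on 64-bit Windows; 'MemMap' is a name chosen here.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class MemMap
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;   // 4 bytes of padding follow on x64
        public IntPtr RegionSize;
        public uint   State;               // MEM_COMMIT / MEM_RESERVE / MEM_FREE
        public uint   Protect;             // PAGE_* flags
        public uint   Type;                // MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_INFO
    {
        public ushort wProcessorArchitecture;
        public ushort wReserved;
        public uint   dwPageSize;
        public IntPtr lpMinimumApplicationAddress;
        public IntPtr lpMaximumApplicationAddress;
        public IntPtr dwActiveProcessorMask;
        public uint   dwNumberOfProcessors;
        public uint   dwProcessorType;
        public uint   dwAllocationGranularity;
        public ushort wProcessorLevel;
        public ushort wProcessorRevision;
    }

    [DllImport("kernel32.dll")]
    public static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("psapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint GetMappedFileNameW(IntPtr hProcess, IntPtr lpv,
        System.Text.StringBuilder lpFilename, uint nSize);
}
"@

$stateNames   = @{ 0x1000 = 'COMMIT'; 0x2000 = 'RESERVE'; 0x10000 = 'FREE' }
$typeNames    = @{ 0x1000000 = 'IMAGE'; 0x40000 = 'MAPPED'; 0x20000 = 'PRIVATE' }
$protectNames = @{ 0x01 = 'NOACCESS'; 0x02 = 'R'; 0x04 = 'RW'; 0x08 = 'WC'
                   0x10 = 'X'; 0x20 = 'RX'; 0x40 = 'RWX'; 0x80 = 'WCX' }

function Get-ProcessMemoryMap {
    param([int]$ProcessId = $PID)   # default: map the PowerShell process itself

    # The user-mode half of the address space: everything above $hi is kernel space.
    $si = New-Object MemMap+SYSTEM_INFO
    [MemMap]::GetSystemInfo([ref]$si)
    $lo = $si.lpMinimumApplicationAddress.ToInt64()
    $hi = $si.lpMaximumApplicationAddress.ToInt64()
    Write-Host ('User-mode range: 0x{0:X} - 0x{1:X} (kernel space lies above)' -f $lo, $hi)

    # PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010), the latter for GetMappedFileName
    $h = [MemMap]::OpenProcess(0x0410, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([ComponentModel.Win32Exception]::new().Message)"
    }
    try {
        $mbi  = New-Object MemMap+MEMORY_BASIC_INFORMATION
        $size = [UIntPtr]::new([uint64][Runtime.InteropServices.Marshal]::SizeOf($mbi))
        $addr = $lo
        while ($addr -lt $hi) {
            $ret = [MemMap]::VirtualQueryEx($h, [IntPtr]::new($addr), [ref]$mbi, $size)
            if ($ret -eq [UIntPtr]::Zero) { break }   # walked off the end of the queryable range

            # Resolve the backing file for image and mapped regions (device-form path).
            $file = ''
            if ($mbi.State -ne 0x10000 -and ($mbi.Type -eq 0x1000000 -or $mbi.Type -eq 0x40000)) {
                $sb = New-Object System.Text.StringBuilder 1024
                if ([MemMap]::GetMappedFileNameW($h, $mbi.BaseAddress, $sb, 1024) -gt 0) {
                    $file = $sb.ToString()
                }
            }
            $guard = if ($mbi.Protect -band 0x100) { '+GUARD' } else { '' }   # PAGE_GUARD marks stack limits

            [PSCustomObject]@{
                Base    = '0x{0:X12}' -f $mbi.BaseAddress.ToInt64()
                SizeKB  = $mbi.RegionSize.ToInt64() / 1KB
                State   = $stateNames[[int]$mbi.State]
                Type    = if ($mbi.State -eq 0x10000) { '' } else { $typeNames[[int]$mbi.Type] }
                Protect = if ($mbi.State -eq 0x1000) { $protectNames[[int]($mbi.Protect -band 0xFF)] + $guard } else { '' }
                Mapped  = $file
            }
            # Regions are contiguous: the next one starts where this one ends.
            $addr = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
        }
    } finally {
        [MemMap]::CloseHandle($h) | Out-Null
    }
}

# Usage: full map of the current process, then a count of regions by state.
Get-ProcessMemoryMap | Format-Table -AutoSize
Get-ProcessMemoryMap | Group-Object State | Select-Object Name, Count
```

Reading the output against the answer: IMAGE regions are the executable and its DLLs (the PE sections the PE-format articles describe, with RX for code and RW for data), PRIVATE RW regions are heaps and thread stacks (a stack shows a GUARD page just below its committed part), and the many RESERVE and FREE regions are virtual addresses that have no physical memory behind them at all, which is the sense in which the address space is one continuous range that "may or may not translate to actual memory addresses". The printed upper bound (0x7FFFFFFEFFFF on a 64-bit process) marks where the kernel's half begins; the walk never enters it because VirtualQueryEx only reports on user-mode addresses. Querying another process needs a handle with at least PROCESS_QUERY_INFORMATION, so pass a PID you own or run elevated.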