<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0067)http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/Layout.htm -->
<HTML><HEAD><TITLE>JIURL Plays with Win2k: Address Space Layout</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE type=text/css>.title {
FONT-FAMILY: "黑体", Arial, sans-serif; FONT-SIZE: 21px; FONT-WEIGHT: bold; LINE-HEIGHT: 48px; TEXT-DECORATION: none
}
.author {
FONT-FAMILY: "宋体"; FONT-SIZE: 12px; LINE-HEIGHT: 16px
}
.content {
FONT-SIZE: 14px; LINE-HEIGHT: 20px
}
</STYLE>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR></HEAD>
<BODY bgColor=#f7f7f7 topMargin=5>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=29 width="96%">
<TBODY>
<TR>
<TD class=title height=41 width="100%">
<P align=center><FONT face=宋体>JIURL Plays with Win2k: </FONT><FONT
face=宋体>Address Space Layout</FONT></P></TD></TR></CENTER>
<TR>
<TD class=author height=9 width="100%">
<P align=center><FONT face=宋体>Author: <A
href="mailto:jiurl@mail.china.com">JIURL</A> </FONT></P></TD></TR>
<TR>
<TD class=author height=6 width="100%">
<P align=center><FONT
face=宋体>
Homepage: <A href="http://jiurl.yeah.net/">http://jiurl.yeah.net/</A>
</FONT></P></TD></TR>
<TR>
<TD class=author height=2 width="100%">
<P align=center><FONT face=宋体> Date: 2003-7-30</FONT>
</P></TD></TR></TBODY></TABLE></DIV>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=1 width="96%">
<TBODY>
<TR>
<TD height=1 width="100%">
<HR color=#396da5 SIZE=3>
</TD></TR></TBODY></TABLE></CENTER></DIV>
<DIV align=center>
<TABLE border=0 cellPadding=0 cellSpacing=0 class=content height=4300
width="96%">
<TBODY>
<TR>
<TD height=2132 vAlign=top width="131%">
<P>
Address space layout: every process has a 4 GB address space, of which the low 2 GB is the user address space and the high 2 GB is the system address space.<BR><BR><B>Layout of the user address space</B>
<P>
Every process has its own user address space (the low 2 GB). The user address space holds the process's environment variables, the process parameters, the process heaps, the modules the process has loaded, the process PEB, each thread's stack, each thread's TEB, and so on. I wrote a program called
<A
href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlL2gLayoutSee.zip">JiurlL2gLayoutSee</A>
that reports the user address space layout of a given process. Below is the user address space layout of a Notepad instance, obtained with <A
href="http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/JiurlL2gLayoutSee.zip">JiurlL2gLayoutSee</A>.<BR><BR>NOTEPAD.EXE:<BR><BR>//
The process's VADs tell us which ranges of user address space the process has reserved.<BR>VADs:<BR><BR>#define MEM_IMAGE
0x001<BR>#define MEM_PRIVATE 0x800<BR>#define PAGE_READONLY
0x010<BR>#define PAGE_READWRITE 0x040<BR>#define PAGE_WRITECOPY
0x050<BR>#define PAGE_EXECUTE 0x020<BR>#define PAGE_EXECUTE_READ
0x030<BR>#define PAGE_EXECUTE_READWRITE 0x060<BR>#define
PAGE_EXECUTE_WRITECOPY 0x070<BR><BR>0x00010000 - 0x00011000 Flags=
0xc40<BR>0x00020000 - 0x00021000 Flags= 0xc40<BR>0x00030000 - 0x00070000
Flags= 0x840<BR>0x00070000 - 0x00170000 Flags= 0x840<BR>0x00170000 -
0x00180000 Flags= 0x040<BR>0x00180000 - 0x00196000 Flags=
0x010<BR>0x001a0000 - 0x001cf000 Flags= 0x010<BR>0x001d0000 - 0x00211000
Flags= 0x010<BR>0x00220000 - 0x00224000 Flags= 0x010<BR>0x00230000 -
0x00271000 Flags= 0x010<BR>0x00280000 - 0x00348000 Flags=
0x034<BR>0x00350000 - 0x00393000 Flags= 0x014<BR>0x003a0000 - 0x006a0000
Flags= 0x034<BR>0x006a0000 - 0x006a1000 Flags= 0xc44<BR>0x006b0000 -
0x006b1000 Flags= 0xc44<BR>0x006c0000 - 0x006d0000 Flags=
0x840<BR>0x006d0000 - 0x006d2000 Flags= 0x010<BR>0x006e0000 - 0x006e1000
Flags= 0x040<BR>0x006f0000 - 0x00770000 Flags= 0x840<BR>0x00770000 -
0x00780000 Flags= 0x840<BR>0x00780000 - 0x00b80000 Flags=
0x840<BR>0x00b90000 - 0x00b91000 Flags= 0xc44<BR>0x00bb0000 - 0x00bc2000
Flags= 0xc44<BR>0x00bd0000 - 0x00bd5000 Flags= 0xc44<BR>0x00be0000 -
0x00be5000 Flags= 0x010<BR>0x00bf0000 - 0x00c30000 Flags=
0x840<BR>0x00d40000 - 0x00d5c000 Flags= 0x071<BR>0x00d60000 - 0x00d70000
Flags= 0x840<BR>0x00d70000 - 0x00dc3000 Flags= 0x071<BR>0x00dd0000 -
0x00de0000 Flags= 0x840<BR>0x00de0000 - 0x00f84000 Flags=
0x040<BR>0x01000000 - 0x01010000 Flags= 0x071<BR>0x01010000 - 0x011f0000
Flags= 0x010<BR>0x011f0000 - 0x01201000 Flags= 0x010<BR>0x01210000 -
0x01310000 Flags= 0x840<BR>0x10000000 - 0x10019000 Flags=
0x071<BR>0x6dd30000 - 0x6dd36000 Flags= 0x071<BR>0x75e00000 - 0x75e1a000
Flags= 0x071<BR>0x76af0000 - 0x76b2e000 Flags= 0x071<BR>0x77560000 -
0x777a0000 Flags= 0x071<BR>0x777c0000 - 0x777dd000 Flags=
0x071<BR>0x77990000 - 0x77a25000 Flags= 0x071<BR>0x77a30000 - 0x77b24000
Flags= 0x071<BR>0x77b30000 - 0x77bba000 Flags= 0x071<BR>0x77c50000 -
0x77c9a000 Flags= 0x071<BR>0x77ca0000 - 0x77d20000 Flags=
0x071<BR>0x77d20000 - 0x77d8f000 Flags= 0x071<BR>0x77d90000 - 0x77dea000
Flags= 0x071<BR>0x77df0000 - 0x77e54000 Flags= 0x071<BR>0x77e60000 -
0x77f35000 Flags= 0x071<BR>0x77f40000 - 0x77f7c000 Flags=
0x071<BR>0x77f80000 - 0x77ff9000 Flags= 0x071<BR>0x78000000 - 0x78046000
Flags= 0x071<BR>0x7f6f0000 - 0x7f7f0000 Flags= 0x034<BR>0x7ffa0000 -
0x7ffd3000 Flags= 0x014<BR>0x7ffdd000 - 0x7ffde000 Flags=
0xc64<BR>0x7ffde000 - 0x7ffdf000 Flags= 0xc64<BR>0x7ffdf000 - 0x7ffe0000
Flags= 0xc64<BR><BR>// Layout<BR>Layout:<BR><BR>// Environment variables<BR>0x00010000 -
0x00011000 Environment<BR><BR>// Process parameters<BR>0x00020000 - 0x00021000
ProcessParameters<BR><BR>// Process heaps<BR>0x00070000 - 0x00170000 ProcessHeap
0<BR>0x00170000 - 0x00270000 ProcessHeap 1<BR>0x006c0000 - 0x007c0000
ProcessHeap 2<BR>0x00770000 - 0x00870000 ProcessHeap 3<BR>0x00d60000 -
0x00e60000 ProcessHeap 4<BR>0x00dd0000 - 0x00ed0000 ProcessHeap
5<BR><BR>// Modules loaded by the process, and the sections within each module<BR>0x00d70000 - 0x00dc3000
upengine.dll<BR>0x00d71000 - 0x00d8b000 .text<BR>0x00d8b000 - 0x00da0000
.rdata<BR>0x00da0000 - 0x00db2000 .data<BR>0x00db2000 - 0x00db3000
.idata<BR>0x00db3000 - 0x00dbf000 .share_d<BR>0x00dbf000 - 0x00dc1000
.rsrc<BR>0x00dc1000 - 0x00dc3000 .reloc<BR><BR>0x00d40000 - 0x00d5c000
unispim.ime<BR>0x00d41000 - 0x00d4e000 .text<BR>0x00d4e000 - 0x00d51000
.rdata<BR>0x00d51000 - 0x00d55000 .data<BR>0x00d55000 - 0x00d56000
.SharedD<BR>0x00d56000 - 0x00d5a000 .rsrc<BR>0x00d5a000 - 0x00d5c000
.reloc<BR><BR>0x77ca0000 - 0x77d20000 CLBCATQ.DLL<BR>0x77ca1000 -
0x77d0f000 .text<BR>0x77d0f000 - 0x77d19000 .data<BR>0x77d19000 -
0x77d1b000 .rsrc<BR>0x77d1b000 - 0x77d20000 .reloc<BR><BR>0x77990000 -
0x77a25000 OLEAUT32.DLL<BR>0x77991000 - 0x77a16000 .text<BR>0x77a16000 -
0x77a1d000 .data<BR>0x77a1d000 - 0x77a1e000 .rsrc<BR>0x77a1e000 -
0x77a25000 .reloc<BR><BR>0x77a30000 - 0x77b24000 OLE32.DLL<BR>0x77a31000 -
0x77b08000 .text<BR>0x77b08000 - 0x77b11000 .orpc<BR>0x77b11000 -
0x77b17000 .data<BR>0x77b17000 - 0x77b19000 .rsrc<BR>0x77b19000 -
0x77b24000 .reloc<BR><BR>0x6dd30000 - 0x6dd36000
INDICDLL.dll<BR>0x6dd31000 - 0x6dd33000 .text<BR>0x6dd33000 - 0x6dd34000
.data<BR>0x6dd34000 - 0x6dd35000 .rsrc<BR>0x6dd35000 - 0x6dd36000
.reloc<BR><BR>0x10000000 - 0x10019000 NVDESK32.DLL<BR>0x10001000 -
0x1000f000 .text<BR>0x1000f000 - 0x10010000 .rdata<BR>0x10010000 -
0x10012000 .data<BR>0x10012000 - 0x10014000 .shared<BR>0x10014000 -
0x10015000 .notshar<BR>0x10015000 - 0x10017000 .rsrc<BR>0x10017000 -
0x10019000 .reloc<BR><BR>0x75e00000 - 0x75e1a000 IMM32.DLL<BR>0x75e01000 -
0x75e13000 .text<BR>0x75e13000 - 0x75e14000 .data<BR>0x75e14000 -
0x75e19000 .rsrc<BR>0x75e19000 - 0x75e1a000 .reloc<BR><BR>0x777c0000 -
0x777dd000 WINSPOOL.DRV<BR>0x777c1000 - 0x777d8000 .text<BR>0x777d8000 -
0x777db000 .data<BR>0x777db000 - 0x777dc000 .rsrc<BR>0x777dc000 -
0x777dd000 .reloc<BR><BR>0x78000000 - 0x78046000 MSVCRT.DLL<BR>0x78001000
- 0x78033000 .text<BR>0x78033000 - 0x7803b000 .rdata<BR>0x7803b000 -
0x78042000 .data<BR>0x78042000 - 0x78043000 .rsrc<BR>0x78043000 -
0x78046000 .reloc<BR><BR>0x77560000 - 0x777a0000 SHELL32.DLL<BR>0x77561000
- 0x7767c000 .text<BR>0x7767c000 - 0x77680000 .data<BR>0x77680000 -
0x77791000 .rsrc<BR>0x77791000 - 0x777a0000 .reloc<BR><BR>0x77b30000 -
0x77bba000 COMCTL32.DLL<BR>0x77b31000 - 0x77b96000 .text<BR>0x77b96000 -
0x77b97000 .data<BR>0x77b97000 - 0x77bb6000 .rsrc<BR>0x77bb6000 -
0x77bba000 .reloc<BR><BR>0x77d20000 - 0x77d8f000 RPCRT4.DLL<BR>0x77d21000
- 0x77d81000 .text<BR>0x77d81000 - 0x77d89000 .orpc<BR>0x77d89000 -
0x77d8a000 .data<BR>0x77d8a000 - 0x77d8b000 .rsrc<BR>0x77d8b000 -
0x77d8f000 .reloc<BR><BR>0x77d90000 - 0x77dea000
ADVAPI32.DLL<BR>0x77d91000 - 0x77de1000 .text<BR>0x77de1000 - 0x77de4000
.data<BR>0x77de4000 - 0x77de6000 .rsrc<BR>0x77de6000 - 0x77dea000
.reloc<BR><BR>0x77df0000 - 0x77e54000 USER32.DLL<BR>0x77df1000 -
0x77e48000 .text<BR>0x77e48000 - 0x77e49000 .data<BR>0x77e49000 -
0x77e51000 .rsrc<BR>0x77e51000 - 0x77e54000 .reloc<BR><BR>0x77e60000 -
0x77f35000 KERNEL32.DLL<BR>0x77e61000 - 0x77ebf000 .text<BR>0x77ebf000 -
0x77ec1000 .data<BR>0x77ec1000 - 0x77f31000 .rsrc<BR>0x77f31000 -
0x77f35000 .reloc<BR><BR>0x77f40000 - 0x77f7c000 GDI32.DLL<BR>0x77f41000 -
0x77f78000 .text<BR>0x77f78000 - 0x77f79000 .data<BR>0x77f79000 -
0x77f7a000 .rsrc<BR>0x77f7a000 - 0x77f7c000 .reloc<BR><BR>0x77c50000 -
0x77c9a000 SHLWAPI.DLL<BR>0x77c51000 - 0x77c94000 .text<BR>0x77c94000 -
0x77c95000 .data<BR>0x77c95000 - 0x77c97000 .rsrc<BR>0x77c97000 -
0x77c9a000 .reloc<BR><BR>0x76af0000 - 0x76b2e000
comdlg32.dll<BR>0x76af1000 - 0x76b1b000 .text<BR>0x76b1b000 - 0x76b1f000
.data<BR>0x76b1f000 - 0x76b2b000 .rsrc<BR>0x76b2b000 - 0x76b2e000
.reloc<BR><BR>0x77f80000 - 0x77ff9000 ntdll.dll<BR>0x77f81000 - 0x77fc4000
.text<BR>0x77fc4000 - 0x77fc9000 ECODE<BR>0x77fc9000 - 0x77fcd000
PAGE<BR>0x77fcd000 - 0x77fd0000 .data<BR>0x77fd0000 - 0x77ff7000
.rsrc<BR>0x77ff7000 - 0x77ff9000 .reloc<BR><BR>0x01000000 - 0x01010000
NOTEPAD.EXE<BR>0x01001000 - 0x01008000 .text<BR>0x01008000 - 0x0100a000
.data<BR>0x0100a000 - 0x01010000 .rsrc<BR><BR>// Process PEB<BR>0x7ffdf000 -
0x7ffe0000 PEB<BR><BR>// Thread stacks and thread TEBs<BR>0x0006a000 - 0x00070000
Stack Thread 0x118<BR>0x7ffde000 - 0x7ffdf000 TEB Thread
0x118<BR><BR>0x00c2f000 - 0x00c30000 Stack Thread 0x2a8<BR>0x7ffdd000 -
0x7ffde000 TEB Thread 0x2a8<BR><BR><BR><B>Layout of the system address space</B>
<P>
The contents of the system address space are mostly the same for every process. The system address space holds the system code, the current process's page tables, the current process's page directory, the current process's working set, the paged pool (a system heap that can be paged out of physical memory), the nonpaged pool (a system heap that cannot be paged out of physical memory; the nonpaged pool has two parts, one low in the system address space and one high in it), drivers, and so on.<BR><BR>Let us now look at the rough layout of the system address space on my machine.<BR><BR>HAL.dll
0x80001000 - 0x80011220<BR><BR>ntoskrnl.exe 0x80400000 -
0x80590900<BR><BR>MmNonPagedPoolStart 8103e000<BR><BR>win32k.sys
0xa0000000 - 0xa01a6000<BR><BR>Current process's page tables and page directory 0xc0000000 -
0xc03fffff<BR><BR>MmSystemCacheStart c1000000<BR>MmSystemCacheEnd
e0ffffff<BR><BR>MmPagedPoolStart e1000000<BR>MmPagedPoolEnd
e77fffff<BR><BR>MmNonPagedSystemStart
e7800000<BR><BR>MmNonPagedPoolExpansionStart fcd6c000<BR>MmNonPagedPoolEnd
ffbe0000<BR><BR>Of these,
MmNonPagedPoolStart,MmSystemCacheStart,MmSystemCacheEnd,MmPagedPoolStart,MmPagedPoolEnd,MmNonPagedSystemStart,MmNonPagedPoolEnd
are global variables, and with kd we can read their values. Each command prints the variable's address followed by the single DWORD stored there.<BR><BR>
<PRE>
kd> dd MmNonPagedPoolStart l 1
dd MmNonPagedPoolStart l 1
8047e750 8103e000

kd> dd MmSystemCacheStart l 1
dd MmSystemCacheStart l 1
8046ac00 c1000000

kd> dd MmSystemCacheEnd l 1
dd MmSystemCacheEnd l 1
8047efd8 e0ffffff

kd> dd MmPagedPoolStart l 1
dd MmPagedPoolStart l 1
80471038 e1000000

kd> dd MmPagedPoolEnd l 1
dd MmPagedPoolEnd l 1
8047e738 e77fffff

kd> dd MmNonPagedSystemStart l 1
dd MmNonPagedSystemStart l 1
8047f62c e7800000

kd> dd MmNonPagedPoolExpansionStart l 1
dd MmNonPagedPoolExpansionStart l 1
8047e8dc fcd6c000

kd> dd
</PRE>
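<P>
The VAD dump in the user address space section above is easier to read once the Flags column is decoded. The following C program is an added example, not part of the original article or of JiurlL2gLayoutSee: it parses lines in the dump's format using the MEM_* and PAGE_* values listed there, names each region's backing and protection, and reports private (non-image) executable regions, the condition a memory scanner singles out for review. The sample lines are constructed; the 0x860 region is hypothetical.
</P>

```c
#include <stdio.h>

/* VAD flag bits as listed in the article's dump: 0x001 = MEM_IMAGE, 0x800 =
   MEM_PRIVATE, and bits 0x070 hold the protection: 0x010 READONLY, 0x020 EXECUTE,
   0x030 EXECUTE_READ, 0x040 READWRITE, 0x050 WRITECOPY, 0x060 EXECUTE_READWRITE,
   0x070 EXECUTE_WRITECOPY. */
#define MEM_IMAGE   0x001
#define MEM_PRIVATE 0x800
typedef struct { unsigned start, end, flags; } vad_t;

/* Parse one dump line such as "0x00d40000 - 0x00d5c000 Flags= 0x071";
   returns 1 on success, 0 if the line does not have that shape. */
int parse_vad_line(const char *line, vad_t *v) {
    return sscanf(line, "%x - %x Flags= %x", &v->start, &v->end, &v->flags) == 3;
}

/* Region size in 4K pages (x86 page size on Win2k). */
unsigned vad_pages(const vad_t *v) { return (v->end - v->start) >> 12; }

/* Backing kind: image (EXE/DLL), private (heap, stack, VirtualAlloc) or a plain
   mapped section (neither bit set, as in the dump's 0x010 regions). */
const char *vad_kind(unsigned f) {
    return (f & MEM_IMAGE) ? "image" : (f & MEM_PRIVATE) ? "private" : "mapped";
}

/* Protection decoded by index (flags >> 4) & 7; bits the article does not
   define (0x400 and 0x004 also appear in the dump) are deliberately ignored. */
static const char *const prot_names[8] =
    { "none", "R", "X", "RX", "RW", "RWc", "RWX", "RWXc" };
const char *vad_prot(unsigned flags) { return prot_names[(flags >> 4) & 7]; }

/* Bit 0x020 is set exactly for the executable protections (X, RX, RWX, RWXc).
   Executable memory that is private rather than image-backed has no module
   behind it, which is what memory-scanning tools single out for review. */
int vad_is_private_executable(unsigned flags) {
    return (flags & MEM_PRIVATE) && !(flags & MEM_IMAGE) && ((flags >> 4) & 2);
}

int main(void) {
    /* constructed sample: two dump lines plus a hypothetical private RWX (0x860) */
    const char *sample[] = { "0x00d40000 - 0x00d5c000 Flags= 0x071",
                             "0x00070000 - 0x00170000 Flags= 0x840",
                             "0x00400000 - 0x00401000 Flags= 0x860" };
    for (int i = 0; i < 3; i++) {
        vad_t v;
        if (!parse_vad_line(sample[i], &v)) continue;
        printf("%08x-%08x %4u pages %-7s %-4s %s\n", v.start, v.end, vad_pages(&v),
               vad_kind(v.flags), vad_prot(v.flags),
               vad_is_private_executable(v.flags) ? "[private executable]" : "");
    }
    return 0;
}
```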