How does a PE file get mapped into memory?


Question

So I have been researching the PE format for the last couple of days, and I still have a couple of questions:

  1. Does the data section get mapped into the process' memory, or does the program read it from the disk?

If it does get mapped into its memory, how can the process acquire the offset of the section? (And other sections)

Is there any way to get the entry point of a process that has already been mapped into memory, without touching the file on disk?

Recommended answer

Does the data section get mapped into the process' memory

Yes. That's unlikely to survive for very long; the program is apt to write to that section, which triggers a copy-on-write page copy that gets the page backed by the paging file instead of the PE file.

how can the process acquire the offset of the section?

The linker already calculated the offsets of variables in the section. It might be relocated, which is common for DLLs that have an awkward base address that's already in use when the DLL gets loaded. In which case the relocation table in the PE file is used by the loader to patch the addresses in the code. The pages that contain such patched code get the same treatment as the data section: they are no longer backed by the PE file and cannot be shared between processes.

Is there any way to get the entry point of a process

The entire PE file gets mapped to memory, including its headers. So you can certainly read IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint from memory without reading the file. Do keep in mind that it is painful if you do this for another process, since you don't have direct access to its virtual address space. You'd have to use ReadProcessMemory(), which is fairly little joy and unlikely to be faster than reading the file. The file is pretty likely to be present in the file system cache. The Address Space Layout Randomization feature is apt to give you a headache; it is designed to make it hard to do these kinds of things.
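The answer's point that the headers are mapped at the start of the image is what makes this walk possible. The following is an added example, not code from the question or the answer: it parses the in-memory header layout (DOS header, NT signature, file header, optional header, section headers) from a byte buffer that is assumed to have been obtained already, for instance via ReadProcessMemory() or from a memory dump, and it takes an optional `actual_base` because, as the answer notes, ASLR can relocate the image away from the ImageBase stored in the header. The sample image is constructed inline and is not a real binary.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550  # 'MZ', 'PE\0\0'
OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS = 0x10B, 0x20B

def parse_mapped_image(image, actual_base=None):
    """Walk the headers of a mapped PE image (headers sit at RVA 0). actual_base is where the
    image really landed; if ASLR relocated it, the header's ImageBase is only the preferred base."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20      # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # same offset in PE32 and PE32+
    if magic == OPT_MAGIC_PE32:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == OPT_MAGIC_PE32PLUS:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        s = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": s[1], "rva": s[2], "characteristics": s[9]})
    base = image_base if actual_base is None else actual_base
    return {"machine": machine, "preferred_base": image_base, "entry_rva": entry_rva,
            "entry_va": base + entry_rva, "sections": sections}

def section_for_rva(info, rva):
    """Name of the section whose virtual range contains rva (None if it falls in headers or gaps)."""
    return next((s["name"] for s in info["sections"]
                 if s["rva"] <= rva < s["rva"] + s["virtual_size"]), None)

def build_sample_image():
    """Constructed minimal x64 PE32+ image with .text/.data headers only; not a real binary."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"\0" * (e_lfanew - 0x40)
    opt = struct.pack("<HBBIIIIIQ", OPT_MAGIC_PE32PLUS, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x140000000)
    opt += b"\0" * (0xF0 - len(opt))  # PE32+ optional header is 0xF0 bytes; AddressOfEntryPoint=0x1000
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x40, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt + secs
```

Feeding the function the first page or so of a live module's mapping gives the same result as the sample; pass the module's real load address as `actual_base` to get the entry point's virtual address after relocation.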
