How does a memory map of a Windows process look like?


Question


This might be a duplicate question. I wish to know what the memory map of a Windows process looks like. I am looking for details. Kindly provide links to blogs, articles and other relevant literature.

Answer


I always like to actually be able to see things, rather than just read theory. It turns out, according to this blog post, that if you open a program using windbg, even when it isn't running, it still gets mapped to an address space as if it were. Thus, your disassembly window figuratively (not guaranteed to load your code at these exact addresses) shows you what is at those addresses in terms of code:


Of course, you can't guarantee those addresses thanks to ASLR, but it gives you an idea / gets you to think: memory addresses are also just code. Code and memory are stored in the same (virtual) space, as per the Von Neumann architecture which most modern computers implement. Unfortunately, also, as there's no stack, heap etc., you can't move and look at those.

This blog post from Microsoft gives you a high level overview of the virtual address space. As you can see, half of it is reserved for use by the operating system and the other half you can fill with whatever you have (code, malloc calls, stack allocations etc).


In terms of how the address space works on the user side, this diagram helped me understand it. It's linked in this question which provides a series of decent links as to the varying possible maps. Remember though, that the layout in memory will differ in terms of the parts.


The important point to remember is that all of it, program, data, stack, heap, kernel stuff, is one big sequential series of memory addresses, although these may or may not actually translate to actual memory addresses.


Whilst you're at it, you might also be interested in how the executable appears on disk. This article and this article particularly provide some in depth analysis of the PE file format. The latter article also has a little diagram showing roughly how data is mmap'd.
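To see the user half of that address space for yourself rather than in a diagram, here is an added example (my code, not from the answer or the articles it links): a Python script that walks the current process with `VirtualQuery` via `ctypes`, tallies committed bytes by region type (image, mapped, private) and flags any region that is both writable and executable. The walk needs Windows; `SAMPLE_REGIONS` is a constructed map, not captured from a real process, so `summarize()` can be exercised anywhere.

```python
import ctypes
import sys
# Region state, type and page-protection constants from <winnt.h>.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
STATE = {MEM_COMMIT: "commit", MEM_RESERVE: "reserve", MEM_FREE: "free"}
TYPE = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}
DWORD = ctypes.c_ulong

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", DWORD), ("RegionSize", ctypes.c_size_t),
                ("State", DWORD), ("Protect", DWORD), ("Type", DWORD)]

def walk_address_space():
    """Query every region of this process from address 0 upward; VirtualQuery
    fails once the address leaves the user half, which ends the walk."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQuery.argtypes = [ctypes.c_void_p, ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQuery.restype = ctypes.c_size_t
    mbi, addr, regions = MEMORY_BASIC_INFORMATION(), 0, []
    while k32.VirtualQuery(addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        regions.append((addr, mbi.RegionSize, mbi.State, mbi.Type, mbi.Protect))
        addr += mbi.RegionSize
    return regions

def summarize(regions):
    """Committed bytes per region type, plus regions that are writable and
    executable at once, the first thing a defender checks on a memory map."""
    by_type, rwx = {}, []
    for base, size, state, rtype, protect in regions:
        if state != MEM_COMMIT:  # free and reserved ranges are address space, not memory
            continue
        name = TYPE.get(rtype, "unknown")
        by_type[name] = by_type.get(name, 0) + size
        if protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY):
            rwx.append((base, size))
    return by_type, rwx

# Constructed sample map (not captured from a real process) so summarize() runs on any OS.
SAMPLE_REGIONS = [
    (0x0, 0x10000, MEM_FREE, 0, 0x01),                       # unmapped low pages
    (0x1a0000, 0x100000, MEM_COMMIT, MEM_PRIVATE, 0x04),     # heap, read/write
    (0x2b0000, 0x1000, MEM_COMMIT, MEM_PRIVATE, 0x40),       # private RWX page: worth a second look
    (0x3c0000, 0xf000, MEM_RESERVE, MEM_PRIVATE, 0x00),      # reserved, uncommitted stack
    (0x7ff600000000, 0x1000, MEM_COMMIT, MEM_IMAGE, 0x02),   # PE header, read-only
    (0x7ff600001000, 0x20000, MEM_COMMIT, MEM_IMAGE, 0x20),  # .text, execute/read
]

if __name__ == "__main__":
    regs = walk_address_space() if sys.platform == "win32" else SAMPLE_REGIONS
    for base, size, state, rtype, protect in regs:
        print(f"{base:016x}-{base + size:016x} {STATE.get(state, '?'):8}{TYPE.get(rtype, '-'):8}prot=0x{protect:02x}")
    print("committed bytes by type / RWX regions:", summarize(regs))
```

On a real process the printed ranges stop just below the user-mode limit, which is the boundary the Microsoft post describes between the half you can fill and the half reserved for the kernel.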
