What does the beginning of process memory mean

Question

I am trying to learn more about how to read process memory. So I opened the "entire memory" of the Firefox process in WinHex and saw the following hex values starting at offset 10000.

00 00 00 00 00 00 00 00 EC 6B 3F 80 0C 6D 00 01 EE FF EE FF 01 00 00 00

My question is: Is it possible for a human to interpret this without further knowledge? Are these pointers or values? Is there anything, which is common for different programs created with different compilers with regards to the process memory apart from things like endianness? Why does it start with lots of zeroes, isn't that a very odd way to start using space?

Recommended answer

Obviously, you can't do anything "without further knowledge". But we already know a whole lot from the fact that it's Windows. For starters, we know that the executable gets its own view of memory, and in that virtual view the executable is loaded at its preferred starting address (as stated in the PE header of the EXE).

The start at 0x00010000 is a compatibility thing with MS-DOS (yes, that 16 bit OS) - the first 64KB are reserved and are never valid addresses. The pages up to 0x00400000 (4MB) are reserved for the OS, and in general differ between OS versions.

A common data structure in that range is the Process Environment Block. With the WinDBG tool, and the Microsoft Symbol Server, you can figure out whether the Process Environment Block is indeed located at offset 0x10000, and what its contents mean.
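
An added example, not part of the original answer: Python code that reads the preferred starting address (the `ImageBase` field) the answer refers to from the PE optional header of an EXE. The function names and the two sample headers are constructed for illustration; the field offsets are those of the PE32 and PE32+ formats.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B  # optional-header magic values

def preferred_image_base(pe: bytes) -> tuple:
    """Return (format, ImageBase) read from the PE optional header."""
    try:
        if pe[:2] != b"MZ":
            raise ValueError("missing MZ (DOS) signature")
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # file offset of PE header
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == PE32:        # 32-bit ImageBase at optional header +28
            return "PE32", struct.unpack_from("<I", pe, opt + 28)[0]
        if magic == PE32_PLUS:   # 64-bit ImageBase at optional header +24
            return "PE32+", struct.unpack_from("<Q", pe, opt + 24)[0]
        raise ValueError(f"unknown optional header magic {magic:#x}")
    except struct.error as exc:  # buffer ended before the field was reached
        raise ValueError("truncated PE header") from exc

def build_sample(magic: int, image_base: int) -> bytes:
    """Constructed header bytes for the demo; not a loadable executable."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(32)
    struct.pack_into("<H", opt, 0, magic)
    if magic == PE32:
        struct.pack_into("<I", opt, 28, image_base)
    else:
        struct.pack_into("<Q", opt, 24, image_base)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    # Constructed samples using the usual linker default bases for EXE files.
    for magic, base in ((PE32, 0x00400000), (PE32_PLUS, 0x140000000)):
        kind, value = preferred_image_base(build_sample(magic, base))
        print(f"{kind}: preferred ImageBase = {value:#x}")
```

With ASLR the loader may map the image at a different address, so compare this value with the module base a debugger such as WinDBG reports.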
