是否有任何工具可以知道Windows中正在运行的进程的布局(分段)? [英] Any tool(s) for knowing the layout (segments) of running process in Windows?

问题描述

我一直很好奇

1. 该过程在内存中的外观如何?
2. 其中有哪些不同的段(部分)?
3. 程序(在磁盘上)的精确度如何?过程(在内存中)是否相关?

我之前的问题:
_{(来源: microsoft.com )}

I've always been curious about

1. How exactly the process looks in memory?
2. What are the different segments(parts) in it?
3. How exactly will be the program (on the disk) & process (in the memory) are related?

My previous question: more info on Memory layout of an executable program (process)

In my quest, I finally found a answer. I found this excellent article that cleared most of my queries: http://www.linuxforums.org/articles/understanding-elf-using-readelf-and-objdump_125.html

In the above article, author shows how to get different segments of the process (LINUX) & he compares it with its corresponding ELF file. I'm quoting this section here:

Courious to see the real layout of process segment? We can use /proc//maps file to reveal it. is the PID of the process we want to observe. Before we move on, we have a small problem here. Our test program runs so fast that it ends before we can even dump the related /proc entry. I use gdb to solve this. You can use another trick such as inserting sleep() before it calls return().

In a console (or a terminal emulator such as xterm) do:

$ gdb test
(gdb) b main
Breakpoint 1 at 0x8048376
(gdb) r
Breakpoint 1, 0x08048376 in main ()

Hold right here, open another console and find out the PID of program "test". If you want the quick way, type:

$ cat /proc/`pgrep test`/maps

You will see an output like below (you might get different output):

[1]  0039d000-003b2000 r-xp 00000000 16:41 1080084  /lib/ld-2.3.3.so
[2]  003b2000-003b3000 r--p 00014000 16:41 1080084  /lib/ld-2.3.3.so
[3]  003b3000-003b4000 rw-p 00015000 16:41 1080084  /lib/ld-2.3.3.so
[4]  003b6000-004cb000 r-xp 00000000 16:41 1080085  /lib/tls/libc-2.3.3.so
[5]  004cb000-004cd000 r--p 00115000 16:41 1080085  /lib/tls/libc-2.3.3.so
[6]  004cd000-004cf000 rw-p 00117000 16:41 1080085  /lib/tls/libc-2.3.3.so
[7]  004cf000-004d1000 rw-p 004cf000 00:00 0
[8]  08048000-08049000 r-xp 00000000 16:06 66970    /tmp/test
[9]  08049000-0804a000 rw-p 00000000 16:06 66970    /tmp/test
[10] b7fec000-b7fed000 rw-p b7fec000 00:00 0
[11] bffeb000-c0000000 rw-p bffeb000 00:00 0
[12] ffffe000-fffff000 ---p 00000000 00:00 0

Note: I add number on each line as reference.

Back to gdb, type:

(gdb) q

So, in total, we see 12 segment (also known as Virtual Memory Area--VMA).

But I want to know about Windows Process & PE file format.

1. Any tool(s) for getting the layout (segments) of running process in Windows?
2. Any other good resources for learning more on this subject?

EDIT:

Are there any good articles which shows the mapping between PE file sections & VA segments?

解决方案

Sysinternals VMMap is also an excellent tool for visualizing the VA space of a process:

_{(source: microsoft.com)}

这篇关于是否有任何工具可以知道Windows中正在运行的进程的布局(分段)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！