After stripping out the parts covered earlier, let's see what is left in memory:
BaseAddress  AllocationBase  AllocationProtect        RegionSize  State                Protect                  Type
00010000     00010000        00000004 PAGE_READWRITE  00002000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffdd000     7ffdd000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffde000     7ffde000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffdf000     7ffdf000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffe0000     7ffe0000        00000002 PAGE_READONLY   00001000    00001000 MEM_COMMIT  00000002 PAGE_READONLY   00020000 MEM_PRIVATE
These blocks are all fairly small. What exactly are they?
1.1 Environment block
Mao Decao's 《Windows內核情境分析》 (Windows Kernel Scenario Analysis) mentions something called the environment block (I think that is the name), which sits at the lowest position in memory. Let's look at its contents:
0x00010000 3d 00 3a 00 3a 00 3d 00 3a 00 3a 00 5c 00 00 00 3d 00 45 00 =::=::\.=E
0x00010014 3a 00 3d 00 45 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 :=E:\Progr
0x00010028 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 4d 00 am Files\M
0x0001003C 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 icrosoft V
0x00010050 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 isual Stud
0x00010064 69 00 6f 00 20 00 39 00 2e 00 30 00 5c 00 56 00 43 00 5c 00 io 9.0\VC\
0x00010078 76 00 63 00 70 00 61 00 63 00 6b 00 61 00 67 00 65 00 73 00 vcpackages
0x0001008C 00 00 3d 00 46 00 3a 00 3d 00 46 00 3a 00 5c 00 65 00 6d 00 .=F:=F:\em
0x000100A0 62 00 65 00 64 00 5c 00 65 00 74 00 6f 00 6f 00 6c 00 73 00 bed\etools
0x000100B4 00 00 41 00 4c 00 4c 00 55 00 53 00 45 00 52 00 53 00 50 00 .ALLUSERSP
0x000100C8 52 00 4f 00 46 00 49 00 4c 00 45 00 3d 00 45 00 3a 00 5c 00 ROFILE=E:\
0x000100DC 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00 Documents
0x000100F0 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6e 00 and Settin
0x00010104 67 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 gs\All Use
0x00010118 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 rs.APPDATA
0x0001012C 3d 00 45 00 3a 00 5c 00 44 00 6f 00 63 00 75 00 6d 00 65 00 =E:\Docume
0x00010140 6e 00 74 00 73 00 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 nts and Se
0x00010154 74 00 74 00 69 00 6e 00 67 00 73 00 5c 00 00 5f d1 53 05 80 ttings\開發者
0x00010168 5c 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 \Applicati
0x0001017C 6f 00 6e 00 20 00 44 00 61 00 74 00 61 00 00 00 42 00 58 00 on Data.BX
0x00010190 53 00 48 00 41 00 52 00 45 00 3d 00 2e 00 00 00 43 00 44 00 SHARE=..CD
0x000101A4 53 00 52 00 4f 00 4f 00 54 00 3d 00 65 00 3a 00 5c 00 65 00 SROOT=e:\e
It is all Unicode text. Comparing its contents with the system environment variables, the differences are fairly obvious, but definitions of both the system environment variables and the user environment variables can be found in this memory region. I tried adding a definition to the user environment variables and re-ran the program, and sure enough the new environment variable turned up in this region.
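As an added example (not code from the original post), here is a small parser for the format seen in the dump above: a Windows environment block is a run of NUL-terminated UTF-16LE NAME=VALUE strings, closed by an empty string. The bytes it parses are constructed for the example from the first entries visible in the dump, with "user" standing in for the real profile name; they are not the page's bytes. The entries that begin with "=" (such as =::=::\ and =E:=E:\...) are the hidden per-drive current-directory entries that cmd.exe keeps in the environment, which is why they have no counterpart among the system or user environment variable settings.

```c
/* Added example, not code from the original post: parse a Windows
 * environment block (UTF-16LE NAME=VALUE strings, each NUL-terminated,
 * the whole block closed by an empty string) and look a variable up.
 * The sample block is constructed from the first entries visible in the
 * post's dump, with "user" standing in for the real profile name. */
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32

typedef struct {
    char name[128];
    char value[512];
    int  hidden;   /* entry starts with '=' (cmd.exe's per-drive cwd entries) */
} env_entry;

/* Write an ASCII string as UTF-16LE plus its NUL code unit; returns bytes written, 0 if no room. */
static size_t put_utf16le(uint8_t *dst, size_t cap, const char *ascii) {
    size_t n = 0;
    for (; *ascii; ascii++) {
        if (n + 2 > cap) return 0;
        dst[n++] = (uint8_t)*ascii; dst[n++] = 0;
    }
    if (n + 2 > cap) return 0;
    dst[n++] = 0; dst[n++] = 0;
    return n;
}

/* Parse the block into out[]. Returns the entry count, or -1 on a truncated
 * block (no empty-string terminator), an entry without '=', or overflow. */
int parse_env_block(const uint8_t *blk, size_t len, env_entry *out, int max) {
    size_t pos = 0;
    int n = 0;
    for (;;) {
        size_t start = pos;
        while (pos + 1 < len && !(blk[pos] == 0 && blk[pos + 1] == 0)) pos += 2;
        if (pos + 1 >= len) return -1;      /* ran off the end: truncated block */
        size_t nbytes = pos - start;
        pos += 2;                            /* step over the NUL code unit */
        if (nbytes == 0) return n;           /* empty string: end of block */
        if (n >= max) return -1;

        /* Project UTF-16 code units to ASCII ('?' for anything else). */
        char tmp[640];
        size_t k = 0;
        for (size_t i = start; i < start + nbytes && k < sizeof tmp - 1; i += 2) {
            uint16_t cu = (uint16_t)(blk[i] | (blk[i + 1] << 8));
            tmp[k++] = cu < 0x80 ? (char)cu : '?';
        }
        tmp[k] = '\0';

        /* The separator is the first '=' after position 0, so "=E:=E:\x" splits as "=E:" / "E:\x". */
        const char *eq = strchr(tmp + 1, '=');
        if (eq == NULL) return -1;
        env_entry *e = &out[n++];
        size_t nl = (size_t)(eq - tmp);
        if (nl >= sizeof e->name) nl = sizeof e->name - 1;
        memcpy(e->name, tmp, nl);
        e->name[nl] = '\0';
        strncpy(e->value, eq + 1, sizeof e->value - 1);
        e->value[sizeof e->value - 1] = '\0';
        e->hidden = (tmp[0] == '=');
    }
}

/* Case-insensitive lookup (environment variable names are case-insensitive on Windows). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
const char *env_lookup(const env_entry *e, int n, const char *name) {
    for (int i = 0; i < n; i++) if (ieq(e[i].name, name)) return e[i].value;
    return NULL;
}

/* Constructed sample block (not the page's bytes). */
static const char *sample_strings[] = {
    "=::=::\\",
    "=E:=E:\\Program Files\\Microsoft Visual Studio 9.0\\VC\\vcpackages",
    "ALLUSERSPROFILE=E:\\Documents and Settings\\All Users",
    "APPDATA=E:\\Documents and Settings\\user\\Application Data",
    "BXSHARE=.",
};
static uint8_t   g_block[4096];
static size_t    g_block_len;
static env_entry g_entries[MAX_ENTRIES];
static int       g_count = -2;   /* -2: not parsed yet */

static int ensure_parsed(void) {
    if (g_count != -2) return g_count;
    size_t off = 0;
    for (size_t i = 0; i < sizeof sample_strings / sizeof sample_strings[0]; i++)
        off += put_utf16le(g_block + off, sizeof g_block - off, sample_strings[i]);
    off += put_utf16le(g_block + off, sizeof g_block - off, "");   /* empty string closes the block */
    g_block_len = off;
    g_count = parse_env_block(g_block, g_block_len, g_entries, MAX_ENTRIES);
    return g_count;
}

int sample_entry_count(void) { return ensure_parsed(); }
int sample_hidden_count(void) {
    int n = ensure_parsed(), h = 0;
    for (int i = 0; i < n; i++) h += g_entries[i].hidden;
    return h;
}
const char *sample_lookup(const char *name) { return env_lookup(g_entries, ensure_parsed(), name); }
/* Dropping the final empty string must be reported as a truncated block. */
int sample_truncated_result(void) {
    env_entry tmp[MAX_ENTRIES];
    ensure_parsed();
    return parse_env_block(g_block, g_block_len - 2, tmp, MAX_ENTRIES);
}

int main(void) {
    int n = ensure_parsed();
    for (int i = 0; i < n; i++)
        printf("%s%s = %s\n", g_entries[i].hidden ? "[hidden] " : "", g_entries[i].name, g_entries[i].value);
    return 0;
}
```

The parser walks code units rather than bytes, stops only at the empty string that closes the block, and treats a block without that terminator as truncated instead of reading past its end, which is the check to have when the bytes come from a raw dump rather than from GetEnvironmentStrings.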
1.2 NT_TIB
Each thread has an area where its basic information is recorded. The program has three threads, so presumably there are three such areas. Reading the contents of the fs register shows that the main thread's information is stored at 0x7ffdf000; here is its raw data:
0x7FFDF000 a8 ff 12 00 00 00 13 00 00 10 0e 00 00 00 00 00 ................
0x7FFDF010 00 1e 00 00 00 00 00 00 00 f0 fd 7f 00 00 00 00 ................
0x7FFDF020 30 0e 00 00 d4 07 00 00 00 00 00 00 00 00 00 00 0...............
0x7FFDF030 00 d0 fd 7f b7 00 00 00 00 00 00 00 00 00 00 00 ................
0x7FFDF040 00 b3 6e e3 00 00 00 00 00 00 00 00 00 00 00 00 ..n.............
Converting it into an NT_TIB structure:
ExceptionList         0x0012ffa8  _EXCEPTION_REGISTRATION_RECORD *
StackBase             0x00130000  void *
StackLimit            0x000e1000  void *
SubSystemTib          0x00000000  void *
FiberData             0x00001e00  void *
Version               0x00000000  unsigned long
ArbitraryUserPointer  0x7ffdf000  void *
Using the same method, the NT_TIB of another thread is found at 0x7ffde000.
0x7FFDE000 dc ff cd 00 00 00 ce 00 00 a0 cd 00 00 00 00 00 ................
0x7FFDE010 00 1e 00 00 00 00 00 00 00 e0 fd 7f 00 00 00 00 ................
0x7FFDE020 30 0e 00 00 c4 09 00 00 00 00 00 00 00 00 00 00 0...............
0x7FFDE030 00 d0 fd 7f 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x7FFDE040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Converting it into an NT_TIB structure:
ExceptionList         0x00cdffdc {Next=0xffffffff Handler=0x7c839ac0}  _EXCEPTION_REGISTRATION_RECORD *
StackBase             0x00ce0000  void *
StackLimit            0x00cda000  void *
SubSystemTib          0x00000000  void *
FiberData             0x00001e00  void *
Version               0x00001e00  unsigned long
ArbitraryUserPointer  0x00000000  void *
My guess is that each time a thread is created, its block is placed one block further down.
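As an added example that is not part of the original post, the following C code decodes the raw bytes of the two dumps above into the fields of the x86 NT_TIB as declared in winnt.h, reading little-endian dwords explicitly so it runs on any compiler. It also decodes the dword at +0x18, Self, which both dumps carry (00 f0 fd 7f and 00 e0 fd 7f): on 32-bit Windows fs:[0x18] holds this linear address, which is how the block is located from fs as described above, and it doubles as a consistency check that the bytes were read from the right place. FiberData and Version are a union in winnt.h, so both names read the same dword at +0x10.

```c
/* Added example, not code from the original post: decode a raw x86
 * NT_TIB (layout as declared in winnt.h) from dump bytes, then run the
 * consistency checks a reader of such a dump would apply. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 NT_TIB, 0x1c bytes. FiberData and Version share the dword at +0x10. */
typedef struct {
    uint32_t ExceptionList;        /* +0x00 _EXCEPTION_REGISTRATION_RECORD * */
    uint32_t StackBase;            /* +0x04 highest address of the stack */
    uint32_t StackLimit;           /* +0x08 lowest committed stack address */
    uint32_t SubSystemTib;         /* +0x0c */
    uint32_t FiberData;            /* +0x10 (union with Version) */
    uint32_t ArbitraryUserPointer; /* +0x14 */
    uint32_t Self;                 /* +0x18 linear address of this TIB */
} nt_tib32;

#define NT_TIB32_SIZE 0x1c

/* Raw bytes copied from the post's dumps at 0x7FFDF000 and 0x7FFDE000. */
static const uint8_t main_thread_raw[NT_TIB32_SIZE] = {
    0xa8,0xff,0x12,0x00, 0x00,0x00,0x13,0x00, 0x00,0x10,0x0e,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x1e,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0xf0,0xfd,0x7f };
static const uint8_t second_thread_raw[NT_TIB32_SIZE] = {
    0xdc,0xff,0xcd,0x00, 0x00,0x00,0xce,0x00, 0x00,0xa0,0xcd,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x1e,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0xe0,0xfd,0x7f };

/* Read a little-endian dword without relying on host endianness or alignment. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode raw bytes into the struct. Returns 0 on success, -1 if the buffer is too short. */
int decode_tib32(const uint8_t *raw, size_t len, nt_tib32 *out) {
    if (raw == NULL || out == NULL || len < NT_TIB32_SIZE) return -1;
    out->ExceptionList        = rd32le(raw + 0x00);
    out->StackBase            = rd32le(raw + 0x04);
    out->StackLimit           = rd32le(raw + 0x08);
    out->SubSystemTib         = rd32le(raw + 0x0c);
    out->FiberData            = rd32le(raw + 0x10);
    out->ArbitraryUserPointer = rd32le(raw + 0x14);
    out->Self                 = rd32le(raw + 0x18);
    return 0;
}

/* Version is the same dword as FiberData (union in winnt.h). */
uint32_t tib32_version(const nt_tib32 *t) { return t->FiberData; }

/* Plausibility checks: Self must equal the address the bytes were read
 * from, and the committed stack must lie below its base. */
int tib32_is_consistent(const nt_tib32 *t, uint32_t read_from) {
    return t->Self == read_from && t->StackLimit < t->StackBase;
}

/* Committed stack size in bytes (StackBase - StackLimit). */
uint32_t tib32_committed_stack(const nt_tib32 *t) { return t->StackBase - t->StackLimit; }

/* Convenience wrappers for the two dumps in the post. */
nt_tib32 main_thread_tib(void)   { nt_tib32 t = {0}; decode_tib32(main_thread_raw, sizeof main_thread_raw, &t); return t; }
nt_tib32 second_thread_tib(void) { nt_tib32 t = {0}; decode_tib32(second_thread_raw, sizeof second_thread_raw, &t); return t; }
int main_thread_consistent(void)   { nt_tib32 t = main_thread_tib();   return tib32_is_consistent(&t, 0x7ffdf000u); }
int second_thread_consistent(void) { nt_tib32 t = second_thread_tib(); return tib32_is_consistent(&t, 0x7ffde000u); }
uint32_t main_thread_stack(void)   { nt_tib32 t = main_thread_tib();   return tib32_committed_stack(&t); }
uint32_t second_thread_stack(void) { nt_tib32 t = second_thread_tib(); return tib32_committed_stack(&t); }

static void print_tib(const char *label, uint32_t addr, const nt_tib32 *t) {
    printf("%s @ 0x%08x\n", label, addr);
    printf("  ExceptionList        0x%08x\n", t->ExceptionList);
    printf("  StackBase            0x%08x\n", t->StackBase);
    printf("  StackLimit           0x%08x  (committed 0x%x bytes)\n", t->StackLimit, tib32_committed_stack(t));
    printf("  FiberData/Version    0x%08x\n", tib32_version(t));
    printf("  ArbitraryUserPointer 0x%08x\n", t->ArbitraryUserPointer);
    printf("  Self                 0x%08x  consistent=%d\n", t->Self, tib32_is_consistent(t, addr));
}

int main(void) {
    nt_tib32 a = main_thread_tib(), b = second_thread_tib();
    print_tib("main thread", 0x7ffdf000u, &a);
    print_tib("second thread", 0x7ffde000u, &b);
    return 0;
}
```

Decoding dword by dword instead of casting the buffer to a struct avoids depending on the host's endianness and padding, and the Self check catches the common mistake of dumping the wrong page: a block whose Self does not equal the address it was read from is not a TIB, however plausible its other fields look.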
1.3 Others
There is also 0x7ffe0000, whose purpose is not clear; I'll just make a note of it.