User process address space on XP (8): MEM_MAPPED
Source: web   Author: 快乐虾   Updated: 2011-08-11

  After taking away everything covered in the earlier parts, the memory map still contains a pile of MEM_MAPPED regions, blocks like this one (each flag field is shown as the raw value from MEMORY_BASIC_INFORMATION followed by its symbolic name):

  BaseAddress  AllocationBase  AllocationProtect       RegionSize  State                Protect                 Type
  00140000     00140000        00000002 PAGE_READONLY  00001000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED

  MSDN explains the MEM_MAPPED type as follows:

  Indicates that the memory pages within the region are mapped into the view of a section.

  Naturally the next step is GetMappedFileName, to see which file is mapped into each of these regions, and the following blocks do turn out to be file mappings: the NLS tables that the locale and sorting APIs use. (GetMappedFileName returns the NT device path rather than a drive letter, which is why the names below start with \Device\HarddiskVolume3.)

  BaseAddress  AllocationBase  AllocationProtect       RegionSize  State                Protect                 Type                 Mapped file
  00270000     00270000        00000002 PAGE_READONLY  00016000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED  \Device\HarddiskVolume3\WINDOWS\system32\unicode.nls
  00290000     00290000        00000002 PAGE_READONLY  00041000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED  \Device\HarddiskVolume3\WINDOWS\system32\locale.nls
  002e0000     002e0000        00000002 PAGE_READONLY  00041000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED  \Device\HarddiskVolume3\WINDOWS\system32\sortkey.nls
  00330000     00330000        00000002 PAGE_READONLY  00006000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED  \Device\HarddiskVolume3\WINDOWS\system32\sorttbls.nls
  003b0000     003b0000        00000002 PAGE_READONLY  00003000    00001000 MEM_COMMIT  00000002 PAGE_READONLY  00040000 MEM_MAPPED  \Device\HarddiskVolume3\WINDOWS\system32\ctype.nls

  So where does the rest come from?

  Calling GetLastError after one of the failed GetMappedFileName calls gives: "error: 000003ee : The volume for a file has been externally altered so that the opened file is no longer valid." Mysterious! In a fit of pique I unmapped those blocks with UnmapViewOfFile, and the program crashed on the spot.

  Both results have the same explanation. 0x3EE is ERROR_FILE_INVALID, and it is also what GetMappedFileName reports for a view whose section is not backed by a file at all: a pagefile-backed section (CreateFileMapping with INVALID_HANDLE_VALUE) simply has no file name to return. Regions of that kind are shared memory that other components have set up inside the process and are still using (the handle list further down shows a number of named sections owned by the MSPY input method, for instance), so tearing their views down from under them is exactly what the crash reflects.

  Let's write a bit of code to list the handles currently open in the process and see whether any of them are file mappings:

#include <windows.h>
#include <winternl.h>   // NTSTATUS, UNICODE_STRING
#include <stdio.h>
#include <stdlib.h>

// Undocumented pieces that are not in the SDK headers (values are the XP ones)
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif
#define STATUS_INFO_LENGTH_MISMATCH_ ((NTSTATUS)0xC0000004L)
#define SYS_HANDLE_INFORMATION 16        // SystemHandleInformation
#define OBJ_NAME_INFORMATION   1         // ObjectNameInformation
#define OBJ_TYPE_INFORMATION   2         // ObjectTypeInformation

typedef struct _SYSTEM_HANDLE_ENTRY {    // SYSTEM_HANDLE_TABLE_ENTRY_INFO
    USHORT ProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR  ObjectTypeIndex;
    UCHAR  HandleAttributes;
    USHORT Handle;
    PVOID  Object;
    ULONG  GrantedAccess;
} SYSTEM_HANDLE_ENTRY;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_ENTRY Handles[1];
} SYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NTQUERYOBJECT)(HANDLE, ULONG, PVOID, ULONG, PULONG);

void enum_handles(HANDLE hProcess)
{
     // Enumerate the handles already open in hProcess and print their type and name
     HMODULE hNtDll = GetModuleHandleA("ntdll.dll");       // ntdll.dll handle
     ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
         (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "ZwQuerySystemInformation");
     NTQUERYOBJECT NtQueryObject = (NTQUERYOBJECT)GetProcAddress(hNtDll, "NtQueryObject");
     SYSTEM_HANDLE_INFORMATION *hInfo = NULL;
     ULONG nSize = 0x40000, nRet = 0, i, nCount = 0;      // nCount: handles of this process
     NTSTATUS Status;
     DWORD nId = GetProcessId(hProcess);
     BYTE cTypeBuf[0x1000], cNameBuf[0x1000];

     if (!ZwQuerySystemInformation || !NtQueryObject) return;

     // The table covers every handle on the system, so grow a heap buffer until it fits
     // (a fixed 256 KB buffer just gets STATUS_INFO_LENGTH_MISMATCH on a busy machine)
     do {
         free(hInfo);
         hInfo = (SYSTEM_HANDLE_INFORMATION *)malloc(nSize);
         if (!hInfo) return;
         Status = ZwQuerySystemInformation(SYS_HANDLE_INFORMATION, hInfo, nSize, &nRet);
         nSize *= 2;
     } while (Status == STATUS_INFO_LENGTH_MISMATCH_);
     if (!NT_SUCCESS(Status)) { free(hInfo); return; }

     printf("%-6s %-14s %s\n", "handle", "type", "name");
     for (i = 0; i < hInfo->NumberOfHandles; i++)
     {
          SYSTEM_HANDLE_ENTRY *e = &hInfo->Handles[i];
          HANDLE hDup;
          UNICODE_STRING *pType = NULL, *pName = NULL;

          if (e->ProcessId != nId) continue;
          // A handle value only means something inside its own process, so duplicate it
          // into ours before querying (for our own process this is just a second handle)
          if (!DuplicateHandle(hProcess, (HANDLE)(ULONG_PTR)e->Handle, GetCurrentProcess(),
                               &hDup, 0, FALSE, DUPLICATE_SAME_ACCESS)) continue;
          // ObjectTypeInformation (2) and ObjectNameInformation (1) each start with a
          // UNICODE_STRING; ObjectAllInformation (3) describes the object-type table,
          // not this handle, so it cannot yield a name
          if (NT_SUCCESS(NtQueryObject(hDup, OBJ_TYPE_INFORMATION, cTypeBuf, sizeof cTypeBuf, &nRet)))
              pType = (UNICODE_STRING *)cTypeBuf;
          // Known hang: asking for the name of a named-pipe handle opened for synchronous
          // I/O blocks until data arrives; handle enumerators skip that tell-tale access mask
          if (e->GrantedAccess != 0x0012019F &&
              NT_SUCCESS(NtQueryObject(hDup, OBJ_NAME_INFORMATION, cNameBuf, sizeof cNameBuf, &nRet)))
              pName = (UNICODE_STRING *)cNameBuf;
          printf("%-6x %-14.*S %.*S\n", e->Handle,
                 pType ? pType->Length / 2 : 1, pType ? pType->Buffer : L"?",
                 (pName && pName->Buffer) ? pName->Length / 2 : 6,
                 (pName && pName->Buffer) ? pName->Buffer : L"(null)");
          CloseHandle(hDup);
          nCount++;
     }
     free(hInfo);
}

  There are reports online that NtQueryObject can hang the program, but I did not run into that here, oddly enough. (The hang is specific: NtQueryObject with ObjectNameInformation blocks on a named-pipe handle opened for synchronous I/O when the other end has nothing to read, and a process that holds no such handle never sees it.) The code above yields the following handle list:

  Handle  Type           Name
  0c      File           \Device\HarddiskVolume5\embedetools\Debug\bin
  24c     Mutant         \BaseNamedObjects\DBWinMutex
  e54     Section        (null)
  e60     Section        \BaseNamedObjects\P???Lx.DAT!Memo
  e64     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  e68     Section        (null)
  e94     Section        (null)
  e98     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGVR.IMD
  e9c     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGID.IMD
  ea0     Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  ea4     Section        (null)
  ea8     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  eb4     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGC.IMD
  ed0     Mutant         \BaseNamedObjects\LocalMutex2341MSPYhld23qwe2527
  ee4     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGIX.IMD
  ee8     Section        (null)
  eec     Section        (null)
  ef0     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGL.IMD
  ef8     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGS.IMD
  f0c     Section        (null)
  f10     Section        (null)
  f24     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGDX.IMD
  f2c     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  f30     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGCF.IMD
  f38     Section        (null)
  f3c     Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  f44     Section        \BaseNamedObjects\P???Sx.DAT!Memo
  f5c     Section        \BaseNamedObjects\P???Lx.DAT!Memo
  f80     Section        \BaseNamedObjects\P???Lx.DAT!Memo
  f8c     Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  f9c     Section        \BaseNamedObjects\GlobalFileMappingTrigramMSPYhld23qwe2527
  fb8     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGI.IMD
  fc0     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGR.IMD
  fc4     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGD.IMD
  fd4     Section        \BaseNamedObjects\P???Sx.DAT!Memo
  fe4     Section        \BaseNamedObjects\P???Lx.DAT!Memo
  ff0     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGT.IMD
  ff4     File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  ff8     Section        (null)
  1004    Section        \BaseNamedObjects\CfgMappingMSPYqeuir9hj
  100c    Section        \BaseNamedObjects\P???Lx.DAT!Memo
  1024    Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  1028    Section        (null)
  103c    Section        \BaseNamedObjects\P???Sx.DAT!Memo
  1048    Section        \BaseNamedObjects\P???Lx.DAT!Memo
  1050    File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  1054    Section        \BaseNamedObjects\P???Sx.DAT!Memo
  1064    Section        (null)
  106c    File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD
  1070    Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  107c    Section        \BaseNamedObjects\P???Sx.DAT!Memo
  1094    Section        \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527
  109c    File           \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGDM.IMD
  10a0    Section        \BaseNamedObjects\P???Sx.DAT!Memo
  1214    Event          \BaseNamedObjects\mixercallback
  122c    Event          \BaseNamedObjects\hardwaremixercallback
  1724    File           \Device\HarddiskVolume5\embedetools\Debug\bin\handle.htm
  1728    Event          (null)
  172c    Mutant         \BaseNamedObjects\tty_list::mutex.0
  1730    Event          (null)
  1734    Event          (null)
  1738    Semaphore      (null)
  173c    Semaphore      (null)
  1740    Section        \BaseNamedObjects\S-1-5-21-1390067357-839522115-1343024091-1011.1
  1744    Directory      \BaseNamedObjects\cygwin.dll
  1748    Semaphore      (null)
  174c    Key            \REGISTRY\USER
  1750    Section        \BaseNamedObjects\shared.5
  1754    Port           (null)
  1758    Event          (null)
  175c    Token          (null)
  1760    Thread         (null)
  1764    Process        (null)
  1768    Event          (null)
  176c    Event          (null)
  1770    Event          (null)
  1774    Semaphore      (null)
  1778    Semaphore      (null)
  177c    Semaphore      (null)
  1780    Semaphore      (null)
  1784    Semaphore      (null)
  1788    Semaphore      (null)
  178c    Semaphore      (null)
  1790    Event          (null)
  1794    Key            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
  1798    Event          (null)
  179c    Key            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
  17a0    Event          (null)
  17a4    Thread         (null)
  17a8    File           \Device\HarddiskVolume3\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
  17ac    File           \Device\KsecDD
  17b0    Directory      \BaseNamedObjects
  17b4    Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
  17b8    Key            \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
  17bc    Semaphore      (null)
  17c0    Semaphore      (null)
  17c4    Event          (null)
  17c8    Desktop        \Default
  17cc    Event          (null)
  17d0    WindowStation  \Windows\WindowStations\WinSta0
  17d4    Key            \REGISTRY\MACHINE
  17d8    Semaphore      (null)
  17dc    Semaphore      (null)
  17e0    WindowStation  \Windows\WindowStations\WinSta0
  17e4    Event          (null)
  17e8    File           \Device\HarddiskVolume3\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_597c3456
  17ec    Port           (null)
  17f0    Directory      \Windows
  17f4    File           \Device\HarddiskVolume3\WINDOWS\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_597c3456
  17f8    Directory      \KnownDlls
  17fc    KeyedEvent     \KernelObjects\CritSecOutOfMemoryEvent

  As you can see, the system maps quite a few section objects into the process! As for which section object goes with which memory block, that is beyond my ability for now, so I'll leave a marker here and come back to it.

  (VirtualQueryEx describes only the view, not the section behind it, and the Object field of each handle-table entry is a kernel-mode address, so the correlation cannot be read from user mode at all; it can be made from a kernel debugger, which sees both the handle table's object pointers and the process's VADs.)
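  The enumeration above reads the SystemHandleInformation buffer using whatever structure layout the compiler gives it on the machine it runs on. As an added example (not code from the original post), here is a stand-alone parser for that buffer in C that makes the layout explicit for both the 16-byte x86 entries XP uses and the 24-byte x64 entries, where the array itself starts at offset 8 rather than 4, and that flags the synchronous-pipe access mask whose name query makes NtQueryObject block. The table it parses is constructed (the PIDs, handle values, type indexes and object addresses are made up), and parse_handle_table, build_sample_table and should_query_name are names chosen here, not ntdll's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SYSTEM_HANDLE_TABLE_ENTRY_INFO as ntdll lays it out: 16 bytes on x86, 24 on
 * x64 (the PVOID Object forces 8-byte alignment, and the entry array then
 * starts at offset 8 rather than 4, so "count + 4 bytes" is x86-only). */
typedef struct {
    uint16_t ProcessId;         /* USHORT in this class: PIDs above 65535 wrap */
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;   /* index into the object-type table, not a name */
    uint8_t  HandleAttributes;
    uint16_t HandleValue;       /* the handle as seen inside ProcessId */
    uint64_t Object;            /* kernel-mode address of the object, zero-extended */
    uint32_t GrantedAccess;
} HandleEntry;

/* Access mask of a named-pipe handle opened for synchronous I/O: asking
 * NtQueryObject for its name can block until the pipe has data (the reported
 * "NtQueryObject hangs the program"), so handle enumerators skip it. */
#define SYNC_PIPE_ACCESS 0x0012019Fu

int should_query_name(const HandleEntry *h) { return h->GrantedAccess != SYNC_PIPE_ACCESS; }

/* Parse a raw SystemHandleInformation buffer (little-endian host assumed) and
 * copy the entries that belong to pid into out.  ptr_size is 4 for a buffer from
 * a 32-bit kernel (XP x86) and 8 for a 64-bit one.  Returns the number of
 * matching entries (counting past max_out), or -1 if the buffer is truncated. */
int parse_handle_table(const uint8_t *buf, size_t len, unsigned ptr_size,
                       uint16_t pid, HandleEntry *out, size_t max_out)
{
    size_t es = (ptr_size == 8) ? 24 : 16, first = (ptr_size == 8) ? 8 : 4, i;
    uint32_t count;
    int n = 0;

    if (len < first) return -1;
    memcpy(&count, buf, 4);
    if (count > (len - first) / es) return -1;   /* caller must retry with a bigger buffer */
    for (i = 0; i < count; i++) {
        const uint8_t *e = buf + first + i * es;
        HandleEntry h;
        memset(&h, 0, sizeof h);
        memcpy(&h.ProcessId, e, 2);
        memcpy(&h.CreatorBackTraceIndex, e + 2, 2);
        h.ObjectTypeIndex  = e[4];
        h.HandleAttributes = e[5];
        memcpy(&h.HandleValue, e + 6, 2);
        memcpy(&h.Object, e + 8, ptr_size);
        memcpy(&h.GrantedAccess, e + 8 + ptr_size, 4);
        if (h.ProcessId != pid) continue;
        if ((size_t)n < max_out) out[n] = h;
        n++;
    }
    return n;
}

/* Constructed sample, not a real dump: one handle of the System process plus three
 * of process 0xabc (a file, a synchronous pipe, a section), in either layout. */
static void put_entry(uint8_t *e, unsigned ptr_size, uint16_t pid, uint16_t handle,
                      uint8_t type, uint64_t object, uint32_t access)
{
    memset(e, 0, (ptr_size == 8) ? 24 : 16);
    memcpy(e, &pid, 2);
    e[4] = type;
    memcpy(e + 6, &handle, 2);
    memcpy(e + 8, &object, ptr_size);
    memcpy(e + 8 + ptr_size, &access, 4);
}

size_t build_sample_table(uint8_t *buf, size_t cap, unsigned ptr_size)
{
    size_t es = (ptr_size == 8) ? 24 : 16, first = (ptr_size == 8) ? 8 : 4;
    uint32_t count = 4;
    if (cap < first + count * es) return 0;
    memset(buf, 0, first + count * es);
    memcpy(buf, &count, 4);
    put_entry(buf + first + 0 * es, ptr_size, 0x0004, 0x0004, 5,  0x81a0f020u, 0x001f0fff);
    put_entry(buf + first + 1 * es, ptr_size, 0x0abc, 0x000c, 28, 0x8123f5e0u, 0x00100020);
    put_entry(buf + first + 2 * es, ptr_size, 0x0abc, 0x0024, 28, 0x8123a1b8u, SYNC_PIPE_ACCESS);
    put_entry(buf + first + 3 * es, ptr_size, 0x0abc, 0x0e54, 20, 0x8179c8d0u, 0x000f0007);
    return first + count * es;
}

int main(void)
{
    uint8_t sample[256];
    HandleEntry ents[16];
    size_t len = build_sample_table(sample, sizeof sample, 4);
    int i, n = parse_handle_table(sample, len, 4, 0x0abc, ents, 16);
    printf("sample (x86 layout): %d handles belong to pid 0xabc\n", n);
    for (i = 0; i < n; i++)
        printf("  %04x type=%-3u object=%08llx access=%08x%s\n", ents[i].HandleValue,
               (unsigned)ents[i].ObjectTypeIndex, (unsigned long long)ents[i].Object,
               ents[i].GrantedAccess,
               should_query_name(&ents[i]) ? "" : "  (sync pipe: skip the name query)");
    return 0;
}
```

On a real machine the buffer handed to parse_handle_table is the one ZwQuerySystemInformation fills after the grow-and-retry loop, with ptr_size equal to sizeof(void *) of the kernel that produced it; feeding an x64 buffer through the x86 offsets does not fail loudly, it just finds nothing for the PID, which is the failure mode worth testing for.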
