在本项目里使用了自行编译的一个DLL—cywin.dll,这个DLL占用的内存块出奇的多:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
10000000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
10001000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 000a5000 | 00001000 MEM_COMMIT | 00000020 PAGE_EXECUTE_READ | 01000000 MEM_IMAGE |
100a6000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00038000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
100de000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00082000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10160000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 0007f000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
101df000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
101e1000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 0000f000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
101f0000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
101f1000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00010000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10201000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10202000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT<�/p> | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10209000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
1020a000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10211000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10213000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
1021a000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
1021c000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
1021d000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
1021e000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00011000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
1022f000 | 00000000 | 00000000 | 00251000 | 00010000 MEM_FREE | 00000001 PAGE_NOACCESS | 00000000 |
同样把文件里的内容dump出来进行比较。
1.1 文件头
通过DUMP出来的文件头,可以发现它的Directory比其它的DLL要多,不知道是不是也因此比前面加载的每一个系统DLL要多几个内存块。
OPTIONAL HEADER VALUES
10B magic # (PE32)
9.00 linker version
A5000 size of code
48A00 size of initialized data
0 size of uninitialized data
A17E0 entry point (100A17E0) __DllMainCRTStartup@12
1000 base of code
A6000 base of data
10000000 image base (10000000 to 1022EFFF)
1000 section alignment
200 file alignment
0.00 image version
5.00 subsystem version
0 Win32 version
22F000 size of image
400 size of headers
FDA97 checksum
2 subsystem (Windows GUI)
140 DLL characteristics
Dynamic base
NX compatible
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
DC130 [ 11AB] RVA [size] of Export Directory
D9B5C [ F0] RVA [size] of Import Directory
21E000 [ 2B4] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
21F000 [ E790] RVA [size] of Base Relocation Directory
A6630 [ 1C] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
D6DB0 [ 40] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
A6000 [ 56C] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
Windows一如既往地分配一块空间给它:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
10000000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
还是满足了此文件提出的空间请求。
1.2 代码段
从文件中DUMP出来的section head:
SECTION HEADER #1
.text name
A4E4C virtual size
1000 virtual address (10001000 to 100A5E4B)
A5000 size of raw data
400 file pointer to raw data (00000400 to 000A53FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
Windows分配的内存:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
10001000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 000a5000 | 00001000 MEM_COMMIT | 00000020 �PAGE_EXECUTE_READ | 01000000 MEM_IMAGE |
这个也没什么说的,原样地从文件里面把内容COPY出来。
1.3 只读数据段
这个段的section head:
SECTION HEADER #2
.rdata name
372DB virtual size
A6000 virtual address (100A6000 to 100DD2DA)
37400 size of raw data
A5400 file pointer to raw data (000A5400 to 000DC7FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
Windows为其分配的内存块:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
100a6000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00038000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
恰好满足文件提出的请求。
1.4 数据段
下面是文件中定义的section head:
SECTION HEADER #3
.data name
13FEBC virtual size
DE000 virtual address (100DE000 to 1021DEBB)
1C00 size of raw data
DC800 file pointer to raw data (000DC800 to 000DE3FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
看看windows为其分配的内存块:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
100de000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00082000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10160000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 0007f000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
101df000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
101e1000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 0000f000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
101f0000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
101f1000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00010000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10201000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10202000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10209000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
1020a000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
10211000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
10213000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00007000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
1021a000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00002000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
1021c000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000008 PAGE_WRITECOPY | 01000000 MEM_IMAGE |
1021d000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00001000 | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
从section head信息的这一行
1C00 size of raw data
及cygwin.dll里面的全局变量的地址可以知道,这个DLL里的全局变量应该只存在于这个内存块中:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
101df000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | <00002000 <�/td> | 00001000 MEM_COMMIT | 00000004 PAGE_READWRITE | 01000000 MEM_IMAGE |
至于其它的内存块,应该是和文件头里的Directory相关的,暂时先放过它。
1.5 .rsrc和.reloc
文件头里定义的section head:
SECTION HEADER #4
.rsrc name
2B4 virtual size
21E000 virtual address (1021E000 to 1021E2B3)
400 size of raw data
DE400 file pointer to raw data (000DE400 to 000DE7FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #5
.reloc name
F5FA virtual size
21F000 virtual address (1021F000 to 1022E5F9)
F600 size of raw data
DE800 file pointer to raw data (000DE800 to 000EDDFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
实际上windows让这两个section共用一个内存块:
基址 | 分配基址 | 分配保护 | 大小 | 状态 | 保护 | 类型 |
1021e000 | 10000000 | 00000080 PAGE_EXECUTE_WRITECOPY | 00011000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 01000000 MEM_IMAGE |
编缉推荐阅读以下文章
版权与免责声明
1、本站所发布的文章仅供技术交流参考,本站不主张将其做为决策的依据,浏览者可自愿选择采信与否,本站不对因采信这些信息所产生的任何问题负责。
2、本站部分文章来源于网络,其版权为原权利人所有。由于来源之故,有的文章未能获得作者姓名,署“未知”或“佚名”。对于这些文章,有知悉作者姓名的请告知本站,以便及时署名。如果作者要求删除,我们将予以删除。除此之外本站不再承担其它责任。
3、本站部分文章来源于本站原创,本站拥有所有权利。
4、如对本站发布的信息有异议,请联系我们,经本站确认后,将在三个工作日内做出修改或删除处理。
请参阅权责声明!