Specifically, how does VMMap know that a given memory region is a thread stack?
I've been using Mark Russinovich's VMMap to map out the Virtual Memory for a process I'm analyzing. Using VirtualQueryEx, I can walk the space of an external process and get information on the memory regions within the process's address space. These regions match up with VMMap, sure, but VirtualQueryEx only tells me if memory is committed/reserved/free and whether it's private/shared/image.
I can't find any other documented ways to query process virtual memory. VMMap seems to know a way to query the memory in such a way as to understand if it's "Private Data" or "Thread Stack". VirtualQueryEx labels both of those as MEM_PRIVATE. So how does VMMap make that distinction?
Is there another API function that I can use to discern those details?
Comments (2)
Mark Russinovich never shares his secrets; he has many. I imagine it could be found from the undocumented thread environment block, although I don't see great candidates. A better lead could be the page attributes. It uses MEM_TOP_DOWN; only stacks have that (check VirtualAlloc). And the combination with the guard page, the one that trips the StackOverflowException, would make it completely unambiguous. That's the way I would do it anyway.
I suspect it just goes and looks for all of the TEBs. Remember that ProcExp has a kernel-mode driver that collects much of its data. From the EPROCESS, the ThreadListHead lets you find all of the ETHREAD/KTHREADs, and the KTHREAD has the address of the TEB.
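The following is an added example written for this page; it is not code from the asker, from either commenter, or from VMMap, and the page does not establish how VMMap itself is implemented. It is the user-mode (no driver) form of the TEB idea in the second comment: for each thread of the target, NtQueryInformationThread yields the TEB address, ReadProcessMemory pulls the NT_TIB at the start of the TEB, and NT_TIB.StackBase (the high end of the stack) is fed to VirtualQueryEx, whose AllocationBase identifies the single reservation that holds the whole stack (reserved tail, PAGE_GUARD page, committed pages). Every region reporting that AllocationBase is then labelled "Thread Stack"; remaining MEM_PRIVATE regions stay "Private Data". Assumptions: the THREAD_BASIC_INFORMATION layout and class value 0 are undocumented but long stable; the tool must be built with the same bitness as the target, because under WOW64 the 64-bit TEB's NT_TIB describes the 64-bit stack, not the 32-bit one; SAMPLE and SAMPLE_STACKS are constructed data, not captured from a real process, so that classify() can be checked off Windows.

```c
/* stackmap.c: label each VirtualQueryEx region VMMap-style, identifying thread
 * stacks through each thread's TEB rather than through allocation flags (which
 * MEMORY_BASIC_INFORMATION does not report). The Windows calls live under
 * _WIN32; classify() is portable. Build: cl /W4 stackmap.c, run: stackmap <pid>
 * (same bitness as the target; defaults to the current process). */
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef MEM_COMMIT  /* same values as <windows.h>, so the classifier builds off-Windows too */
#define MEM_COMMIT  0x1000u
#define MEM_RESERVE 0x2000u
#define MEM_FREE    0x10000u
#define MEM_PRIVATE 0x20000u
#define MEM_MAPPED  0x40000u
#define MEM_IMAGE   0x1000000u
#define PAGE_GUARD  0x100u
#endif

typedef struct {  /* the MEMORY_BASIC_INFORMATION fields the classifier needs */
    uintptr_t base, alloc_base, size;
    unsigned state, type, protect;
} region_t;

/* VMMap-style label for one region, given the AllocationBase of every thread stack. */
const char *classify(const region_t *r, const uintptr_t *stacks, size_t nstacks)
{
    if (r->state == MEM_FREE) return "Free";
    for (size_t i = 0; i < nstacks; i++)
        if (r->alloc_base == stacks[i])
            return (r->protect & PAGE_GUARD) ? "Thread Stack (guard page)" : "Thread Stack";
    if (r->type == MEM_IMAGE)  return "Image";
    if (r->type == MEM_MAPPED) return "Mapped";
    return "Private Data";  /* MEM_PRIVATE, but no thread's TEB points into it */
}

/* Constructed sample (not captured from a real process): a 1 MiB stack reserved at
 * 0x7ff00000 and committed from the top, plus an unrelated private region and a
 * free gap. Every stack piece shares alloc_base 0x7ff00000 although base differs. */
static const uintptr_t SAMPLE_STACKS[] = { 0x7ff00000u };
static const region_t  SAMPLE[] = {
    { 0x7ff00000u, 0x7ff00000u, 0xfc000u, MEM_RESERVE, MEM_PRIVATE, 0 },
    { 0x7fffc000u, 0x7ff00000u, 0x1000u,  MEM_COMMIT,  MEM_PRIVATE, 0x04u | PAGE_GUARD },
    { 0x7fffd000u, 0x7ff00000u, 0x3000u,  MEM_COMMIT,  MEM_PRIVATE, 0x04u },
    { 0x00a00000u, 0x00a00000u, 0x10000u, MEM_COMMIT,  MEM_PRIVATE, 0x04u },
    { 0x00b00000u, 0,           0x10000u, MEM_FREE,    0,           0x01u },
};
const char *classify_sample(size_t i) { return classify(&SAMPLE[i], SAMPLE_STACKS, 1); }

#ifdef _WIN32
/* Assumed, undocumented layout of THREAD_BASIC_INFORMATION (class 0). */
typedef struct { LONG ExitStatus; PVOID TebBaseAddress; struct { HANDLE p, t; } ClientId;
                 ULONG_PTR AffinityMask; LONG Priority, BasePriority; } tbi_t;
typedef LONG (WINAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* One AllocationBase per thread of pid: TEB -> NT_TIB.StackBase (high end of the
 * stack) -> VirtualQueryEx on the byte just below it -> the stack's reservation. */
static size_t find_stacks(HANDLE proc, DWORD pid, uintptr_t *out, size_t max)
{
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { sizeof te };
    size_t n = 0;
    if (!NtQIT || snap == INVALID_HANDLE_VALUE) return 0;
    for (BOOL ok = Thread32First(snap, &te); ok && n < max; ok = Thread32Next(snap, &te)) {
        tbi_t tbi; NT_TIB tib; MEMORY_BASIC_INFORMATION mbi;
        if (te.th32OwnerProcessID != pid) continue;
        HANDLE th = OpenThread(THREAD_QUERY_INFORMATION, FALSE, te.th32ThreadID);
        if (th && NtQIT(th, 0, &tbi, sizeof tbi, NULL) >= 0
            && ReadProcessMemory(proc, tbi.TebBaseAddress, &tib, sizeof tib, NULL)
            && VirtualQueryEx(proc, (char *)tib.StackBase - 1, &mbi, sizeof mbi))
            out[n++] = (uintptr_t)mbi.AllocationBase;
        if (th) CloseHandle(th);
    }
    CloseHandle(snap);
    return n;
}

int main(int argc, char **argv)
{
    uintptr_t stacks[1024];
    DWORD pid = argc > 1 ? (DWORD)strtoul(argv[1], NULL, 10) : GetCurrentProcessId();
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!proc) { fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return 1; }
    size_t n = find_stacks(proc, pid, stacks, 1024);
    MEMORY_BASIC_INFORMATION mbi;
    for (char *p = NULL; VirtualQueryEx(proc, p, &mbi, sizeof mbi) == sizeof mbi;
         p = (char *)mbi.BaseAddress + mbi.RegionSize) {  /* stops past the user range */
        region_t r = { (uintptr_t)mbi.BaseAddress, (uintptr_t)mbi.AllocationBase,
                       mbi.RegionSize, mbi.State, mbi.Type, mbi.Protect };
        printf("%p %10zx %s\n", mbi.BaseAddress, mbi.RegionSize, classify(&r, stacks, n));
    }
    CloseHandle(proc);
    return 0;
}
#endif
```

Two practical notes. MEMORY_BASIC_INFORMATION carries State, Type and Protect but not the flags an allocation was made with, so MEM_TOP_DOWN cannot be recovered from VirtualQueryEx; keying on the TEB is what makes the stack reservation identifiable, and the guard page then shows up as PAGE_GUARD in Protect inside that same reservation. Other VMMap categories that are also plain MEM_PRIVATE to VirtualQueryEx, heaps in particular, need a separate source (for example walking the heap list), which this example does not attempt.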