User process address space allocation on XP (9): what is left?
2019-06-13


After removing the regions covered in the previous parts, let's look at what is still left in memory:

BaseAddress  AllocationBase  AllocationProtect        RegionSize  State                Protect                  Type
00010000     00010000        00000004 PAGE_READWRITE  00002000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffdd000     7ffdd000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffde000     7ffde000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffdf000     7ffdf000        00000004 PAGE_READWRITE  00001000    00001000 MEM_COMMIT  00000004 PAGE_READWRITE  00020000 MEM_PRIVATE
7ffe0000     7ffe0000        00000002 PAGE_READONLY   00001000    00001000 MEM_COMMIT  00000002 PAGE_READONLY   00020000 MEM_PRIVATE

These blocks are all fairly small. What exactly are they?

1.1 Environment block

Mao Decao's book 《Windows内核情景分析》 mentions something called the environment block (I believe that is the name), which sits at the very lowest position in memory. Let's look at its contents:

0x00010000 3d 00 3a 00 3a 00 3d 00 3a 00 3a 00 5c 00 00 00 3d 00 45 00 =::=::\.=E
0x00010014 3a 00 3d 00 45 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 :=E:\Progr
0x00010028 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 4d 00 am Files\M
0x0001003C 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 56 00 icrosoft V
0x00010050 69 00 73 00 75 00 61 00 6c 00 20 00 53 00 74 00 75 00 64 00 isual Stud
0x00010064 69 00 6f 00 20 00 39 00 2e 00 30 00 5c 00 56 00 43 00 5c 00 io 9.0\VC\
0x00010078 76 00 63 00 70 00 61 00 63 00 6b 00 61 00 67 00 65 00 73 00 vcpackages
0x0001008C 00 00 3d 00 46 00 3a 00 3d 00 46 00 3a 00 5c 00 65 00 6d 00 .=F:=F:\em
0x000100A0 62 00 65 00 64 00 5c 00 65 00 74 00 6f 00 6f 00 6c 00 73 00 bed\etools
0x000100B4 00 00 41 00 4c 00 4c 00 55 00 53 00 45 00 52 00 53 00 50 00 .ALLUSERSP
0x000100C8 52 00 4f 00 46 00 49 00 4c 00 45 00 3d 00 45 00 3a 00 5c 00 ROFILE=E:\
0x000100DC 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 73 00 20 00 Documents
0x000100F0 61 00 6e 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6e 00 and Settin
0x00010104 67 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 gs\All Use
0x00010118 72 00 73 00 00 00 41 00 50 00 50 00 44 00 41 00 54 00 41 00 rs.APPDATA
0x0001012C 3d 00 45 00 3a 00 5c 00 44 00 6f 00 63 00 75 00 6d 00 65 00 =E:\Docume
0x00010140 6e 00 74 00 73 00 20 00 61 00 6e 00 64 00 20 00 53 00 65 00 nts and Se
0x00010154 74 00 74 00 69 00 6e 00 67 00 73 00 5c 00 00 5f d1 53 05 80 ttings\开拓者
0x00010168 5c 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 \Applicati
0x0001017C 6f 00 6e 00 20 00 44 00 61 00 74 00 61 00 00 00 42 00 58 00 on Data.BX
0x00010190 53 00 48 00 41 00 52 00 45 00 3d 00 2e 00 00 00 43 00 44 00 SHARE=..CD
0x000101A4 53 00 52 00 4f 00 4f 00 54 00 3d 00 65 00 3a 00 5c 00 65 00 SROOT=e:\e

It is all Unicode text. Comparing it with the system environment variables, the differences are fairly obvious, but both the system environment variables and the user environment variables have their definitions in this memory region. I tried adding a definition to the user environment variables and re-ran the program, and sure enough the new environment variable showed up in this region.

1.2 NT_TIB

Every thread has a block that records its basic information. The program has three threads, so there should be three such blocks. Reading the contents of fs shows that the main thread's block is stored at 0x7ffdf000. Here is its raw data:

0x7FFDF000  a8 ff 12 00 00 00 13 00 00 10 0e 00 00 00 00 00  ................
0x7FFDF010  00 1e 00 00 00 00 00 00 00 f0 fd 7f 00 00 00 00  ................
0x7FFDF020  30 0e 00 00 d4 07 00 00 00 00 00 00 00 00 00 00  0...............
0x7FFDF030  00 d0 fd 7f b7 00 00 00 00 00 00 00 00 00 00 00  ................
0x7FFDF040  00 b3 6e e3 00 00 00 00 00 00 00 00 00 00 00 00  ..n.............

Interpreted as an NT_TIB structure:

ExceptionList 0x0012ffa8 _EXCEPTION_REGISTRATION_RECORD *
StackBase 0x00130000 void *
StackLimit 0x000e1000 void *
SubSystemTib 0x00000000 void *
FiberData 0x00001e00 void *
Version 0x00000000 unsigned long
ArbitraryUserPointer 0x7ffdf000 void *

Using the same method, the NT_TIB of another thread is found at 0x7ffde000.

0x7FFDE000  dc ff cd 00 00 00 ce 00 00 a0 cd 00 00 00 00 00  ................
0x7FFDE010  00 1e 00 00 00 00 00 00 00 e0 fd 7f 00 00 00 00  ................
0x7FFDE020  30 0e 00 00 c4 09 00 00 00 00 00 00 00 00 00 00  0...............
0x7FFDE030  00 d0 fd 7f 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x7FFDE040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Interpreted as an NT_TIB structure:

ExceptionList 0x00cdffdc {Next=0xffffffff Handler=0x7c839ac0 } _EXCEPTION_REGISTRATION_RECORD *
StackBase 0x00ce0000 void *
StackLimit 0x00cda000 void *
SubSystemTib 0x00000000 void *
FiberData 0x00001e00 void *
Version 0x00001e00 unsigned long
ArbitraryUserPointer 0x00000000 void *

Presumably each newly created thread gets another such block, and the blocks grow downward in memory.
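The two dumps above decoded the way the debugger's NT_TIB view does, as an added C example that is not part of the original post. The field order is the 32-bit NT_TIB layout from the public winnt.h header; the byte arrays are copied from the dumps above, and the Self field at offset 0x18 (not shown in the listings) is the pointer a thread obtains from fs:[0x18]. The plausibility check is my addition: it is the kind of test you would apply when scanning a full memory dump for thread blocks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit NT_TIB field order (public winnt.h): ExceptionList, StackBase,
 * StackLimit, SubSystemTib, FiberData/Version (one union slot),
 * ArbitraryUserPointer, Self: seven little-endian DWORDs, 0x1C bytes. */
typedef struct {
    uint32_t exception_list, stack_base, stack_limit, subsystem_tib;
    uint32_t fiber_data_or_version, arbitrary_user_pointer, self;
} nt_tib32;
/* Sample input constructed from the two dumps above (first 32 bytes each). */
const uint8_t tib_7ffdf000[32] = {
    0xa8,0xff,0x12,0x00, 0x00,0x00,0x13,0x00, 0x00,0x10,0x0e,0x00, 0,0,0,0,
    0x00,0x1e,0x00,0x00, 0,0,0,0, 0x00,0xf0,0xfd,0x7f, 0,0,0,0 };
const uint8_t tib_7ffde000[32] = {
    0xdc,0xff,0xcd,0x00, 0x00,0x00,0xce,0x00, 0x00,0xa0,0xcd,0x00, 0,0,0,0,
    0x00,0x1e,0x00,0x00, 0,0,0,0, 0x00,0xe0,0xfd,0x7f, 0,0,0,0 };
/* x86 memory is little-endian: assemble one DWORD at byte offset off. */
static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
/* Decode the seven NT_TIB fields from a raw byte dump. */
nt_tib32 decode_tib(const uint8_t *raw) {
    nt_tib32 t = { rd32(raw, 0x00), rd32(raw, 0x04), rd32(raw, 0x08),
                   rd32(raw, 0x0c), rd32(raw, 0x10), rd32(raw, 0x14),
                   rd32(raw, 0x18) };
    return t;
}
/* Plausibility check for a candidate block at address addr: Self must point
 * back at the block, the stack range must be ordered, and the SEH chain head
 * must lie inside that stack. Useful when scanning a whole memory dump for
 * thread blocks instead of trusting a single fs read. */
int looks_like_tib(nt_tib32 t, uint32_t addr) {
    return t.self == addr && t.stack_limit < t.stack_base &&
           t.exception_list >= t.stack_limit && t.exception_list < t.stack_base;
}
/* Bytes of stack currently committed for this thread (StackBase - StackLimit). */
uint32_t committed_stack(nt_tib32 t) { return t.stack_base - t.stack_limit; }

int main(void) {
    nt_tib32 a = decode_tib(tib_7ffdf000), b = decode_tib(tib_7ffde000);
    printf("main thread: self=%08x stack=%08x-%08x committed=%x ok=%d\n", a.self,
           a.stack_limit, a.stack_base, committed_stack(a), looks_like_tib(a, 0x7ffdf000u));
    printf("2nd thread:  self=%08x stack=%08x-%08x committed=%x ok=%d\n", b.self,
           b.stack_limit, b.stack_base, committed_stack(b), looks_like_tib(b, 0x7ffde000u));
    return 0;
}
```

Note that in both dumps the DWORD at offset 0x14 (ArbitraryUserPointer) is zero and the block's own address appears at offset 0x18 (Self), which is what a scanner should key on.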

1.3 Other

There is also 0x7ffe0000. What this block is used for is not clear yet, so I am leaving a marker here to come back to it.
