User-Program Address Space Allocation on XP (6): Loading a User DLL
2019-06-13


This project uses a self-compiled DLL, cygwin.dll, and this DLL occupies a surprisingly large number of memory blocks:

[Screenshot]

[Screenshot]

As before, dump the contents of the file for comparison.


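1.1 File header

The dumped file header shows that it has more directories than the other DLLs. I don't know whether this is also why it has several more memory blocks than each of the system DLLs loaded earlier.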

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            9.00 linker version
           A5000 size of code
           48A00 size of initialized data
               0 size of uninitialized data
           A17E0 entry point (100A17E0) [email protected]
            1000 base of code
           A6000 base of data
        10000000 image base (10000000 to 1022EFFF)
            1000 section alignment
             200 file alignment
            5.00 operating system version
            0.00 image version
            5.00 subsystem version
               0 Win32 version
          22F000 size of image
             400 size of headers
           FDA97 checksum
               2 subsystem (Windows GUI)
             140 DLL characteristics
                   Dynamic base
                   NX compatible
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
           DC130 [    11AB] RVA [size] of Export Directory
           D9B5C [      F0] RVA [size] of Import Directory
          21E000 [     2B4] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
          21F000 [    E790] RVA [size] of Base Relocation Directory
           A6630 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
           D6DB0 [      40] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           A6000 [     56C] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

As always, Windows allocates a block of space for it:

[Screenshot]

Again, this satisfies the space requested by the file.

1.2 Code section

The section header dumped from the file:

SECTION HEADER #1
   .text name
   A4E4C virtual size
    1000 virtual address (10001000 to 100A5E4B)
   A5000 size of raw data
     400 file pointer to raw data (00000400 to 000A53FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

The memory allocated by Windows:

[Screenshot]

There is not much to say about this one either: the contents are copied from the file as-is.

1.3 Read-only data section

The section header for this section:

SECTION HEADER #2
  .rdata name
   372DB virtual size
   A6000 virtual address (100A6000 to 100DD2DA)
   37400 size of raw data
   A5400 file pointer to raw data (000A5400 to 000DC7FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

The memory block Windows allocates for it:

[Screenshot]

It exactly satisfies the request made by the file.

1.4 Data section

Below is the section header defined in the file:

SECTION HEADER #3
   .data name
  13FEBC virtual size
   DE000 virtual address (100DE000 to 1021DEBB)
    1C00 size of raw data
   DC800 file pointer to raw data (000DC800 to 000DE3FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

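Look at the memory blocks Windows allocates for it:

[Screenshot]

[Screenshot]

From this line of the section header

1C00 size of raw data

and the addresses of the global variables in cygwin.dll, we can tell that this DLL's global variables should exist only in this memory block:

[Screenshot]

As for the other memory blocks, they are probably related to the directories in the file header; set them aside for now.

1.5 .rsrc and .reloc

The section headers defined in the file header: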

SECTION HEADER #4
   .rsrc name
     2B4 virtual size
  21E000 virtual address (1021E000 to 1021E2B3)
     400 size of raw data
   DE400 file pointer to raw data (000DE400 to 000DE7FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #5
  .reloc name
    F5FA virtual size
  21F000 virtual address (1021F000 to 1022E5F9)
    F600 size of raw data
   DE800 file pointer to raw data (000DE800 to 000EDDFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

In practice, Windows has these two sections share a single memory block:

[Screenshot]
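As an added example (not part of the original article), the Python sketch below packs the five section headers dumped above into a raw section table, parses it back, and computes the address range, file-backed size, zero-filled remainder and protection of each section once mapped. The function names are hypothetical; the layout rule it applies (virtual size rounded up to the section alignment, with whatever the raw data does not cover filled with zeros) is the standard PE image mapping rule, and the values are the ones shown in the dumps on this page.

```python
import struct

SECTION_ALIGNMENT = 0x1000   # "section alignment" from the optional header
IMAGE_BASE = 0x10000000      # "image base" from the optional header

# (name, virtual size, virtual address, raw size, raw pointer, flags),
# copied from the five section headers dumped on this page.
PAGE_SECTIONS = [
    (b".text",  0xA4E4C,  0x1000,   0xA5000, 0x400,   0x60000020),
    (b".rdata", 0x372DB,  0xA6000,  0x37400, 0xA5400, 0x40000040),
    (b".data",  0x13FEBC, 0xDE000,  0x1C00,  0xDC800, 0xC0000040),
    (b".rsrc",  0x2B4,    0x21E000, 0x400,   0xDE400, 0x40000040),
    (b".reloc", 0xF5FA,   0x21F000, 0xF600,  0xDE800, 0x42000040),
]
# 40-byte IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
HDR = struct.Struct("<8sIIIIIIHHI")

def build_table(rows):
    """Serialize rows into a raw section table (constructed test input)."""
    return b"".join(HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in rows)

def layout(table):
    """Return one dict per section describing how it is mapped."""
    out = []
    for off in range(0, len(table), HDR.size):
        name, vsize, va, rsize, _rp, _, _, _, _, flags = HDR.unpack_from(table, off)
        mapped = -(-vsize // SECTION_ALIGNMENT) * SECTION_ALIGNMENT
        backed = min(rsize, mapped)          # bytes taken from the file's raw data
        prot = "".join(c for c, bit in (("R", 0x40000000), ("W", 0x80000000),
                                        ("X", 0x20000000)) if flags & bit)
        out.append({"name": name.rstrip(b"\0").decode(),
                    "start": IMAGE_BASE + va, "end": IMAGE_BASE + va + mapped,
                    "file_backed": backed, "zero_fill": mapped - backed,
                    "prot": prot, "discardable": bool(flags & 0x02000000)})
    return out

def writable_and_executable(sections):
    """Sections that are both W and X, which would undermine NX."""
    return [s["name"] for s in sections if "W" in s["prot"] and "X" in s["prot"]]

if __name__ == "__main__":
    for s in layout(build_table(PAGE_SECTIONS)):
        print("%-6s %08X-%08X %-2s file=%6X zero=%6X" % (
            s["name"], s["start"], s["end"], s["prot"],
            s["file_backed"], s["zero_fill"]))
```

For .data it reports 0x1C00 bytes taken from the file and 0x13E400 zero-filled bytes, and the last section ends at 0x1022F000, the end of the image range given in the optional header. No section is both writable and executable, consistent with the "NX compatible" DLL characteristic.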
