Any tool(s) for knowing the layout (segments) of running process in Windows?
- by claws
I've always been curious about
How exactly the process looks in memory?
What are the different segments(parts) in it?
How exactly will be the program (on the disk) & process (in the memory) are related?
My previous question: http://stackoverflow.com/questions/1966920/more-info-on-memory-layout-of-an-executable-program-process
In my quest, I finally found a answer. I found this excellent article that cleared most of my queries: http://www.linuxforums.org/articles/understanding-elf-using-readelf-and-objdump_125.html
In the above article, author shows how to get different segments of the process (LINUX) & he compares it with its corresponding ELF file. I'm quoting this section here:
Courious to see the real layout of
process segment? We can use
/proc//maps file to reveal it.
is the PID of the process we
want to observe. Before we move on, we
have a small problem here. Our test
program runs so fast that it ends
before we can even dump the related
/proc entry. I use gdb to solve this.
You can use another trick such as
inserting sleep() before it calls
return().
In a console (or a terminal emulator
such as xterm) do:
$ gdb test
(gdb) b main
Breakpoint 1 at 0x8048376
(gdb) r
Breakpoint 1, 0x08048376 in main ()
Hold right here, open another console
and find out the PID of program
"test". If you want the quick way,
type:
$ cat /proc/`pgrep test`/maps
You will see an output like below (you
might get different output):
[1] 0039d000-003b2000 r-xp 00000000 16:41 1080084 /lib/ld-2.3.3.so
[2] 003b2000-003b3000 r--p 00014000 16:41 1080084 /lib/ld-2.3.3.so
[3] 003b3000-003b4000 rw-p 00015000 16:41 1080084 /lib/ld-2.3.3.so
[4] 003b6000-004cb000 r-xp 00000000 16:41 1080085 /lib/tls/libc-2.3.3.so
[5] 004cb000-004cd000 r--p 00115000 16:41 1080085 /lib/tls/libc-2.3.3.so
[6] 004cd000-004cf000 rw-p 00117000 16:41 1080085 /lib/tls/libc-2.3.3.so
[7] 004cf000-004d1000 rw-p 004cf000 00:00 0
[8] 08048000-08049000 r-xp 00000000 16:06 66970 /tmp/test
[9] 08049000-0804a000 rw-p 00000000 16:06 66970 /tmp/test
[10] b7fec000-b7fed000 rw-p b7fec000 00:00 0
[11] bffeb000-c0000000 rw-p bffeb000 00:00 0
[12] ffffe000-fffff000 ---p 00000000 00:00 0
Note: I add number on each line as reference.
Back to gdb, type:
(gdb) q
So, in total, we see 12 segment (also known as Virtual Memory Area--VMA).
But I want to know about Windows Process & PE file format.
Any tool(s) for getting the layout (segments) of running process in Windows?
Any other good resources for learning more on this subject?
EDIT:
Are there any good articles which shows the mapping between PE file sections & VA segments?
