Hacking/Windows internals/Process/Memory

From Skypher

Process memory

When a program runs in Windows, a process is created for it. Each process has its own virtual address space, and every byte of that memory has an address. Because IA-32 is 32-bit, the addresses range from 0x00000000 to 0xFFFFFFFF, so a process cannot address more than 4 GB of memory. The address space is divided in two between kernel land and user land: user land uses the lower addresses (normally 0x00000000-0x7FFFFFFF) and kernel land uses the higher addresses (0x80000000-0xFFFFFFFF). A process cannot access kernel land memory directly; it is for internal use by the Windows kernel only. The remaining (user land) address space contains regions, each consisting of at least one page; on Windows, each page is 0x1000 bytes. Regions are used for loading (parts of) the executable, libraries, heaps, stacks, etc. Any part of the address space that is not inside a region is not in use and therefore cannot be read.

PEB and TEB

The locations of the various regions loaded into a process' memory can be found using the TEBs and the PEB. Each TEB contains the location of the PEB as well as the location of the stack of the thread it belongs to. The PEB contains the location of the main executable, a pointer to the loader data (which can be used to find all library modules loaded into the process) and a pointer to a list with information about all the heaps.

Viewing a process' memory using OllyDbg

(The following content was included from OllyDbg/Memory map)

The memory map in OllyDbg displays a list of all allocated regions in the user land memory of the running process.

Example

If you start OllyDbg and open "C:\windows\cmd.exe" you can see the state of userland memory in the Memory map:

Memory map
Address |Size    |Owner                   |Section|Contains                 |Type|Access      |Initial access|Mapped as  
00010000|00010000|         00010000 (self)|       |                         |Map |RW          |RW            |           
00040000|00004000|         00040000 (self)|       |                         |Map |R           |R             |           
00050000|00001000|         00050000 (self)|       |                         |Map |R           |R             |           
00229000|00007000|         001F0000       |       |                         |Priv|RW  Guarded |RW  Guarded   |           
00241000|00002000|         00240000       |       |                         |Priv|RW  Guarded |RW  Guarded   |           
00243000|000FD000|         00240000       |       |Stack of main thread     |Priv|RW          |RW            |           
00530000|00004000|         00530000 (self)|       |                         |Priv|RW          |RW            |           
007A0000|00006000|         007A0000 (self)|       |                         |Priv|RW          |RW            |           
008A0000|0037F000|         008A0000 (self)|       |                         |Map |R           |R             |\Device\...
00E10000|00003000|         00E10000 (self)|       |                         |Priv|RW          |RW            |           
4AAE0000|00001000|cmd      4AAE0000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
4AAE1000|00023000|cmd      4AAE0000       |.text  |Code,imports             |Img |R E         |RWE CopyOnWr  |           
4AB04000|0001D000|cmd      4AAE0000       |.data  |Data                     |Img |RW  CopyOnWr|RWE CopyOnWr  |           
4AB21000|0000D000|cmd      4AAE0000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
4AB2E000|00002000|cmd      4AAE0000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
75B60000|00001000|         75B60000 (self)|       |                         |Img |R           |RWE CopyOnWr  |           
75B61000|00004000|         75B60000       |       |                         |Img |R E         |RWE CopyOnWr  |           
75B65000|00001000|         75B60000       |       |                         |Img |RW          |RWE CopyOnWr  |           
75B66000|00003000|         75B60000       |       |                         |Img |R           |RWE CopyOnWr  |           
75D00000|00001000|         75D00000 (self)|       |                         |Img |R           |RWE CopyOnWr  |           
75D01000|0003F000|         75D00000       |       |                         |Img |R E         |RWE CopyOnWr  |           
75D40000|00006000|         75D00000       |       |                         |Img |RW  CopyOnWr|RWE CopyOnWr  |           
75D46000|00008000|         75D00000       |       |                         |Img |R           |RWE CopyOnWr  |           
75D50000|00001000|         75D50000 (self)|       |                         |Img |R           |RWE CopyOnWr  |           
75D51000|0002F000|         75D50000       |       |                         |Img |R E         |RWE CopyOnWr  |           
75D80000|00011000|         75D50000       |       |                         |Img |RW  CopyOnWr|RWE CopyOnWr  |           
75D91000|00004000|         75D50000       |       |                         |Img |R           |RWE CopyOnWr  |           
75DB0000|00001000|Secur32  75DB0000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
75DC0000|00011000|Secur32  75DB0000       |.text  |Code,imports,exports     |Img |R E         |RWE CopyOnWr  |           
75DE0000|00001000|Secur32  75DB0000       |.data  |Data                     |Img |RW          |RWE CopyOnWr  |           
75DF0000|00001000|Secur32  75DB0000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
75E00000|00001000|Secur32  75DB0000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
76340000|00001000|kernel32 76340000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
76350000|000C5000|kernel32 76340000       |.text  |Code,imports,exports     |Img |R E         |RWE CopyOnWr  |           
76420000|00003000|kernel32 76340000       |.data  |Data                     |Img |RW          |RWE CopyOnWr  |           
76430000|00001000|kernel32 76340000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
76440000|0000A000|kernel32 76340000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
772A0000|00001000|RPCRT4   772A0000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
772B0000|00096000|RPCRT4   772A0000       |.text  |Code,imports,exports     |Img |R E         |RWE CopyOnWr  |           
77350000|00007000|RPCRT4   772A0000       |.orpc  |                         |Img |R E         |RWE CopyOnWr  |           
77360000|00001000|RPCRT4   772A0000       |.data  |Data                     |Img |RW          |RWE CopyOnWr  |           
77370000|00003000|RPCRT4   772A0000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
77380000|00006000|RPCRT4   772A0000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
773F0000|00001000|ADVAPI32 773F0000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
773F1000|00099000|ADVAPI32 773F0000       |.text  |Code,imports,exports     |Img |R E         |RWE CopyOnWr  |           
7748A000|0000F000|ADVAPI32 773F0000       |.data  |Data                     |Img |RW  CopyOnWr|RWE CopyOnWr  |           
77499000|00017000|ADVAPI32 773F0000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
774B0000|00006000|ADVAPI32 773F0000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
77760000|00001000|msvcrt   77760000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
77761000|0009D000|msvcrt   77760000       |.text  |Code,imports,exports     |Img |R E         |RWE CopyOnWr  |           
777FE000|00007000|msvcrt   77760000       |.data  |Data                     |Img |RW  CopyOnWr|RWE CopyOnWr  |           
77805000|00001000|msvcrt   77760000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
77806000|00004000|msvcrt   77760000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
77A60000|00001000|         77A60000 (self)|       |                         |Img |R           |RWE CopyOnWr  |           
77A61000|000E0000|         77A60000       |       |                         |Img |R E         |RWE CopyOnWr  |           
77B41000|0002B000|         77A60000       |       |                         |Img |R           |RWE CopyOnWr  |           
77B6C000|0000F000|         77A60000       |       |                         |Img |RW  CopyOnWr|RWE CopyOnWr  |           
77B7B000|00065000|         77A60000       |       |                         |Img |R           |RWE CopyOnWr  |           
77C00000|00001000|ntdll    77C00000 (self)|       |PE header                |Img |R           |RWE CopyOnWr  |           
77C10000|000BA000|ntdll    77C00000       |.text  |Code,exports             |Img |R E         |RWE CopyOnWr  |           
77CD0000|00001000|ntdll    77C00000       |RT     |                         |Img |R E         |RWE CopyOnWr  |           
77CE0000|0000B000|ntdll    77C00000       |.data  |Data                     |Img |RW  CopyOnWr|RWE CopyOnWr  |           
77CF0000|00053000|ntdll    77C00000       |.rsrc  |Resources                |Img |R           |RWE CopyOnWr  |           
77D50000|00005000|ntdll    77C00000       |.reloc |Relocations              |Img |R           |RWE CopyOnWr  |           
7EFB0000|00023000|         7EFB0000 (self)|       |Code pages               |Map |R           |R             |           
7EFDB000|00002000|         7EFDB000 (self)|       |                         |Priv|RW          |RW            |           
7EFDD000|00001000|         7EFDB000       |       |Data block of main thread|Priv|RW          |RW            |           
7EFDE000|00001000|         7EFDE000 (self)|       |Process Environment Block|Priv|RW          |RW            |           
7EFDF000|00001000|         7EFDF000 (self)|       |                         |Priv|RW          |RW            |           
7EFE0000|00006000|         7EFE0000 (self)|       |                         |Map |R           |R             |           
7FFE0000|00001000|         7FFE0000 (self)|       |                         |Priv|R           |R             |           

(The exact memory map you see may be slightly different because you have different software installed, a different version of Windows or a different Service Pack, but it should still look very similar.)

Legend

Columns

The meaning of the interesting columns is as follows:

  • Address: The start location of each region of memory. Notice how these addresses always end with "000", because they are all aligned to page boundaries (0x1000 bytes on Windows).
  • Size: The size of the region. Notice how these also always end with "000", because each region is made up of whole pages of 0x1000 bytes.
  • Owner: The "owner" of the region describes where it comes from. This can be used to determine what a block is for.
  • Section: If this region is used for a PE, it indicates which section of the PE is loaded in this region.
  • Contains: A description of the contents of this region. This can be used to determine what a block is for.
  • Access: Flags that indicate the types of access that code running in the process currently has to this region: Read, Write and Execute. Notice that none of the regions have both W and E set, which means you cannot modify memory that can be executed and you cannot execute memory that can be modified. This is called Data Execution Prevention.

The columns Type, Initial access and Mapped as do not contain very relevant information to understanding the process.

Lines

Each line represents a region of memory. I find it most useful to sort them by Address, so you can see the regions in the order in which they are found in memory.

Owner

If you look at the above example output, you can see there are 5 entries that have "cmd" as their Owner. If you are familiar with the PE/COFF format, you will recognize these entries. If not, I will explain some of them to you. The PE "cmd.exe" has 5 sections, each of which has been loaded into a region of memory. The first section is the header, which contains information about the executable, such as how big it is, what sections it has, where these sections are found in the file and where they should go in memory. The second section, called ".text", contains the machine code for the executable as well as an import table, which helps the machine code find out how to call functions in .dll libraries by importing the addresses of these functions when the executable is loaded. The third section, called ".data", contains data for the executable, such as strings, icons, images, etc. The last two sections, ".rsrc" and ".reloc", are not really important at this time.

Access

You may notice that the regions of memory reserved for these sections have different Access flags. The ".text" section is loaded in a region that has the Read and Executable flags set, because it contains machine code that needs to be read and executed. It does not have the Write flag set, because the machine code never needs to be modified. In fact, before access flags were introduced, the code was often modified by an exploit to get it to do what the attacker wanted; these flags were introduced to prevent this. Similarly, the ".data" section is loaded in a region of memory that has the Read and Write flags set but not the Executable flag, because it contains data that may be read and modified, but it does not contain code and therefore should not be executed as code.

The region containing the ".data" section also has the CopyOnWrite flag set. In order to save memory, many things are shared between processes, so if you start cmd.exe several times, each process does not get its own copy of everything. If two processes use the same thing without modifying it, Windows loads it once and reuses it. However, as soon as one of the processes starts to modify it, this must not affect the other processes. To make this possible, the memory is marked to be copied as soon as it is modified. In other words: as soon as a process wants to change it, a separate copy of the memory is made, which can then be modified without affecting other processes.
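The following parser, added here as an example and not part of the original wiki page or of OllyDbg, reads memory-map lines in the layout shown above and checks the properties the Legend and Access sections describe: page alignment, staying within user land, and no region being both writable and executable (DEP). The sample rows are constructed copies of lines from the map above; the page size and user land boundary are taken from the text.

```python
import re

PAGE = 0x1000               # page size the legend gives
USER_LAND_END = 0x80000000  # upper bound of user land in the 32-bit split above
HEX8 = re.compile(r"[0-9A-F]{8}")

# Constructed sample in the same column layout as the map above (last column dropped).
SAMPLE = """\
Address |Size    |Owner                   |Section|Contains                 |Type|Access      |Initial access|
00243000|000FD000|         00240000       |       |Stack of main thread     |Priv|RW          |RW            |
4AAE1000|00023000|cmd      4AAE0000       |.text  |Code,imports             |Img |R E         |RWE CopyOnWr  |
4AB04000|0001D000|cmd      4AAE0000       |.data  |Data                     |Img |RW  CopyOnWr|RWE CopyOnWr  |
7EFDE000|00001000|         7EFDE000 (self)|       |Process Environment Block|Priv|RW          |RW            |
"""

def parse_map(text):
    """Turn OllyDbg memory-map lines into dicts; header and blank lines are skipped."""
    regions = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 7 or not HEX8.fullmatch(cols[0]):
            continue
        owner, access = cols[2].split(), cols[6]
        regions.append({
            "start": int(cols[0], 16),
            "size": int(cols[1], 16),
            "module": owner[0] if owner and not HEX8.fullmatch(owner[0]) else "",
            "base": next((int(t, 16) for t in owner if HEX8.fullmatch(t)), None),
            "section": cols[3],
            "contains": cols[4],
            # R/W/E flags are the first three characters; "CopyOnWr"/"Guarded" follow and also contain W and R
            "flags": {c for c in access[:3] if c in "RWE"},
            "extras": set(access[3:].split()),
        })
    return regions

def check_region(r):
    """Rules from the legend that this region breaks (empty list = consistent)."""
    problems = []
    if r["start"] % PAGE or r["size"] % PAGE:
        problems.append("not page-aligned")
    if r["start"] + r["size"] > USER_LAND_END:
        problems.append("extends into kernel land")
    if {"W", "E"} <= r["flags"]:
        problems.append("writable and executable at once (DEP not in effect)")
    return problems

def region_for(regions, addr):
    """Region containing addr, or None: reading an address outside every region faults."""
    return next((r for r in regions if r["start"] <= addr < r["start"] + r["size"]), None)
```

Feeding the whole map above to parse_map and running check_region over every row returns an empty list for each, confirming that no region of cmd.exe is both W and E.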
