我试图对Windows进程内存有更好的了解,并且在VAD树,PTE和加载的模块之间的关系方面存在一些空白。
下面的输出是从内核调试会话中捕获的,但是是在一个运行简单的已编译的“ hello world” C程序的简单过程的上下文中。
lm时,列出了许多模块,但是当我执行!vad时,我只看到5个映射到其中(我自己的进程二进制文件和4个其他Windows DLL)。kd> lm
start end module name
00007ffd`ea8f0000 00007ffd`ea91b000 vertdll (deferred)
00007ffd`ea920000 00007ffd`eab00000 ntdll (pdb symbols) C:\ProgramData\Dbg\sym\ntdll.pdb\13B64B553003FA22AB7CCD36A3A5431F1\ntdll.pdb
fffff416`a3800000 fffff416`a3b94000 win32kfull (deferred)
fffff416`a3ba0000 fffff416`a3db2000 win32kbase (deferred)
fffff416`a3dc0000 fffff416`a3dca000 TSDDD (deferred)
fffff416`a3dd0000 fffff416`a3e11000 cdd (deferred)
fffff416`a4290000 fffff416`a4307000 win32k (deferred)
fffff800`a5c01000 fffff800`a64d3000 nt (pdb symbols) C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\31C51B7D1C2545A88F69E13FC73E68941\ntkrnlmp.pdb
fffff800`a64d3000 fffff800`a6552000 hal (deferred)
fffff800`a6600000 fffff800`a6647000 kd_02_8086 (deferred)
...
fffff80b`85960000 fffff80b`8597c000 disk (deferred)
...
kd> !vad
VAD Level Start End Commit
ffff8908f102b0c0 4 7ffe0 7ffe0 1 Private READONLY
ffff8908ef465290 3 7ffe1 7ffef -1 Private READONLY
ffff8908f169f100 4 fb63c20 fb63d1f 6 Private READWRITE
ffff8908ef4c86e0 2 fb63e00 fb63fff 3 Private READWRITE
ffff8908ef17e3b0 3 2e38e030 2e38e03f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffff8908ef592280 4 2e38e040 2e38e046 1 Private READWRITE
ffff8908f1873410 1 2e38e050 2e38e068 0 Mapped READONLY Pagefile section, shared commit 0x19
ffff8908ef106a00 3 2e38e070 2e38e073 0 Mapped READONLY Pagefile section, shared commit 0x4
ffff8908f19eea10 2 2e38e080 2e38e080 0 Mapped READONLY Pagefile section, shared commit 0x1
ffff8908f0fba340 3 2e38e090 2e38e090 1 Private READWRITE
ffff8908f0fdc980 0 2e38e0a0 2e3900a0 1 Private READWRITE
ffff8908ef215060 3 2e390130 2e39022f 17 Private READWRITE
ffff8908ef084860 2 2e390230 2e3902f4 0 Mapped READONLY \Windows\System32\locale.nls
ffff8908f14e3e90 3 7ff67f9a0 7ff67fa9f 0 Mapped READONLY Pagefile section, shared commit 0x5
ffff8908ef3025c0 1 7ff67faa0 7ff67fac2 0 Mapped READONLY Pagefile section, shared commit 0x23
ffff8908f0ef7c70 4 7ff67fe30 7ff67fe51 3 Mapped Exe EXECUTE_WRITECOPY \Users\user\Desktop\test\x64\Release\test.exe
ffff8908ef6ad770 3 7ffde5240 7ffde52c7 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apphelp.dll
ffff8908ef1bcf70 4 7ffde7470 7ffde76d5 8 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll
ffff8908f16717a0 2 7ffde9270 7ffde931d 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll
ffff8908f0e50c30 3 7ffdea920 7ffdeaaff 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
当我!pte甚至db不在!vad输出中的一个模块(特别是disk模块)上时,它是有效的,映射的地址,我什至可以阅读其内容。
kd> !pte fffff80b`85960000
VA fffff80b85960000
PXE at FFFFFB7DBEDF6F80 PPE at FFFFFB7DBEDF0170 PDE at FFFFFB7DBE02E160 PTE at FFFFFB7C05C2CB00
contains 0000000001109063 contains 0A0000007E55D863 contains 0A00000002A81863 contains 890000007D044963
pfn 1109 ---DA--KWEV pfn 7e55d ---DA--KWEV pfn 2a81 ---DA--KWEV pfn 7d044 -G-DA--KW-V
kd> db fffff80b`85960000
fffff80b`85960000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
fffff80b`85960010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
fffff80b`85960020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
fffff80b`85960030 00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00 ................
fffff80b`85960040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
fffff80b`85960050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
fffff80b`85960060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
fffff80b`85960070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
那为什么!vad不包含此项?
!dh在一个已加载的PE上,例如我自己的进程的EXE上时,我可以看到它由具有不同内存访问保护的不同部分组成。kd> !dh 7ff67fe30000
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (X64)
6 number of sections
5CA04653 time date stamp Sat Mar 30 21:47:15 2019
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
App can handle >2gb addresses
...
SECTION HEADER #1
.text name
10FA0 virtual size
1000 virtual address
11000 size of raw data
...
60000020 flags
Code
(no align specified)
Execute Read
SECTION HEADER #2
.rdata name
96F6 virtual size
12000 virtual address
9800 size of raw data
11400 file pointer to raw data
...
40000040 flags
Initialized Data
(no align specified)
Read Only
...
SECTION HEADER #6
.reloc name
614 virtual size
21000 virtual address
800 size of raw data
...
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
而且,根据Windows Internals的书
每个几乎连续的非自由虚拟地址都有一个VAD,这些虚拟地址都具有相同的特征(保留,提交,映射,内存访问保护,等等)。
因此,我希望每个加载的模块都由几个VAD条目表示,因为每个部分具有不同的内存访问保护。
但是!vad将每个加载的模块显示为具有权限EXECUTE_WRITECOPY的单个条目。
kd> !vad
VAD Level Start End Commit
...
ffff8908f0ef7c70 4 7ff67fe30 7ff67fe51 3 Mapped Exe EXECUTE_WRITECOPY \Users\user\Desktop\test\x64\Release\test.exe
ffff8908ef6ad770 3 7ffde5240 7ffde52c7 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apphelp.dll
ffff8908ef1bcf70 4 7ffde7470 7ffde76d5 8 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll
ffff8908f16717a0 2 7ffde9270 7ffde931d 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll
ffff8908f0e50c30 3 7ffdea920 7ffdeaaff 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
为什么会这样?
!vad的输出,但似乎并没有给出完整的描述?这是否意味着我应该遍历!pte并在从0x0到0xFFFFFFFFFFFFFFFFFF的每个0x1000倍数上运行babel-node index.js?