Windows Virtual Address Space
As I read here, the virtual address space of a 32-bit Windows application has 2 GB of storage (from 0x00000000 to 0x7FFFFFFF). The other 2 GB are reserved for the system address space.
However, in a 32-bit program I found a pointer (using Cheat Engine) that points to an address that is not within the virtual address space range. The last address I explored was 0x301DDC3C -> 0x87F56190, as shown in the picture:
(The expansion on the first line represents dereferencing the pointer 0x301DDC3C; on the next line you can see what is in RAM at the dereferenced location 0x87F56190.)
After dereferencing the pointer, there are pointers into the process's virtual address space.
How can a user-mode application have a valid pointer into the system address space?
Does this mean that the pointer at location 0x301DDC3C points somewhere in the system address space? So the process I am examining is using kernel-mode stuff?
ALL the addresses you see are virtual addresses of the process (not "physical" addresses). A user-space process may use pointers that happen to come from "system space", but that does NOT mean the process can freely access kernel resources, nor does it mean those pointers have to map to physical addresses.
Here is another Microsoft link that may help clarify:
When a processor reads or writes to a memory location, it uses a virtual address. As part of the read or write operation, the processor translates the virtual address to a physical address.
...
The range of virtual addresses that is available to a process is called the virtual address space for the process. Each user-mode process has its own private virtual address space. For a 32-bit process, the virtual address space is usually the 2-gigabyte range 0x00000000 through 0x7FFFFFFF.
...
Processes like Notepad.exe and MyApp.exe run in user mode. Core operating system components and many drivers run in the more privileged kernel mode. For more information about processor modes, see User mode and kernel mode. Each user-mode process has its own private virtual address space, but all code that runs in kernel mode shares a single virtual address space called system space. The virtual address space for a user-mode process is called user space.
...
In 32-bit Windows, the total available virtual address space is 2^32 bytes (4 gigabytes). Usually the lower 2 gigabytes are used for user space, and the upper 2 gigabytes are used for system space.
...
Code running in user mode has access to user space but does not have access to system space. This restriction prevents user-mode code from reading or altering protected operating system data structures. Code running in kernel mode has access to both user space and system space. That is, code running in kernel mode has access to system space and the virtual address space of the current user-mode process.
...
Also worth noting is the distinction between kernel mode and user mode:
When you start a user-mode application, Windows creates a process for the application. The process provides the application with a private virtual address space and a private handle table. Because an application's virtual address space is private, one application cannot alter data that belongs to another application. Each application runs in isolation, and if an application crashes, the crash is limited to that one application. Other applications and the operating system are not affected by the crash.
...
In addition to being private, the virtual address space of a user-mode application is limited. A processor running in user mode cannot access virtual addresses that are reserved for the operating system. Limiting the virtual address space of a user-mode application prevents the application from altering, and possibly damaging, critical operating system data.
...
From Memory and Address Space Limits
Memory and address space limits vary by platform, operating system, and whether the IMAGE_FILE_LARGE_ADDRESS_AWARE flag (The application can handle addresses larger than 2 GB) in IMAGE_FILE_HEADER.Characteristics is set or cleared; it is set or cleared by using the /LARGEADDRESSAWARE linker option.
By default IMAGE_FILE_LARGE_ADDRESS_AWARE is cleared for 32-bit PEs and set for 64-bit PEs, but we can override the default:
So for a 32-bit process with the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set, up to 4 GB of memory is available.
Of course, the memory space [0, 0x800000000000) (win8.1+) or [0, 0x80000000000) (before win 8.1) is available in user mode on x64 Windows. But the system artificially limits this by reserving a large range of memory (this allocation is protected and cannot be freed).
For a 32-bit process this reservation begins at 7FFF0000 or FFFE0000 and extends up to the 64-bit ntdll.dll. Very interesting: in a 64-bit process with IMAGE_FILE_LARGE_ADDRESS_AWARE cleared, this reserved memory space begins at 0x80000000. Also interesting is that in this case kernel32.dll is loaded at a different address compared with a usual 64-bit process. So the base of kernel32.dll is usually not the same in all 64-bit processes. But ntdll.dll is loaded at the same address in all processes anyway.
Usual memory allocation on x64 Windows:
- 32-bit process, IMAGE_FILE_LARGE_ADDRESS_AWARE cleared (default)
- 32-bit process, IMAGE_FILE_LARGE_ADDRESS_AWARE set
- 64-bit process, IMAGE_FILE_LARGE_ADDRESS_AWARE cleared
- 64-bit process, IMAGE_FILE_LARGE_ADDRESS_AWARE set (default)
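Both answers above make the boundary of user space depend on IMAGE_FILE_LARGE_ADDRESS_AWARE in the image's IMAGE_FILE_HEADER. The following C program is an added example, not code from the question or from either answer: it parses that flag out of a PE header (with bounds checks, so a truncated or hostile e_lfanew cannot cause an out-of-bounds read) and uses it to decide whether a value such as 0x87F56190 can be a user-mode pointer in that process at all. It assumes the boundary figures the second answer gives (0x7FFF0000 / 0xFFFE0000 for 32-bit images with the flag clear / set, 0x80000000 / 0x800000000000 for 64-bit images, the latter for Windows 8.1 and later) and feeds itself a constructed minimal header; pe_read_file_header, user_space_limit_x64, addr_in_user_space and build_min_pe are names chosen here, not Windows APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants as defined in winnt.h, copied here so this also builds
 * without <windows.h> (e.g. when inspecting a binary from Linux). */
#define IMAGE_DOS_SIGNATURE            0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE             0x00004550  /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386        0x014c
#define IMAGE_FILE_MACHINE_AMD64       0x8664
#define IMAGE_FILE_EXECUTABLE_IMAGE    0x0002
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020

/* e_lfanew sits at offset 0x3c of IMAGE_DOS_HEADER; IMAGE_FILE_HEADER (20
 * bytes) follows the 4-byte PE signature; Characteristics is its last field. */
#define OFF_E_LFANEW           0x3c
#define FILE_HEADER_SIZE       20
#define OFF_FH_CHARACTERISTICS 18

typedef struct {
    uint16_t machine;
    uint16_t characteristics;
} pe_file_header;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read Machine and Characteristics from a PE image held in memory. Every
 * offset is bounds-checked first, so a truncated file or an e_lfanew that
 * points past the buffer yields 0 instead of an out-of-bounds read. */
int pe_read_file_header(const uint8_t *buf, size_t len, pe_file_header *out)
{
    if (len < OFF_E_LFANEW + 4 || rd16(buf) != IMAGE_DOS_SIGNATURE)
        return 0;
    uint32_t e_lfanew = rd32(buf + OFF_E_LFANEW);
    if (e_lfanew > len || len - e_lfanew < 4 + FILE_HEADER_SIZE)
        return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE)
        return 0;
    out->machine         = rd16(nt + 4);
    out->characteristics = rd16(nt + 4 + OFF_FH_CHARACTERISTICS);
    return 1;
}

int pe_is_large_address_aware(const pe_file_header *fh)
{
    return (fh->characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE) != 0;
}

/* First address user mode can NOT use in a process started from this image
 * on x64 Windows, using the boundaries quoted in the answer above (assumed,
 * Windows 8.1+ figure for the 64-bit LAA case). 0 for an unknown machine. */
uint64_t user_space_limit_x64(const pe_file_header *fh)
{
    int laa = pe_is_large_address_aware(fh);
    switch (fh->machine) {
    case IMAGE_FILE_MACHINE_I386:  return laa ? 0xFFFE0000ULL     : 0x7FFF0000ULL;
    case IMAGE_FILE_MACHINE_AMD64: return laa ? 0x800000000000ULL : 0x80000000ULL;
    default:                       return 0;
    }
}

/* Could a pointer with this value be dereferenced by that process at all?
 * Being below the limit is necessary but not sufficient: the page must also
 * be committed, which only VirtualQuery on the live process can tell you. */
int addr_in_user_space(uint64_t addr, const pe_file_header *fh)
{
    uint64_t limit = user_space_limit_x64(fh);
    return limit != 0 && addr < limit;
}

/* Constructed test input: the smallest byte layout the parser needs (DOS
 * header, PE signature, file header). Not a loadable image. Returns length. */
size_t build_min_pe(uint8_t *buf, size_t cap, uint16_t machine, uint16_t chars)
{
    const size_t e_lfanew = 0x40, need = e_lfanew + 4 + FILE_HEADER_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[OFF_E_LFANEW] = (uint8_t)e_lfanew;      /* little-endian, high bytes 0 */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    uint8_t *fh = buf + e_lfanew + 4;
    fh[0] = (uint8_t)machine; fh[1] = (uint8_t)(machine >> 8);
    fh[OFF_FH_CHARACTERISTICS]     = (uint8_t)chars;
    fh[OFF_FH_CHARACTERISTICS + 1] = (uint8_t)(chars >> 8);
    return need;
}

int main(void)
{
    const uint64_t probe = 0x87F56190ULL;   /* the value seen in the question */
    const uint16_t flags[] = { IMAGE_FILE_EXECUTABLE_IMAGE,
                               IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE };
    uint8_t img[128];
    for (int i = 0; i < 2; i++) {
        pe_file_header fh;
        size_t n = build_min_pe(img, sizeof img, IMAGE_FILE_MACHINE_I386, flags[i]);
        if (!pe_read_file_header(img, n, &fh)) return 1;
        printf("32-bit image, LAA=%d: user limit 0x%llx, 0x%llx usable: %s\n",
               pe_is_large_address_aware(&fh),
               (unsigned long long)user_space_limit_x64(&fh),
               (unsigned long long)probe,
               addr_in_user_space(probe, &fh) ? "yes" : "no");
    }
    return 0;
}
```

To run it against a real binary, read the file into a buffer and hand it to pe_read_file_header. On Windows the same ceiling for the live process is what GetSystemInfo reports in lpMaximumApplicationAddress, and VirtualQuery tells you whether the page behind a specific value is actually committed; that is the check Cheat Engine's pointer scanner relies on when it follows a chain like 0x301DDC3C -> 0x87F56190.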