问题描述
我一直在使用Mark Russinovich的VMMap为我正在分析的进程映射虚拟内存.使用VirtualQueryEx,我可以遍历外部进程的空间,并获取有关进程地址空间内的内存区域的信息.当然,这些区域与VMMap匹配,但是VirtualQueryEx仅告诉我内存是否已提交/保留/空闲以及它是否是私有/共享/映像.
I've been using Mark Russinovich's VMMap to map out the Virtual Memory for a process I'm analyzing. Using VirtualQueryEx, I can walk the space of an external process and get information on the memory regions within the process's address space. These regions match up with VMMap, sure, but VirtualQueryEx only tells me if memory is committed/reserved/free and whether it's private/shared/image.
我找不到其他记录的方法来查询进程虚拟内存. VMMap似乎知道一种查询内存的方式,以了解它是私有数据"还是线程堆栈". VirtualQueryEx将这两个标签都标记为MEM_PRIVATE.那么,VMMap如何区分?
I can't find any other documented ways to query process virtual memory. VMMap seems to know a a way to query the memory in such a way as to understand if it's "Private Data" or "Thread Stack". VirtualQueryEx labels both of those as MEM_PRIVATE. So how does VMMap make that distinction?
还有另一个API函数可用来识别这些细节吗?
Is there another API function that I can use to discern those details?
推荐答案
马克·鲁西诺维奇(Mark Russinovich)从不分享他的秘密,他有很多秘密.我想可以从未记录的线程环境块中找到它,尽管我看不到很好的候选对象.更好的线索可能是页面属性.它使用MEM_TOP_DOWN,只有堆栈具有MEM_TOP_DOWN(检查VirtualAlloc).加上与保护页面的结合,使StackOverflowException跳闸的保护页面将使其完全明确.无论如何,这就是我要这样做的方式.
Mark Russinovich never shares his secrets, he has many. I imagine it could be found from the undocumented thread environment block although I don't see great candidates. A better lead could be the page attributes. It uses MEM_TOP_DOWN, only stacks have that (check VirtualAlloc). And the combination with the guard page, the one that trips the StackOverflowException would make it completely unambiguous. That's the way I would do it anyway.
这篇关于具体来说,VMMap如何知道给定的内存区域是线程堆栈?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!