User-mode program address space allocation on XP (6): loading a user DLL

快乐虾

http://blog.csdn.net/lights_joy/


This article applies to

XP SP3

VS2008

Reposting is welcome, but please keep the author information.

This project uses a DLL that we compiled ourselves, cywin.dll, and this DLL occupies a surprisingly large number of memory blocks:

Base address  Allocation base  Allocation protect               Size      State                Protect                     Type
10000000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000002 PAGE_READONLY      01000000 MEM_IMAGE
10001000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  000a5000  00001000 MEM_COMMIT  00000020 PAGE_EXECUTE_READ  01000000 MEM_IMAGE
100a6000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00038000  00001000 MEM_COMMIT  00000002 PAGE_READONLY      01000000 MEM_IMAGE
100de000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00082000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
10160000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  0007f000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
101df000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00002000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
101e1000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  0000f000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
101f0000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
101f1000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00010000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
10201000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
10202000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00007000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
10209000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
1020a000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00007000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
10211000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00002000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
10213000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00007000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
1021a000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00002000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
1021c000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000008 PAGE_WRITECOPY     01000000 MEM_IMAGE
1021d000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000004 PAGE_READWRITE     01000000 MEM_IMAGE
1021e000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00011000  00001000 MEM_COMMIT  00000002 PAGE_READONLY      01000000 MEM_IMAGE
1022f000      00000000         00000000                         00251000  00010000 MEM_FREE    00000001 PAGE_NOACCESS      00000000

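As before, dump the contents of the file and compare.

1.1 File header

The dumped file header shows that this DLL has more directories than the other DLLs; I don't know whether that is also why it has several more memory blocks than each of the system DLLs loaded earlier.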

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            9.00 linker version
           A5000 size of code
           48A00 size of initialized data
               0 size of uninitialized data
           A17E0 entry point (100A17E0) __DllMainCRTStartup@12
            1000 base of code
           A6000 base of data
        10000000 image base (10000000 to 1022EFFF)
            1000 section alignment
             200 file alignment
            5.00 operating system version
            0.00 image version
            5.00 subsystem version
               0 Win32 version
          22F000 size of image
             400 size of headers
           FDA97 checksum
               2 subsystem (Windows GUI)
             140 DLL characteristics
                   Dynamic base
                   NX compatible
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
           DC130 [    11AB] RVA [size] of Export Directory
           D9B5C [      F0] RVA [size] of Import Directory
          21E000 [     2B4] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
          21F000 [    E790] RVA [size] of Base Relocation Directory
           A6630 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
           D6DB0 [      40] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
           A6000 [     56C] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

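As always, Windows allocates one block of space for it:

Base address  Allocation base  Allocation protect               Size      State                Protect                     Type
10000000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  00001000  00001000 MEM_COMMIT  00000002 PAGE_READONLY      01000000 MEM_IMAGE

This still satisfies the space request made by the file.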

1.2 Code section

The section header dumped from the file:

SECTION HEADER #1
   .text name
   A4E4C virtual size
    1000 virtual address (10001000 to 100A5E4B)
   A5000 size of raw data
     400 file pointer to raw data (00000400 to 000A53FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

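Memory allocated by Windows:

Base address  Allocation base  Allocation protect               Size      State                Protect                     Type
10001000      10000000         00000080 PAGE_EXECUTE_WRITECOPY  000a5000  00001000 MEM_COMMIT  00000020 PAGE_EXECUTE_READ  01000000 MEM_IMAGE

There is nothing much to say about this one either: the content is copied from the file as is.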

1.3 Read-only data section

The section header of this section:

SECTION HEADER #2
  .rdata name
   372DB virtual size
   A6000 virtual address (100A6000 to 100DD2DA)
   37400 size of raw data
   A5400 file pointer to raw data (000A5400 to 000DC7FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
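
An added example (not part of the original post) that checks the two section headers shown above against the memory map at the top of the page, then merges adjacent regions to show how few distinct protection runs the image really has. All numbers are copied from this page; the function names are made up for the example, and it assumes the usual loader behaviour that a writable image section is mapped PAGE_WRITECOPY and a page reports PAGE_READWRITE once the process has written to it.

```python
PAGE = 0x1000            # section alignment from the optional header
IMAGE_BASE = 0x10000000  # image base from the optional header
EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE

# (name, virtual address, virtual size, flags) from SECTION HEADER #1 and #2
SECTIONS = [(".text", 0x1000, 0xA4E4C, 0x60000020),
            (".rdata", 0xA6000, 0x372DB, 0x40000040)]

RO, RX = "PAGE_READONLY", "PAGE_EXECUTE_READ"
RW, WC = "PAGE_READWRITE", "PAGE_WRITECOPY"
# (base, size, protect) of the 19 committed regions in the page's memory map
REGIONS = [
    (0x10000000, 0x01000, RO), (0x10001000, 0xA5000, RX), (0x100A6000, 0x38000, RO),
    (0x100DE000, 0x82000, RW), (0x10160000, 0x7F000, WC), (0x101DF000, 0x02000, RW),
    (0x101E1000, 0x0F000, WC), (0x101F0000, 0x01000, RW), (0x101F1000, 0x10000, WC),
    (0x10201000, 0x01000, RW), (0x10202000, 0x07000, WC), (0x10209000, 0x01000, RW),
    (0x1020A000, 0x07000, WC), (0x10211000, 0x02000, RW), (0x10213000, 0x07000, WC),
    (0x1021A000, 0x02000, RW), (0x1021C000, 0x01000, WC), (0x1021D000, 0x01000, RW),
    (0x1021E000, 0x11000, RO),
]

def expected_region(va, vsize, flags):
    """Region the loader should create for one section header."""
    size = (vsize + PAGE - 1) & ~(PAGE - 1)   # round up to whole pages
    if flags & WRITE:
        prot = "PAGE_EXECUTE_WRITECOPY" if flags & EXEC else WC
    else:
        prot = RX if flags & EXEC else RO
    return IMAGE_BASE + va, size, prot

def coalesce(regions):
    """Merge adjacent regions, counting READWRITE as an already-written WRITECOPY page."""
    runs = []
    for base, size, prot in regions:
        kind = "writable" if prot in (RW, WC) else prot
        if runs and runs[-1][2] == kind and runs[-1][0] + runs[-1][1] == base:
            runs[-1] = (runs[-1][0], runs[-1][1] + size, kind)
        else:
            runs.append((base, size, kind))
    return runs

def matched_sections():
    """Names of sections whose expected region appears unchanged in the map."""
    return [n for n, va, vs, fl in SECTIONS if expected_region(va, vs, fl) in REGIONS]

if __name__ == "__main__":
    print("matched:", matched_sections())
    for base, size, kind in coalesce(REGIONS):
        print(f"{base:08x} {size:08x} {kind}")
```

The 19 committed regions collapse into five runs whose sizes add up to the 22F000 size of image, and the single writable run of 0x140000 bytes accounts for 15 of the regions.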
