Memory Stack Flashcards
0xFFFFFFFF to 0x7FFFFFFF
Kernel land, no user access: drivers, system cache, paged/non-paged, etc.
PEB
Process Environment Block. WinDbg can easily examine the contents of the PEB with the !peb command. The PEB resides in user-accessible space.
TEB
Thread Environment Block. Stores context information for the image loader and various Windows DLLs, as well as the location of the exception handler list. Resides in user space since user-mode components require writable access.
Program Image
The Program Image portion of memory is where the executable resides. This includes the .text section (containing the executable code/CPU instructions), the .data section (containing the program’s global data), and the .rsrc section (containing non-executable resources, including icons, images, and strings).
HEAP
The heap is the dynamically allocated (e.g. malloc()) portion of memory a program uses to store global variables. Unlike the stack, heap memory allocation must be managed by the application. In other words, that memory will remain allocated until it is freed by the program or the program itself terminates. You can think of the heap as a shared pool of memory whereas the stack, which we’ll cover next, is more organized and compartmentalized.
The Stack
The stack is used to allocate short-term storage for local (function/method) variables in an ordered manner, and that memory is subsequently freed at the termination of the given function. Recall how a given process can have multiple threads. Each thread/function is allocated its own stack frame. The size of that stack frame is fixed after creation and the stack frame is deleted at the conclusion of the function.
How does data get in and out of the stack?
LIFO - Last in, first out.