Windows Memory Flashcards
Kernel Land
This portion of memory is reserved by the OS for device drivers, system cache, paged/non-paged pool, HAL, etc.
PEB
The Process Environment Block (PEB) resides in user-accessible memory. The PEB contains various user-mode parameters about a running process.
The PEB includes information such as the base address of the image (executable), the location of the heap, the loaded modules (DLLs), and environment variables (operating system, relevant paths, etc.).
TEB
Just like each program/process has a PEB, each thread has a Thread Environment Block (TEB). The TEB stores context information for the image loader and various Windows DLLs, as well as the location for the exception handler list (which we’ll cover in detail in a later post). Like the PEB, the TEB resides in the process address space since user-mode components require writable access.
DLLs
Windows programs take advantage of shared code libraries called Dynamic Link Libraries (DLLs), which allow for efficient code reuse and memory allocation.
Program Image
The Program Image portion of memory is where the executable resides. This includes the .text section (containing the executable code/CPU instructions), the .data section (containing the program’s global data), and the .rsrc section (containing non-executable resources, including icons, images, and strings).
Heap
The heap is the dynamically allocated (e.g. malloc()) portion of memory a program uses to store global variables.
Stack
Unlike the heap, where memory allocation for global variables is relatively arbitrary and persistent, the stack is used to allocate short-term storage for local (function/method) variables in an ordered manner, and that memory is subsequently freed at the termination of the given function.