Windows Memory Layout

Question 1

Kernel land

Answer 1

0x7fffffff to 0xffffffff

Question 2

Peb range

Answer 2

0x7ffdf000 and higher

Question 3

Userland

Answer 3

0x00000000 to 0x7fffffff

Question 4

Win32 layout

Answer 4

0x00000000
                                Stack [grows to lower address]
                                Heap [grows to higher address]
0x00400000  Program image
                                DLL
                                TEB
0x7ffdf0000   PEB
============
0x7fffffff to 0xffffffff Kernel land

Question 5

Executive process is?

Answer 5

Structure containing process attributes and pointers to related data structures

Question 6

Process Environment Block

Answer 6

EPROCESS structure inside user land

Question 7

Thread

Answer 7

Threads serve as the basic unit to which OS allocates processor time

Question 8

TEB

Answer 8

Thread env block stores

1. context information for image loader and various windows dll
2. location of exception handler list

Question 9

DLL

Answer 9

Shared code libraries which allow for efficient code reuse and memory allocation

Question 10

Program Image

Answer 10

This memory location is where executable resides.
.text contains executable code
.data contains global variables
.rsrc non exec resources such as icons, text and strings

Question 11

Heap

Answer 11

Arbitrary but persistent portion of memory used to store global variables.
The memory allocation at heap is managed by the application.
Memory is freed when program terminates or voluntarily frees itself.