Windows Memory Layout Flashcards

Understand the different sections of Windows x86 memory architecture.

1
Q

What is the Kernel area of memory reserved for?

A

The memory range from 0xFFFFFFFF to 0x7FFFFFFF, AKA ‘Kernel Land’, is the portion of memory reserved by the OS for device drivers, the system cache, the paged/non-paged pools and the HAL. There is no user-mode access to this portion of memory.

2
Q

What does the Process Environment Block (PEB) contain?

A

The PEB contains various user-mode parameters about a running process instance of an application. This includes the base address of the image executable, the location of the heap, the loaded modules (DLLs) and environment variables (operating system, relevant paths, etc.).

3
Q

What does the Thread Environment Block (TEB) contain?

A

The TEB contains the context information for the image loader and various Windows DLLs, as well as the location for the exception handler.

4
Q

What is a process?

A

Processes provide the resources needed to execute a program. Each process has a virtual address space, executable code, open handles to system objects, a security context, a unique process identifier (UID), environment variables, a priority class, minimum and maximum working set sizes, and at least one thread of execution. Each process starts with a single ‘primary’ thread, but additional threads may be spawned during execution.

5
Q

What is a thread?

A

A thread is the entity within a process that can be scheduled for execution. All threads of a process share its virtual address space and system resources. Each thread maintains exception handlers, a scheduling priority, thread local storage, a unique thread identifier and a set of structures for saving the thread context until it is scheduled. The thread context includes the thread’s set of machine registers, the kernel stack, a thread environment block (TEB), and a user stack in the address space of the thread’s process. Threads can also have their own security context, which can be used for impersonating clients.

6
Q

What are DLLs?

A

DLLs (Dynamic Link Libraries) are shared code libraries or ‘modules’ used by Windows programs for efficient code reuse and memory allocation purposes. There are OS/system modules (ntdll, user32, etc.) as well as application-specific modules; the latter are often useful in crafting overflow exploits.

7
Q

What is the Program Image?

A

The Program Image portion of memory is where the executable resides. This includes the .text section (containing the executable code/CPU instructions), the .data section (containing the program’s global data) and the .rsrc section (which contains the non-executable resources, including icons, images and strings).

8
Q

What is the Heap?

A

The Heap is the dynamically allocated (e.g. via malloc()) portion of memory a program uses to store global variables. Heap memory allocation is managed by the application; as such, the memory remains allocated until it is freed by the program or the program itself terminates. The Heap is a shared pool of memory, whereas the stack is more compartmentalised and organised.

9
Q

What are the 3 major components of process memory?

A

Code Segment - Instructions that the processor executes. The EIP (Extended Instruction Pointer) keeps track of the next instruction.

Data Segment - Variables and dynamic buffers.

Stack Segment - Used to pass data and arguments to functions, and used as space for variables. The stack starts (the bottom of the stack) at the very end of the virtual memory of a page and grows down (towards lower addresses). A PUSH adds an item to the top of the stack; a POP removes one item (4 bytes) from the stack and places it in a register.

10
Q

What is the Stack Pointer?

A

The Stack Pointer, or ESP, points to the top of the stack (the lowest memory address).

After a PUSH, ESP points to a lower memory address (the address is decremented by the size of the data pushed onto the stack, which is 4 bytes in the case of addresses/pointers). Depending on the implementation, the decrement usually happens before the item is placed on the stack; if ESP already points to the next free location in the stack, the decrement happens after the data is placed on the stack.

After a POP, ESP points to a higher address (the address is incremented by 4 bytes in the case of addresses and pointers). The increment occurs after the item is removed from the stack.

11
Q

What are the CPU’s general purpose registers for Intel x86?

A

EAX: accumulator - used for performing calculations and for storing return values from function calls. Basic operations such as add, subtract and compare use this general-purpose register.

EBX: base (not related to EBP) - no specific purpose; can be used to store data.

ECX: counter - used for iterations. ECX counts downward.

EDX: data - an extension of the EAX register. Allows for more complex calculations (multiply, divide) by providing extra storage to facilitate those calculations.

ESP: stack pointer

EBP: base pointer

ESI: source index - holds the location of input data.

EDI: destination index - points to the location where the result of a data operation is stored.

EIP: instruction pointer

12
Q

What is the flat memory model?

A

The flat or ‘linear’ memory model is a memory addressing paradigm in which the CPU can access all areas of memory as if they were a single contiguous address space. This alleviates the need for memory segmentation or paging schemes.

13
Q

What is the PEB?

A

The PEB (Process Environment Block) contains all user-land parameters associated with the current process:

  • Location of the main executable
  • Pointer to loader data (can be used to list all DLLs / modules that are or can be loaded into the process)
  • Pointer to information about the heap
14
Q

What is the TEB?

A

The TEB (Thread Environment Block) describes the state of a thread and includes:

  • Location of the PEB in memory
  • Location of the stack for the thread it belongs to
  • Pointer to the first entry in the SEH chain