Is there a tool to view the kernel-space mapping of a Windows exe?

reverse-engineering windows ollydbg windbg
2021-06-22 03:11:24

In Microsoft Windows, a 32-bit process such as calc.exe has 0x0 - 0x80000000 (2GB) reserved as user space, and the rest is kernel space (2GB). So the process has 2+2 = 4GB of virtual space. This ratio can also be 3:1.

The 2GB user space holds the PEB information, the heap, the stack, the executable itself and the other DLLs used by the exe, such as kernel32.dll, user32.dll, etc.

  • Query 1> What does the 2GB kernel space itself contain?

    Is there a tool to view the kernel-space mapping (for the user-space mapping I use OllyDbg)?

  • Query 2> What happens with ntoskrnl.exe when it runs? It does not use the native API (but exports the implementation of those native APIs to user space through ntdll.dll, so native applications can use it before win32 starts). Hence, ntoskrnl.exe.

    Does ntoskrnl.exe lie in kernel space?

3 Answers

Only one question per post. This answer addresses the first of your two questions.

Is there a tool to view the kernel-space mapping

Yes, you can use LiveKd to inspect the contents of kernel space.

For example, I can see the loaded modules and their addresses in kernel space with the lmvk command:

kd> lmvk
start    end        module name
80bd5000 80bdd000   kdcom      (pdb symbols)          c:\symbols\kdcom.pdb\F48BD9BC030C43D89689518F892586901\kdcom.pdb
    Loaded symbol image file: kdcom.dll
    Image path: kdcom.dll
    Image name: kdcom.dll
    Timestamp:        Mon Jul 13 20:08:58 2009 (4A5BDAAA)
    CheckSum:         000138B1
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82816000 82c28000   nt         (pdb symbols)          c:\symbols\ntkrpamp.pdb\CE18EBF87B6A4C5CBF77806534BD94782\ntkrpamp.pdb
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Timestamp:        Sat Nov 19 05:51:44 2011 (4EC79850)
    CheckSum:         003CAC28
    ImageSize:        00412000
    File version:     6.1.7601.17727
    Product version:  6.1.7601.17727
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrpamp.exe
    OriginalFilename: ntkrpamp.exe
    ProductVersion:   6.1.7601.17727
    FileVersion:      6.1.7601.17727 (win7sp1_gdr.111118-2330)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
82c28000 82c5f000   hal        (pdb symbols)          c:\symbols\halmacpi.pdb\AE605D6C59454802AE1D485E0B089A571\halmacpi.pdb
    Loaded symbol image file: halmacpi.dll
    Image path: halmacpi.dll
    Image name: halmacpi.dll
    Timestamp:        Sat Nov 20 02:37:38 2010 (4CE788D2)
    CheckSum:         00037FB1
    ImageSize:        00037000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82e09000 82e14000   mcupdate_AuthenticAMD   (no symbols)           
    Loaded symbol image file: mcupdate_AuthenticAMD.dll
    Image path: \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    Image name: mcupdate_AuthenticAMD.dll
    Timestamp:        Mon Jul 13 18:13:13 2009 (4A5BBF89)
    CheckSum:         0000BD79
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82e14000 82e25000   PSHED      (pdb symbols)          c:\symbols\pshed.pdb\5ACEAFD8AD3A46FEAD083AFDF675DA391\pshed.pdb
    Loaded symbol image file: PSHED.dll
    Image path: \SystemRoot\system32\PSHED.dll
    Image name: PSHED.dll
    Timestamp:        Mon Jul 13 20:09:36 2009 (4A5BDAD0)
    CheckSum:         000108A2
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82e25000 82e2d000   BOOTVID    (pdb symbols)          c:\symbols\bootvid.pdb\10C3ABD4165D4ED3A9493BB094B44AEA1\bootvid.pdb
    Loaded symbol image file: BOOTVID.dll
    Image path: \SystemRoot\system32\BOOTVID.dll
    Image name: BOOTVID.dll
    Timestamp:        Mon Jul 13 20:04:34 2009 (4A5BD9A2)
    CheckSum:         00010FF0
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82e2d000 82e6f000   CLFS       (pdb symbols)          c:\symbols\clfs.pdb\04F22EAC7BD04A1BA81A6FB5D319649F1\clfs.pdb
    Loaded symbol image file: CLFS.SYS
    Image path: \SystemRoot\system32\CLFS.SYS
    Image name: CLFS.SYS
    Timestamp:        Mon Jul 13 18:11:10 2009 (4A5BBF0E)
    CheckSum:         000461C7
    ImageSize:        00042000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82e6f000 82f1a000   CI         (pdb symbols)          c:\symbols\ci.pdb\3358E6E48A5245F6AB97EA05356E020F1\ci.pdb
    Loaded symbol image file: CI.dll
    Image path: \SystemRoot\system32\CI.dll
    Image name: CI.dll
    Timestamp:        Sat Nov 20 06:05:17 2010 (4CE7B97D)
    CheckSum:         000ADFF9
    ImageSize:        000AB000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82f1a000 82f8b000   Wdf01000   (pdb symbols)          c:\symbols\Wdf01000.pdb\A9E46808F4F748178D3071AA9EE76FB71\Wdf01000.pdb
    Loaded symbol image file: Wdf01000.sys
    Image path: \SystemRoot\system32\drivers\Wdf01000.sys
    Image name: Wdf01000.sys
    Timestamp:        Mon Jul 13 18:11:36 2009 (4A5BBF28)
    CheckSum:         000717B7
    ImageSize:        00071000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82f8b000 82f99000   WDFLDR     (pdb symbols)          c:\symbols\wdfldr.pdb\95D9DB57778548E6B6774520468479891\wdfldr.pdb
    Loaded symbol image file: WDFLDR.SYS
    Image path: \SystemRoot\system32\drivers\WDFLDR.SYS
    Image name: WDFLDR.SYS
    Timestamp:        Mon Jul 13 18:11:25 2009 (4A5BBF1D)
    CheckSum:         00009DF6
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82f99000 82fe1000   ACPI       (pdb symbols)          c:\symbols\acpi.pdb\E7300A0CC3524834A4E1E55773C1901E1\acpi.pdb
    Loaded symbol image file: ACPI.sys
    Image path: \SystemRoot\system32\drivers\ACPI.sys
    Image name: ACPI.sys
    Timestamp:        Sat Nov 20 02:37:52 2010 (4CE788E0)
    CheckSum:         0004F583
    ImageSize:        00048000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82fe1000 82fea000   WMILIB     (pdb symbols)          c:\symbols\wmilib.pdb\F52B38A4800849D48BFFD48715A446A51\wmilib.pdb
    Loaded symbol image file: WMILIB.SYS
    Image path: \SystemRoot\system32\drivers\WMILIB.SYS
    Image name: WMILIB.SYS
    Timestamp:        Mon Jul 13 18:11:22 2009 (4A5BBF1A)
    CheckSum:         0000B93D
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
82fea000 82ff2000   msisadrv   (pdb symbols)          c:\symbols\msisadrv.pdb\5D6926DA4AD1474BAE8CBDA5909F68201\msisadrv.pdb
    Loaded symbol image file: msisadrv.sys
    Image path: \SystemRoot\system32\drivers\msisadrv.sys
    Image name: msisadrv.sys
    Timestamp:        Mon Jul 13 18:11:09 2009 (4A5BBF0D)
    CheckSum:         0000CD81
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87800000 87811000   fileinfo   (pdb symbols)          c:\symbols\fileinfo.pdb\EBD1E885413A4242AA515F1B06BB564F1\fileinfo.pdb
    Loaded symbol image file: fileinfo.sys
    Image path: \SystemRoot\system32\drivers\fileinfo.sys
    Image name: fileinfo.sys
    Timestamp:        Mon Jul 13 18:21:51 2009 (4A5BC18F)
    CheckSum:         0001E423
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8781a000 87844000   pci        (pdb symbols)          c:\symbols\pci.pdb\2E2A912260694615A7E97AFBA3FA934E1\pci.pdb
    Loaded symbol image file: pci.sys
    Image path: \SystemRoot\system32\drivers\pci.sys
    Image name: pci.sys
    Timestamp:        Sat Nov 20 02:37:57 2010 (4CE788E5)
    CheckSum:         0002B72C
    ImageSize:        0002A000
    File version:     6.1.7601.17514
    Product version:  6.1.7601.17514
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     pci.sys
    OriginalFilename: pci.sys
    ProductVersion:   6.1.7601.17514
    FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
    FileDescription:  NT Plug and Play PCI Enumerator
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
87844000 8784f000   vdrvroot   (pdb symbols)          c:\symbols\vdrvroot.pdb\3C9D6939EF564015B8D0728611C88C221\vdrvroot.pdb
    Loaded symbol image file: vdrvroot.sys
    Image path: \SystemRoot\system32\drivers\vdrvroot.sys
    Image name: vdrvroot.sys
    Timestamp:        Mon Jul 13 18:46:19 2009 (4A5BC74B)
    CheckSum:         00009326
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8784f000 87860000   partmgr    (pdb symbols)          c:\symbols\partmgr.pdb\7CA861FF7879483ABA38CE28186F293E2\partmgr.pdb
    Loaded symbol image file: partmgr.sys
    Image path: \SystemRoot\System32\drivers\partmgr.sys
    Image name: partmgr.sys
    Timestamp:        Sat Nov 20 02:38:14 2010 (4CE788F6)
    CheckSum:         0001BB55
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87860000 87868000   compbatt   (pdb symbols)          c:\symbols\compbatt.pdb\EE14F03B54BF49B4B62A0EF912A59C8F1\compbatt.pdb
    Loaded symbol image file: compbatt.sys
    Image path: \SystemRoot\system32\DRIVERS\compbatt.sys
    Image name: compbatt.sys
    Timestamp:        Mon Jul 13 18:19:18 2009 (4A5BC0F6)
    CheckSum:         00006941
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87868000 87873000   BATTC      (pdb symbols)          c:\symbols\battc.pdb\53C47BEA2F08470BB58DFD1566285EC71\battc.pdb
    Loaded symbol image file: BATTC.SYS
    Image path: \SystemRoot\system32\DRIVERS\BATTC.SYS
    Image name: BATTC.SYS
    Timestamp:        Mon Jul 13 18:19:15 2009 (4A5BC0F3)
    CheckSum:         0000B849
    ImageSize:        0000B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87873000 87883000   volmgr     (pdb symbols)          c:\symbols\volmgr.pdb\4AF04B598C494297B1C69F95823AA9F81\volmgr.pdb
    Loaded symbol image file: volmgr.sys
    Image path: \SystemRoot\system32\drivers\volmgr.sys
    Image name: volmgr.sys
    Timestamp:        Sat Nov 20 02:38:06 2010 (4CE788EE)
    CheckSum:         00016E1A
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87883000 878ce000   volmgrx    (pdb symbols)          c:\symbols\volmgrx.pdb\433F00DD3CC34DE8BC3F9E4BDDACA5EE1\volmgrx.pdb
    Loaded symbol image file: volmgrx.sys
    Image path: \SystemRoot\System32\drivers\volmgrx.sys
    Image name: volmgrx.sys
    Timestamp:        Mon Jul 13 18:11:41 2009 (4A5BBF2D)
    CheckSum:         0004A22A
    ImageSize:        0004B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
878ce000 878d5000   intelide   (no symbols)           
    Loaded symbol image file: intelide.sys
    Image path: \SystemRoot\system32\drivers\intelide.sys
    Image name: intelide.sys
    Timestamp:        Mon Jul 13 18:11:19 2009 (4A5BBF17)
    CheckSum:         00006324
    ImageSize:        00007000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     intelide.sys
    OriginalFilename: intelide.sys
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Intel PCI IDE Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
878d5000 878e3000   PCIIDEX    (pdb symbols)          c:\symbols\pciidex.pdb\8B7BC6201128486CB5B03916EBD5FF8E1\pciidex.pdb
    Loaded symbol image file: PCIIDEX.SYS
    Image path: \SystemRoot\system32\drivers\PCIIDEX.SYS
    Image name: PCIIDEX.SYS
    Timestamp:        Mon Jul 13 18:11:15 2009 (4A5BBF13)
    CheckSum:         0000FC04
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
878e3000 878f9000   mountmgr   (pdb symbols)          c:\symbols\mountmgr.pdb\356DDF9839E040638E034EEA956C28F81\mountmgr.pdb
    Loaded symbol image file: mountmgr.sys
    Image path: \SystemRoot\System32\drivers\mountmgr.sys
    Image name: mountmgr.sys
    Timestamp:        Sat Nov 20 02:38:09 2010 (4CE788F1)
    CheckSum:         00014708
    ImageSize:        00016000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
878f9000 87922180   vmbus      (pdb symbols)          c:\symbols\vmbus.pdb\35B5AB3E6BDF4D3FA0BDC6AC31AC97FC1\vmbus.pdb
    Loaded symbol image file: vmbus.sys
    Image path: \SystemRoot\system32\drivers\vmbus.sys
    Image name: vmbus.sys
    Timestamp:        Sat Nov 20 03:14:58 2010 (4CE79192)
    CheckSum:         0002F9E5
    ImageSize:        00029180
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87923000 87935000   winhv      (pdb symbols)          c:\symbols\winhv.pdb\5B6B8428A8FA4152919E805179599ED31\winhv.pdb
    Loaded symbol image file: winhv.sys
    Image path: \SystemRoot\system32\drivers\winhv.sys
    Image name: winhv.sys
    Timestamp:        Sat Nov 20 02:38:15 2010 (4CE788F7)
    CheckSum:         00010243
    ImageSize:        00012000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87935000 8793e000   atapi      (pdb symbols)          c:\symbols\atapi.pdb\EF544461A5D5482980C2CA01640A6D621\atapi.pdb
    Loaded symbol image file: atapi.sys
    Image path: \SystemRoot\system32\drivers\atapi.sys
    Image name: atapi.sys
    Timestamp:        Mon Jul 13 18:11:15 2009 (4A5BBF13)
    CheckSum:         00014C06
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8793e000 87961000   ataport    (pdb symbols)          c:\symbols\ataport.pdb\C9AF9FE9166548FD86EFAC017F6023011\ataport.pdb
    Loaded symbol image file: ataport.SYS
    Image path: \SystemRoot\system32\drivers\ataport.SYS
    Image name: ataport.SYS
    Timestamp:        Sat Nov 20 02:38:00 2010 (4CE788E8)
    CheckSum:         0002B87F
    ImageSize:        00023000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87961000 87979000   lsi_sas    (pdb symbols)          c:\symbols\lsi_sas.pdb\FCC2DAF36299423A9765B62D750A97461\lsi_sas.pdb
    Loaded symbol image file: lsi_sas.sys
    Image path: \SystemRoot\system32\DRIVERS\lsi_sas.sys
    Image name: lsi_sas.sys
    Timestamp:        Mon May 18 19:19:55 2009 (4A11FB2B)
    CheckSum:         00024959
    ImageSize:        00018000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87979000 879c1000   storport   (pdb symbols)          c:\symbols\storport.pdb\1445D4DB7BA84A0081ABB729753A93942\storport.pdb
    Loaded symbol image file: storport.sys
    Image path: \SystemRoot\system32\DRIVERS\storport.sys
    Image name: storport.sys
    Timestamp:        Thu Mar 10 21:56:00 2011 (4D799D50)
    CheckSum:         000277A3
    ImageSize:        00048000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
879c1000 879ca000   amdxata    (pdb symbols)          c:\symbols\amdxata.pdb\5E66F230920844408A1EE389D50B6B4A1\amdxata.pdb
    Loaded symbol image file: amdxata.sys
    Image path: \SystemRoot\system32\drivers\amdxata.sys
    Image name: amdxata.sys
    Timestamp:        Fri Mar 19 11:19:01 2010 (4BA3A3F5)
    CheckSum:         000147B2
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
879ca000 879fe000   fltmgr     (pdb symbols)          c:\symbols\fltMgr.pdb\E6CA9E082E70438988788CB58DB340B01\fltMgr.pdb
    Loaded symbol image file: fltmgr.sys
    Image path: \SystemRoot\system32\drivers\fltmgr.sys
    Image name: fltmgr.sys
    Timestamp:        Mon Jul 13 18:11:13 2009 (4A5BBF11)
    CheckSum:         000382A8
    ImageSize:        00034000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87a00000 87a0e000   pcw        (pdb symbols)          c:\symbols\pcw.pdb\D368300F340A423EBBA32FBDDDEC24B91\pcw.pdb
    Loaded symbol image file: pcw.sys
    Image path: \SystemRoot\System32\drivers\pcw.sys
    Image name: pcw.sys
    Timestamp:        Mon Jul 13 18:11:10 2009 (4A5BBF0E)
    CheckSum:         000194CF
    ImageSize:        0000E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87a0e000 87a17000   Fs_Rec     (pdb symbols)          c:\symbols\fs_rec.pdb\3465ED05A901452FAD07E77351F094591\fs_rec.pdb
    Loaded symbol image file: Fs_Rec.sys
    Image path: \SystemRoot\System32\Drivers\Fs_Rec.sys
    Image name: Fs_Rec.sys
    Timestamp:        Mon Jul 13 18:11:14 2009 (4A5BBF12)
    CheckSum:         0000845A
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87a2a000 87b59000   Ntfs       (pdb symbols)          c:\symbols\ntfs.pdb\6D39EA084D324936A61D6DBDE4D1172B2\ntfs.pdb
    Loaded symbol image file: Ntfs.sys
    Image path: \SystemRoot\System32\Drivers\Ntfs.sys
    Image name: Ntfs.sys
    Timestamp:        Thu Mar 10 21:21:11 2011 (4D799527)
    CheckSum:         0012D977
    ImageSize:        0012F000
    File version:     6.1.7601.17577
    Product version:  6.1.7601.17577
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntfs.sys
    OriginalFilename: ntfs.sys
    ProductVersion:   6.1.7601.17577
    FileVersion:      6.1.7601.17577 (win7sp1_gdr.110310-1504)
    FileDescription:  NT File System Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
87b59000 87b84000   msrpc      (pdb symbols)          c:\symbols\msrpc.pdb\B4C428CFD1024C43BD3E2B10D1A8F0711\msrpc.pdb
    Loaded symbol image file: msrpc.sys
    Image path: \SystemRoot\System32\Drivers\msrpc.sys
    Image name: msrpc.sys
    Timestamp:        Mon Jul 13 18:11:59 2009 (4A5BBF3F)
    CheckSum:         00036B4F
    ImageSize:        0002B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87b84000 87b97000   ksecdd     (pdb symbols)          c:\symbols\ksecdd.pdb\A4060D19AD914446AB889720E6B7284C1\ksecdd.pdb
    Loaded symbol image file: ksecdd.sys
    Image path: \SystemRoot\System32\Drivers\ksecdd.sys
    Image name: ksecdd.sys
    Timestamp:        Wed Nov 16 21:15:56 2011 (4EC47C6C)
    CheckSum:         00015ED3
    ImageSize:        00013000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87b97000 87bf4000   cng        (pdb symbols)          c:\symbols\cng.pdb\E729F2E7DC70413D986258B0E44C22CC1\cng.pdb
    Loaded symbol image file: cng.sys
    Image path: \SystemRoot\System32\Drivers\cng.sys
    Image name: cng.sys
    Timestamp:        Wed Nov 16 21:36:35 2011 (4EC48143)
    CheckSum:         00068127
    ImageSize:        0005D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87c07000 87cbe000   ndis       (pdb symbols)          c:\symbols\ndis.pdb\4DAAA54E2C26455DB2471D696BC8E6A62\ndis.pdb
    Loaded symbol image file: ndis.sys
    Image path: \SystemRoot\system32\drivers\ndis.sys
    Image name: ndis.sys
    Timestamp:        Sat Nov 20 02:39:19 2010 (4CE78937)
    CheckSum:         000BD48D
    ImageSize:        000B7000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87cbe000 87cfc000   NETIO      (pdb symbols)          c:\symbols\netio.pdb\7A33726ABE884384BFDFB951F05D13AC2\netio.pdb
    Loaded symbol image file: NETIO.SYS
    Image path: \SystemRoot\system32\drivers\NETIO.SYS
    Image name: NETIO.SYS
    Timestamp:        Sat Nov 20 02:40:03 2010 (4CE78963)
    CheckSum:         0003F253
    ImageSize:        0003E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87cfc000 87d21000   ksecpkg    (pdb symbols)          c:\symbols\ksecpkg.pdb\8C991B24F8F24A96B28B8268237920CF1\ksecpkg.pdb
    Loaded symbol image file: ksecpkg.sys
    Image path: \SystemRoot\System32\Drivers\ksecpkg.sys
    Image name: ksecpkg.sys
    Timestamp:        Wed Nov 16 21:37:34 2011 (4EC4817E)
    CheckSum:         0002C883
    ImageSize:        00025000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87d21000 87d60000   volsnap    (pdb symbols)          c:\symbols\volsnap.pdb\1F66E7165E8F4BD982A34A9DFA1BBFD31\volsnap.pdb
    Loaded symbol image file: volsnap.sys
    Image path: \SystemRoot\system32\drivers\volsnap.sys
    Image name: volsnap.sys
    Timestamp:        Sat Nov 20 02:38:13 2010 (4CE788F5)
    CheckSum:         0003CA6D
    ImageSize:        0003F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87d60000 87d92000   fvevol     (pdb symbols)          c:\symbols\fvevol.pdb\DC4549C710EE425F8956C7D82BFE83651\fvevol.pdb
    Loaded symbol image file: fvevol.sys
    Image path: \SystemRoot\System32\DRIVERS\fvevol.sys
    Image name: fvevol.sys
    Timestamp:        Sat Nov 20 02:40:22 2010 (4CE78976)
    CheckSum:         000390DC
    ImageSize:        00032000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87d92000 87db7000   CLASSPNP   (pdb symbols)          c:\symbols\classpnp.pdb\64A86A6AD27D4730A78ECC25166E13562\classpnp.pdb
    Loaded symbol image file: CLASSPNP.SYS
    Image path: \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    Image name: CLASSPNP.SYS
    Timestamp:        Mon Jul 13 18:11:20 2009 (4A5BBF18)
    CheckSum:         0002BBFE
    ImageSize:        00025000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87e00000 87e10000   mup        (pdb symbols)          c:\symbols\mup.pdb\E96F69551E2447289250F71FB5AB6E0C2\mup.pdb
    Loaded symbol image file: mup.sys
    Image path: \SystemRoot\System32\Drivers\mup.sys
    Image name: mup.sys
    Timestamp:        Mon Jul 13 18:14:14 2009 (4A5BBFC6)
    CheckSum:         00014283
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87e10000 87e18000   hwpolicy   (pdb symbols)          c:\symbols\hwpolicy.pdb\0F041CEBADCA48F4BC65F68463272F1D1\hwpolicy.pdb
    Loaded symbol image file: hwpolicy.sys
    Image path: \SystemRoot\System32\drivers\hwpolicy.sys
    Image name: hwpolicy.sys
    Timestamp:        Sat Nov 20 02:37:35 2010 (4CE788CF)
    CheckSum:         0000B2B9
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87e18000 87e29000   disk       (pdb symbols)          c:\symbols\disk.pdb\D2AD04F7F4BF45C8A8F0E2BF689326F11\disk.pdb
    Loaded symbol image file: disk.sys
    Image path: \SystemRoot\system32\DRIVERS\disk.sys
    Image name: disk.sys
    Timestamp:        Mon Jul 13 18:11:28 2009 (4A5BBF20)
    CheckSum:         000152A4
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87e3e000 87f88000   tcpip      (pdb symbols)          c:\symbols\tcpip.pdb\676C275B8EAE4B50A19255B333A152BA2\tcpip.pdb
    Loaded symbol image file: tcpip.sys
    Image path: \SystemRoot\System32\drivers\tcpip.sys
    Image name: tcpip.sys
    Timestamp:        Wed Sep 28 22:22:11 2011 (4E83E463)
    CheckSum:         0013EA1F
    ImageSize:        0014A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87f88000 87fb9000   fwpkclnt   (pdb symbols)          c:\symbols\fwpkclnt.pdb\FDE8223F22C54AEA8061EE56EA16A0251\fwpkclnt.pdb
    Loaded symbol image file: fwpkclnt.sys
    Image path: \SystemRoot\System32\drivers\fwpkclnt.sys
    Image name: fwpkclnt.sys
    Timestamp:        Sat Nov 20 02:39:08 2010 (4CE7892C)
    CheckSum:         0003B983
    ImageSize:        00031000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87fb9000 87fc1380   vmstorfl   (pdb symbols)          c:\symbols\vmstorfl.pdb\D7FD176CC0134139B2EE4BEAF352AEE41\vmstorfl.pdb
    Loaded symbol image file: vmstorfl.sys
    Image path: \SystemRoot\system32\drivers\vmstorfl.sys
    Image name: vmstorfl.sys
    Timestamp:        Sat Nov 20 03:14:37 2010 (4CE7917D)
    CheckSum:         000131D0
    ImageSize:        00008380
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87fc2000 87fca000   spldr      (no symbols)           
    Loaded symbol image file: spldr.sys
    Image path: \SystemRoot\System32\Drivers\spldr.sys
    Image name: spldr.sys
    Timestamp:        Mon May 11 11:13:47 2009 (4A084EBB)
    CheckSum:         0000767D
    ImageSize:        00008000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
87fca000 87ff7000   rdyboost   (pdb symbols)          c:\symbols\rdyboost.pdb\53BB42ABE1404332962CA2AEA8301D331\rdyboost.pdb
    Loaded symbol image file: rdyboost.sys
    Image path: \SystemRoot\System32\drivers\rdyboost.sys
    Image name: rdyboost.sys
    Timestamp:        Sat Nov 20 03:00:07 2010 (4CE78E17)
    CheckSum:         000394EA
    ImageSize:        0002D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8ca08000 8ca49000   rdbss      (pdb symbols)          c:\symbols\rdbss.pdb\A65B6296E0414A128A1951A1350D32C02\rdbss.pdb
    Loaded symbol image file: rdbss.sys
    Image path: \SystemRoot\system32\DRIVERS\rdbss.sys
    Image name: rdbss.sys
    Timestamp:        Sat Nov 20 02:42:44 2010 (4CE78A04)
    CheckSum:         000464DE
    ImageSize:        00041000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8ca49000 8ca53000   nsiproxy   (pdb symbols)          c:\symbols\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
    Loaded symbol image file: nsiproxy.sys
    Image path: \SystemRoot\system32\drivers\nsiproxy.sys
    Image name: nsiproxy.sys
    Timestamp:        Mon Jul 13 18:12:08 2009 (4A5BBF48)
    CheckSum:         0000939B
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8ca53000 8ca5d000   mssmbios   (pdb symbols)          c:\symbols\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
    Loaded symbol image file: mssmbios.sys
    Image path: \SystemRoot\system32\drivers\mssmbios.sys
    Image name: mssmbios.sys
    Timestamp:        Mon Jul 13 18:19:25 2009 (4A5BC0FD)
    CheckSum:         0000B8F6
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8ca5d000 8ca69000   discache   (pdb symbols)          c:\symbols\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
    Loaded symbol image file: discache.sys
    Image path: \SystemRoot\System32\drivers\discache.sys
    Image name: discache.sys
    Timestamp:        Mon Jul 13 18:24:04 2009 (4A5BC214)
    CheckSum:         0000EDA3
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8ca69000 8cacd000   csc        (pdb symbols)          c:\symbols\csc.pdb\A6CAEC9D41C74DECA0E523C20AAB9A4F2\csc.pdb
    Loaded symbol image file: csc.sys
    Image path: \SystemRoot\system32\drivers\csc.sys
    Image name: csc.sys
    Timestamp:        Sat Nov 20 02:44:32 2010 (4CE78A70)
    CheckSum:         00065355
    ImageSize:        00064000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
8cacd000 8cae5000   dfsc       (pdb symbols)          c:\symbols\dfsc.pdb\52BC36B80CED4847964EF156BC67E96E1\dfsc.pdb
    Loaded symbol image file: dfsc.sys
    Image path: \SystemRoot\System32\Drivers\dfsc.sys
    Image name: dfsc.sys
    Timestamp:        Sat Nov 20 02:42:32 2010 (4CE789F8)
    CheckSum:         00015073
    ImageSize:        00018000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
...
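A small parser for the lmvk listing above, added here as an example and not part of the answer. It turns each module entry into a record and runs the checks a defender would want when triaging a kernel module list: every module sits at or above the 0x80000000 user/kernel split from the question, the listed range agrees with the module's own ImageSize, no two ranges overlap, and modules for which no symbols resolved are flagged for a closer look. The sample text is constructed from three entries copied in the shape of the listing plus one deliberately inconsistent entry (sample_constructed) that is not from the page.

```python
"""Parse LiveKd/WinDbg `lmvk` output and sanity-check the kernel module map."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

USER_KERNEL_BOUNDARY = 0x80000000  # default 2GB/2GB split on 32-bit x86

# Module header: "<start> <end> <name> (pdb symbols) <pdb path>" or "(no symbols)"
_HEADER = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+\((.*?)\)")
# Indented detail lines: "    Key:   value"
_DETAIL = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")


@dataclass
class KernelModule:
    start: int
    end: int
    name: str
    symbols: str                      # "pdb symbols" or "no symbols"
    details: dict = field(default_factory=dict)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_lmvk(text: str) -> list[KernelModule]:
    modules: list[KernelModule] = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            modules.append(KernelModule(int(m.group(1), 16), int(m.group(2), 16),
                                        m.group(3), m.group(4)))
            continue
        d = _DETAIL.match(line)
        if d and modules:   # detail lines belong to the most recent header
            modules[-1].details[d.group(1).strip()] = d.group(2).strip()
    return modules


def audit(modules: list[KernelModule]) -> list[str]:
    """Return human-readable findings; an empty list means the map looks consistent."""
    findings = []
    for mod in modules:
        if mod.start < USER_KERNEL_BOUNDARY:
            findings.append(f"{mod.name}: loaded below the user/kernel split at {mod.start:#010x}")
        declared = mod.details.get("ImageSize")
        if declared is not None and int(declared, 16) != mod.size:
            findings.append(f"{mod.name}: range size {mod.size:#x} != ImageSize {declared}")
        if mod.symbols == "no symbols":
            # No PDB resolved: verify the image on disk before trusting it.
            findings.append(f"{mod.name}: no symbols; verify {mod.details.get('Image path', '?')}")
    ordered = sorted(modules, key=lambda m: m.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start < a.end:
            findings.append(f"{a.name} and {b.name} overlap")
    return findings


# Constructed sample: three entries in the shape of the listing above, plus a
# deliberately inconsistent fourth entry that is NOT from the page.
SAMPLE_LMVK = r"""kd> lmvk
start    end        module name
80bd5000 80bdd000   kdcom      (pdb symbols)          c:\symbols\kdcom.pdb\F48BD9BC030C43D89689518F892586901\kdcom.pdb
    Loaded symbol image file: kdcom.dll
    Image path: kdcom.dll
    Timestamp:        Mon Jul 13 20:08:58 2009 (4A5BDAAA)
    ImageSize:        00008000
82816000 82c28000   nt         (pdb symbols)          c:\symbols\ntkrpamp.pdb\CE18EBF87B6A4C5CBF77806534BD94782\ntkrpamp.pdb
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    ImageSize:        00412000
    FileVersion:      6.1.7601.17727 (win7sp1_gdr.111118-2330)
878ce000 878d5000   intelide   (no symbols)
    Loaded symbol image file: intelide.sys
    Image path: \SystemRoot\system32\drivers\intelide.sys
    ImageSize:        00007000
87fd0000 87fd8000   sample_constructed (no symbols)
    Image path: \SystemRoot\system32\drivers\sample_constructed.sys
    ImageSize:        0000A000
"""

if __name__ == "__main__":
    for finding in audit(parse_lmvk(SAMPLE_LMVK)):
        print(finding)
```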

If you have windbg installed, open a command prompt and execute

C:>cdb -c "!address;.attach -k;g;!address;.detach;q" calc

    0:000> cdb: Reading initial command '!address;.attach -k;g;!address;.detach;q'

      BaseAddr EndAddr+1 RgnSize     Type       State                 Protect             Usage
    -------------------------------------------------------------------------------------------
    *        0    10000    10000             MEM_FREE    PAGE_NOACCESS                      Free
    *    10000    12000     2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified>
    *    12000    20000     e000             MEM_FREE    PAGE_NOACCESS                      Free
    *    20000    21000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified>

    snip--------------------------------
PAGE_NOACCESS                      Free
    * 7ffb0000 7ffd4000    24000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "PageFile"
    * 7ffd4000 7ffdc000     8000             MEM_FREE    PAGE_NOACCESS                      Free
    * 7ffdc000 7ffdd000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB [35c]
    * 7ffdd000 7ffdf000     2000             MEM_FREE    PAGE_NOACCESS                      Free
    * 7ffdf000 7ffe0000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [35c.d0; ~0]
    * 7ffe0000 7ffe1000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      <unclassified>
    |-7ffe1000 7fff0000     f000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS                      <unclassified>

    Attach will occur on next execution
    WARNING: Local kernel debugging requires booting with kernel
    debugging support (/debug or bcdedit -debug on) to work optimally.

      804d7000 - 001f9000
              Usage       KernelSpaceUsageImage
              ImageName   ntkrnlpa.exe

      81ec6000 - 00df0000
              Usage       KernelSpaceUsagePFNDatabase

      82cb6000 - 08000000
              Usage       KernelSpaceUsageNonPagedPool

      a71b7000 - 00004000
              Usage       KernelSpaceUsageKernelStack
              KernelStack 8ab4eda8 : 23c.6a8

snip-----------------------------------------------------------
      ba5a0000 - 00004000
              Usage       KernelSpaceUsageKernelStack
              KernelStack 8a717020 : 4.140

      ba5a4000 - 00004000
              Usage       KernelSpaceUsageKernelStack
              KernelStack 8aac0bd8 : 190.1b8

      bb800000 - 00400000
              Usage       KernelSpaceUsageSessionPool

      bbc00000 - 03400000
              Usage       KernelSpaceUsageSessionView

      bf000000 - 01000000
              Usage       KernelSpaceUsageSessionImage

      c1200000 - 1fe00000
              Usage       KernelSpaceUsageSystemCache

      e1000000 - 16800000
              Usage       KernelSpaceUsagePagedPool

      f7be0000 - 08000000
              Usage       KernelSpaceUsageNonPagedPoolExpansion

    Detached
    quit:

    C:\>

Kernel-mode memory is not process-specific. It is the same for all processes.
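An added example, not part of the answer above: a parser for the two `!address` passes the cdb command produces (the user-mode region table before `.attach -k`, and the kernel-space usage entries after it). It classifies every region by the 2GB boundary from the question, pulls out the PEB and TEB rows, totals kernel usage by type, and maps each kernel stack to its owning pid.tid from the "KernelStack" line. The sample text is constructed from a few rows copied in the shape of the output above.

```python
"""Classify `!address` output into user and kernel space and summarise it."""
from __future__ import annotations
import re
from dataclasses import dataclass

USER_KERNEL_BOUNDARY = 0x80000000  # 2GB/2GB split described in the question

# User-mode table row: "* <base> <end+1> <size> [Type] <State> <Protect> <Usage>"
# The Type column is blank for MEM_FREE rows, hence the optional group.
_USER_ROW = re.compile(
    r"^\s*[*|+\-]*\s*([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"
    r"(?:(MEM_PRIVATE|MEM_MAPPED|MEM_IMAGE)\s+)?(MEM_\w+)\s+(PAGE_\w+)\s+(.*?)\s*$")
# Kernel-space entry header: "<base> - <size>" followed by indented key/value lines
_KERNEL_HDR = re.compile(r"^\s*([0-9a-f]{8}) - ([0-9a-f]{8})\s*$")
_KERNEL_KV = re.compile(r"^\s+(Usage|ImageName|KernelStack)\s+(.*?)\s*$")


@dataclass
class Region:
    base: int
    size: int
    usage: str
    space: str          # "user" or "kernel", derived from the base address
    detail: str = ""    # ImageName / KernelStack line for kernel entries

    @property
    def end(self) -> int:
        return self.base + self.size


def space_of(address: int) -> str:
    return "kernel" if address >= USER_KERNEL_BOUNDARY else "user"


def parse_address_output(text: str) -> list[Region]:
    regions: list[Region] = []
    for line in text.splitlines():
        m = _USER_ROW.match(line)
        if m:
            base, end = int(m.group(1), 16), int(m.group(2), 16)
            regions.append(Region(base, end - base, m.group(7), space_of(base)))
            continue
        k = _KERNEL_HDR.match(line)
        if k:
            base, size = int(k.group(1), 16), int(k.group(2), 16)
            regions.append(Region(base, size, "", space_of(base)))
            continue
        kv = _KERNEL_KV.match(line)
        if kv and regions:  # attach to the most recent kernel entry
            if kv.group(1) == "Usage":
                regions[-1].usage = kv.group(2)
            else:
                regions[-1].detail = f"{kv.group(1)} {kv.group(2)}"
    return regions


def find_usage(regions: list[Region], prefix: str) -> list[Region]:
    return [r for r in regions if r.usage.startswith(prefix)]


def usage_totals(regions: list[Region]) -> dict[str, dict[str, int]]:
    """Bytes per usage, split into the user and kernel halves."""
    totals: dict[str, dict[str, int]] = {"user": {}, "kernel": {}}
    for r in regions:
        totals[r.space][r.usage] = totals[r.space].get(r.usage, 0) + r.size
    return totals


def stack_owners(regions: list[Region]) -> list[tuple[int, int]]:
    """(pid, tid) for each kernel stack, from 'KernelStack <addr> : <pid>.<tid>'."""
    owners = []
    for r in find_usage(regions, "KernelSpaceUsageKernelStack"):
        if r.detail.startswith("KernelStack"):
            pid, tid = r.detail.split(":")[-1].strip().split(".")
            owners.append((int(pid, 16), int(tid, 16)))
    return owners


def check_split(regions: list[Region]) -> list[Region]:
    """Regions that contradict the 2GB/2GB layout: user rows crossing the
    boundary, or KernelSpaceUsage entries that fall below it."""
    return [r for r in regions
            if (r.space == "user" and r.end > USER_KERNEL_BOUNDARY)
            or (r.usage.startswith("KernelSpaceUsage") and r.space != "kernel")]


# Constructed sample in the shape of the two !address passes shown above.
SAMPLE_ADDRESS = """\
  BaseAddr EndAddr+1 RgnSize     Type       State                 Protect             Usage
-------------------------------------------------------------------------------------------
*        0    10000    10000             MEM_FREE    PAGE_NOACCESS                      Free
*    10000    12000     2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unclassified>
* 7ffb0000 7ffd4000    24000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MemoryMappedFile "PageFile"
* 7ffdc000 7ffdd000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB [35c]
* 7ffdf000 7ffe0000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB [35c.d0; ~0]
|-7ffe1000 7fff0000     f000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS                      <unclassified>

  804d7000 - 001f9000
          Usage       KernelSpaceUsageImage
          ImageName   ntkrnlpa.exe

  a71b7000 - 00004000
          Usage       KernelSpaceUsageKernelStack
          KernelStack 8ab4eda8 : 23c.6a8

  ba5a0000 - 00004000
          Usage       KernelSpaceUsageKernelStack
          KernelStack 8a717020 : 4.140

  e1000000 - 16800000
          Usage       KernelSpaceUsagePagedPool
"""
```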

ntoskrnl.exe is not a process in itself. It is the kernel image. Microsoft decided to use the same file format (PE) for the kernel image as it uses for other executables. The kernel image is shared by all processes.