I am trying to learn more about how to read process memory. I opened the "entire memory" of the Firefox process in WinHex and saw the following hex values starting at offset 10000:
00 00 00 00 00 00 00 00 ec 6b 3f 80 0c 6d 00 01 ee ff ee ff 01 00 00 00
My question is: is it possible for a human to interpret this without further knowledge? Are these pointers or values? Is there anything common to different programs created by different compilers with regard to process memory, apart from things like endianness? Why does it start with lots of zeroes; isn't that an odd way to start using the space?
Obviously, you can't "without further knowledge". You do know a whole lot from the fact that it's Windows. For starters, you know that the executable gets its own view of memory, and in that virtual view the executable is loaded at its preferred starting address (as stated in the PE header of the exe).
The start at 0x00010000 is a compatibility thing with MS-DOS (yes, the 16-bit OS) - the first 64KB are reserved and are never valid addresses. Pages below 0x00400000 (4MB) are reserved by the OS, and in general this differs between OS versions.
A common data structure in that range is the Process Environment Block. With the WinDbg tool and the Microsoft symbol server, you can figure out whether the Process Environment Block is indeed located at offset 0x10000, and what its contents mean.
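Decoding the dump from the question the way the answer suggests, as an added example that is not part of the original post: the 24 bytes are read as little-endian 32-bit values and each one is checked against the address ranges the answer describes. The 2GB user/kernel split used below is an assumption about a default 32-bit process.

```python
import struct

# Constructed from the dump quoted in the question (24 bytes at offset 0x10000).
DUMP_HEX = "00 00 00 00 00 00 00 00 ec 6b 3f 80 0c 6d 00 01 ee ff ee ff 01 00 00 00"
DUMP_OFFSET = 0x10000

# Ranges taken from the answer: the first 64KB are never valid addresses and
# pages below 4MB are reserved by the OS. The 2GB user/kernel split is an
# assumption about a default 32-bit process (no /3GB, not large-address-aware).
NEVER_VALID_END = 0x00010000
OS_RESERVED_END = 0x00400000
USER_SPACE_END = 0x80000000


def parse_dump(hex_text: str) -> bytes:
    """Turn a WinHex-style space-separated hex dump into raw bytes."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def to_dwords(raw: bytes) -> list[int]:
    """Split the bytes into little-endian unsigned 32-bit values (x86 byte order)."""
    count = len(raw) // 4
    return list(struct.unpack("<%dI" % count, raw[: count * 4]))


def classify(value: int) -> str:
    """Say what a 32-bit value could plausibly be, using only the address-range facts."""
    if value == 0:
        return "zero (padding, NULL or an unused field)"
    if value < NEVER_VALID_END:
        return "small integer (below 64KB, never a valid address)"
    if value < OS_RESERVED_END:
        return "integer or pointer into the OS-reserved low 4MB"
    if value < USER_SPACE_END:
        return "plausible user-mode pointer"
    return "not a user-mode pointer (above 2GB): flag, signature or large integer"


def annotate(hex_text: str, base: int) -> list[tuple[int, int, str]]:
    """Return (offset, value, interpretation) for each 32-bit slot in the dump."""
    dwords = to_dwords(parse_dump(hex_text))
    return [(base + 4 * i, v, classify(v)) for i, v in enumerate(dwords)]


if __name__ == "__main__":
    for off, val, what in annotate(DUMP_HEX, DUMP_OFFSET):
        print(f"{off:08x}: {val:08x}  {what}")
```

Running it shows which slots of the dump can be pointers at all and which cannot, which is the first filter to apply before confirming the structure with WinDbg and symbols.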