w3hello.com logo
Home PHP C# C++ Android Java Javascript Python IOS SQL HTML videos Categories
Windbg memory map?

!address displays exactly this information. It works in both user mode and kernel mode. Example for user mode process:


0:000> !address


        BaseAddress      EndAddress+1        RegionSize     Type      
State                 Protect             Usage
------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000            
MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE
MEM_COMMIT  PAGE_READONLY                      Other      [User Shared
Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE
MEM_RESERVE                                    
+        0`7fff0000       db`475a0000       da`c75b0000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`475a0000       db`475b0000        0`00010000 MEM_MAPPED 
MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 1; Handle:
000000db475a0000; Type: Segment]
+       db`475b0000       db`475c0000        0`00010000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`475c0000       db`475cf000        0`0000f000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      Other      [API Set Map]
+       db`475cf000       db`475d0000        0`00001000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`475d0000       db`475d1000        0`00001000 MEM_PRIVATE
MEM_RESERVE                                    Stack      [~0; 2a7c.19a8]
        db`475d1000       db`475d4000        0`00003000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 2a7c.19a8]
        db`475d4000       db`476d0000        0`000fc000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 2a7c.19a8]
+       db`476d0000       db`476d4000        0`00004000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      Other      [System Default
Activation Context Data]
+       db`476d4000       db`476e0000        0`0000c000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`476e0000       db`476e1000        0`00001000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      Other      [Activation
Context Data]
+       db`476e1000       db`476f0000        0`0000f000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`476f0000       db`476f2000        0`00002000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE                     
+       db`476f2000       db`47700000        0`0000e000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`47700000       db`4777e000        0`0007e000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      MappedFile
"DeviceHarddiskVolume2WindowsSystem32locale.nls"
+       db`4777e000       db`478c0000        0`00142000            
MEM_FREE    PAGE_NOACCESS                      Free
+       db`478c0000       db`478c6000        0`00006000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 0; Handle:
000000db478c0000; Type: Segment]
        db`478c6000       db`479bf000        0`000f9000 MEM_PRIVATE
MEM_RESERVE                                    Heap       [ID: 0; Handle:
000000db478c0000; Type: Segment]
        db`479bf000       db`479c0000        0`00001000 MEM_PRIVATE
MEM_RESERVE                                    
+       db`479c0000     7ff7`3e0a0000     7f1b`f66e0000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e0a0000     7ff7`3e0a5000        0`00005000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      Other      [Read Only Shared
Memory]
      7ff7`3e0a5000     7ff7`3e1a0000        0`000fb000 MEM_MAPPED 
MEM_RESERVE                                    MappedFile "PageFile"
+     7ff7`3e1a0000     7ff7`3e1c3000        0`00023000 MEM_MAPPED 
MEM_COMMIT  PAGE_READONLY                      Other      [NLS Tables]
+     7ff7`3e1c3000     7ff7`3e1c8000        0`00005000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1c8000     7ff7`3e1c9000        0`00001000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE                     PEB        [2a7c]
+     7ff7`3e1c9000     7ff7`3e1ce000        0`00005000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1ce000     7ff7`3e1d0000        0`00002000 MEM_PRIVATE
MEM_COMMIT  PAGE_READWRITE                     TEB        [~0; 2a7c.19a8]
+     7ff7`3e1d0000     7ff7`3f0f0000        0`00f20000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3f0f0000     7ff7`3f0f1000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
      7ff7`3f0f1000     7ff7`3f11d000        0`0002c000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [cmd; "cmd.exe"]
      7ff7`3f11d000     7ff7`3f11e000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [cmd; "cmd.exe"]
      7ff7`3f11e000     7ff7`3f13a000        0`0001c000 MEM_IMAGE  
MEM_COMMIT  PAGE_WRITECOPY                     Image      [cmd; "cmd.exe"]
      7ff7`3f13a000     7ff7`3f14b000        0`00011000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
+     7ff7`3f14b000     7ffd`07920000        5`c87d5000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07920000     7ffd`07921000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE;
"C:Windowssystem32KERNELBASE.dll"]
      7ffd`07921000     7ffd`07a0e000        0`000ed000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNELBASE;
"C:Windowssystem32KERNELBASE.dll"]
      7ffd`07a0e000     7ffd`07a11000        0`00003000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [KERNELBASE;
"C:Windowssystem32KERNELBASE.dll"]
      7ffd`07a11000     7ffd`07a12000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNELBASE;
"C:Windowssystem32KERNELBASE.dll"]
      7ffd`07a12000     7ffd`07a2f000        0`0001d000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE;
"C:Windowssystem32KERNELBASE.dll"]
+     7ffd`07a2f000     7ffd`07c60000        0`00231000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07c60000     7ffd`07c61000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32;
"C:Windowssystem32KERNEL32.DLL"]
      7ffd`07c61000     7ffd`07d73000        0`00112000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNEL32;
"C:Windowssystem32KERNEL32.DLL"]
      7ffd`07d73000     7ffd`07d74000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [KERNEL32;
"C:Windowssystem32KERNEL32.DLL"]
      7ffd`07d74000     7ffd`07d75000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNEL32;
"C:Windowssystem32KERNEL32.DLL"]
      7ffd`07d75000     7ffd`07d99000        0`00024000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32;
"C:Windowssystem32KERNEL32.DLL"]
+     7ffd`07d99000     7ffd`08200000        0`00467000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`08200000     7ffd`08201000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`08201000     7ffd`0828f000        0`0008e000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`0828f000     7ffd`08290000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`08290000     7ffd`08294000        0`00004000 MEM_IMAGE  
MEM_COMMIT  PAGE_WRITECOPY                     Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`08294000     7ffd`0829f000        0`0000b000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`0829f000     7ffd`082a1000        0`00002000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE                       Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
      7ffd`082a1000     7ffd`082a7000        0`00006000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt;
"C:Windowssystem32msvcrt.dll"]
+     7ffd`082a7000     7ffd`0a3d0000        0`02129000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`0a3d0000     7ffd`0a3d1000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [ntdll;
"ntdll.dll"]
      7ffd`0a3d1000     7ffd`0a4f9000        0`00128000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [ntdll;
"ntdll.dll"]
      7ffd`0a4f9000     7ffd`0a4fa000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll;
"ntdll.dll"]
      7ffd`0a4fa000     7ffd`0a4fc000        0`00002000 MEM_IMAGE  
MEM_COMMIT  PAGE_WRITECOPY                     Image      [ntdll;
"ntdll.dll"]
      7ffd`0a4fc000     7ffd`0a502000        0`00006000 MEM_IMAGE  
MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll;
"ntdll.dll"]
      7ffd`0a502000     7ffd`0a510000        0`0000e000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [ntdll;
"ntdll.dll"]
      7ffd`0a510000     7ffd`0a511000        0`00001000 MEM_IMAGE  
MEM_COMMIT  PAGE_EXECUTE                       Image      [ntdll;
"ntdll.dll"]
      7ffd`0a511000     7ffd`0a579000        0`00068000 MEM_IMAGE  
MEM_COMMIT  PAGE_READONLY                      Image      [ntdll;
"ntdll.dll"]
+     7ffd`0a579000     7fff`fffe0000        2`f5a67000            
MEM_FREE    PAGE_NOACCESS                      Free
+     7fff`fffe0000     7fff`ffff0000        0`00010000 MEM_PRIVATE
MEM_RESERVE PAGE_NOACCESS                      





© Copyright 2018 w3hello.com Publishing Limited. All rights reserved.