0

We have tools like objdump, readelf, and dumpbin to show executable file contents.

But when an executable file is loaded into memory (a process is created), the segments in memory are usually different from the segments in the executable file. For example, when loaded, two extra segments, namely stack and heap, are allocated (we overlook details of page mapping here).

Is there a tool that helps show the in-time memory segment/status of a process?

Zachary

1 Answer

2

Windows executables use the Portable Executable format. This format describes sections of memory that are allocated when the process is loaded, and optionally raw data (.text, .data sections) to be loaded into those sections.

Each section will typically have a file offset specifying where in the raw file the data is located, and a Virtual Address at which the data will be loaded. These may or may not resemble each other.

PE Explorer can give you details on the sections (and everything else about a PE file) of an executable.

Immunity Debugger will allow you to attach to a running process and see its memory map.

TheGameiswar
Jonathon Reinhart
  • Thx for late response. I was away for other business. PE is very expensive. I just want to learn program by myself. I am trying to find any free software or embedded tools. By the way, do you know any tool for ELF under Linux? – Zachary Jul 17 '13 at 03:15
  • It seems that Immunity Debugger is for Python language. Not for C/C++! – Zachary Jul 17 '13 at 03:21
  • @Zack Um, not at all. Immunity is for *any* compiled Windows (PE) executable (regardless of language) - it deals with programs at the assembly code level. – Jonathon Reinhart Jul 17 '13 at 03:25
  • @Zack I'm not really sure what you're trying to learn/accomplish. If you just want to learn how to program under Windows or Linux, then I think you're digging in way too deep at this time. – Jonathon Reinhart Jul 17 '13 at 03:26
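
The file-offset versus virtual-address distinction described in the answer, as an added example that is not part of the original posts: a Python sketch that reads the PE section table and maps a relative virtual address (RVA) back to the file offset that backs it, if any. The function names and the header-only sample image are constructed for illustration.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def build_sample() -> bytes:
    """Constructed header-only image: DOS header, PE signature, 3 sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)  # no optional header
    rows = [(b".text", 0x1A00, 0x1000, 0x1C00, 0x0400),    # name, VirtualSize,
            (b".data", 0x0300, 0x3000, 0x0200, 0x2000),    # VirtualAddress,
            (b".bss",  0x4000, 0x4000, 0x0000, 0x0000)]    # SizeOfRawData, PointerToRawData
    sects = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, rp in rows)
    return dos + b"PE\0\0" + coff + sects

def parse_sections(image: bytes):
    """Return [(name, virtual_address, virtual_size, raw_offset, raw_size)]."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < e_lfanew + 24:
        raise ValueError("PE signature or COFF header missing")
    # The 20-byte COFF file header follows the 4-byte signature.
    _mach, nsect, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    if table + nsect * SECTION_SIZE > len(image):
        raise ValueError("section table truncated")
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(
            SECTION_FMT, image, table + i * SECTION_SIZE)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize))
    return out

def rva_to_file_offset(sections, rva):
    """File offset backing an RVA, or None if that memory has no bytes in the file."""
    for _name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return rptr + delta if delta < rsize else None   # None: zero-filled at load
    raise ValueError("RVA outside every section")

if __name__ == "__main__":
    for name, vaddr, vsize, rptr, rsize in parse_sections(build_sample()):
        print(f"{name:8} RVA {vaddr:#07x} size {vsize:#07x}  file {rptr:#07x} size {rsize:#07x}")
```

In the sample, `.bss` occupies memory but has no raw data, and the tail of `.data` beyond its raw size is zero-filled, which is one reason the in-memory layout differs from the file layout.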