快乐虾
http://blog.csdn.net/lights_joy/
lights@hb165.com
This article applies to:
XP SP3
VS2008
Reposting is welcome, but please keep the author information.
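After removing the items covered earlier, our memory blocks still contain a number of MEM_MAPPED regions, such as this one:

| Base address | Allocation base | Allocation protect | Size | State | Protect | Type |
|---|---|---|---|---|---|---|
| 00140000 | 00140000 | 00000002 PAGE_READONLY | 00001000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED |

MSDN explains the MEM_MAPPED type as follows: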
Indicates that the memory pages within the region are mapped into the view of a section.
Naturally, we want to use GetMappedFileName to see which files are mapped into these memory regions, and doing so shows that the following blocks are indeed file mappings:

| Base address | Allocation base | Allocation protect | Size | State | Protect | Type | Mapped file |
|---|---|---|---|---|---|---|---|
| 00270000 | 00270000 | 00000002 PAGE_READONLY | 00016000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED | \Device\HarddiskVolume3\WINDOWS\system32\unicode.nls |
| 00290000 | 00290000 | 00000002 PAGE_READONLY | 00041000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED | \Device\HarddiskVolume3\WINDOWS\system32\locale.nls |
| 002e0000 | 002e0000 | 00000002 PAGE_READONLY | 00041000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED | \Device\HarddiskVolume3\WINDOWS\system32\sortkey.nls |
| 00330000 | 00330000 | 00000002 PAGE_READONLY | 00006000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED | \Device\HarddiskVolume3\WINDOWS\system32\sorttbls.nls |
| 003b0000 | 003b0000 | 00000002 PAGE_READONLY | 00003000 | 00001000 MEM_COMMIT | 00000002 PAGE_READONLY | 00040000 MEM_MAPPED | \Device\HarddiskVolume3\WINDOWS\system32\ctype.nls |
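So where do the other regions come from?
Calling GetLastError for the error information gives: "error: 000003ee : 文件所在的卷已被外部改变,因此打开的文件不再有效。" (in English: "The volume for a file has been externally altered so that the opened file is no longer valid."). Very strange! In a fit of anger I used UnmapViewOfFile to unmap these memory blocks, and unfortunately the program simply crashed!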
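The walk described above, as an added example that is not the author's code: it lists every committed MEM_MAPPED region and, where GetMappedFileName returns 0, records the GetLastError code instead of unmapping the view. The names `classify_region` and `report_mapped_views` are hypothetical, and the `#else` branch only repeats the winnt.h constants so that the classifier also builds off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>                 /* GetMappedFileNameA; link with psapi.lib */
#else                              /* winnt.h values, so the classifier builds anywhere */
#define MEM_COMMIT 0x00001000UL
#define MEM_MAPPED 0x00040000UL
#endif

typedef enum { R_OTHER, R_FILE_VIEW, R_UNNAMED_VIEW } region_kind;

/* state and type come from MEMORY_BASIC_INFORMATION; name_len is the
   return value of GetMappedFileName (0 means the call failed). */
region_kind classify_region(unsigned long state, unsigned long type,
                            unsigned long name_len)
{
    if (state != MEM_COMMIT || type != MEM_MAPPED) return R_OTHER;
    /* A view of a section with no file behind it (for example one created by
       CreateFileMapping with INVALID_HANDLE_VALUE) has no name to report. */
    return name_len ? R_FILE_VIEW : R_UNNAMED_VIEW;
}

#ifdef _WIN32
/* Walk the address space of hProcess and print every mapped view.
   Returns the number of views for which no file name was obtained. */
int report_mapped_views(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    char name[MAX_PATH];
    unsigned char *p = NULL;
    int unnamed = 0;
    while (VirtualQueryEx(hProcess, p, &mbi, sizeof mbi) == sizeof mbi) {
        DWORD n = 0, err = 0;
        region_kind k;
        if (mbi.State == MEM_COMMIT && mbi.Type == MEM_MAPPED) {
            n = GetMappedFileNameA(hProcess, mbi.BaseAddress, name, sizeof name);
            if (n == 0) err = GetLastError();  /* read before any other API call */
        }
        k = classify_region(mbi.State, mbi.Type, n);
        if (k == R_FILE_VIEW)
            printf("%p file    %s\n", mbi.BaseAddress, name);
        if (k == R_UNNAMED_VIEW) {
            printf("%p no file (error %08lx)\n", mbi.BaseAddress, (unsigned long)err);
            unnamed++;
        }
        p = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return unnamed;
}
#endif
```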
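Let's write some code to query the currently open handles and see whether any of them relate to file mappings:

// ZWQUERYSYSTEMINFORMATION, NTQUERYOBJECT, SYSTEM_HANDLE_INFORMATION,
// OBJECT_ALL_INFORMATION and OBJECT_NAME_INFORMATION are assumed to be
// declared elsewhere; their definitions are not shown here.
void enum_handles(HANDLE hProcess)
{
    // Enumerate the open handles and get their names
    HMODULE hNtDll = NULL; // ntdll.dll handle
    ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
    NTQUERYOBJECT NtQueryObject = NULL;
    SYSTEM_HANDLE_INFORMATION *hInfo = NULL;
    int nNumHandle = 0, i; // number of handles
    NTSTATUS Status;
    ULONG nSize, nCount;
    char cBuffer[0x40000], cInfoBuffer[0x1000];
    OBJECT_ALL_INFORMATION *pInfo;
    OBJECT_NAME_INFORMATION* pName;
    DWORD nId = GetProcessId(hProcess);

    // Get the exported functions
    hNtDll = GetModuleHandleA( "ntdll.dll" );
    if(hNtDll == NULL) return;
    ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( hNtDll, "ZwQuerySystemInformation" );
    NtQueryObject = ( NTQUERYOBJECT )GetProcAddress( hNtDll, "NtQueryObject" );
    if(ZwQuerySystemInformation == NULL || NtQueryObject == NULL) return;

    // Query the handle information
    Status = ZwQuerySystemInformation(SystemHandleInformation,
                                      cBuffer,
                                      0x40000,
                                      &nSize);
    if(NT_SUCCESS(Status))
    {
        // The buffer starts with the handle count, followed by the entries
        nNumHandle = *(PULONG)cBuffer;
        hInfo = (SYSTEM_HANDLE_INFORMATION*)(cBuffer + 4);
        nCount = 0;
        for(i = 0; i < nNumHandle; i++)
        {
            // Keep only the handles that belong to the target process
            if(hInfo[i].ProcessId != nId) continue;
            // The handle value is only meaningful inside the process that owns it,
            // so this call is valid only when hProcess is the current process
            Status = NtQueryObject(hInfo[i].Handle, ObjectAllInformation, cInfoBuffer, 0x1000, &nSize);
            if(NT_SUCCESS(Status))
            {
                pInfo = (OBJECT_ALL_INFORMATION*)cInfoBuffer;
                nCount++;
                // ……………………….
            }
        }
    }
}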
Some material online says that NtQueryObject can make the program crash, but I did not see that happen, which is odd! The code above produces the following handle list:

| Handle | Name | Type |
|---|---|---|
| 0c | \Device\HarddiskVolume5\embed\etools\Debug\bin | File |
| 24c | \BaseNamedObjects\DBWinMutex | Mutant |
| e54 | (null) | Section |
| e60 | \BaseNamedObjects\P???Lx.DAT!Memo | Section |
| e64 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD | File |
| e68 | (null) | Section |
| e94 | (null) | Section |
| e98 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGVR.IMD | File |
| e9c | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGID.IMD | File |
| ea0 | \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527 | Section |
| ea4 | (null) | Section |
| ea8 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD | File |
| eb4 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGC.IMD | File |
| ed0 | \BaseNamedObjects\LocalMutex2341MSPYhld23qwe2527 | Mutant |
| ee4 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGIX.IMD | File |
| ee8 | (null) | Section |
| eec | (null) | Section |
| ef0 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGL.IMD | File |
| ef8 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGS.IMD | File |
| f0c | (null) | Section |
| f10 | (null) | Section |
| f24 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGDX.IMD | File |
| f2c | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD | File |
| f30 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGCF.IMD | File |
| f38 | (null) | Section |
| f3c | \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527 | Section |
| f44 | \BaseNamedObjects\P???Sx.DAT!Memo | Section |
| f5c | \BaseNamedObjects\P???Lx.DAT!Memo | Section |
| f80 | \BaseNamedObjects\P???Lx.DAT!Memo | Section |
| f8c | \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527 | Section |
| f9c | \BaseNamedObjects\GlobalFileMappingTrigramMSPYhld23qwe2527 | Section |
| fb8 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGI.IMD | File |
| fc0 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGR.IMD | File |
| fc4 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGD.IMD | File |
| fd4 | \BaseNamedObjects\P???Sx.DAT!Memo | Section |
| fe4 | \BaseNamedObjects\P???Lx.DAT!Memo | Section |
| ff0 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGT.IMD | File |
| ff4 | \Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\IME\IMSC40A\PINTLGJ.IMD | File |
| ff8 | (null) | Section |
| 1004 | \BaseNamedObjects\CfgMappingMSPYqeuir9hj | Section |
| 100c | \BaseNamedObjects\P???Lx.DAT!Memo | Section |
| 1024 | \BaseNamedObjects\GlobalFileMappingIncmpIdxMSPYhld23qwe2527 | Section |
| 1028 | (null) | |