Address Space Layout Flashcards

1
Q

Dynamic Linked Libraries (DLLs)

A

This area represents shared libraries (DLLs) that were loaded into address space, either intentionally by the process or forcefully through library injection.

2
Q

Environmental Variables

A

This range of memory stores the process’s environment variables, such as its executable paths, temporary directories, home folders, and so on.

3
Q

Process Environment Block (PEB)

A

An extremely useful structure that tells you where to find several of the other items in this list, including DLLs, heaps, and environment variables. It also contains the process’s command-line arguments, its current working directory, and its standard handles.

4
Q

Process heaps

A

Where you can find a majority of dynamic input that the process receives. For example, variable-length text that you type into e-mail or documents is often placed on the heap, as is data sent or received over network sockets.

5
Q

Thread Stacks

A

Each thread has a dedicated range of process memory set aside for its runtime stack. This is where you can find function arguments, return addresses (allowing you to reconstruct call history), and local variables.

6
Q

Mapped Files and Application Data

A

This item is left intentionally vague because the content really depends on the process. Mapped files represent content from files on disk, which could be configuration data, documents, and so on. Application data is anything the process needs to perform its intended duties.

7
Q

Executable

A

The process executable contains the primary body of code and read/write variables for the application. This data may be compressed or encrypted on disk, but once loaded into memory, it unpacks, enabling you to dump plain-text code back to disk.
