JIURL玩玩Win2k 地址空间的布局

最新推荐文章于 2022-02-25 19:38:17 发布
最新推荐文章于 2022-02-25 19:38:17 发布
阅读量4.4k 收藏 1
点赞数
文章标签: c 360 thread db2 layout image
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/imquestion/article/details/16425
版权

JIURL玩玩Win2k 地址空间的布局

作者: JIURL

                主页: http://jiurl.yeah.net

    日期: 2003-7-30

    地址空间的布局,每个进程有4G的地址空间,其中低2G是用户地址空间,高2G是系统地址空间。

用户地址空间的布局

    每个进程有自己的用户地址空间(低2G),在用户地址空间中有,进程的环境变量,进程的参数,进程的堆(Heap),进程载入的模组,进程PEB,线程的堆栈(Stack),线程TEB等等。我写了一个叫 JiurlL2gLayoutSee 的程序,可以获得一个指定进程的用户地址空间布局情况。下面是使用 JiurlL2gLayoutSee 获得的一个记事本的用户地址空间布局情况。

NOTEPAD.EXE:

// 通过进程的VAD我们可以了解到进程保留了哪些用户地址空间。
VADs:

#define MEM_IMAGE 0x001
#define MEM_PRIVATE 0x800
#define PAGE_READONLY 0x010
#define PAGE_READWRITE 0x040
#define PAGE_WRITECOPY 0x050
#define PAGE_EXECUTE 0x020
#define PAGE_EXECUTE_READ 0x030
#define PAGE_EXECUTE_READWRITE 0x060
#define PAGE_EXECUTE_WRITECOPY 0x070

0x00010000 - 0x00011000 Flags= 0xc40
0x00020000 - 0x00021000 Flags= 0xc40
0x00030000 - 0x00070000 Flags= 0x840
0x00070000 - 0x00170000 Flags= 0x840
0x00170000 - 0x00180000 Flags= 0x040
0x00180000 - 0x00196000 Flags= 0x010
0x001a0000 - 0x001cf000 Flags= 0x010
0x001d0000 - 0x00211000 Flags= 0x010
0x00220000 - 0x00224000 Flags= 0x010
0x00230000 - 0x00271000 Flags= 0x010
0x00280000 - 0x00348000 Flags= 0x034
0x00350000 - 0x00393000 Flags= 0x014
0x003a0000 - 0x006a0000 Flags= 0x034
0x006a0000 - 0x006a1000 Flags= 0xc44
0x006b0000 - 0x006b1000 Flags= 0xc44
0x006c0000 - 0x006d0000 Flags= 0x840
0x006d0000 - 0x006d2000 Flags= 0x010
0x006e0000 - 0x006e1000 Flags= 0x040
0x006f0000 - 0x00770000 Flags= 0x840
0x00770000 - 0x00780000 Flags= 0x840
0x00780000 - 0x00b80000 Flags= 0x840
0x00b90000 - 0x00b91000 Flags= 0xc44
0x00bb0000 - 0x00bc2000 Flags= 0xc44
0x00bd0000 - 0x00bd5000 Flags= 0xc44
0x00be0000 - 0x00be5000 Flags= 0x010
0x00bf0000 - 0x00c30000 Flags= 0x840
0x00d40000 - 0x00d5c000 Flags= 0x071
0x00d60000 - 0x00d70000 Flags= 0x840
0x00d70000 - 0x00dc3000 Flags= 0x071
0x00dd0000 - 0x00de0000 Flags= 0x840
0x00de0000 - 0x00f84000 Flags= 0x040
0x01000000 - 0x01010000 Flags= 0x071
0x01010000 - 0x011f0000 Flags= 0x010
0x011f0000 - 0x01201000 Flags= 0x010
0x01210000 - 0x01310000 Flags= 0x840
0x10000000 - 0x10019000 Flags= 0x071
0x6dd30000 - 0x6dd36000 Flags= 0x071
0x75e00000 - 0x75e1a000 Flags= 0x071
0x76af0000 - 0x76b2e000 Flags= 0x071
0x77560000 - 0x777a0000 Flags= 0x071
0x777c0000 - 0x777dd000 Flags= 0x071
0x77990000 - 0x77a25000 Flags= 0x071
0x77a30000 - 0x77b24000 Flags= 0x071
0x77b30000 - 0x77bba000 Flags= 0x071
0x77c50000 - 0x77c9a000 Flags= 0x071
0x77ca0000 - 0x77d20000 Flags= 0x071
0x77d20000 - 0x77d8f000 Flags= 0x071
0x77d90000 - 0x77dea000 Flags= 0x071
0x77df0000 - 0x77e54000 Flags= 0x071
0x77e60000 - 0x77f35000 Flags= 0x071
0x77f40000 - 0x77f7c000 Flags= 0x071
0x77f80000 - 0x77ff9000 Flags= 0x071
0x78000000 - 0x78046000 Flags= 0x071
0x7f6f0000 - 0x7f7f0000 Flags= 0x034
0x7ffa0000 - 0x7ffd3000 Flags= 0x014
0x7ffdd000 - 0x7ffde000 Flags= 0xc64
0x7ffde000 - 0x7ffdf000 Flags= 0xc64
0x7ffdf000 - 0x7ffe0000 Flags= 0xc64

// 布局情况
Layout:

// 环境变量
0x00010000 - 0x00011000 Environment

// 进程参数
0x00020000 - 0x00021000 ProcessParameters

// 进程堆
0x00070000 - 0x00170000 ProcessHeap 0
0x00170000 - 0x00270000 ProcessHeap 1
0x006c0000 - 0x007c0000 ProcessHeap 2
0x00770000 - 0x00870000 ProcessHeap 3
0x00d60000 - 0x00e60000 ProcessHeap 4
0x00dd0000 - 0x00ed0000 ProcessHeap 5

// 进程载入的模组,以及模组中的各节
0x00d70000 - 0x00dc3000 upengine.dll
0x00d71000 - 0x00d8b000 .text
0x00d8b000 - 0x00da0000 .rdata
0x00da0000 - 0x00db2000 .data
0x00db2000 - 0x00db3000 .idata
0x00db3000 - 0x00dbf000 .share_d
0x00dbf000 - 0x00dc1000 .rsrc
0x00dc1000 - 0x00dc3000 .reloc

0x00d40000 - 0x00d5c000 unispim.ime
0x00d41000 - 0x00d4e000 .text
0x00d4e000 - 0x00d51000 .rdata
0x00d51000 - 0x00d55000 .data
0x00d55000 - 0x00d56000 .SharedD
0x00d56000 - 0x00d5a000 .rsrc
0x00d5a000 - 0x00d5c000 .reloc

0x77ca0000 - 0x77d20000 CLBCATQ.DLL
0x77ca1000 - 0x77d0f000 .text
0x77d0f000 - 0x77d19000 .data
0x77d19000 - 0x77d1b000 .rsrc
0x77d1b000 - 0x77d20000 .reloc

0x77990000 - 0x77a25000 OLEAUT32.DLL
0x77991000 - 0x77a16000 .text
0x77a16000 - 0x77a1d000 .data
0x77a1d000 - 0x77a1e000 .rsrc
0x77a1e000 - 0x77a25000 .reloc

0x77a30000 - 0x77b24000 OLE32.DLL
0x77a31000 - 0x77b08000 .text
0x77b08000 - 0x77b11000 .orpc
0x77b11000 - 0x77b17000 .data
0x77b17000 - 0x77b19000 .rsrc
0x77b19000 - 0x77b24000 .reloc

0x6dd30000 - 0x6dd36000 INDICDLL.dll
0x6dd31000 - 0x6dd33000 .text
0x6dd33000 - 0x6dd34000 .data
0x6dd34000 - 0x6dd35000 .rsrc
0x6dd35000 - 0x6dd36000 .reloc

0x10000000 - 0x10019000 NVDESK32.DLL
0x10001000 - 0x1000f000 .text
0x1000f000 - 0x10010000 .rdata
0x10010000 - 0x10012000 .data
0x10012000 - 0x10014000 .shared
0x10014000 - 0x10015000 .notshar
0x10015000 - 0x10017000 .rsrc
0x10017000 - 0x10019000 .reloc

0x75e00000 - 0x75e1a000 IMM32.DLL
0x75e01000 - 0x75e13000 .text
0x75e13000 - 0x75e14000 .data
0x75e14000 - 0x75e19000 .rsrc
0x75e19000 - 0x75e1a000 .reloc

0x777c0000 - 0x777dd000 WINSPOOL.DRV
0x777c1000 - 0x777d8000 .text
0x777d8000 - 0x777db000 .data
0x777db000 - 0x777dc000 .rsrc
0x777dc000 - 0x777dd000 .reloc

0x78000000 - 0x78046000 MSVCRT.DLL
0x78001000 - 0x78033000 .text
0x78033000 - 0x7803b000 .rdata
0x7803b000 - 0x78042000 .data
0x78042000 - 0x78043000 .rsrc
0x78043000 - 0x78046000 .reloc

0x77560000 - 0x777a0000 SHELL32.DLL
0x77561000 - 0x7767c000 .text
0x7767c000 - 0x77680000 .data
0x77680000 - 0x77791000 .rsrc
0x77791000 - 0x777a0000 .reloc

0x77b30000 - 0x77bba000 COMCTL32.DLL
0x77b31000 - 0x77b96000 .text
0x77b96000 - 0x77b97000 .data
0x77b97000 - 0x77bb6000 .rsrc
0x77bb6000 - 0x77bba000 .reloc

0x77d20000 - 0x77d8f000 RPCRT4.DLL
0x77d21000 - 0x77d81000 .text
0x77d81000 - 0x77d89000 .orpc
0x77d89000 - 0x77d8a000 .data
0x77d8a000 - 0x77d8b000 .rsrc
0x77d8b000 - 0x77d8f000 .reloc

0x77d90000 - 0x77dea000 ADVAPI32.DLL
0x77d91000 - 0x77de1000 .text
0x77de1000 - 0x77de4000 .data
0x77de4000 - 0x77de6000 .rsrc
0x77de6000 - 0x77dea000 .reloc

0x77df0000 - 0x77e54000 USER32.DLL
0x77df1000 - 0x77e48000 .text
0x77e48000 - 0x77e49000 .data
0x77e49000 - 0x77e51000 .rsrc
0x77e51000 - 0x77e54000 .reloc

0x77e60000 - 0x77f35000 KERNEL32.DLL
0x77e61000 - 0x77ebf000 .text
0x77ebf000 - 0x77ec1000 .data
0x77ec1000 - 0x77f31000 .rsrc
0x77f31000 - 0x77f35000 .reloc

0x77f40000 - 0x77f7c000 GDI32.DLL
0x77f41000 - 0x77f78000 .text
0x77f78000 - 0x77f79000 .data
0x77f79000 - 0x77f7a000 .rsrc
0x77f7a000 - 0x77f7c000 .reloc

0x77c50000 - 0x77c9a000 SHLWAPI.DLL
0x77c51000 - 0x77c94000 .text
0x77c94000 - 0x77c95000 .data
0x77c95000 - 0x77c97000 .rsrc
0x77c97000 - 0x77c9a000 .reloc

0x76af0000 - 0x76b2e000 comdlg32.dll
0x76af1000 - 0x76b1b000 .text
0x76b1b000 - 0x76b1f000 .data
0x76b1f000 - 0x76b2b000 .rsrc
0x76b2b000 - 0x76b2e000 .reloc

0x77f80000 - 0x77ff9000 ntdll.dll
0x77f81000 - 0x77fc4000 .text
0x77fc4000 - 0x77fc9000 ECODE
0x77fc9000 - 0x77fcd000 PAGE
0x77fcd000 - 0x77fd0000 .data
0x77fd0000 - 0x77ff7000 .rsrc
0x77ff7000 - 0x77ff9000 .reloc

0x01000000 - 0x01010000 NOTEPAD.EXE
0x01001000 - 0x01008000 .text
0x01008000 - 0x0100a000 .data
0x0100a000 - 0x01010000 .rsrc

// 进程PEB
0x7ffdf000 - 0x7ffe0000 PEB

// 线程堆栈(Stack),以及线程TEB
0x0006a000 - 0x00070000 Stack Thread 0x118
0x7ffde000 - 0x7ffdf000 TEB Thread 0x118

0x00c2f000 - 0x00c30000 Stack Thread 0x2a8
0x7ffdd000 - 0x7ffde000 TEB Thread 0x2a8


系统地址空间的布局

    所有进程的系统地址空间中的内容,大部分是一样的。系统地址空间中有,系统代码,当前进程的页表,当前进程的页目录,当前进程的 Working Set,Paged pool (可以被换出物理内存的系统堆),Nonpaged pool (不能被换出物理内存的系统堆,NonPagedPool 有两部分,一部分位于系统地址空间的低处,一部分位于系统地址空间的高处),驱动程序等等。

下面我们来看一看当前我的系统地址空间的大概布局

HAL.dll 0x80001000 - 0x80011220

ntoskrnl.exe 0x80400000 - 0x80590900

MmNonPagedPoolStart 8103e000

win32k.sys 0xa0000000 - 0xa01a6000

当前进程的页表,页目录 0xc0000000 - 0xc03fffff

MmSystemCacheStart c1000000
MmSystemCacheEnd e0ffffff

MmPagedPoolStart e1000000
MmPagedPoolEnd e77fffff

MmNonPagedSystemStart e7800000

MmNonPagedPoolExpansionStart fcd6c000
MmNonPagedPoolEnd ffbe0000

其中 MmNonPagedPoolStart,MmSystemCacheStart,MmSystemCacheEnd,MmPagedPoolStart,MmPagedPoolEnd,MmNonPagedSystemStart,MmNonPagedPoolEnd 是全局变量,使用 kd 我们可以得到这些全局变量的值。

kd> dd MmNonPagedPoolStart l 1
dd MmNonPagedPoolStart l 1
8047e750 8103e000

kd> dd MmSystemCacheStart l 1
dd MmSystemCacheStart l 1
8046ac00 c1000000

kd> dd MmSystemCacheEnd l 1
dd MmSystemCacheEnd l 1
8047efd8 e0ffffff

kd> dd MmPagedPoolStart l 1
dd MmPagedPoolStart l 1
80471038 e1000000

kd> dd MmPagedPoolEnd l 1
dd MmPagedPoolEnd l 1
8047e738 e77fffff

kd> dd MmNonPagedSystemStart l 1
dd MmNonPagedSystemStart l 1
8047f62c e7800000

kd> dd MmNonPagedPoolExpansionStart l 1
dd MmNonPagedPoolExpansionStart l 1
8047e8dc fcd6c000

kd> dd MmNonPagedPoolEnd l 1
dd MmNonPagedPoolEnd l 1
8046a85c ffbe0000

我写了一个叫 JiurlSystemModulesSee 的程序,可以获得系统地址空间载入的模组的信息。系统地址空间中载入的模组包括,ntoskrnl.exe,hal.dll,win32k.sys 以及驱动程序。

// 当前我的系统地址空间中载入的模组,以及模组中的各节
0x80400000 - 0x80590900 ntoskrnl.exe
0x804004c0 - 0x80466c69 .text
0x80466c80 - 0x804677df POOLCODE
0x80467800 - 0x80468a10 POOLMI
0x80468a40 - 0x8046912c MISYSPTE
0x80469140 - 0x80480ba4 .data
0x80480bc0 - 0x8048c2f8 PAGELK
0x8048c300 - 0x8052c481 PAGE
0x8052c4c0 - 0x8053275f PAGEVRFY
0x80532780 - 0x80535b39 PAGEKD
0x80535b40 - 0x80538430 PAGEHYDR
0x80538440 - 0x80538e4c PAGESPEC
0x80538e80 - 0x80541f87 .edata
0x80541fc0 - 0x80542cec PAGE
0x80542d00 - 0x80543090 PAGEVRFY
0x805430c0 - 0x805470e0 PAGEKD
0x80547100 - 0x805471ac PAGELK
0x805471c0 - 0x80569020 INIT
0x80569040 - 0x80583dd0 .rsrc
0x80583e00 - 0x805908c8 .reloc

0x80001000 - 0x80011220 hal.dll
0x80001340 - 0x80007835 .text
0x80007840 - 0x80008fb0 .data
0x80008fc0 - 0x8000a93b PAGELK
0x8000a940 - 0x8000a998 PAGELK16
0x8000a9a0 - 0x8000cecc PAGE
0x8000cee0 - 0x8000da93 .edata
0x8000daa0 - 0x80010298 INIT
0x800102a0 - 0x80010670 .rsrc
0x80010680 - 0x80011204 .reloc

0xf0810000 - 0xf0813000 BOOTVID.DLL
0xf08102c0 - 0xf08118d4 .text
0xf08118e0 - 0xf081226c .data
0xf0812280 - 0xf08123d8 .edata
0xf08123e0 - 0xf0812514 INIT
0xf0812520 - 0xf08128d0 .rsrc
0xf08128e0 - 0xf0812a04 .reloc

0xfcd43000 - 0xfcd6b000 ACPI.sys
0xfcd43320 - 0xfcd59ac4 .text
0xfcd59ae0 - 0xfcd5a3c0 .rdata
0xfcd5a3c0 - 0xfcd5c6b4 .data
0xfcd5c6c0 - 0xfcd66c74 PAGE
0xfcd66c80 - 0xfcd67091 PAGE
0xfcd670a0 - 0xfcd681e2 INIT
0xfcd68200 - 0xfcd68a18 .rsrc
0xfcd68a20 - 0xfcd6ab30 .reloc

0xf09c8000 - 0xf09c9000 WMILIB.SYS
0xf09c82e0 - 0xf09c84cd .text
0xf09c84e0 - 0xf09c8570 .rdata
0xf09c8580 - 0xf09c89e3 PAGE
0xf09c8a00 - 0xf09c8a82 .edata
0xf09c8aa0 - 0xf09c8b58 INIT
0xf09c8b60 - 0xf09c8f30 .rsrc
0xf09c8f40 - 0xf09c8f80 .reloc

0xf0400000 - 0xf040f000 pci.sys
0xf04002e0 - 0xf040346a .text
0xf0403480 - 0xf0403868 .rdata
0xf0403880 - 0xf0403e70 .data
0xf0403e80 - 0xf040b891 PAGE
0xf040b8a0 - 0xf040ca8a INIT
0xf040caa0 - 0xf040db18 .rsrc
0xf040db20 - 0xf040e33a .reloc

0xf0410000 - 0xf041c000 isapnp.sys
0xf04102e0 - 0xf0413ae2 .text
0xf0413b00 - 0xf0413d88 .rdata
0xf0413da0 - 0xf04140d4 .data
0xf04140e0 - 0xf0419a64 PAGE
0xf0419a80 - 0xf041a272 INIT
0xf041a280 - 0xf041ad28 .rsrc
0xf041ad40 - 0xf041b576 .reloc

0xf09c9000 - 0xf09ca000 intelide.sys
0xf09c92c0 - 0xf09c999a .text
0xf09c99a0 - 0xf09c9a20 .rdata
0xf09c9a20 - 0xf09c9a35 .data
0xf09c9a40 - 0xf09c9ac0 INIT
0xf09c9ac0 - 0xf09c9f00 .rsrc
0xf09c9f00 - 0xf09c9f26 .reloc

0xf0680000 - 0xf0686000 PCIIDEX.SYS
0xf0680340 - 0xf06811d0 NONPAGE
0xf06811e0 - 0xf06814e6 .text
0xf0681500 - 0xf0681968 .rdata
0xf0681980 - 0xf0681b60 .data
0xf0681b60 - 0xf0684611 PAGE
0xf0684620 - 0xf06846c4 .edata
0xf06846e0 - 0xf0684d24 INIT
0xf0684d40 - 0xf0685110 .rsrc
0xf0685120 - 0xf0685494 .reloc

0xf0688000 - 0xf0690000 MountMgr.sys
0xf06882c0 - 0xf06886e4 .text
0xf0688700 - 0xf06888b0 .rdata
0xf06888c0 - 0xf068e08d PAGE
0xf068e0a0 - 0xf068e904 INIT
0xf068e920 - 0xf068ecd8 .rsrc
0xf068ece0 - 0xf068f176 .reloc

0xfcd26000 - 0xfcd43000 ftdisk.sys
0xfcd26300 - 0xfcd2751a .text
0xfcd27520 - 0xfcd27c30 .rdata
0xfcd27c40 - 0xfcd27c54 .data
0xfcd27c60 - 0xfcd33237 PAGE
0xfcd33240 - 0xfcd3efab PAGELK
0xfcd3efc0 - 0xfcd3fce8 INIT
0xfcd3fd00 - 0xfcd40fd8 .rsrc
0xfcd40fe0 - 0xfcd420be .reloc

0xf0900000 - 0xf0902000 Diskperf.sys
0xf09002e0 - 0xf090099c .text
0xf09009a0 - 0xf0900ab0 .rdata
0xf0900ac0 - 0xf0900ad8 .data
0xf0900ae0 - 0xf09012bf PAGE
0xf09012c0 - 0xf09016e2 INIT
0xf0901700 - 0xf0901ac8 .rsrc
0xf0901ae0 - 0xf0901bfc .reloc

0xf0902000 - 0xf0904000 dmload.sys
0xf09022c0 - 0xf0902de0 .text
0xf0902de0 - 0xf0902ec0 .rdata
0xf0902ec0 - 0xf0902ef8 .data
0xf0902f00 - 0xf090314a INIT
0xf0903160 - 0xf0903a90 .rsrc
0xf0903aa0 - 0xf0903b7e .reloc

0xfcd04000 - 0xfcd26000 dmio.sys
0xfcd042c0 - 0xfcd1db9a .text
0xfcd1dba0 - 0xfcd1de40 .rdata
0xfcd1de40 - 0xfcd21978 .data
0xfcd21980 - 0xfcd22416 INIT
0xfcd22420 - 0xfcd23e58 .rsrc
0xfcd23e60 - 0xfcd2521e .reloc

0xf0814000 - 0xf0817000 PartMgr.sys
0xf08142c0 - 0xf08144ea .text
0xf0814500 - 0xf0814640 .rdata
0xf0814640 - 0xf081602a PAGE
0xf0816040 - 0xf0816582 INIT
0xf08165a0 - 0xf0816958 .rsrc
0xf0816960 - 0xf0816b6c .reloc

0xfccef000 - 0xfcd04000 atapi.sys
0xfccef360 - 0xfccf7e98 .text
0xfccf7ea0 - 0xfccf99eb NONPAGE
0xfccf9a00 - 0xfccfa900 .rdata
0xfccfa900 - 0xfccfb630 .data
0xfccfb640 - 0xfccfc61f PAGESCAN
0xfccfc620 - 0xfcd008c5 PAGE
0xfcd008e0 - 0xfcd00b59 PAGE_ATA
0xfcd00b60 - 0xfcd02b0e INIT
0xfcd02b20 - 0xfcd02ed8 .rsrc
0xfcd02ee0 - 0xfcd03ac6 .reloc

0xf0690000 - 0xf0697000 disk.sys
0xf06902e0 - 0xf0692290 .text
0xf06922a0 - 0xf0692830 .rdata
0xf0692840 - 0xf06928d8 .data
0xf06928e0 - 0xf06950c7 PAGE
0xf06950e0 - 0xf06961ee INIT
0xf0696200 - 0xf06965b8 .rsrc
0xf06965c0 - 0xf0696a1e .reloc

0xf0420000 - 0xf0429000 CLASSPNP.SYS
0xf0420300 - 0xf0423b56 .text
0xf0423b60 - 0xf0423d8c .rdata
0xf0423da0 - 0xf0423dc4 .data
0xf0423de0 - 0xf042695f PAGE
0xf0426960 - 0xf042709e .edata
0xf04270a0 - 0xf04279ca INIT
0xf04279e0 - 0xf0427da8 .rsrc
0xf0427dc0 - 0xf042825c .reloc

0xfccca000 - 0xfccef000 Fastfat.sys
0xfccca2e0 - 0xfcccc3c1 .text
0xfcccc3e0 - 0xfcccd29c .rdata
0xfcccd2a0 - 0xfcccd660 .data
0xfcccd660 - 0xfccea9d4 PAGE
0xfccea9e0 - 0xfccec8ba INIT
0xfccec8c0 - 0xfccecc88 .rsrc
0xfccecca0 - 0xfccee038 .reloc

0xfccb9000 - 0xfccca000 KSecDD.sys
0xfccb9360 - 0xfccbe98f .text
0xfccbe9a0 - 0xfccbef7c .rdata
0xfccbef80 - 0xfccc08a0 .data
0xfccc08a0 - 0xfccc3cd0 PAGE
0xfccc3ce0 - 0xfccc7420 PAGEMSG
0xfccc7420 - 0xfccc7863 .edata
0xfccc7880 - 0xfccc8880 PAGER32D
0xfccc8880 - 0xfccc8eca INIT
0xfccc8ee0 - 0xfccc92c8 .rsrc
0xfccc92e0 - 0xfccc9b6e .reloc

0xfcc90000 - 0xfccb9000 NDIS.sys
0xfcc904a0 - 0xfcc9342e .text
0xfcc93440 - 0xfcc93850 .rdata
0xfcc93860 - 0xfcc93d90 .data
0xfcc93da0 - 0xfcc99f74 PAGENPNP
0xfcc99f80 - 0xfcc9f0b3 PAGENDSM
0xfcc9f0c0 - 0xfcca7f10 PAGENDSI
0xfcca7f20 - 0xfccaa475 PAGENDSP
0xfccaa480 - 0xfccab3fc PAGENDSW
0xfccab400 - 0xfccad828 PAGENDCO
0xfccad840 - 0xfccaea97 PAGENDST
0xfccaeaa0 - 0xfccb068e PAGENDSF
0xfccb06a0 - 0xfccb1bbf PAGENDSE
0xfccb1bc0 - 0xfccb2ba9 PAGENDSA
0xfccb2bc0 - 0xfccb55f5 .edata
0xfccb5600 - 0xfccb6190 PAGE
0xfccb61a0 - 0xfccb76e6 INIT
0xfccb7700 - 0xfccb7ab8 .rsrc
0xfccb7ac0 - 0xfccb8e2c .reloc

0xf0430000 - 0xf0439000 ohci1394.sys
0xf04302c0 - 0xf0436fa6 .text
0xf0436fc0 - 0xf0437130 .rdata
0xf0437140 - 0xf0437f9f PAGE
0xf0437fa0 - 0xf043863c INIT
0xf0438640 - 0xf0438a10 .rsrc
0xf0438a20 - 0xf0438dfe .reloc

0xf0440000 - 0xf044b000 1394BUS.SYS
0xf0440300 - 0xf044526f .text
0xf0445280 - 0xf04453c0 .rdata
0xf04453c0 - 0xf0445400 .data
0xf0445400 - 0xf04491c5 PAGE
0xf04491e0 - 0xf0449238 .edata
0xf0449240 - 0xf0449772 INIT
0xf0449780 - 0xf0449b40 .rsrc
0xf0449b40 - 0xf044a08a .reloc

0xfcc7a000 - 0xfcc90000 Mup.sys
0xfcc7a2e0 - 0xfcc7bc88 .text
0xfcc7bca0 - 0xfcc7c1bc .rdata
0xfcc7c1c0 - 0xfcc7dbcc .data
0xfcc7dbe0 - 0xfcc8cdcc PAGE
0xfcc8cde0 - 0xfcc8d9f2 INIT
0xfcc8da00 - 0xfcc8ddc0 .rsrc
0xfcc8ddc0 - 0xfcc8f130 .reloc

0xf0698000 - 0xf069d000 agp440.sys
0xf06982e0 - 0xf0699411 .text
0xf0699420 - 0xf0699540 .rdata
0xf0699540 - 0xf0699554 .data
0xf0699560 - 0xf069c422 PAGE
0xf069c440 - 0xf069c7f6 INIT
0xf069c800 - 0xf069cbb8 .rsrc
0xf069cbc0 - 0xf069cf94 .reloc

0xf0470000 - 0xf047d000 VIDEOPRT.SYS
0xf0470340 - 0xf0471bb2 .text
0xf0471bc0 - 0xf047224c .rdata
0xf0472260 - 0xf04722b8 .data
0xf04722c0 - 0xf04799cf PAGE
0xf04799e0 - 0xf047a62b .edata
0xf047a640 - 0xf047a7e8 PAGE_DAT
0xf047a800 - 0xf047b854 INIT
0xf047b860 - 0xf047bc20 .rsrc
0xf047bc20 - 0xf047c3f4 .reloc

0xf032a000 - 0xf03e0000 nv4_mini.sys
0xf032a340 - 0xf0391472 .text
0xf0391480 - 0xf0391fc9 _NVTEXT3
0xf0391fe0 - 0xf039304c .rdata
0xf0393060 - 0xf03d5ee0 .data
0xf03d5ee0 - 0xf03d996b PAGE
0xf03d9980 - 0xf03dc46a PAGE
0xf03dc480 - 0xf03dcc54 INIT
0xf03dcc60 - 0xf03dd098 .rsrc
0xf03dd0a0 - 0xf03df67a .reloc

0xf06c0000 - 0xf06c7000 fdc.sys
0xf06c02e0 - 0xf06c4972 .text
0xf06c4980 - 0xf06c4b40 .rdata
0xf06c4b40 - 0xf06c4c2a .data
0xf06c4c40 - 0xf06c4d7d PAGE
0xf06c4d80 - 0xf06c5c78 INIT
0xf06c5c80 - 0xf06c6040 .rsrc
0xf06c6040 - 0xf06c6530 .reloc

0xf0480000 - 0xf0490000 serial.sys
0xf0480320 - 0xf0482555 .text
0xf0482560 - 0xf0482700 .rdata
0xf0482700 - 0xf04827f4 .data
0xf0482800 - 0xf0486b66 PAGESRP0
0xf0486b80 - 0xf048a2e8 PAGESER
0xf048a300 - 0xf048c7ba INIT
0xf048c7c0 - 0xf048eaf8 .rsrc
0xf048eb00 - 0xf048f2d4 .reloc

0xf0878000 - 0xf087c000 serenum.sys
0xf0878320 - 0xf0878af6 .text
0xf0878b00 - 0xf0878c50 .rdata
0xf0878c60 - 0xf0878c64 .data
0xf0878c80 - 0xf0879e09 PAGE
0xf0879e20 - 0xf087a9a5 PAGESENM
0xf087a9c0 - 0xf087aeea INIT
0xf087af00 - 0xf087b2c0 .rsrc
0xf087b2c0 - 0xf087b492 .reloc

0xf06d8000 - 0xf06df000 parport.sys
0xf06d82e0 - 0xf06dc346 .text
0xf06dc360 - 0xf06dc948 .rdata
0xf06dc960 - 0xf06dcb40 .data
0xf06dcb40 - 0xf06dcc5b PAGEPARW
0xf06dcc60 - 0xf06dd368 INIT
0xf06dd380 - 0xf06ddd00 .rsrc
0xf06ddd00 - 0xf06de0dc .reloc

0xf0490000 - 0xf049c000 i8042prt.sys
0xf0490300 - 0xf04928aa .text
0xf04928c0 - 0xf04938f0 .rdata
0xf0493900 - 0xf0493d08 .data
0xf0493d20 - 0xf04973bd PAGE
0xf04973c0 - 0xf04987da PAGEMOUC
0xf04987e0 - 0xf049958c INIT
0xf04995a0 - 0xf049b258 .rsrc
0xf049b260 - 0xf049b970 .reloc

0xf06e8000 - 0xf06ee000 mouclass.sys
0xf06e82e0 - 0xf06e9b1a .text
0xf06e9b20 - 0xf06e9cf0 .rdata
0xf06e9d00 - 0xf06ea068 .data
0xf06ea080 - 0xf06eb4a3 PAGE
0xf06eb4c0 - 0xf06ec2ec INIT
0xf06ec300 - 0xf06ecf50 .rsrc
0xf06ecf60 - 0xf06ed3f4 .reloc

0xf06f8000 - 0xf06fe000 kbdclass.sys
0xf06f82e0 - 0xf06f9df2 .text
0xf06f9e00 - 0xf06f9fe0 .rdata
0xf06f9fe0 - 0xf06fa364 .data
0xf06fa380 - 0xf06fbe3b PAGE
0xf06fbe40 - 0xf06fccfa INIT
0xf06fcd00 - 0xf06fd960 .rsrc
0xf06fd960 - 0xf06fde92 .reloc

0xf04a0000 - 0xf04ad000 Cdr4_2K.SYS
0xf04a02c0 - 0xf04ab762 .text
0xf04ab780 - 0xf04ab8e8 .rdata
0xf04ab900 - 0xf04abdfc .data
0xf04abe00 - 0xf04ac41e INIT
0xf04ac420 - 0xf04ac780 .rsrc
0xf04ac780 - 0xf04acccc .reloc

0xf0710000 - 0xf0717000 cdrom.sys
0xf0710360 - 0xf07147ec .text
0xf0714800 - 0xf07149ec .rdata
0xf0714a00 - 0xf0714a2c .data
0xf0714a40 - 0xf071559b PAGE
0xf07155a0 - 0xf07155d9 PAGEHIT2
0xf07155e0 - 0xf0715750 PAGEHITA
0xf0715760 - 0xf0715962 PAGETOSH
0xf0715980 - 0xf071628c INIT
0xf07162a0 - 0xf0716660 .rsrc
0xf0716660 - 0xf07169c4 .reloc

0xf0720000 - 0xf0726000 Cdralw2k.SYS
0xf07202c0 - 0xf0723e94 .text
0xf0723ea0 - 0xf0724064 .rdata
0xf0724080 - 0xf0724210 .data
0xf0724220 - 0xf0724abe INIT
0xf0724ac0 - 0xf0724e40 .rsrc
0xf0724e40 - 0xf0725238 .reloc

0xf0740000 - 0xf0745000 USBD.SYS
0xf0740300 - 0xf074202e .text
0xf0742040 - 0xf07421a0 .rdata
0xf07421a0 - 0xf07423b1 .data
0xf07423c0 - 0xf0743ee9 PAGE
0xf0743f00 - 0xf07443aa .edata
0xf07443c0 - 0xf07448d4 INIT
0xf07448e0 - 0xf0744ca0 .rsrc
0xf0744ca0 - 0xf0744f4a .reloc

0xf0730000 - 0xf0738000 uhcd.sys
0xf07302e0 - 0xf0736014 .text
0xf0736020 - 0xf07361a0 .rdata
0xf07361a0 - 0xf0736208 .data
0xf0736220 - 0xf0736eab PAGE
0xf0736ec0 - 0xf073757a INIT
0xf0737580 - 0xf0737950 .rsrc
0xf0737960 - 0xf0737c70 .reloc

0xf04b0000 - 0xf04be000 mf.sys
0xf04b02e0 - 0xf04b14e8 .text
0xf04b1500 - 0xf04b7b38 .rdata
0xf04b7b40 - 0xf04b99a8 .data
0xf04b99c0 - 0xf04bca07 PAGE
0xf04bca20 - 0xf04bcf16 INIT
0xf04bcf20 - 0xf04bd2d8 .rsrc
0xf04bd2e0 - 0xf04bde4a .reloc

0xf0758000 - 0xf075d000 RTL8139.SYS
0xf0758400 - 0xf075b1af .text
0xf075b200 - 0xf075b2fd .data
0xf075b400 - 0xf075b7ce PAGE
0xf075b800 - 0xf075bda0 INIT
0xf075be00 - 0xf075c3a0 .rsrc
0xf075c400 - 0xf075c668 .reloc

0xf0888000 - 0xf088b000 fsvga.sys
0xf08882c0 - 0xf0889ce4 .text
0xf0889d00 - 0xf0889e2c .rdata
0xf0889e40 - 0xf0889e88 .data
0xf0889ea0 - 0xf088a694 INIT
0xf088a6a0 - 0xf088adf0 .rsrc
0xf088ae00 - 0xf088af3c .reloc

0xf09d6000 - 0xf09d7000 audstub.sys
0xf09d62c0 - 0xf09d6360 .rdata
0xf09d6360 - 0xf09d64ed PAGE
0xf09d6500 - 0xf09d6640 INIT
0xf09d6640 - 0xf09d69f0 .rsrc
0xf09d6a00 - 0xf09d6a3c .reloc

0xf04c0000 - 0xf04cd000 rasl2tp.sys
0xf04c02c0 - 0xf04cafa7 .text
0xf04cafc0 - 0xf04cb0fc .rdata
0xf04cb100 - 0xf04cb2a0 .data
0xf04cb2a0 - 0xf04cbc06 INIT
0xf04cbc20 - 0xf04cc000 .rsrc
0xf04cc000 - 0xf04cc55c .reloc

0xf0890000 - 0xf0893000 ndistapi.sys
0xf08902e0 - 0xf0891490 .text
0xf08914a0 - 0xf089159c .rdata
0xf08915a0 - 0xf08915f4 .data
0xf0891600 - 0xf08916c0 .edata
0xf08916c0 - 0xf0891be2 INIT
0xf0891c00 - 0xf0891fe0 .rsrc
0xf0891fe0 - 0xf089221c .reloc

0xf0313000 - 0xf032a000 ndiswan.sys
0xf03132c0 - 0xf0324893 .text
0xf03248a0 - 0xf0325868 .rdata
0xf0325880 - 0xf0326114 .data
0xf0326120 - 0xf0327f22 INIT
0xf0327f40 - 0xf0328330 .rsrc
0xf0328340 - 0xf032916c .reloc

0xf089c000 - 0xf08a0000 TDI.SYS
0xf089c300 - 0xf089e9ba .text
0xf089e9c0 - 0xf089eb4e .rdata
0xf089eb60 - 0xf089ec8c .data
0xf089eca0 - 0xf089edbc PAGE
0xf089edc0 - 0xf089f419 .edata
0xf089f420 - 0xf089f94a INIT
0xf089f960 - 0xf089fcf8 .rsrc
0xf089fd00 - 0xf089ff28 .reloc

0xf04d0000 - 0xf04dc000 raspptp.sys
0xf04d02c0 - 0xf04da138 .text
0xf04da140 - 0xf04da393 .rdata
0xf04da3a0 - 0xf04da6b8 .data
0xf04da6c0 - 0xf04dae4e INIT
0xf04dae60 - 0xf04db230 .rsrc
0xf04db240 - 0xf04db9d0 .reloc

0xf0780000 - 0xf0785000 ptilink.sys
0xf07802e0 - 0xf078352d .text
0xf0783540 - 0xf0783670 .rdata
0xf0783680 - 0xf078371c .data
0xf0783720 - 0xf078383d .edata
0xf0783840 - 0xf0783d10 INIT
0xf0783d20 - 0xf0784120 .rsrc
0xf0784120 - 0xf07843c4 .reloc

0xf0790000 - 0xf0795000 raspti.sys
0xf07902c0 - 0xf0792e40 .text
0xf0792e40 - 0xf0792fd0 .rdata
0xf0792fe0 - 0xf0793240 .data
0xf0793240 - 0xf0793aa0 INIT
0xf0793aa0 - 0xf0793e98 .rsrc
0xf0793ea0 - 0xf07940ce .reloc

0xf04e0000 - 0xf04ef000 parallel.sys
0xf04e02e0 - 0xf04ebdb2 .text
0xf04ebdc0 - 0xf04ec6b8 .rdata
0xf04ec6c0 - 0xf04eced4 .data
0xf04ecee0 - 0xf04ed04d PAGEPARW
0xf04ed060 - 0xf04ed9cc INIT
0xf04ed9e0 - 0xf04ee000 .rsrc
0xf04ee000 - 0xf04ee998 .reloc

0xf07a8000 - 0xf07b0000 RMSPPPOE.SYS
0xf07a82c0 - 0xf07ae542 .text
0xf07ae560 - 0xf07ae942 .rdata
0xf07ae960 - 0xf07ae9e0 .data
0xf07ae9e0 - 0xf07af21e INIT
0xf07af220 - 0xf07af658 .rsrc
0xf07af660 - 0xf07af938 .reloc

0xf02cd000 - 0xf02eb000 ks.sys
0xf02cd360 - 0xf02d3512 .text
0xf02d3520 - 0xf02d3d39 .rdata
0xf02d3d40 - 0xf02d3d6c .data
0xf02d3d80 - 0xf02e5167 PAGE
0xf02e5180 - 0xf02e6fa9 .edata
0xf02e6fc0 - 0xf02e8054 PAGECONS
0xf02e8060 - 0xf02e90b0 INIT
0xf02e90c0 - 0xf02e94a8 .rsrc
0xf02e94c0 - 0xf02eaa00 .reloc

0xf09d7000 - 0xf09d8000 swenum.sys
0xf09d72c0 - 0xf09d739e .text
0xf09d73a0 - 0xf09d7445 .rdata
0xf09d7460 - 0xf09d7684 PAGE
0xf09d76a0 - 0xf09d78d2 INIT
0xf09d78e0 - 0xf09d7d00 .rsrc
0xf09d7d00 - 0xf09d7d76 .reloc

0xf02b8000 - 0xf02cd000 update.sys
0xf02b8320 - 0xf02b8524 .text
0xf02b8540 - 0xf02b85ac .rdata
0xf02b85c0 - 0xf02b85dc .data
0xf02b85e0 - 0xf02b8e51 PAGE
0xf02b8e60 - 0xf02cbe60 PAGELK
0xf02cbe60 - 0xf02cc172 INIT
0xf02cc180 - 0xf02cc7f0 .rsrc
0xf02cc800 - 0xf02cc884 .reloc

0xf07c0000 - 0xf07c5000 flpydisk.sys
0xf07c02e0 - 0xf07c097a .text
0xf07c0980 - 0xf07c0b1c .rdata
0xf07c0b20 - 0xf07c0fb8 .data
0xf07c0fc0 - 0xf07c3b83 PAGE
0xf07c3ba0 - 0xf07c4374 INIT
0xf07c4380 - 0xf07c4730 .rsrc
0xf07c4740 - 0xf07c4a66 .reloc

0xf0510000 - 0xf051a000 usbhub.sys
0xf05102e0 - 0xf0513b1e .text
0xf0513b20 - 0xf0513e2e .rdata
0xf0513e40 - 0xf0513f78 .data
0xf0513f80 - 0xf051883f PAGE
0xf0518840 - 0xf0519080 INIT
0xf0519080 - 0xf0519448 .rsrc
0xf0519460 - 0xf0519b36 .reloc

0xef206000 - 0xef22b000 portcls.sys
0xef206320 - 0xef210515 .text
0xef210520 - 0xef2131c0 .rdata
0xef2131c0 - 0xef215ad8 .data
0xef215ae0 - 0xef226f8b PAGE
0xef226fa0 - 0xef227642 .edata
0xef227660 - 0xef2286cc INIT
0xef2286e0 - 0xef228ad8 .rsrc
0xef228ae0 - 0xef22a48c .reloc

0xef22b000 - 0xef2b8000 adm8820.sys
0xef22b320 - 0xef26f5b0 .text
0xef26f5c0 - 0xef2723dc .rdata
0xef2723e0 - 0xef2b3d48 .data
0xef2b3d60 - 0xef2b3d64 .CRT
0xef2b3d80 - 0xef2b4631 PAGE
0xef2b4640 - 0xef2b4f90 INIT
0xef2b4fa0 - 0xef2b5380 .rsrc
0xef2b5380 - 0xef2b7938 .reloc

0xf08a4000 - 0xf08a7000 admjoy.sys
0xf08a42c0 - 0xf08a47fd .text
0xf08a4800 - 0xf08a4920 .rdata
0xf08a4920 - 0xf08a5b92 PAGE
0xf08a5ba0 - 0xf08a600c INIT
0xf08a6020 - 0xf08a6420 .rsrc
0xf08a6420 - 0xf08a65b4 .reloc

0xf0520000 - 0xf052a000 NDProxy.SYS
0xf05202c0 - 0xf0527d5c .text
0xf0527d60 - 0xf0527ed0 .rdata
0xf0527ee0 - 0xf05286e8 .data
0xf0528700 - 0xf0529080 INIT
0xf0529080 - 0xf0529428 .rsrc
0xf0529440 - 0xf0529cca .reloc

0xf0910000 - 0xf0912000 Fs_Rec.SYS
0xf09102e0 - 0xf09102f2 .text
0xf0910300 - 0xf0910416 .rdata
0xf0910420 - 0xf0910474 .data
0xf0910480 - 0xf091110b PAGE
0xf0911120 - 0xf09116fe INIT
0xf0911700 - 0xf0911ad0 .rsrc
0xf0911ae0 - 0xf0911bb4 .reloc

0xf09d8000 - 0xf09d9000 Null.SYS
0xf09d82c0 - 0xf09d8350 .rdata
0xf09d8360 - 0xf09d8447 PAGE
0xf09d8460 - 0xf09d85f2 INIT
0xf09d8600 - 0xf09d89a0 .rsrc
0xf09d89a0 - 0xf09d89cc .reloc

0xf09d9000 - 0xf09da000 Beep.SYS
0xf09d9280 - 0xf09d96b8 .text
0xf09d96c0 - 0xf09d97a0 .rdata
0xf09d97a0 - 0xf09d9a76 INIT
0xf09d9a80 - 0xf09d9e20 .rsrc
0xf09d9e20 - 0xf09d9ece .reloc

0xf08c0000 - 0xf08c4000 vga.sys
0xf08c02e0 - 0xf08c03c0 .text
0xf08c03c0 - 0xf08c0490 .rdata
0xf08c04a0 - 0xf08c27ec PAGE
0xf08c2800 - 0xf08c2c3a PAGE_DAT
0xf08c2c40 - 0xf08c2ffc INIT
0xf08c3000 - 0xf08c33b8 .rsrc
0xf08c33c0 - 0xf08c3564 .reloc

0xf09da000 - 0xf09db000 mnmdd.SYS
0xf09da2e0 - 0xf09da2ec .text
0xf09da300 - 0xf09da3a0 .rdata
0xf09da3a0 - 0xf09da6c3 PAGE
0xf09da6e0 - 0xf09daa0c PAGE
0xf09daa20 - 0xf09dab52 INIT
0xf09dab60 - 0xf09daf28 .rsrc
0xf09daf40 - 0xf09daf80 .reloc

0xf07e8000 - 0xf07ee000 Msfs.SYS
0xf07e82e0 - 0xf07e84a8 .text
0xf07e84c0 - 0xf07e891c .rdata
0xf07e8920 - 0xf07e8930 .data
0xf07e8940 - 0xf07ec222 PAGE
0xf07ec240 - 0xf07ec884 INIT
0xf07ec8a0 - 0xf07ecc48 .rsrc
0xf07ecc60 - 0xf07ed22a .reloc

0xf0540000 - 0xf0549000 Npfs.SYS
0xf05402e0 - 0xf0541c2a .text
0xf0541c40 - 0xf05421f4 .rdata
0xf0542200 - 0xf05422b4 .data
0xf05422c0 - 0xf0547617 PAGE
0xf0547620 - 0xf0548282 INIT
0xf05482a0 - 0xf0548640 .rsrc
0xf0548640 - 0xf0548f98 .reloc

0xf091c000 - 0xf091e000 rasacd.sys
0xf091c2e0 - 0xf091d0e0 .text
0xf091d0e0 - 0xf091d1c0 .rdata
0xf091d1c0 - 0xf091d2d4 .data
0xf091d2e0 - 0xf091d3f7 PAGE
0xf091d400 - 0xf091d84a INIT
0xf091d860 - 0xf091dc30 .rsrc
0xf091dc40 - 0xf091de32 .reloc

0xef15b000 - 0xef1a6000 tcpip.sys
0xef15b340 - 0xef1934da .text
0xef1934e0 - 0xef1939d4 .rdata
0xef1939e0 - 0xef196950 .data
0xef196960 - 0xef19a2d3 PAGE
0xef19a2e0 - 0xef19d2ad PAGEIPMc
0xef19d2c0 - 0xef19d580 .edata
0xef19d580 - 0xef1a1f7a INIT
0xef1a1f80 - 0xef1a2348 .rsrc
0xef1a2360 - 0xef1a5844 .reloc

0xf0550000 - 0xf0559000 msgpc.sys
0xf05502e0 - 0xf0557104 .text
0xf0557120 - 0xf05571d0 .rdata
0xf05571e0 - 0xf05576d0 .data
0xf05576e0 - 0xf055789d PAGE
0xf05578a0 - 0xf0557c8e INIT
0xf0557ca0 - 0xf0558068 .rsrc
0xf0558080 - 0xf05586c4 .reloc

0xf07f8000 - 0xf0800000 wanarp.sys
0xf07f82e0 - 0xf07fcf5c .text
0xf07fcf60 - 0xf07fd100 .rdata
0xf07fd100 - 0xf07fd408 .data
0xf07fd420 - 0xf07fe181 PAGE
0xf07fe1a0 - 0xf07feb7c INIT
0xf07feb80 - 0xf07fef60 .rsrc
0xf07fef60 - 0xf07ff950 .reloc

0xef136000 - 0xef15b000 netbt.sys
0xef136320 - 0xef14e8b8 .text
0xef14e8c0 - 0xef14eb5a .rdata
0xef14eb60 - 0xef14f124 .data
0xef14f140 - 0xef1568ac PAGE
0xef1568c0 - 0xef156f2b PAGENBT
0xef156f40 - 0xef15850c INIT
0xef158520 - 0xef1588d8 .rsrc
0xef1588e0 - 0xef15a4c4 .reloc

0xf0560000 - 0xf0569000 netbios.sys
0xf05602e0 - 0xf0563b94 .text
0xf0563ba0 - 0xf0563d34 .rdata
0xf0563d40 - 0xf0563ff4 .data
0xf0564000 - 0xf0566d49 PAGE
0xf0566d60 - 0xf0567646 INIT
0xf0567660 - 0xf0567a28 .rsrc
0xf0567a40 - 0xf056818c .reloc

0xef078000 - 0xef096000 Siwvid.SYS
0xef0782e0 - 0xef078387 _LTEXT
0xef0783a0 - 0xef081172 .text
0xef081180 - 0xef093878 .data
0xef093880 - 0xef093888 _LDATA
0xef0938a0 - 0xef093e7c INIT
0xef093e80 - 0xef094248 .rsrc
0xef094260 - 0xef095314 .reloc

0xef056000 - 0xef078000 rdbss.sys
0xef056300 - 0xef05cf8f .text
0xef05cfa0 - 0xef05d706 .rdata
0xef05d720 - 0xef05deb4 .data
0xef05dec0 - 0xef073139 PAGE
0xef073140 - 0xef073ec4 .edata
0xef073ee0 - 0xef075e2e INIT
0xef075e40 - 0xef076240 .rsrc
0xef076240 - 0xef077394 .reloc

0xeefe6000 - 0xef044000 mrxsmb.sys
0xeefe63c0 - 0xeeffc707 .text
0xeeffc720 - 0xeeffc983 SECUR
0xeeffc9a0 - 0xeeffda17 .rdata
0xeeffda20 - 0xef002f51 .data
0xef002f60 - 0xef03b767 PAGE
0xef03b780 - 0xef03cac0 PAGE4BRO
0xef03cac0 - 0xef03cefc PAGE5NET
0xef03cf00 - 0xef03cf33 .edata
0xef03cf40 - 0xef03cf8c PAGE
0xef03cfa0 - 0xef03f6a2 INIT
0xef03f6c0 - 0xef03fa80 .rsrc
0xef03fa80 - 0xef0431e0 .reloc

0xa0000000 - 0xa01a6000 win32k.sys
JiurlReadProcessMemory Failed

0xecdd8000 - 0xecfae000 nv4_disp.dll
0xecdd8320 - 0xecf2222a .text
0xecf22240 - 0xecf484e4 .rdata
0xecf48500 - 0xecf8fed8 .data
0xecf8fee0 - 0xecf8fee8 .CRT
0xecf8ff00 - 0xecf8ffba .edata
0xecf8ffc0 - 0xecf90656 INIT
0xecf90660 - 0xecf90ae0 .rsrc
0xecf90ae0 - 0xecfada14 .reloc

0xeba25000 - 0xeba3f000 afd.sys
0xeba25320 - 0xeba26a5c .text
0xeba26a60 - 0xeba27348 .rdata
0xeba27360 - 0xeba278cc .data
0xeba278e0 - 0xeba35fa5 PAGEAFD
0xeba35fc0 - 0xeba3b8e1 PAGE
0xeba3b900 - 0xeba3d248 INIT
0xeba3d260 - 0xeba3d630 .rsrc
0xeba3d640 - 0xeba3e978 .reloc

0xf0932000 - 0xf0934000 ParVdm.SYS
0xf09322c0 - 0xf09327d4 .text
0xf09327e0 - 0xf09328c8 .rdata
0xf09328e0 - 0xf09328f4 .data
0xf0932900 - 0xf093310a INIT
0xf0933120 - 0xf0933778 .rsrc
0xf0933780 - 0xf0933846 .reloc

0xebb47000 - 0xebb4b000 Aspi32.SYS
0xebb47240 - 0xebb49d2a .text
0xebb49d40 - 0xebb49e94 .data
0xebb49ea0 - 0xebb4a504 INIT
0xebb4a520 - 0xebb4a894 .rsrc
0xebb4a8a0 - 0xebb4ab7c .reloc

0xf06f0000 - 0xf06f7000 cis1284.sys
0xf06f0280 - 0xf06f57e0 .text
0xf06f57e0 - 0xf06f6008 .data
0xf06f6020 - 0xf06f6552 INIT
0xf06f6560 - 0xf06f6920 .rsrc
0xf06f6920 - 0xf06f6d1a .reloc

0xeb9c2000 - 0xeb9d5000 wdmaud.sys
0xeb9c2340 - 0xeb9c4522 .text
0xeb9c4540 - 0xeb9c4838 .rdata
0xeb9c4840 - 0xeb9c573c .data
0xeb9c5740 - 0xeb9d289b PAGE
0xeb9d28a0 - 0xeb9d28bc PAGEDATA
0xeb9d28c0 - 0xeb9d2d00 PAGECONS
0xeb9d2d00 - 0xeb9d35d2 INIT
0xeb9d35e0 - 0xeb9d39a8 .rsrc
0xeb9d39c0 - 0xeb9d40a0 .reloc

0xebad7000 - 0xebae3000 sysaudio.sys
0xebad7340 - 0xebad7650 .text
0xebad7660 - 0xebad8210 .rdata
0xebad8220 - 0xebad82a0 .data
0xebad82a0 - 0xebae0a41 PAGE
0xebae0a60 - 0xebae109c PAGEDATA
0xebae10a0 - 0xebae1340 PAGECONS
0xebae1340 - 0xebae1d7c INIT
0xebae1d80 - 0xebae2148 .rsrc
0xebae2160 - 0xebae2798 .reloc

0xebac7000 - 0xebad4000 swmidi.sys
0xebac7320 - 0xebac8558 .text
0xebac8560 - 0xebac8c70 .rdata
0xebac8c80 - 0xebac8e80 .data
0xebac8e80 - 0xebad0560 PAGE
0xebad0560 - 0xebad2ba0 PAGEDATA
0xebad2ba0 - 0xebad3198 INIT
0xebad31a0 - 0xebad35a8 .rsrc
0xebad35c0 - 0xebad39d6 .reloc

0xebab7000 - 0xebac4000 DMusic.sys
0xebab72c0 - 0xebac0d7c .text
0xebac0d80 - 0xebac27d0 .rdata
0xebac27e0 - 0xebac29bc .data
0xebac29c0 - 0xebac2da2 INIT
0xebac2dc0 - 0xebac3200 .rsrc
0xebac3200 - 0xebac36a6 .reloc

0xeb8d6000 - 0xeb8fa000 kmixer.sys
0xeb8d6340 - 0xeb8d9051 .text
0xeb8d9060 - 0xeb8daa68 .rdata
0xeb8daa80 - 0xeb8e3494 .data
0xeb8e34a0 - 0xeb8f6d50 PAGE
0xeb8f6d60 - 0xeb8f8584 PAGEDATA
0xeb8f85a0 - 0xeb8f86d0 PAGECONS
0xeb8f86e0 - 0xeb8f90d6 INIT
0xeb8f90e0 - 0xeb8f94a0 .rsrc
0xeb8f94a0 - 0xeb8f9fd8 .reloc

0xf07a0000 - 0xf07a5000 JiurlDriver.sys
0xf07a1000 - 0xf07a13ac .text
0xf07a2000 - 0xf07a216b .rdata
0xf07a3000 - 0xf07a30f2 INIT
0xf07a4000 - 0xf07a405c .reloc

欢迎交流,欢迎交朋友,
欢迎访问 http://jiurl.yeah.net http://jiurl.cosoft.org.cn/forum

 

下载 JiurlL2gLayoutSee 可执行文件及源程序
下载 JiurlSystemModulesSee 可执行文件及源程序


imquestion
关注
CSAPP Lab2
caisense的专栏
10-30 1776
做的是bomb2,一共有大概40多个,简要记录一下 环境:ubuntu14.04,32bit phase1: 08048b80 : 8048b80: 55 push %ebp 8048b81: 89 e5 mov %esp,%ebp 8048b83: 83 ec 08 sub
U盘初始化程序对U盘做出的数据修改分析
谢绝(无视)留言与私信
09-22 1247
实验对象: TOSHIBATransMemory(7.2GB,USB) 总容量:7759462400=0x1CE800000Bytes 用WinHex对U盘全部填空,保存成uDisk_all_zero.bin 用老毛桃”初始化U盘”功能后,用WinHex将U盘全部内容保存成uDisk_init_ok_by_lmt.bin 用WinHex的文件比较
CK:User mode Bus Error(用户空间操作内核地址导致的异常)
有趣的人生 一半是山川湖海 一半是初心情怀
06-20 1022
关键词:VEC_ACCESS、coredump、LR、PC等。 CK中存在一种VEC_ACCESS异常,可能原因是用户空间访问了内核空间,还有一种是内核访问不存在的总线地址。 下面简单构造VEC_ACCESS异常,包括变量指针异常和函数指针异常并分析。 1. 变量指针异常 #include <stdio.h> void main(void) { char *p...
2k的地址范围 计算机组成原理,计算机组成原理课后习题
weixin_34570507的博客
07-15 5274
所以,地址寄存器为20位,数据寄存器为8位,编址范围0~2^20-1,写成16进制为00000H~FFFFFH。 (2)由题意得:半字为16b,1M=2^19*16b所以,地址寄存器为19位,数据寄存器为16位,编址范围0~2^19-1,写成16进制为00000H~7FFFFH。(3) 按字编址,字长为32,1M=2^18*32b所以,地址寄存器为18位,数据寄存器为32位,编址范围0~2^18-...
JIURL玩玩Win2k 对象
|独自望海。。。
06-18 1197
 Windows 2000 中有如下27种对象 Directory Thread Mutant Controller Type Profile Event SymbolicLink Section EventPair Desktop Timer File WindowStation Driver WmiGuid Token Device IoCompletion Process Adapter K
JIURL玩玩Win2k进程线程篇 PEB
xrzh8989的专栏
08-03 438
   PEB,Process Environment Block ,进程环境块。位于用户地址空间。在地址 0x7FFDF000 处。所以用户进程可以直接访问自己的 PEB 结构。Win2k Build 2195 中进程的 EPROCESS 结构偏移+1b0 处的 *Peb 也指向 PEB 结构。在 undocumented.ntinternals.net (需要注意的是这是个非官方的站点)我
JIURL玩玩Win2k内存篇 VAD
benny5609的专栏
09-17 1334
在程序中我们可以使用 VirtualAlloc 在用户地址空间(4G地址空间中的低2G)中申请(保留或者提交)指定地址和大小的一段地址空间。那么系统如何知道指定的这段地址空间是不是已经被分配(保留或者提交)。对于指定地址空间是否已经被提交了物理内存,可以通过页目录和页表来判断,不过这样做很麻烦。而对于指定地址空间是否已经被保留,通过页目录和页表没有办法判断。Win2k 中使用 VAD 来解决这个问
JIURL玩玩Win2k进程线程篇 EPROCESS
|独自望海。。。
06-18 992
每个进程都有一个 EPROCESS 结构,里面保存着进程的各种信息,和相关结构的指针。EPROCESS 结构位于系统地址空间,所以访问这个结构需要有ring0的权限。使用 Win2k DDK 的 KD (内核调试器)我们可以得到 EPROCESS 结构的定义。注意下面的是 Win2k Build 2195 下的 EPROCESS 结构定义。kd> !strct eprocess!str
JIURL玩玩Win2k进程线程篇 ETHREAD
|独自望海。。。
06-18 934
每个线程都有一个 ETHREAD 结构。Win2k Build 2195 中 ETHREAD 结构定义如下kd> !strct ethread!strct ethreadstruct _ETHREAD (sizeof=584)+000 struct _KTHREAD Tcb+000 struct _DISPATCHER_HEADER Header+000 byte Ty
JIURL玩玩Win2k内存篇
08-17
JIURL玩玩Win2k内存篇
PEDump.zip_ JIURL PEDUMP_ dump_R-Tree_coff_pedump
09-22
PEDUMP程序自从1994年的版本以来,已经有了明显的改善。.../I 包括输入地址表thunk地址   /L 包括行号信息   /P 包括PDATA(运行时函数)   /R 包括详细的资源(字符串表和对话框) /S 显示符号表
JIURL键盘驱动
04-10
"JIURL键盘驱动"是专为JIURL品牌键盘设计的驱动程序,它允许操作系统识别并有效地控制这个特定品牌的键盘,确保键盘上的按键能够正确地将输入指令传递给计算机。 首先,我们要理解驱动程序的基本概念。驱动程序,或...
JIURL玩玩Win2k进程线程篇 TEB
jiurl的专栏
08-18 2627
JIURL玩玩Win2k进程线程篇 TEB作者: JIURL                 主页: http://jiurl.yeah.net     日期: 2003-7-30     TEB,Thread Environment Block,线程环境块。位于用户地址空间。在比
K8s 很难么?带你从头到尾捋一遍,不信你学不会
民工哥的博客
02-23 9137
点击关注公众号,回复“1024”获取2TB学习资源!为什么要学习 Kubernetes?虽然 Docker 已经很强大了,但是在实际使用上还是有诸多不便,比如集群管理、资源调度、文件管理等...
10天智能锁项目实战第1天(了解单片机STM32F401RET6和C语言基础)
北豼不太皮的博客
02-21 3664
10天智能锁项目实战第1天(了解单片机STM32F401RET6和C语言基础)一、学习目标二、了解单片机STM32F401RET6三、C语言基础 一、学习目标 二、了解单片机STM32F401RET6 4、STM32F401RE特征 三、C语言基础 1.数据类型 常用2的次方: 2^7 = 128 2^8 = 256 2^15 = 32768 2^16= 65536 51单片机常见的数据类型: char: 占内存1字节 取值范围:-128~127 -2^7 ~ 2
Android开发(1) | Fragment 的应用——新闻应用
Jormungand_V的博客
02-21 7151
文章目录 news_item.xml: <TextView xmlns:android="http://schemas.android.com/apk/res/android" android:id="@+id/news_title" android:layout_width="match_parent" android:layout_height="wrap_content" android:lines="1" android:ellipsize="
系统学习 TypeScript(四)——变量声明的初步学习
编程三昧
02-25 1781
认识了 TypeScript 中的基础类型,接下来当然是变量声明的相关学习了,我在这里记录一下我学习过程中的一些总结。
清除浮动的五种方法
weixin_52212950的博客
02-22 2769
为什么要清除浮动?因为往往浮动后的子元素因为脱离了标准流,不能自动撑起父元素的高度,所以会对后续布局产生影响,对此清除浮动不如理解为清除浮动产生的影响更为合理。 例如:我们设置了两个盒子如图所示,粉色为父盒子,只有宽度没有高度,蓝色盒子有宽有高,粉色盒子的高由蓝盒子的高度撑开。 但是给蓝色的子盒子设置了左浮动后,脱离了标准流,无法再撑开粉盒子,可以看到粉盒子高度变成了0; 清除浮动有五种方法: 直接设置父元素的高度 额外标签法 单伪元素法 双伪元素法 ove.
PE文件资源解析:JIURL的学习总结
"JIURL PE 格式学习总结(四)-- PE文件中的资源" 这篇文档主要探讨了PE(Portable Executable)文件格式中的资源部分,包括如何定位和解析PE文件中的资源,如位图(BMP)、光标、菜单和对话框等。以下是详细的知识...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值