Modify PE executable files (2)

Source: Internet
Author: User
The term "module" refers to the code, data, and resources of an executable file or DLL that have been loaded into memory. Besides the code and data the program uses directly, a module also includes the supporting data structures Windows uses to locate that code and data in memory. In 16-bit Windows these supporting structures live in the module database (the hModule points to this segment); in 32-bit Windows they are placed at the beginning of the PE image.
To understand PE files, first note that the executable file on disk looks very much like the module the Windows loader mounts in memory. This makes the loader's job of turning a disk file into running code fairly simple: it uses the memory-mapped file mechanism to map the disk file into the virtual address space. A PE file is like a ready-made house: to load it you only need to place it somewhere and connect it to the other parts (for example, link it with its DLLs). Loading a DLL in PE format works the same way, and once a module is mounted it is treated like any other mounted module in Windows.
This is quite different from 16-bit Windows 3.1. The loader for 16-bit NE format files reads parts of the disk file and builds a completely different data structure to create the module in memory. Whenever code or data needs to be loaded, the loader must allocate a block from global memory, find where the original data is located in the file, read it in, and finally apply some fixups. In addition, each 16-bit module is responsible for remembering all the segment selectors currently in use, whether a segment has been discarded, and so on.
In Win32, the code, data, resources, import tables, export tables, and other useful data structures of a module are stored in one contiguous block of memory. The programmer only needs to know the address at which the file image was loaded; everything in the module can then be found through the various pointers within the image.
We should also be familiar with the Win32 term relative virtual address (RVA). Many items in a PE file are specified as RVAs; an RVA is the offset of an item relative to the address at which the file image is loaded. For example, if the loader loads a PE file into the virtual address space starting at 10000h and a table in that PE begins at 10464h in the image, the RVA of the table is 464h. To turn an RVA into a usable pointer you only need to add the RVA to the module's base address. The base address is the starting address at which the EXE or DLL is loaded into memory, and it is an important concept in Win32. For convenience, Windows NT and Windows 95 use the module's base address as the module's instance handle (hInstance). That the base address is the hInstance in Win32 may seem confusing, because the term "instance handle" comes from Windows 3.1, where each running instance had its own data segment so that instances could be told apart; that is the history of the instance handle. In Win32 each process has its own address space rather than a shared one, so there is no such distinction between running programs. Of course, hInstance in Win16 and Win32 still has some connection: in Win32 you can call GetModuleHandle directly to obtain a pointer to a DLL and access the contents of the DLL module through that pointer.
We also need to know about sections in the PE file. A section in a PE file is roughly equivalent to a segment or resource in the NE format. A section contains code or data. Unlike a segment, a section has no size limit and is a contiguous block of memory. Some sections contain code and data declared and used directly by the program, while others are generated by the linker or library manager and contain information that is extremely important to the operating system. Some people call a section an "object", but that word already has too many meanings.

The logical structure of a PE executable is its sections, such as ".text", ".data", and ".rsrc". These sections are all aligned in the file: the section size is aligned to at least 10h, and generally to 1000h (4096 bytes), as specified in the file header (determined at link time). But code and data cannot be expected to come out at exactly an aligned length, so the section size is greater than the actual size of the code or data in the section. The difference between them is the section's unused space, which is called the "gap".
//--------------------------------------
Sflags dd ?  ; section attributes (the Characteristics field of the section header)
This field holds the section's attributes (such as code, data, readable, and writable). The important flags are as follows:
00000020h  The section contains code. It is usually set together with the execute flag (20000000h).
00000040h  The section contains initialized data.
00000080h  The section contains uninitialized data.
02000000h  The section can be discarded, because once it has been loaded the process no longer needs it. The section most commonly discarded is .reloc (the relocation section).
10000000h  The section is shared.
20000000h  The section can be executed. Generally, when the 00000020h flag is set, this flag is set as well.
40000000h  The section can be read. This flag is always set for the sections of an executable file.
80000000h  The section can be written. If this flag is not set, the loader marks the pages of the memory image as readable or executable only, not writable.
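As an added example (not code from the original article), here is a small Python parser that walks a PE header, decodes the section Characteristics flags listed above, computes each section's alignment gap, and converts an RVA into a file offset (in memory the usable pointer is simply the base address plus the RVA). The header bytes, section names and field values it parses are constructed for the demonstration, not taken from a real binary.

```python
import struct

# IMAGE_SCN_* Characteristics bits of IMAGE_SECTION_HEADER (values from winnt.h)
SCN_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
    0x10000000: "MEM_SHARED", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}

def decode_flags(characteristics):
    return [name for bit, name in sorted(SCN_FLAGS.items()) if characteristics & bit]

def parse_sections(data):
    """Follow e_lfanew to the PE signature, skip the COFF and optional
    headers, and read the section table (40-byte IMAGE_SECTION_HEADERs)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    off, sections = e_lfanew + 24 + opt_size, []
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": ch})
        off += 40
    return sections

def rva_to_offset(sections, rva):
    """File view of an RVA: locate the section holding it and map to a raw file
    offset (None if no section covers it). In memory it is just base + rva."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None

def slack(section):
    """Alignment padding (the 'gap') between real content and the aligned raw size."""
    return max(0, section["rawsize"] - section["vsize"])

def build_sample_pe():
    """Constructed minimal header (not a real binary): DOS header with e_lfanew=0x40,
    PE signature, COFF header with no optional header, and two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0xE30, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    reloc = struct.pack("<8sIIIIIIHHI", b".reloc", 0x120, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, 0x42000040)
    return dos + b"PE\0\0" + coff + text + reloc
```

Running `parse_sections(build_sample_pe())` and feeding each entry to `decode_flags` and `slack` shows the .text section as code, executable and readable with a 1D0h gap, and .reloc as initialized, discardable data.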
