XP User Program space allocation (9): What's left?

After removing the front section, look at what's left in the memory:

Base	Assigning base addresses	assigning protection	Size	State	Protection	Type
00010000	00010000	00000004 Page_readwrite	00002000	00001000 Mem_commit	00000004 Page_readwrite	00020000 Mem_private
7ffdd000	7ffdd000	00000004 Page_readwrite	00001000	00001000 Mem_commit	00000004 Page_readwrite	00020000 Mem_private
7ffde000	7ffde000	00000004 Page_readwrite	00001000	00001000 Mem_commit	00000004 Page_readwrite	00020000 Mem_private
7ffdf000	7ffdf000	00000004 Page_readwrite	00001000	00001000 Mem_commit	00000004 Page_readwrite	00020000 Mem_private
7ffe0000	7ffe0000	00000002 Page_readonly	00001000	00001000 Mem_commit	00000002 Page_readonly	00020000 Mem_private

These pieces are small, what is it?

1.1 Environment block

In Maudeca's Windows kernel situational analysis, a reference to an environment block (as if it was the name), and at the lowest point in memory, let's look at its contents:

0x00010000 3d 3a 3a 3d 45 3a 3a 0 5c 3d (3a) 3d 00 0x00010014 =::=::\.=e
0 3a (5c) =e:\progr
0x00010028 6d 6c (0) by the same as the same as the same as 6f 0 4d am files\m
0x0001003c (6f) icrosoft (V) 0x00010050 69, at the same as
All isual Stud
0x00010064 for a 6c of 2e at the same as 6f (5c) at the same-a- A 5c io 9.0\vc\
0x00010078 for A (6b) Vcpackages
in the same-for-all. 0X0001008C 3d 3a 3d 3a 5c, 6d =f:=f:\em
0x000100a0, 5c 00, and all of the same. Our 6f 6f 6c Bed\etools
0X000100B4 4c 4c 00 55 00 53 00 45 00 52 00 53 00 50. . ALLUSERSP
0X000100C8 3d 3a 5c rofile=e:\
0X000100DC 00 6f (4c) for a 4f for all 6d 00 65 00 settin Documents
0x000100f0 (6e) A (6e) and A (6e) of all of the same.
0x00010104 5c 6c 6c Gs\all Use
0x00010118 72 00 73 00 00 00 41, at this very very Of all of the same in Rs. AppData
0X0001012C 3d 3a 5c 6f =e:\docume
0x00010140 6d 00 74 00 7, at the same. 3 6e nts and Se
0x00010154 for all 6e (MB) 5c, 5f D, at the very very very same,. 1 ttings\ Developer
0x00010168 The 0x0001017c of the 5c for a 6c-a-a-\applicati
6f 6e data.bx
0x00010190 for the 00-in-a-bed-and-for-a-a-I $2e share=. CD
0x000101a4 4f 4f ' 3d Sroot=e:\e 3a 5c (

)---

Are some Unicode text, comparing its content with system environment variables, the difference is obvious, but the system environment variables and user environment variables can be found in this memory area of the corresponding definition. Try adding a definition to the user environment variable, and then running the program again, and it really found this new environment variable in the area.

1.2 Nt_tib

Each thread has a place to record the basic information of the thread, there are three threads in the program, presumably should have three space, read the content of FS, you can find the main thread of this information stored in 0X7FFD f000, look at its raw data:

0x7FFDF000　 a8 ff 12 00 00 00 13 00 00 10 0e 00 00 00 00 00　 ................
0x7FFDF010　 00 1e 00 00 00 00 00 00 00 f0 fd 7f 00 00 00 00　 ................
0x7FFDF020　 30 0e 00 00 d4 07 00 00 00 00 00 00 00 00 00 00　 0...............
0x7FFDF030　 00 d0 fd 7f b7 00 00 00 00 00 00 00 00 00 00 00　 ................
0x7FFDF040　 00 b3 6e e3 00 00 00 00 00 00 00 00 00 00 00 00　 ..n.............