十一、系统内存信息流(SystemMemoryInfoStream)
SystemMemoryInfoStream包含系统内存管理的一些信息,它紧随在UnloadedModuleListStream流的后面。UnloadedModuleListStream的信息如下:
0x91f8+0n324=0x933c
而SystemMemoryInfoStream的相关信息如下:
可知SystemMemoryInfoStream的RVA 为0x933C,大小为492字节,数据如下:
对应的数据结构目前我还没找到,但我们可以通过Minidump Browser工具大概了解一下:
对照上面的图,感觉这些数据对应的是SYSTEM_INFO结构,如下:
typedef struct _SYSTEM_INFO { union { DWORD dwOemId; struct { WORD wProcessorArchitecture; WORD wReserved; } DUMMYSTRUCTNAME; } DUMMYUNIONNAME; DWORD dwPageSize; LPVOID lpMinimumApplicationAddress; LPVOID lpMaximumApplicationAddress; DWORD_PTR dwActiveProcessorMask; DWORD dwNumberOfProcessors; DWORD dwProcessorType; DWORD dwAllocationGranularity; WORD wProcessorLevel; WORD wProcessorRevision; } SYSTEM_INFO, *LPSYSTEM_INFO;
具体情况请知道的道友告诉我