|Informative Information for the Uninformed|
Next: Understanding Assemblies Up: Locating the WinMine Playing Previous: Loaded Symbols   Contents
When an application requests memory, a region is allocated provided the requested amount is available. If the allocation is successful, this region of memory can, amongst other things, be protected. More specifically, the region has psuedo access control lists applied to it that deny or permit certain access types. A couple examples of these access types are the ability to read information from, write information to, and execute instructions at, the given region. It is these access types that will provide the ability to quickly determine with relatively high probability whether a symbol is a function or non-function. By virtue of being a function, these memory regions allow execution. Conversely, memory regions allocated for classic variables do not allow instruction execution5.1. Conveniently, WinDBG is shipped with an extension that allows the user the retrieve memory protection attributes for a given address. This extension command is !vprot. Let's select aptly named symbols to demonstrate this functionality. Type the following in the Command window:
!vprot WinMine!ShowBombsShowBombs was chosen as the name implies (to me) that it's a function. Let's see what !vprot says:
BaseAddress: 01002000 AllocationBase: 01000000 AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY RegionSize: 00003000 State: 00001000 MEM_COMMIT Protect: 00000020 PAGE_EXECUTE_READ Type: 01000000 MEM_IMAGEAt first glance this might appear contradictory. However, the AllocationProtect field denotes the default protection for the entire memory region. The Protect field speaks to the current protections on the specific region specified in the first argument. This, as one would expect, is set to execute and read as denoted by PAGE_EXECUTE_READ. Next, look at the memory protection for a region allocated for a suspected variable, such as WinMine!szClass.
!vprot WinMine!szClassThe expectation is !vprot will return page protection that only allows read and write access to this region.
BaseAddress: 01005000 AllocationBase: 01000000 AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY RegionSize: 00001000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 01000000 MEM_IMAGESo be it. Considering the naming convention (sz preface), which implies a string type, one could easily validate the assumption by examining the data at this memory location. To do this, the display memory command can be utilized. Type the following in the Command window:
du WinMine!szClassThe 'u' modifier tells the (d)isplay memory command to interpret the string as Unicode. The results of this are:
01005aa0 "Minesweeper"I'm convinced.