Reversing : The Hacker's Guide to Reverse Engineering

Figure 3.1 A typical layout of the Windows kernel memory address space.

Terminal Services Session Space This memory area is used by the kernel-mode
component of the Win32 subsystem: WIN32K.SYS (see the section
on the Win32 subsystem later in this chapter). The Terminal Services
component is a Windows service that allows for multiple, remote GUI

[Figure 3.1 diagram. Regions labeled in the figure: System Cache Space (512Mb); Paged Pool (192Mb, actual size calculated at runtime); Non-Paged Pool (12Mb, actual size calculated at runtime); Extra Non-Paged Pool (100Mb, actual size calculated at runtime); Terminal Services Session Space (32Mb, session-private); Kernel Code; Page Tables (process-private); System PTEs (200Mb, actual size calculated at runtime); System Working Set (4Mb); Hyper Space (process-private); Additional System PTEs (actual size calculated at runtime).]
