mapping the same section object into both the kernel address space and one or
more user-mode address spaces. Finally, it should be noted that the term
“section object” is a kernel concept—in Win32 (and in most of Microsoft’s
documentation) they are called memory mapped files.
There are two basic types of section objects:
Pagefile-Backed: A pagefile-backed section object can be used for temporary
storage of information, and is usually created for the purpose of
sharing data between two processes or between applications and the
kernel. The section is created empty, and can be mapped to any address
space (both in user memory and in kernel memory). Just like any other
paged memory region, a pagefile-backed section can be paged out to a
pagefile if required.
File-Backed: A file-backed section object is attached to a physical file on
the hard drive. This means that when it is first mapped, it will contain the
contents of the file to which it is attached. If it is writable, any changes
made to the data while the object is mapped into memory will be written
back into the file. A file-backed section object is a convenient way of
accessing a file, because instead of using cumbersome APIs such as
ReadFile and WriteFile, a program can just directly access the data
in memory using a pointer. The system uses file-backed section objects
for a variety of purposes, including the loading of executable images.
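The two section types can be observed from user mode. The following is an added example, not code from the book: it uses Python's mmap module, which on Windows is built on CreateFileMapping and MapViewOfFile (elsewhere on mmap(2), the analogous mechanism). The file contents and function names are constructed for illustration, and the read-only view goes slightly beyond the text to show what "if it is writable" means in practice.

```python
import mmap
import os
import tempfile

# Constructed sample file contents (not from the book).
SAMPLE = b"HEADER:v1;payload=AAAAAAAA;"


def make_sample_file():
    """Create a temporary file holding the constructed SAMPLE bytes."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE)
    return path


def file_backed_demo(path):
    """Map the file twice; a write via one view reaches the other view and the file."""
    with open(path, "r+b") as f, \
         mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as writer, \
         mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as reader:
        first_mapped = bytes(writer[:])      # a new view holds the file's contents
        writer[7:9] = b"v2"                  # plain memory write, no write() call
        seen_by_reader = bytes(reader[7:9])  # second view of the same file data
        try:
            reader[7:9] = b"v3"              # a read-only view rejects modification
            readonly_enforced = False
        except TypeError:
            readonly_enforced = True
        writer.flush()                       # push modified pages to the file now
    with open(path, "rb") as f:
        on_disk = f.read()                   # ordinary file read sees the change
    return first_mapped, seen_by_reader, readonly_enforced, on_disk


def anonymous_demo(size=4096):
    """fileno -1 asks for a mapping with no file behind it; it starts zero-filled."""
    with mmap.mmap(-1, size) as view:
        starts_empty = bytes(view[:]) == bytes(size)
        view[:4] = b"DATA"
        return starts_empty, bytes(view[:4])


if __name__ == "__main__":
    p = make_sample_file()
    try:
        print(file_backed_demo(p), anonymous_demo())
    finally:
        os.remove(p)
```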
VAD Trees
A Virtual Address Descriptor (VAD) tree is the data structure used by Windows
for managing each individual process’s address allocation. The VAD tree is
a binary tree that describes every address range that is currently in use. Each
process has its own individual tree, and within those trees each entry describes
the memory allocation in question. Generally speaking, there are two distinct
kinds of allocations: mapped allocations and private allocations. Mapped
allocations are memory-mapped files that are mapped into the address space. This
includes all executables loaded into the process address space and every
memory-mapped file (section object) mapped into the address space. Private
allocations are allocations that are process private and were allocated locally.
Private allocations are typically used for heaps and stacks (there can be
multiple stacks in a single process—one for each thread).
User-Mode Allocations
Let’s take a look at what goes on in user-mode address spaces. Of course we
can’t be as specific as we were in our earlier discussion of the kernel address