Question

We have tools like objdump, readelf, and dumpbin to show executable file contents.

But when an executable file is loaded into memory (a process is created), the segments in memory are usually different from the segments in the executable file. For example, when loaded, two extra segments, namely stack and heap, are allocated (we overlook details of page mapping here).

Is there a tool that helps show the in-time memory segment/status of a process?

Solution

Windows executables use the Portable Executable format. This format describes sections of memory that are allocated when the process is loaded, and optionally raw data (.text, .data sections) to be loaded into those sections.

Each section will typically have a file offset specifying where in the raw file the data is located, and a Virtual Address at which the data will be loaded. These may or may not resemble each other.

PE Explorer can give you details on the sections (and everything else about a PE file) of an executable.

Immunity Debugger will allow you to attach to a running process and see its memory map.
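
The file-offset versus virtual-address distinction described in the answer above, as an added example that is not part of the original post: a minimal Python reader for the PE section table, run on a constructed header-only PE32 image. The names `parse_sections` and `build_sample` are hypothetical, and all sample values are constructed.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes per entry

def parse_sections(image: bytes):
    """Return (image_base, sections) read from a PE file's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsect, opt_size = struct.unpack_from("<2xH12xH", image, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28
        (base,) = struct.unpack_from("<I", image, opt_off + 28)
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24
        (base,) = struct.unpack_from("<Q", image, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_off, *_ = struct.unpack_from(
            SECTION_FMT, image, opt_off + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "file_offset": raw_off, "file_size": raw_size,
            # ImageBase is the preferred base; ASLR may load the image elsewhere
            "va": base + rva, "mem_size": vsize,
        })
    return base, sections

def build_sample() -> bytes:
    """Constructed header-only PE32 image for the demo (not a real program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    # .bss: memory is reserved at load time but no raw data exists in the file
    bss = struct.pack(SECTION_FMT, b".bss", 0x2000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + bss

if __name__ == "__main__":
    _, secs = parse_sections(build_sample())
    for s in secs:
        print(f'{s["name"]:8} file@{s["file_offset"]:#x}+{s["file_size"]:#x} -> VA {s["va"]:#x}+{s["mem_size"]:#x}')
```

The constructed `.bss` entry has a size in memory but zero bytes in the file, which is the "optionally raw data" case: the loader allocates the section without copying anything from disk.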

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow