Windows executables use the Portable Executable format. This format describes sections of memory that are allocated when the process is loaded, and optionally raw data (.text
, .data
sections) to be loaded into those sections.
Each section will typically have a file offset specifying where in the raw file the data is located, and a Virtual Address at which the data will be loaded. These may or may not resemble each other.
PE Explorer can give you details on the sections (and everything else about a PE file) of an executable.
Immunity Debugger will allow you to attach to a running process and see its memory map.