A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #12062  by iSecure
 Sun Mar 11, 2012 11:40 am
Hi there =)

The thing I just can't understand is: what is the logical meaning of the kernel structures _SEGMENT, _SECTION and _SUBSECTION? What does each of them represent, and how are they connected with each other?

At the moment my feeling about this is: _SECTION represents a memory-mapped file (?executable?), _SUBSECTION represents each of the sections inside the ?executable? (.text, .data, etc.), and _SEGMENT... I have no idea, really =)

Can someone explain this to me? Any help will be appreciated! Thanks.
 #12063  by rkhunter
 Sun Mar 11, 2012 12:32 pm
iSecure wrote:At the moment my feeling about this is: _SECTION represents a memory-mapped file (?executable?), _SUBSECTION represents each of the sections inside the ?executable? (.text, .data, etc.)
You are correct. In the case of an executable there is one subsection per PE section (and one subsection for the PE header, as I remember); in the case of a usual binary file (mapped as binary), there is one subsection for the whole file.
The purpose of SEGMENT is to describe the physical view of the file for the SECTION object. This means that several views of one file (several sections) share one segment structure. The segment also stores the prototype PTE table describing the binary or image view of the file. For a view of a file (section), two types of SEGMENT are possible: image map and data map. SECTION_OBJECT_POINTERS, a key structure of the file system, stores pointers to these segments.
There is also an important structure: the segment control area. All I/O operations with a memory-mapped file occur with the help of it.
 #12064  by iSecure
 Sun Mar 11, 2012 12:58 pm
So if we assume that M different processes use the same DLL, for that DLL we would have:

1 SEGMENT (describes the physical view), M SECTIONs (describe the virtual view), M CONTROL_AREAs, M FILE_OBJECTs, M*N SUBSECTIONs, where N is the number of PE sections inside the binary image file of the DLL.

Is this correct? =)
 #12065  by rkhunter
 Sun Mar 11, 2012 1:25 pm
There are not several CONTROL_AREAs (ca) as you wrote, because there is one ca per segment. Moreover, the control area, as an internal VMM structure, also stores X + 1 _SUBSECTIONs (i.e. X PE sections + 1 for the PE header). There is no need to create a ca per section object... Look at the !ca command for this purpose.
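To see how the structures discussed in this thread hang together on a live target, here is an added WinDbg walk (kernel debugging session). It is not part of the original thread and is not output anyone posted: it starts from a process's file object and follows the pointers from SECTION_OBJECT_POINTERS to the control area, its segment and its subsections, so you can check the "one control area per segment, X + 1 subsections" answer yourself. Every address written in angle brackets is a placeholder you substitute from your own session; the field and structure names are those of the Windows 7 kernel symbols (the era of this thread). On Windows 8 and later the section object type is exposed as nt!_SECTION rather than nt!_SECTION_OBJECT, and the layout of some fields differs, so re-check with dt before relying on offsets.

```windbg
kd> !process 0 0                          ; pick a process that has the DLL mapped; note its EPROCESS
kd> .process /r /p <eprocess>             ; switch context so user-mode VADs and handles resolve

; 1. The FILE_OBJECT carries the link into the memory manager.
kd> !handle 0 3 <eprocess> File           ; list File handles; pick the one for the DLL
kd> dt nt!_FILE_OBJECT <file_object> FileName SectionObjectPointer

; 2. SECTION_OBJECT_POINTERS holds one control-area pointer per kind of mapping:
;    DataSectionObject  -> data (binary) mapping of the file
;    ImageSectionObject -> image mapping (SEC_IMAGE) of the file
;    SharedCacheMap     -> cache-manager view, not a control area
kd> dt nt!_SECTION_OBJECT_POINTERS <section_object_pointers>

; 3. The control area: one per segment, shared by every view of that mapping.
;    !ca prints the control area, its segment and the subsection list in one go.
kd> !ca <image_section_object>
kd> dt nt!_CONTROL_AREA <image_section_object> Segment FilePointer NumberOfMappedViews NumberOfSectionReferences

; 4. The segment: the physical view, holding the prototype PTE array for the mapping.
kd> dt nt!_SEGMENT <segment> ControlArea PrototypePte TotalNumberOfPtes SizeOfSegment

; 5. Subsections live in memory directly after the control area; the first one is at
;    ca + sizeof(_CONTROL_AREA) and the rest hang off NextSubsection. For an image
;    mapping expect one for the PE header plus one per PE section; for a data
;    mapping expect a single subsection covering the whole file.
kd> ?? sizeof(nt!_CONTROL_AREA)
kd> dt -l NextSubsection nt!_SUBSECTION <image_section_object> + @@(sizeof(nt!_CONTROL_AREA))

; 6. Cross-check sharing: each process that maps the DLL has its own VAD and its own
;    section object, but !vad shows the same ControlArea address in every process,
;    and NumberOfMappedViews on that control area counts the views.
kd> !vad <vad_root>                       ; VadRoot from "dt nt!_EPROCESS <eprocess> VadRoot"
kd> .process /r /p <other_eprocess>
kd> !vad <other_vad_root>                 ; same ControlArea value for the same DLL
```

Reading the output in the order above reproduces the thread's answer: SECTION_OBJECT_POINTERS in the file object points to at most one data control area and one image control area, each control area owns exactly one segment (and vice versa), the segment owns the prototype PTEs, and the subsections that split the mapping into PE header and PE sections are stored immediately after the control area, so mapping the same DLL into M processes adds M section objects and M VADs but no additional control areas, segments or subsections.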