Memory Overview

Memory Overview


2 min read

When a program is loaded into the memory in the Windows Operating System. it sees an abstract view of the memory. This means that the program doesn't have access to the full Memory; instead, it only has access to its Memory. For that program, that is all the Memory it needs. for the sake of brevity, we will not go into the details of how the Operating System performs abstraction. We will look at memory as the program sees it, as that is more relevant to us when reverse engineering malware.

The diagram here is an overview of the typical memory layout for a program.

An image showing memory layout including stack, heap, code, and data

As can be seen, Memory is divided into different sections, namely:

  • Stack

  • Heap

  • Code

  • Data

While we have shown the four sections in a particular order, this can be different from how they will be all the time, e.g., the Code section can be below the Data section.


The code section, as the name implies, contains the program's code. Specifically, this section refers to the text section in a Portable Executable (PE) file, which includes instructions executed by the CPU. This section of the memory has execute permissions, meaning that the CPU can execute the data in this section of the program memory.


The Data section contains initialized data that is not variable and remains constant. It refers to the data section in a Portable Executable file. It often contains Global variables and other data that are not supposed to change during the program's execution.


The Heap, also known as dynamic memory, contains variables and data created and destroyed during program execution. When a variable is created, memory is allocated for that variable at runtime. And when that variable is deleted, the memory is freed. Hence the name dynamic memory.


The Stack is one of the important parts of the memory from a malware analysis point of view. This section of the memory contains local variables, arguments passed on to the program, and the return address of the parent process that is called the program. since the return address is related to the control flow of the CPU's instructions, the stack is often targeted by malware to hijack the control flow. You can look at the Buffer Overflows room to learn how this happens.