1.3.3 Program In Memory

In the previous section, we examined the structure of the executable on the disk. Let's try to understand what happens when an executable is loaded into memory. When the executable is double-clicked, the operating system allocates memory for a new process, and the operating system loader loads the executable into that memory. The following simplified memory layout should help you to visualize the concept; note that the structure of the executable on the disk is similar to the structure of the executable in memory:

In the preceding diagram, the heap is used for dynamic memory allocation during program execution, and its contents can vary. The stack is used for storing the local variables, function arguments, and the return address. You will learn about the stack in detail in later sections.

The memory layout shown previously is greatly simplified, and its components may appear in any order. The memory also contains various Dynamic Link Libraries (DLLs), which are not shown in the preceding diagram, to keep it simple. You will learn about the process memory in detail in the upcoming chapters.

Now, let's go back to our compiled executable (print_string.exe) and load it into memory. The executable was opened in the x64dbg debugger, which loaded it into memory (we will be covering x64dbg in a later chapter; for now, we will focus on the structure of the executable in memory). In the following screenshot, you can see that the executable was loaded at the memory address 0x010F0000, and all the sections of the executable were also loaded into memory. A point to remember is that the memory address you are looking at is a virtual address, not a physical memory address. The virtual address will eventually be translated into a physical memory address (you will learn more about virtual and physical addresses in later chapters):

Examining the memory address of the .data section at 0x010F3000 displays the string "This is a simple program".

Examining the memory address of the .text section at 0x010F1000 displays the sequence of bytes, which is the machine code.
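
The relationship between the load address and the section addresses above can be reproduced with a short script. This is an added example, not code from the book: it parses the section table of a constructed, headers-only PE image and adds each section's relative virtual address (RVA) to the load base. The RVAs 0x1000 and 0x3000 are inferred from the addresses shown above; the section sizes and the function names are assumptions.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 headers (sample input, not a runnable program)."""
    # DOS header: "MZ" magic, padding, then e_lfanew at offset 0x3C pointing to 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    # (name, RVA, virtual size); RVAs inferred from the page, sizes are assumptions
    sections = [(b".text", 0x1000, 0x1000), (b".data", 0x3000, 0x1000)]
    opt_size = 0xE0  # usual PE32 optional header size; left zeroed in this sample
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b""
    for name, rva, vsize in sections:
        # Name[8], VirtualSize, VirtualAddress, then fields this example ignores
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\x00\x00" + coff + b"\x00" * opt_size + table

def section_addresses(image, load_base):
    """Return {section name: (virtual address, virtual size)} for a given load base."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff_off)
    table_off = coff_off + 20 + opt_size  # section table follows the optional header
    if table_off + 40 * count > len(image):
        raise ValueError("section table is truncated")
    result = {}
    for i in range(count):
        name, vsize, rva = struct.unpack_from("<8sII", image, table_off + 40 * i)
        # The loader maps each section at load base + relative virtual address (RVA)
        result[name.rstrip(b"\x00").decode("ascii")] = (load_base + rva, vsize)
    return result

if __name__ == "__main__":
    LOAD_BASE = 0x010F0000  # address shown in the debugger on this page
    for name, (va, size) in section_addresses(build_sample_pe(), LOAD_BASE).items():
        print(f"{name:<8} VA=0x{va:08X} VirtualSize=0x{size:X}")
```
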

Once the executable that contains the code and data is loaded into memory, the CPU fetches the machine code from memory, interprets it, and executes it. While executing the machine instructions, the required data will also be fetched from memory. In our example, the CPU fetches the machine code containing the instructions (to print on the screen) from the .text section, and it fetches the string (data) to be printed, "This is a simple program", from the .data section. The following diagram should help you to visualize the interactions between the CPU and the memory:

While executing instructions, the program may also interact with the input/output devices. In our example, when the program is executed, the string is printed onto the computer screen (output device). If the machine code had an instruction to receive input, the processor (CPU) would have interacted with the input device (such as the keyboard).

To summarize, the following steps are performed when a program is executed:

  1. The program (which contains code and data) is loaded into the memory.
  2. The CPU fetches the machine instruction, decodes it, and executes it.
  3. The CPU fetches the required data from memory; the data can also be written to the memory.
  4. The CPU may interact with the input/output system, as necessary: