When an executable (.exe) is double-clicked, a process is created. We talked about this in the last section. Each process has its own virtual memory. The code of the executable and supporting libraries (DLLs) are loaded into virtual memory. Now, each process in a 32-bit window has a 4 GB virtual memory address space. Does that sound confusing?
If a computer has 2 GB of RAM, then how can each process have a 4 GB virtual memory? Well, here is a simplified explanation for this. The virtual memory is split into regions called pages. The processor cannot execute all the code at one time. Only the pages which contain currently executing code are loaded into RAM. At a particular instance of time, the RAM has pages from virtual memory of various processes. Windows memory management takes care of the whole process of loading and unloading pages through a method termed paging. Virtual memory gives a process the illusion of having 4 GB of RAM.
There is a tool called Process Hacker which, by default, shows the processes executing on the system. Double-clicking on a process name (in this case, Notepad) brings up a new window for that particular process. The window has various tabs corresponding to a property of a process, such as modules, memory, and threads.
The libraries (DLLs) used by Notepad and the notepad.exe itself are called modules. The Modules tab in the Process Hacker tool shows the loaded modules:
In virtual memory, a module can be split into several pages. It's not necessary that all the code in a particular module will be there in the physical memory or RAM as explained earlier.
If you switch to the Memory tab, you can see the address:
The preceding screenshot of the Process Hacker tool shows a page which starts at address 0x1000000 of size 4 KB in the virtual memory of the Notepad process. The page lies in the notepad.exe module. The notepad.exe module is divided into four memory blocks. Each memory block is composed of pages. Process Hacker displays the contiguous pages with same properties as a memory block.
The four memory blocks start at the 0x1000000, 0x1001000, 0x1009000, 0x100b000 addresses in virtual memory.
Other than the modules, there are pages allocated for different purposes, such as heap and stack. Heap and stack are used by the program while assigning variables and assigning memory for carrying out certain operations, such as decryption.
A virtual memory of the 32-bit process is 4 GB, which is further divided into user space and kernel space, with 4 GB each. User space is specific to a process while kernel space is shared by all processes. Kernel space includes critical device drivers and other critical codes of the operating system.
Paging is a much more complex operation than explained here and Windows use a combination of hardware and several data structures to implement paging.