Null page mitigation

  • Question

  • What does the null page mitigation do?  Does it block the old NtAllocateVirtualMemory / NtMapViewOfSection trick of mapping valid memory to address 00000000 by asking for address 00000001?

    If that's what it does, that would probably work for almost all processes except for NTVDM on 32-bit OSes.

    Sunday, May 22, 2011 6:42 PM

All replies

  • Hi Myria,

    As you probably already know... memory addresses from a user-mode application's perspective are virtual. So this means that a NULL pointer can actually be a valid virtual memory address. There have been many exploits taking advantage of NULL pointer dereferences to execute code.

    I believe what EMET is doing is pre-allocating memory at the virtual address 0x00000000 and probably setting the protection to PAGE_NOACCESS or PAGE_GUARD. You could then use an exception handler to detect access to this address.

    Best Wishes,

    -David Delaune


    Sunday, May 22, 2011 7:02 PM