[Dailydave] (windows is vulnerable too) & final comments on naming
intropy
intropy at gmail.com
Wed Mar 7 12:44:16 EST 2007
On 3/7/07, Brad Spengler <spender at grsecurity.net> wrote:
>
> What version of Windows are you using? Maybe you're getting confused
> with the behavior that giving a NULL address as a hint to any
> allocation/mapping function is a special case within the OS to select
> its own address. Luckily though, the address passed in is rounded down
> internally, so giving an address of 1 will let you allocate at the 0
> address.
Microsoft's own driver verifier does this to trap NULL derefs when
exercising code. In the dc2 application, specifying /n will map the
0x0 page.
"/n Map zero page so that NULL pointer de-references don't raise"
And it's done just like you describe.
push    4                       ; Protect        = PAGE_READWRITE
push    3000h                   ; AllocationType = MEM_COMMIT | MEM_RESERVE
lea     ecx, [ebp+var_1C]
push    ecx                     ; RegionSize     = &var_1C (in/out)
push    1                       ; ZeroBits       = 1
lea     edx, [ebp+var_14]
push    edx                     ; BaseAddress    = &var_14 (in/out, requested address)
push    0FFFFFFFFh              ; ProcessHandle  = -1, i.e. NtCurrentProcess()
call    ds:NtAllocateVirtualMemory
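The same call written out in C, as an added example that is not part of the original post and not the dc2 or driver verifier code: it resolves NtAllocateVirtualMemory from ntdll (no import library needed), asks for base address 1 and lets the kernel round it down to page 0, then writes through a null pointer to show that the dereference no longer faults. ZeroBits is passed as 0 rather than the 1 seen in the listing; the function name map_zero_page, the PAGE_SIZE constant and the -1 "not available" return are this example's own choices. On Windows 8 and later, 64-bit processes are refused allocations in the lowest 64 KiB, so expect a failing NTSTATUS there; the code reports it rather than assuming success. The body compiles on non-Windows hosts only for the page-rounding helper; the allocation itself needs Windows.

```c
/* Added example: map the zero page with NtAllocateVirtualMemory (Windows).
   Not code from the original post, dc2 or the driver verifier. */
#include <stdio.h>
#include <stdint.h>

#define PAGE_SIZE 0x1000u   /* x86 host page size; an assumption of this example */

/* NtAllocateVirtualMemory rounds a non-NULL BaseAddress down to the host page
   boundary, which is why requesting address 1 yields a region starting at 0. */
uintptr_t round_down_to_page(uintptr_t addr)
{
    return addr & ~(uintptr_t)(PAGE_SIZE - 1);
}

#ifdef _WIN32
#include <windows.h>

/* ntdll prototype; windows.h does not declare it. */
typedef LONG (NTAPI *NtAllocateVirtualMemory_t)(
    HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits,
    PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);

/* Returns 0 on success and stores the actual base (expected 0) in *out_base,
   the failing NTSTATUS if the kernel refuses, or -1 if ntdll could not be resolved. */
long map_zero_page(void **out_base)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll)
        return -1;
    NtAllocateVirtualMemory_t pNtAlloc =
        (NtAllocateVirtualMemory_t)GetProcAddress(ntdll, "NtAllocateVirtualMemory");
    if (!pNtAlloc)
        return -1;

    PVOID  base = (PVOID)1;            /* request address 1; rounded down to 0 */
    SIZE_T size = PAGE_SIZE;           /* one page is enough to cover NULL */
    LONG st = pNtAlloc((HANDLE)(LONG_PTR)-1,   /* NtCurrentProcess() */
                       &base, 0, &size,
                       MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (st != 0)
        return (long)st;               /* e.g. STATUS_INVALID_PARAMETER_2 on Win8+ x64 */
    *out_base = base;
    return 0;
}
#else
/* Non-Windows hosts: the syscall does not exist, report "not available". */
long map_zero_page(void **out_base)
{
    (void)out_base;
    return -1;
}
#endif

int main(void)
{
    void *base = NULL;
    long rc = map_zero_page(&base);
    if (rc == 0) {
        /* base is 0 at runtime; going through the variable keeps the compiler
           from treating the access as a constant null dereference. */
        volatile uint32_t *p = (volatile uint32_t *)base;
        *p = 0x41414141u;              /* no access violation: page 0 is mapped */
        printf("zero page mapped at %p, *NULL = 0x%08x\n", base, (unsigned)*p);
    } else {
        printf("NtAllocateVirtualMemory not available or refused: 0x%08lx\n", rc);
    }
    return 0;
}
```

A process that does this defeats every user-mode NULL-dereference fault in itself, which is exactly why a verifier uses it to keep exercising code past a bad pointer, and why a local exploit against a kernel NULL dereference wants it.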