tags:

views:

122

answers:

3
+2  Q: 

What is at memory location 1 on an Intel x86 machine running Windows XP?

I am running Windows XP on an Intel x86 machine and I got an error in the instruction at memory location 0x00000001.

I am not worried about debugging the error, but I was interested to know what instructions would generally be located at the very begging of memory.

The only processors I have written low-level code for are PIC microcontrollers, and I know that the first memory location would be a GOTO and then the interrupt vectors.

+2  A: 

That is not the actual physical address space 000001. XP is a modern virtual paged memory OS so each application gets its own address space.

rerun  2010-02-16 04:28:06
+2  A: 

I believe that the zero page of a process's address space is deliberately inaccessible on Windows to help detect null pointer errors, in which case there's nothing there.

Stephen Canon  2010-02-16 04:28:39
+5  A: 

Windows guarantees that the first 64k and the last 64k of memory will always cause an access violation to read or write. This makes detecting null pointer dereferences easier.

See the graphic in this page below the heading

Free, Reserved, and Committed Virtual Memory

http://msdn.microsoft.com/en-us/library/ms810627.aspx

John Knoeller  2010-02-16 04:28:55
To be clear: The guarantee is a weak guarantee. It's possible to map valid memory to virtual location 0, there have been a couple of elevation of privilege vulnerabilities that were exploited by doing that. But by default the first 64K of virtual memory are always 0.
Larry Osterman  2010-02-16 06:31:18
@Larry: I'm sure there's a story behind that. It seems to me that if you can map memory into a privileged process you would have full control. There would be no need to try and exploit a null pointer reference.
John Knoeller  2010-02-16 08:44:44
@John: Think EoP, not RCE. A great example of this is Mark Dowd's Flash attack: http://chargen.matasano.com/chargen/2007/7/3/this-new-vulnerability-dowds-inhuman-flash-exploit.html. All you need is a vulnerability in the kernel that writes into an allocated structure where the kernel doesn't check that the allocation succeeded. If you can get the allocation to fail (by passing in a big buffer), you can sometimes get the kernel to write to arbitrary locations in memory.
Larry Osterman  2010-02-16 15:32:09
@Larry: I remember reading about that exploit when it happened. That was a very impressive attack.
Brightside  2010-02-17 02:38:49

related questions

CLR Profiler - Attaching to existing process
What's the maximum amount of RAM I can use in a Windows box?
.Net 2.0 - How efficient are Generic Lists?
Process Memory Size - Different Counters
C++ Memory management
Using MySQLi - which is better for closing queries
How Does A Stack Overflow Occur and How Do You Prevent It?
C Memory Management
How does .net managed memory handle value types inside objects?
FLVPlayback component memory issues
memset() causing data abort
Is Visual C++ memory managed by the Dot Net framework
Preventing Memory Leaks with Attached Behaviours
How to dispose a class in .net?
best way to persist data in .NET Web Service
Reading Other Process' Memory in Mac OS / BSD
Replicating load related crashes in non-production environments
Secure Memory Allocator in C++
Best way to wrap rsync progress in a gui?
Some kind of task manager for JavaScript in Firefox 3?
Of Memory Management, Heap Corruption, and C++
Understanding reference counting with Cocoa / Objective C
Setting Objects to Null/Nothing after use in .NET
Heap corruption under Win32; how to locate?
Anatomy of a "Memory Leak"