Why doesn’t Windows use the 64-bit virtual address space below 0x00000000 - 7ffe0000 ?
added on 2022/12/19 @ 12:25:52 | 1722 views| category: programming

A customer used VMMap and observed that for all of their 64-bit processes, nothing was allocated at any addresses below 0x00000000`7ffe0000. Why does the virtual address space start at 0x00000000`7ffe0000? Is it to make it easier to catch pointer truncation bugs? And what’s so special about 0x00000000`7ffe0000?

Okay, let’s go through the questions one at a time.

First, is it even true that the virtual address space starts at 0x00000000`7ffe0000?

No. The virtual address space starts at the 64KB boundary. You can confirm this by calling GetSystemInfo and checking the lpMinimum­Application­Address. It will be 0x00000000`00010000.

If the address space starts at 64KB, why is the lower 2GB pretty much ignored?

Because it turns out that the total address space is really big.

Address Space Layout Randomization (ASLR) tries to put things at unpredictable addresses. The full user-mode address space on x86-64 is 128TB, and a randomly-generated 47-bit address is very unlikely to begin with 15 consecutive zero bits. The first 2GB of address space is only 0.003% of the total available address space, so it’s a pretty small target.

But why is there a page of memory consistently allocated at exactly 0x00000000`7ffe0000?