Didier Stevens

Monday 6 December 2010


Filed under: My Software,PDF,Vulnerabilities — Didier Stevens @ 0:00

HeapLocker is a new tool I’m releasing to mitigate heap spray attacks. But be patient, don’t use this version (V0.0.0.2) yet for other reasons than experimenting! I’m still testing newer versions that I’ll release soon.

HeapLocker uses 5 mitigation techniques.

1) Like EMET, HeapLocker will pre-allocate virtual memory pages to protect the addresses often used in exploits with heap sprays. HeapLocker can go one step further than EMET: it can inject its own shellcode to warn the user in case of an attack:

2) HeapLocker can also pre-allocate memory page zero, like EMET.

3) To detect heap sprays in action, HeapLocker monitors private memory usage:

4) HeapLocker can monitor the application’s memory for NOP-sleds:

5) The last technique, monitoring the application’s memory for specific strings, proved to be very successful to detect malicious PDF documents:

I will detail these techniques in upcoming posts.


  1. How hard would it be for Antivirus vendors to implement such a tool, or natively in an OS by the creators? Well done. Makes me feel a little better knowing people are actually doing something to combat the attacks instead of merely using band-aids to fix individual outbreaks patch by patch.

    Someone had mentioned EMET a while back and i forgot all about it as well.

    Comment by DigiP — Monday 6 December 2010 @ 9:05

  2. This looks extremely interesting and very relevant for a project of mine at the moment.
    I’m looking forward to see the development of this.

    Great work.

    Comment by Thomas Stig Jacobsen — Monday 6 December 2010 @ 9:46

  3. Thanks for all your valuable work!
    Hurray for the good guys!

    Comment by Jonathon — Monday 6 December 2010 @ 15:33

  4. Awesome Didier, keep it coming.

    Comment by Thierry Zoller — Monday 6 December 2010 @ 17:48

  5. This looks very interesting. Am not a malware expert, on a particular platform I believe some types of checks can be done in a generic way for all applications ? And some others can be done in a specific way. I look forward for more details.

    Comment by Madhusudan Challa — Tuesday 7 December 2010 @ 1:43

  6. Didier,

    I certainly don’t want this post to sound like I’m knocking your good work, because believe me everything you have been giving to the community is top notch and keep it up! One question I have on this though is how do you compare it’s use to EMET? Is your tool covering areas that EMET is not? Do you see usefulness is running both this and EMET?

    Comment by Curt Shaffer — Wednesday 8 December 2010 @ 13:04

  7. @Curt Shaffer It’s my plan that HeapLocker can be used together with EMET, and I’ve already performed tests with both.

    Comment by Didier Stevens — Wednesday 8 December 2010 @ 17:34

  8. This tool looks very interesting! I hope you release a stable version soon so I can test it =P

    Good job!


    Comment by Shyish — Saturday 8 January 2011 @ 21:25

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.