I recently had cause to change some ulimit settings in a shell, and was struck by a realization: memory exploits would have an effect on what a program looked like in terms of physical memory usage. This would especially hold, I'd think, for current-generation stuff using NOP slides, heap spraying, and other heap-based attacks. Some of those can briefly allocate enormous amounts of address space, for instance.

And I wondered: would it be possible to have heuristics for recognizing that a program may be about to be compromised? Have a DLL library that is loaded by the program perhaps, intercepts memory management syscalls, and looks at where they go and how big they are. If they fit certain patterns, then make them fail and/or kill the program. Kind of like AV heuristics, only aimed at the exploit stage rather than the payload stage.

Is this feasible? Have I just described part of EMET or something? Or is memory management too unpredictable for this to work in most cases?