The memory must be in the MEM_COMMIT state.
The protection of the memory must be PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. The vast majority of executable memory is PAGE_EXECUTE_READ. PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY are rare and can be considered dangerous, because the code in such pages can be modified (injected).
- Be sure to reference the current values, not the allocation values.
- Each memory page region (minimum 4K) tracks both the initial protection value at allocation, and the current protection value, as set by the VirtualProtect family of functions.
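The two checks above can be expressed as one function over the current State and Protect values of a region. This is an added example, not code from the original page: the `region` struct is a hypothetical mirror of the MEMORY_BASIC_INFORMATION fields that VirtualQuery fills in, the constants carry their Windows SDK values so the code also builds off Windows, and the sample regions are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant values as defined in the Windows SDK (winnt.h). */
#ifndef MEM_COMMIT
#define MEM_COMMIT             0x1000
#define MEM_RESERVE            0x2000
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#endif

/* Hypothetical mirror of the three MEMORY_BASIC_INFORMATION fields used here. */
struct region { const char *label; uint32_t State, Protect, AllocationProtect; };

enum verdict { NOT_COMMITTED, NOT_EXECUTABLE, EXEC_OK, EXEC_WRITABLE };

/* Decide from the CURRENT values only; AllocationProtect is never consulted. */
enum verdict classify_execute(const struct region *r)
{
    if (r->State != MEM_COMMIT)
        return NOT_COMMITTED;
    switch (r->Protect & 0xFF) {       /* drop modifier bits such as PAGE_GUARD */
    case PAGE_EXECUTE:                 /* execute-only is executable as well */
    case PAGE_EXECUTE_READ:
        return EXEC_OK;
    case PAGE_EXECUTE_READWRITE:
    case PAGE_EXECUTE_WRITECOPY:
        return EXEC_WRITABLE;          /* executable and modifiable: review it */
    default:
        return NOT_EXECUTABLE;         /* executing here raises the violation */
    }
}

/* Constructed sample regions, not taken from a real dump. */
static const struct region SAMPLES[] = {
    { "code page",             MEM_COMMIT,  PAGE_EXECUTE_READ,      PAGE_EXECUTE_WRITECOPY },
    { "data page, exec alloc", MEM_COMMIT,  PAGE_READWRITE,         PAGE_EXECUTE_WRITECOPY },
    { "writable code page",    MEM_COMMIT,  PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_READWRITE },
    { "reserved only",         MEM_RESERVE, 0,                      PAGE_EXECUTE_READ },
};

int main(void)
{
    static const char *names[] = { "not committed", "not executable", "executable", "executable+writable" };
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%-22s -> %s\n", SAMPLES[i].label, names[classify_execute(&SAMPLES[i])]);
    return 0;
}
```

The second sample is the case the note about current values warns about: its allocation protection is executable, but its current protection is not.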
The violation is detected by the processor via Data Execution Prevention (DEP).
The memory address may be invalid because of one of these common scenarios:
- Stack Corruption - the return address of a call is pushed on the stack, and local variables are next to this location. If a local has a buffer overrun, the return address is corrupted.
- DLL Reference Counting - the address was valid, but is now being accessed after the DLL has been unloaded.
- Bit-Flip - RAM (hardware) issue where one or more bits have flipped (rare).