Episode

Access Violation C0000005 - Execute

An Execute Access Violation occurs when the application attempts to execute code from a memory address that is invalid. To be valid, the memory page must have a valid state, protection and type.

The memory must be in the MEM_COMMIT state.

The memory can be of any type; MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE. The vast majority is MEM_IMAGE. MEM_PRIVATE is used for Just-in-Time (JIT) code - the main example being JavaScript.

The protection of the memory must be PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. The vast majority is PAGE_EXECUTE_READ. PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY are rare and can be considered dangerous, as code can be modified (injected).

To view the state, protection and type of the address, use !address <address>

  • Be sure to reference the current values; not the allocation values
  • Each memory page region (minimum 4K) tracks both the initial protection value at allocation, and the current protection value, as set by the VirtualProtect family of functions.

The violation is detected by the processor via Data Execution Protection.

The memory address may be invalid because of one of these common scenarios:

  • Stack Corruption - the return address of a call is pushed on the stack. Local variables are next to this location. If a local has a buffer overrun, the return address is corrupted.
  • DLL Reference Counting - the address was valid, but is now being accessed after the DLL has been unloaded
  • Bit-Flip - RAM (hardware) issue where one or more bits have flipped (rare)

Additional Resources: