Episode

Access Violation C0000005 - Read or Write

A Read or Write Access Violation occurs when the application attempts to read or write memory from a memory address that is invalid. To be valid, the memory page must have a valid state, protection and type.

The memory must be in the MEM_COMMIT state.

The memory can be of any type; MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE.

For Read operations, the protection of the memory must be PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY.

For Write operations, the protection of the memory must be PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY.

To view the state, protection and type of the address, use !address <address>

  • Be sure to reference the current values; not the allocation values
  • Each memory page region (minimum 4K) tracks both the initial protection value at allocation, and the current protection value, as set by the VirtualProtect family of functions.

The memory address may be invalid because of one of these common scenarios:

  • NULL Pointer - addresses between 0x0 and 0x10000 (64K) - e.g. a function that usually returns a pointer returned NULL (0x0), and the pointer was accessed without verification
  • Memory Corruption - the address was mistakenly or maliciously overwritten - commonly via a buffer overrun (or underrun)
  • Use-After-Free - the address was valid, but is now being accessed after it is freed (data)
  • Bit-Flip - RAM (hardware) issue where one or more bits have flipped (rare)

Additional Resources: