PYTHON - Ctypes : OSError: exception: access violation writing 0xFFFFFFFFFA1C001B

2

Here is the code for writing values to memory using memory mapping. When I try to run the code, I get the error "File "MMF.py", line 26, in memcpy(pBuf, szMsg, len(szMsg)) OSError: exception: access violation writing 0xFFFFFFFFFA1C001B"

import msvcrt, mmap
import ctypes
from ctypes import *

FILE_MAP_ALL_ACCESS = 0x04
INVALID_HANDLE_VALUE = 0xFFFFFFFF
SHMEMSIZE = 256
PAGE_READWRITE = 0x04
szName = ctypes.c_wchar_p("MyFileMappingObject")
szMsg = "Message from Python(ctypes) process"

hMapObject = windll.kernel32.CreateFileMappingA(INVALID_HANDLE_VALUE,None, PAGE_READWRITE, 0, SHMEMSIZE, szName)
print("Handle:",hMapObject)
if (hMapObject == 0):
    print("Could not open file mapping object")
    raise WinError()

pBuf = windll.kernel32.MapViewOfFile(hMapObject, FILE_MAP_ALL_ACCESS,0, 0, SHMEMSIZE)
print("Buffer Starting Addr:",pBuf)
if (pBuf == 0):
    print("Could not map view of file")
    raise WinError()
else:
    print(len(szMsg))
    memcpy = cdll.msvcrt.memcpy
    memcpy(pBuf, szMsg, len(szMsg))

shmem = mmap.mmap(0, 256, "MyFileMappingObject_ctypes", mmap.ACCESS_WRITE)
shmem.write("Message Python process")

msvcrt.getch()

windll.kernel32.UnmapViewOfFile(pBuf)
windll.kernel32.CloseHandle(hMapObject)
shmem.close()

Tags: python, ctypes, dllimport, memory-mapped-files
asked on Stack Overflow Feb 14, 2018 by Prabakar • edited Feb 14, 2018 by CristiFati

1 Answer

3

Before anything, here's (almost) everything that you need: [Python 3.Docs]: ctypes - A foreign function library for Python. ctypes.wintypes is not explained, but you can see its exports by running dir(ctypes.wintypes) in the Python console. Note that all these types are simple CTypes types, I use them just for convention / consistency / readability's sake.

Your updated code (code00.py):

import sys
import ctypes as ct
import ctypes.wintypes as wt
import mmap
import msvcrt


def main(*argv):
    FILE_MAP_ALL_ACCESS = 0x000F001F
    INVALID_HANDLE_VALUE = -1
    SHMEMSIZE = 0x100
    PAGE_READWRITE = 0x04

    kernel32_dll = ct.windll.kernel32
    msvcrt_dll = ct.cdll.msvcrt  # To be avoided

    CreateFileMapping = kernel32_dll.CreateFileMappingW
    CreateFileMapping.argtypes = (wt.HANDLE, wt.LPVOID, wt.DWORD, wt.DWORD, wt.DWORD, wt.LPCWSTR)
    CreateFileMapping.restype = wt.HANDLE

    MapViewOfFile = kernel32_dll.MapViewOfFile
    MapViewOfFile.argtypes = (wt.HANDLE, wt.DWORD, wt.DWORD, wt.DWORD, ct.c_size_t)  # dwNumberOfBytesToMap is SIZE_T
    MapViewOfFile.restype = wt.LPVOID

    memcpy = msvcrt_dll.memcpy
    memcpy.argtypes = (ct.c_void_p, ct.c_void_p, ct.c_size_t)
    memcpy.restype = wt.LPVOID

    RtlCopyMemory = kernel32_dll.RtlCopyMemory
    RtlCopyMemory.argtypes = (wt.LPVOID, wt.LPCVOID, ct.c_size_t)  # Length is SIZE_T
    RtlCopyMemory.restype = None  # void function

    UnmapViewOfFile = kernel32_dll.UnmapViewOfFile
    UnmapViewOfFile.argtypes = (wt.LPCVOID,)
    UnmapViewOfFile.restype = wt.BOOL

    CloseHandle = kernel32_dll.CloseHandle
    CloseHandle.argtypes = (wt.HANDLE,)
    CloseHandle.restype = wt.BOOL

    GetLastError = kernel32_dll.GetLastError

    file_mapping_name_ptr = ct.c_wchar_p("MyFileMappingObject")
    msg = "Message from Python(ctypes) process"
    msg_ptr = ct.c_wchar_p(msg)

    mapping_handle = CreateFileMapping(INVALID_HANDLE_VALUE, 0, PAGE_READWRITE, 0, SHMEMSIZE, file_mapping_name_ptr)

    # A NULL HANDLE / pointer comes back as None, so test it before formatting it as hex
    if not mapping_handle:
        print("Could not open file mapping object: {:d}".format(GetLastError()))
        raise ct.WinError()
    print("Mapping object handle: 0x{:016X}".format(mapping_handle))

    mapped_view_ptr = MapViewOfFile(mapping_handle, FILE_MAP_ALL_ACCESS, 0, 0, SHMEMSIZE)

    if not mapped_view_ptr:
        print("Could not map view of file: {:d}".format(GetLastError()))
        CloseHandle(mapping_handle)
        raise ct.WinError()
    print("Mapped view addr: 0x{:016X}".format(mapped_view_ptr))

    byte_len = len(msg) * ct.sizeof(ct.c_wchar)
    print("Message length: {:d} chars ({:d} bytes)".format(len(msg), byte_len))

    memcpy(mapped_view_ptr, msg_ptr, byte_len)  # Comment this line
    RtlCopyMemory(mapped_view_ptr, msg_ptr, byte_len)

    # Python variant
    shmem = mmap.mmap(0, 256, "MyFileMappingObject_ctypes", mmap.ACCESS_WRITE)
    shmem.write(b"Message Python process")

    print("Hit a key to clean all memory maps and exit...")
    msvcrt.getch()

    UnmapViewOfFile(mapped_view_ptr)
    CloseHandle(mapping_handle)

    shmem.close()


if __name__ == "__main__":
    print("Python {0:s} {1:d}bit on {2:s}\n".format(" ".join(item.strip() for item in sys.version.split("\n")), 64 if sys.maxsize > 0x100000000 else 32, sys.platform))
    main(*sys.argv[1:])
    print("\nDone.")

Notes:

  • Added the argtypes and restype for the functions. Details can be seen in the "Specifying the required argument types (function prototypes)" and "Return types" sections, and of course MS.Docs for function declarations. This is Undefined Behavior (UB) especially on 64bit: [SO]: C function called from Python via ctypes returns incorrect value (@CristiFati's answer)

  • memcpy's 2nd argument is a Python string, which is not the same as its char * address (not to mention that in Python 3, strings are wchar_t based) that memcpy expects, this will probably also yield UB

  • Constants:

    • FILE_MAP_ALL_ACCESS's value is 0x000F001F (printed out the value from VStudio 2015), 0x04 corresponds to FILE_MAP_READ

    • Error converting INVALID_HANDLE_VALUE's old value to HANDLE, changed it to -1 (as in handleapi.h)

  • You're calling CreateFileMappingA with a c_wchar_p. That will set a name consisting of only the 1st character from the supplied string for the mapping object because each wchar_t consists of 2 bytes: 0x00 plus the corresponding char value - 'A' will be represented as 0x00 0x41 (generally this is not true - especially the 0x00 part, but in our case, it is) - so the 2nd char in the lpName argument (due to little-endianness) will be 0x00 (NUL)

  • According to the page above:

    Accessing the standard C library through cdll.msvcrt will use an outdated version of the library that may be incompatible with the one being used by Python.

    So, I also added [MS.Docs]: RtlCopyMemory function to replace memcpy (you can comment out its line, I left it there just to show that it works), as in the example ([MS.Docs]: Creating Named Shared Memory) that you took the code from, and tried to convert it ([minwinbase.h: #36]: #define CopyMemory RtlCopyMemory)

  • Changed naming convention to be Python compliant ([Python]: PEP 8 -- Style Guide for Python Code)

  • Other (non critical) changes (output formatting, moving lines of code around for a better structure, and so on ...)

Output:

[cfati@CFATI-5510-0:e:\Work\Dev\StackOverflow\q048788549]> "e:\Work\Dev\VEnvs\py_pc064_03.07.06_test0\Scripts\python.exe" code00.py
Python 3.7.6 (tags/v3.7.6:43364a7ae0, Dec 19 2019, 00:42:30) [MSC v.1916 64 bit (AMD64)] 64bit on win32

Mapping object handle: 0x000000000000022C
Mapped view addr: 0x00000192912B0000
Message length: 35 chars (70 bytes)
Hit a key to clean all memory maps and exit...

Done.
answered on Stack Overflow Feb 15, 2018 by CristiFati • edited May 22, 2020 by CristiFati
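
As an added illustration (not part of the answer or of the asker's code), the block below reproduces on any 64-bit Python the two type mismatches the notes describe: a pointer return read through the default C int restype, and a wide name handed to a ...A API. The sample address and all helper names are constructed for this example, and a ctypes callback stands in for MapViewOfFile so nothing Windows-specific is needed.

```python
import ctypes as ct

# Constructed sample: a 64-bit view address shaped like the one in the answer's output.
REAL_ADDR = 0x00000192FA1C0000


def call_with_restype(restype):
    """Call a stand-in for MapViewOfFile through a prototype with the given restype."""
    # The stand-in really returns a pointer-sized value (assumes 64-bit Python).
    api = ct.CFUNCTYPE(ct.c_void_p)(lambda: REAL_ADDR)
    entry = ct.cast(api, ct.c_void_p).value
    # Re-declare the same entry point the way the caller believes it looks.
    return ct.CFUNCTYPE(restype)(entry)()


def as_pointer_arg(value):
    """Model of the address a callee sees when a Python int is passed with no
    argtypes: ctypes marshals it as a C int, sign-extended to 64 bits."""
    return ct.c_int(value).value & 0xFFFFFFFFFFFFFFFF


def ansi_view_of_wide_name(name):
    """What a ...A (char *) API reads from a Windows wchar_t (UTF-16LE) buffer."""
    wide = ct.create_string_buffer(name.encode("utf-16-le") + b"\x00\x00")
    return ct.cast(wide, ct.c_char_p).value  # stops at the first NUL byte


if __name__ == "__main__":
    bad = call_with_restype(ct.c_int)       # ctypes default when restype is unset
    good = call_with_restype(ct.c_void_p)   # declared, as in the answer
    print("declared restype :", hex(good))
    print("default restype  :", bad, "->", hex(as_pointer_arg(bad)))
    print("name seen by ...A:", ansi_view_of_wide_name("MyFileMappingObject"))
```

The sign-extended value has the same 0xFFFFFFFF upper half as the faulting address in the question, and the name comes back as a single character.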

User contributions licensed under CC BY-SA 3.0