Holy cow, I wrote a book!
Um, it means that the library was loaded at 0x10000000?
Okay, here's some more information:
"We're trying to debug an application which loads DLLs
and attempts to hook their registry accesses when they
It looks like when the special handle is returned from
the registry writes go through and bypass the hook.
On the other hand, when a normal value is returned by
the hook works."
There is nothing special about the value 0x10000000.
It's an address like any other address.
At this point, your psychic powers might start tingling.
Everybody who does Win32 programming should recognize that
0x10000000 is the default
DLL base address assigned by the linker.
If you don't specify a custom base address, the linker
will base you at 0x10000000.
Now things are starting to make sense.
The DLL being monitored was probably built with the default
The value 0x10000000 is special not because of
its numeric value,
but because it matches the DLL's preferred address,
which means that no rebasing has occurred.
And this in turn suggests that there's a bug in the
registry hooks if the DLL is loaded
at its preferred address.
The code in question was copied from a book,
so now they get to debug code copied from a book.
Wait, we're not finished yet.
You may have answered the customer's question,
but you haven't solved their problem.
Hooking and patching DLLs like this is not supported.
But what is supported is the
In fact, the
designed specifically to solve this very problem:
function is intended for software installation programs.
It allows them to remap a predefined key,
load a DLL component that will be installed on the system,
call an entry point in the DLL, and examine the changes
to the registry that the component attempted to make.
The documentation continues, explaining how such an
installation program might use the
to accomplish the desired task.