实例句柄0x10000000有什么特别之处?What is so special about the instance handle 0x10000000?

Load­Library函数返回特殊值时,客户想知道它意味着什么0x10000000
嗯,这意味着LIB被加载进了0x10000000
好的,这里有一些更多的信息:“我们正在尝试调试一个加载DLL的应用程序,并试图在他们调用时挂钩他们的注册表访问Dll­Register­Server看起来当从特殊句柄返回时Load­Library,注册表写入通过并绕过钩子。另一方面,当返回正常值时Load­Library,钩子起作用。“ 
值没有什么特别之处0x10000000这是一个像任何其他地址一样的地址。
在这一点上,你的精神力量可能会开始刺痛。每个进行Win32编程的人都应该认识到这一点0x10000000是链接器分配的默认DLL基址。如果您未指定自定义基址,则链接器将以您为基础0x10000000
现在情况开始变得有意义了。被监视的DLL可能是使用默认的基址构建的。该值0x10000000是特殊的,不是因为它的数值,而是因为它匹配DLL的首选地址,这意味着没有发生变基。这反过来表明,如果DLL在其首选地址加载,则注册表挂钩中存在错误。
有问题的代码是从书中复制的,所以现在他们可以调试从书中复制的代码。
等等,我们还没完成。
您可能已经回答了客户的问题,但您还没有解决他们的问题

不支持挂钩和修补这样的DLL。但是,什么支持的是Reg­Override­Predef­Key功能。事实上,这Reg­Override­Predef­Key专门为解决这个问题而设计的

RegOverridePredefKey功能可用于软件安装程序。它允许它们重新映射预定义的密钥,加载将安装在系统上的DLL组件,调用DLL中的入口点,并检查组件尝试进行的注册表更改。

文档继续,解释了这样的安装程序如何使用该Reg­Override­Predef­Key函数来完成所需的任务。

A customer wanted to know what it means when the Load­Library function returns the special value 0x10000000.
Um, it means that the library was loaded at 0x10000000?
Okay, here’s some more information: “We’re trying to debug an application which loads DLLs and attempts to hook their registry accesses when they call Dll­Register­Server. It looks like when the special handle is returned from Load­Library, the registry writes go through and bypass the hook. On the other hand, when a normal value is returned by Load­Library, the hook works.”
There is nothing special about the value 0x10000000. It’s an address like any other address.
At this point, your psychic powers might start tingling. Everybody who does Win32 programming should recognize that 0x10000000 is the default DLL base address assigned by the linker. If you don’t specify a custom base address, the linker will base you at 0x10000000.
Now things are starting to make sense. The DLL being monitored was probably built with the default base address. The value 0x10000000 is special not because of its numeric value, but because it matches the DLL’s preferred address, which means that no rebasing has occurred. And this in turn suggests that there’s a bug in the registry hooks if the DLL is loaded at its preferred address.
The code in question was copied from a book, so now they get to debug code copied from a book.
Wait, we’re not finished yet.
You may have answered the customer’s question, but you haven’t solved their problem.

Hooking and patching DLLs like this is not supported. But what is supported is the Reg­Override­Predef­Key function. In fact, the Reg­Override­Predef­Key was designed specifically to solve this very problem:

The Reg­Override­Predef­Key function is intended for software installation programs. It allows them to remap a predefined key, load a DLL component that will be installed on the system, call an entry point in the DLL, and examine the changes to the registry that the component attempted to make.

The documentation continues, explaining how such an installation program might use the Reg­Override­Predef­Key function to accomplish the desired task.

posted @ 2019-08-15 15:06  CharyGao  阅读(634)  评论(0编辑  收藏  举报