当LoadLibrary
函数返回特殊值时,客户想知道它意味着什么0x10000000
。
嗯,这意味着LIB被加载进了0x10000000
?
好的,这里有一些更多的信息:“我们正在尝试调试一个加载DLL的应用程序,并试图在他们调用时挂钩他们的注册表访问DllRegisterServer
。看起来当从特殊句柄返回时LoadLibrary
,注册表写入通过并绕过钩子。另一方面,当返回正常值时LoadLibrary
,钩子起作用。“
值没有什么特别之处0x10000000
。这是一个像任何其他地址一样的地址。
在这一点上,你的精神力量可能会开始刺痛。每个进行Win32编程的人都应该认识到这一点0x10000000
是链接器分配的默认DLL基址。如果您未指定自定义基址,则链接器将以您为基础0x10000000
。
现在情况开始变得有意义了。被监视的DLL可能是使用默认的基址构建的。该值0x10000000
是特殊的,不是因为它的数值,而是因为它匹配DLL的首选地址,这意味着没有发生变基。这反过来表明,如果DLL在其首选地址加载,则注册表挂钩中存在错误。
有问题的代码是从书中复制的,所以现在他们可以调试从书中复制的代码。
等等,我们还没完成。
您可能已经回答了客户的问题,但您还没有解决他们的问题。
不支持挂钩和修补这样的DLL。但是,什么是支持的是RegOverridePredefKey
功能。事实上,这RegOverridePredefKey
是专门为解决这个问题而设计的:
文档继续,解释了这样的安装程序如何使用该RegOverridePredefKey
函数来完成所需的任务。
A customer wanted to know what it means when the LoadLibrary
function returns the special value 0x10000000
.
Um, it means that the library was loaded at 0x10000000
?
Okay, here’s some more information: “We’re trying to debug an application which loads DLLs and attempts to hook their registry accesses when they call DllRegisterServer
. It looks like when the special handle is returned from LoadLibrary
, the registry writes go through and bypass the hook. On the other hand, when a normal value is returned by LoadLibrary
, the hook works.”
There is nothing special about the value 0x10000000
. It’s an address like any other address.
At this point, your psychic powers might start tingling. Everybody who does Win32 programming should recognize that 0x10000000
is the default DLL base address assigned by the linker. If you don’t specify a custom base address, the linker will base you at 0x10000000
.
Now things are starting to make sense. The DLL being monitored was probably built with the default base address. The value 0x10000000
is special not because of its numeric value, but because it matches the DLL’s preferred address, which means that no rebasing has occurred. And this in turn suggests that there’s a bug in the registry hooks if the DLL is loaded at its preferred address.
The code in question was copied from a book, so now they get to debug code copied from a book.
Wait, we’re not finished yet.
You may have answered the customer’s question, but you haven’t solved their problem.
Hooking and patching DLLs like this is not supported. But what is supported is the RegOverridePredefKey
function. In fact, the RegOverridePredefKey
was designed specifically to solve this very problem:
The documentation continues, explaining how such an installation program might use the RegOverridePredefKey
function to accomplish the desired task.