{"id":5713,"date":"2012-12-27T07:00:00","date_gmt":"2012-12-27T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2012\/12\/27\/what-is-so-special-about-the-instance-handle-0x10000000\/"},"modified":"2012-12-27T07:00:00","modified_gmt":"2012-12-27T07:00:00","slug":"what-is-so-special-about-the-instance-handle-0x10000000","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20121227-00\/?p=5713","title":{"rendered":"What is so special about the instance handle 0x10000000?"},"content":{"rendered":"<p>A customer wanted to know what it means when the <code>Load&shy;Library<\/code> function returns the special value <code>0x10000000<\/code>.\n Um, it means that the library was loaded at <code>0x10000000<\/code>?\n Okay, here&#8217;s some more information: &#8220;We&#8217;re trying to debug an application which loads DLLs and attempts to hook their registry accesses when they call <code>Dll&shy;Register&shy;Server<\/code>. It looks like when the special handle is returned from <code>Load&shy;Library<\/code>, the registry writes go through and bypass the hook. On the other hand, when a normal value is returned by <code>Load&shy;Library<\/code>, the hook works.&#8221;\n There is nothing special about the value <code>0x10000000<\/code>. It&#8217;s an address like any other address.\n At this point, your psychic powers might start tingling. Everybody who does Win32 programming should recognize that <code>0x10000000<\/code> is the default DLL base address assigned by the linker. If you don&#8217;t specify a custom base address, the linker will base you at <code>0x10000000<\/code>.\n Now things are starting to make sense. The DLL being monitored was probably built with the default base address. The value <code>0x10000000<\/code> is special not because of its numeric value, but because it matches the DLL&#8217;s preferred address, which means that no rebasing has occurred. And this in turn suggests that there&#8217;s a bug in the registry hooks if the DLL is loaded at its preferred address.\n The code in question was copied from a book, so now they get to debug code copied from a book.\n Wait, we&#8217;re not finished yet.\n You may have answered the customer&#8217;s question, but you haven&#8217;t <i>solved their problem<\/i>.<\/p>\n<p> Hooking and patching DLLs like this is not supported. But what <i>is<\/i> supported is the <code>Reg&shy;Override&shy;Predef&shy;Key<\/code> function. In fact, the <code>Reg&shy;Override&shy;Predef&shy;Key<\/code> was designed <i>specifically to solve this very problem<\/i>: <\/p>\n<blockquote class=\"q\"><p> The <b>Reg&shy;Override&shy;Predef&shy;Key<\/b> function is intended for software installation programs. It allows them to remap a predefined key, load a DLL component that will be installed on the system, call an entry point in the DLL, and examine the changes to the registry that the component attempted to make. <\/p><\/blockquote>\n<p> The documentation continues, explaining how such an installation program might use the <code>Reg&shy;Override&shy;Predef&shy;Key<\/code> function to accomplish the desired task. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>A customer wanted to know what it means when the Load&shy;Library function returns the special value 0x10000000. Um, it means that the library was loaded at 0x10000000? Okay, here&#8217;s some more information: &#8220;We&#8217;re trying to debug an application which loads DLLs and attempts to hook their registry accesses when they call Dll&shy;Register&shy;Server. It looks like [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-5713","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>A customer wanted to know what it means when the Load&shy;Library function returns the special value 0x10000000. Um, it means that the library was loaded at 0x10000000? Okay, here&#8217;s some more information: &#8220;We&#8217;re trying to debug an application which loads DLLs and attempts to hook their registry accesses when they call Dll&shy;Register&shy;Server. It looks like [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/5713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=5713"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/5713\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=5713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=5713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=5713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}