Old 01.03.2017, 16:08   #34
leecher
Moderator
Interesting... According to the logs, it installs the hook for BasepProcessInvalidImageReal correctly, but the hook never gets called when processing an invalid image (i.e. a DOS application), whereas on my system this works fine.
The different addresses are normal, as DLLs get loaded at different addresses in different processes, so that's nothing to worry about.
I can't imagine that KERNEL32.DLL differs between different language versions of Windows 10.
If the memory for the IAT weren't writable, I guess this would result in an access violation, which also isn't the case.

Now we have 2 options: as you said that you prepared a VMware image, you can try to send me this image file of the OS image where it doesn't work so that I can check it.
Or you can set up remote access to your virtual machine for me so that I can try to check it there (maybe use the Remote Desktop Protocol and set up a port forwarding into the VM from the Internet side?).

What do you think about these options? I need to analyse with a debugger why the hook isn't working even though it has been correctly placed in KERNEL32.DLL.

Maybe we can arrange remote access via e-mail; you already have my e-mail address anyway.