Reversing : The Hacker's Guide to Reverse Engineering

From their names alone, you can make some educated guesses about these
APIs. It’s obvious that this is a group of APIs that manage some kind of a
generic list (generic probably meaning that the elements can contain any type
of data). There is an API for inserting, deleting, and searching for an element.
RtlNumberGenericTableElements probably returns the total number of
elements in the list, and RtlGetElementGenericTable most likely allows
direct access to an element based on its index. Before you can start using a
generic table you most likely need to call RtlInitializeGenericTable to
initialize some kind of a root data structure.
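The interface guessed at above, modelled as an added example in portable C. This is not the book's GenericTable.EXE and not the ntdll implementation: the function names echo the Rtl* exports but drop the Rtl prefix to make clear that every type, parameter and body here is an assumption (a sorted array of heap copies with a caller-supplied compare callback stands in for whatever structure ntdll actually uses). It gives a concrete model of what "generic", "root data structure" and "access by index" would mean, which the reversing session that follows then checks against the real code.

```c
/* Added example: a portable model of the inferred generic table interface.
 * Not the Windows ntdll code and not the book's GenericTable.EXE; all types,
 * parameters and bodies are assumptions chosen to match the guesses above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*CompareRoutine)(const void *a, const void *b);

/* The "root data structure" that the initialize call is assumed to set up. */
typedef struct {
    void **elements;        /* heap copies of caller data, kept sorted */
    size_t count;
    size_t capacity;
    size_t elementSize;     /* fixed element size (assumption) */
    CompareRoutine compare; /* "generic": the table never looks inside elements */
} GenericTable;

void InitializeGenericTable(GenericTable *t, size_t elementSize, CompareRoutine cmp)
{
    memset(t, 0, sizeof(*t));
    t->elementSize = elementSize;
    t->compare = cmp;
}

/* Binary search over the sorted array: index of the match, or the
 * insertion point when *found is cleared. */
static size_t find_slot(const GenericTable *t, const void *key, int *found)
{
    size_t lo = 0, hi = t->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = t->compare(key, t->elements[mid]);
        if (c == 0) { *found = 1; return mid; }
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    *found = 0;
    return lo;
}

/* Stores a copy of buffer. Returns the stored copy (the existing one if an
 * equal element is already present, with *newElement = 0), NULL on OOM. */
void *InsertElementGenericTable(GenericTable *t, const void *buffer, int *newElement)
{
    int found;
    size_t idx = find_slot(t, buffer, &found);
    if (found) { if (newElement) *newElement = 0; return t->elements[idx]; }
    if (t->count == t->capacity) {
        size_t cap = t->capacity ? t->capacity * 2 : 8;
        void **grown = realloc(t->elements, cap * sizeof(*grown));
        if (!grown) return NULL;
        t->elements = grown;
        t->capacity = cap;
    }
    void *copy = malloc(t->elementSize);
    if (!copy) return NULL;
    memcpy(copy, buffer, t->elementSize);
    memmove(&t->elements[idx + 1], &t->elements[idx], (t->count - idx) * sizeof(void *));
    t->elements[idx] = copy;
    t->count++;
    if (newElement) *newElement = 1;
    return copy;
}

void *LookupElementGenericTable(const GenericTable *t, const void *key)
{
    int found;
    size_t idx = find_slot(t, key, &found);
    return found ? t->elements[idx] : NULL;
}

int DeleteElementGenericTable(GenericTable *t, const void *key)
{
    int found;
    size_t idx = find_slot(t, key, &found);
    if (!found) return 0;
    free(t->elements[idx]);
    memmove(&t->elements[idx], &t->elements[idx + 1], (t->count - idx - 1) * sizeof(void *));
    t->count--;
    return 1;
}

size_t NumberGenericTableElements(const GenericTable *t) { return t->count; }

/* Direct access by position; NULL when the index is out of range. */
void *GetElementGenericTable(const GenericTable *t, size_t index)
{
    return index < t->count ? t->elements[index] : NULL;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Exercises the model on constructed sample data. Returns
 * count * 100 + element[1] after the deletion: 2 * 100 + 42 = 242. */
int demo(void)
{
    GenericTable t;
    int vals[] = {42, 7, 19, 7};          /* constructed sample; 7 is a duplicate */
    int isNew = -1, key = 19;
    InitializeGenericTable(&t, sizeof(int), cmp_int);
    for (size_t i = 0; i < 4; i++) InsertElementGenericTable(&t, &vals[i], &isNew);
    if (isNew != 0) return -1;           /* last insert (second 7) must be rejected */
    if (!LookupElementGenericTable(&t, &key)) return -2;
    DeleteElementGenericTable(&t, &key);
    if (GetElementGenericTable(&t, 2) != NULL) return -3; /* out of range after delete */
    int result = (int)NumberGenericTableElements(&t) * 100 + *(int *)GetElementGenericTable(&t, 1);
    for (size_t i = 0; i < t.count; i++) free(t.elements[i]);
    free(t.elements);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

Reading the model against the real disassembly later in the chapter is the point: wherever the model's layout differs from what the code does, the difference marks a place where a name-based guess was wrong.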
Generally speaking, reversing sessions start with data—we must figure out
the key data structures that are managed by the code. Because of this, it would
be a good idea to start with RtlInitializeGenericTable, in the hope that
it would shed some light on the generic table data structures.
As I’ve already explained, I will be relying exclusively on offline code analysis,
and not on live debugging. If you want to try out the generic table code in a
debugger, you can use GenericTable.EXE, which is a little program I have
written based on my findings after reversing the generic table API. If you didn’t
have GenericTable.EXE, you’d have to either rely exclusively on a dead listing,
or find some other piece of code that uses the generic table. In a quick search
I conducted, I was only able to find kernel-mode components that do that (the
generic table also has a kernel-mode implementation inside the Windows kernel),
but no user-mode components. GenericTable.EXE is available along
with its source code on this book’s Web site at http://www.wiley.com/go/eeilam.
The following reversing session delves into each of the important functions in
the generic table API and demonstrates its inner workings. It should be noted
that I will be going a bit farther than I have to, just to demonstrate what can be
achieved using advanced reverse-engineering techniques. If this were a real
reversing session in which you simply needed the function prototypes in order
to make use of the generic table API, you could probably stop a lot sooner, as
soon as you had all of those function prototypes. In this session, I will proceed to
go after the exact layout of the generic table data structures, but this is only done
in order to demonstrate some of the more advanced reversing techniques.

RtlInitializeGenericTable


As I’ve said earlier, the best place to start the investigation of the generic table
API is through its data structures. Even though you don’t necessarily need to
know everything about their layout, getting a general idea regarding their contents
might help you figure out the purpose of the API. Having said that, let’s
start the investigation from a function that (judging from its name) is very
likely to provide a few hints regarding those data structures: RtlInitializeGenericTable.
What follows is a disassembly of RtlInitializeGenericTable, generated
by OllyDbg (see Listing 5.1).

146 Chapter 5
