Reversing : The Hacker's Guide to Reverse Engineering

UnknownStruct->Member7 = Param2;
UnknownStruct->Member8 = Param3;

Let’s proceed to the next section of RtlInitializeGenericTable.

7C921A5C MOV ECX,DWORD PTR SS:[EBP+14]
7C921A5F MOV DWORD PTR DS:[EAX+20],ECX
7C921A62 MOV ECX,DWORD PTR SS:[EBP+18]
7C921A65 MOV DWORD PTR DS:[EAX+14],EDX
7C921A68 MOV DWORD PTR DS:[EAX+10],EDX
7C921A6B MOV DWORD PTR DS:[EAX+24],ECX

This is pretty much the same as before—the rest of the structure is being initialized. In this section, offset +20 is initialized to the value of the fourth parameter, offset +14 and +10 are both initialized to zero, and offset +24 is initialized to the value of the fifth parameter.
This concludes the structure initialization sequence in RtlInitializeGenericTable. Unfortunately, without looking at live values passed into this function in a debugger, you know little about the data types of the parameters or of the structure members. What you do know is that the structure is most likely 40 bytes long. You know this because the last offset that is accessed is +24. This means that the structure is 28 bytes long (in hexadecimal), which is 40 bytes in decimal. If you work with the assumption that each member in the structure is 4 bytes long, you can assume that our structure has 10 members. At this point, you can create a vague definition of the structure, which you will hopefully be able to improve on later.


/* Placeholder types so the declaration compiles; on the 32-bit target
   every member is assumed to be 4 bytes wide. */
typedef unsigned int UNKNOWN;   /* 4 bytes on 32-bit x86 */
typedef void *UNKNOWN_PTR;      /* 4 bytes on 32-bit x86 */

struct TABLE
{
    UNKNOWN     Member1;    /* offset +0  */
    UNKNOWN_PTR Member2;    /* offset +4  */
    UNKNOWN_PTR Member3;    /* offset +8  */
    UNKNOWN_PTR Member4;    /* offset +C  */
    UNKNOWN     Member5;    /* offset +10, initialized to zero */
    UNKNOWN     Member6;    /* offset +14, initialized to zero */
    UNKNOWN     Member7;    /* offset +18, = Param2 */
    UNKNOWN     Member8;    /* offset +1C, = Param3 */
    UNKNOWN     Member9;    /* offset +20, = fourth parameter */
    UNKNOWN     Member10;   /* offset +24, = fifth parameter */
};
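The size and member-count reasoning above can be checked mechanically rather than by hand. The following C program is an added example, not code from the book: it takes the structure offsets written by the disassembly quoted in this section (a constructed list: +18 and +1C from the two assignments at the top of the page, and +20, +14, +10, +24 from the listing), infers the minimum structure size from the highest offset touched, derives the member count under the 4-bytes-per-member assumption, and then uses offsetof to confirm that a candidate C declaration actually places each member where the code accesses it. The TABLE32 type, its member names and the all-32-bit modelling are assumptions made here so the layout matches 32-bit x86 even when compiled on a 64-bit host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Candidate layout for the 40-byte structure reconstructed in the text
   (added example). Every member is modelled as a 32-bit value so the
   layout matches the 32-bit x86 code being disassembled even when this
   file is compiled on a 64-bit host (a real pointer would be 8 bytes there). */
typedef struct TABLE32 {
    uint32_t Member1;   /* +00 */
    uint32_t Member2;   /* +04  UNKNOWN_PTR in the text */
    uint32_t Member3;   /* +08  UNKNOWN_PTR */
    uint32_t Member4;   /* +0C  UNKNOWN_PTR */
    uint32_t Member5;   /* +10  set to 0 */
    uint32_t Member6;   /* +14  set to 0 */
    uint32_t Member7;   /* +18  = Param2 */
    uint32_t Member8;   /* +1C  = Param3 */
    uint32_t Member9;   /* +20  = fourth parameter */
    uint32_t Member10;  /* +24  = fifth parameter */
} TABLE32;

/* Constructed list of the structure offsets written by the
   RtlInitializeGenericTable excerpt quoted in the text. */
static const unsigned observed_offsets[] = { 0x18, 0x1C, 0x20, 0x14, 0x10, 0x24 };

/* Largest offset touched plus the width of that access gives the
   minimum size the structure must have. */
unsigned infer_struct_size(const unsigned *offsets, size_t n, unsigned access_width)
{
    unsigned max_off = 0;
    for (size_t i = 0; i < n; i++)
        if (offsets[i] > max_off)
            max_off = offsets[i];
    return max_off + access_width;
}

/* Number of members under the "every member is 4 bytes" assumption. */
unsigned infer_member_count(unsigned struct_size, unsigned member_size)
{
    return struct_size / member_size;
}

/* Convert a disassembly offset such as [EAX+24] into a 1-based member
   number so it can be matched against the reconstructed declaration. */
unsigned member_number_for_offset(unsigned offset, unsigned member_size)
{
    return offset / member_size + 1;
}

/* Sanity check: the C declaration must place each member exactly where
   the disassembly accesses it, otherwise the reconstruction is wrong. */
int layout_matches_disassembly(void)
{
    return sizeof(TABLE32) == 40
        && offsetof(TABLE32, Member5)  == 0x10
        && offsetof(TABLE32, Member6)  == 0x14
        && offsetof(TABLE32, Member7)  == 0x18
        && offsetof(TABLE32, Member8)  == 0x1C
        && offsetof(TABLE32, Member9)  == 0x20
        && offsetof(TABLE32, Member10) == 0x24;
}

int main(void)
{
    size_t n = sizeof observed_offsets / sizeof observed_offsets[0];
    unsigned size = infer_struct_size(observed_offsets, n, 4);
    printf("inferred size: 0x%X (%u bytes), %u members, layout ok: %d\n",
           size, size, infer_member_count(size, 4), layout_matches_disassembly());
    return 0;
}
```

Running the program reports 0x28 (40 bytes) and 10 members, and the offsetof check passes; if a later session in a debugger showed, say, a 2-byte member, the declaration would be adjusted and this check would immediately flag any member that drifted away from its observed offset.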

RtlNumberGenericTableElements


Let’s proceed to investigate what is hopefully a simple function: RtlNumberGenericTableElements. The idea is that if the root data structure has a member that represents the total number of elements in the table, this function would expose it. If not, this function would iterate through all the elements


Beyond the Documentation 151