Reversing : The Hacker's Guide to Reverse Engineering

7C96253D JNZ SHORT ntdll.7C96253A
7C96253F JMP SHORT ntdll.7C96254E
7C962541 TEST EDX,EDX
7C962543 LEA EAX,DWORD PTR [ECX+4]
7C962546 JE SHORT ntdll.7C96254E
7C962548 DEC EDX
7C962549 MOV EAX,DWORD PTR [EAX+4]
7C96254C JNZ SHORT ntdll.7C962548
7C96254E MOV DWORD PTR [ECX+C],EAX
7C962551 MOV DWORD PTR [ECX+10],EBX
7C962554 ADD EAX,0C
7C962557 JMP SHORT ntdll.7C96255B
7C962559 XOR EAX,EAX
7C96255B POP EDI
7C96255C POP ESI
7C96255D POP EBX
7C96255E POP EBP
7C96255F RET 8

Listing 5.2 (continued)


As you can see, RtlGetElementGenericTable is a somewhat more
involved function compared to the ones you’ve looked at so far. The following
sections provide a detailed analysis of the disassembled code from Listing 5.2.


Setup and Initialization

Just like the previous APIs, RtlGetElementGenericTable starts with a
conventional stack frame setup sequence. This tells you that this function's
parameters are going to be accessed using EBP instead of ESP. Let's examine
the first few lines of RtlGetElementGenericTable.


7C9624E3 MOV ECX,DWORD PTR [EBP+8]
7C9624E6 MOV EDX,DWORD PTR [ECX+14]
7C9624E9 MOV EAX,DWORD PTR [ECX+C]

Generic table APIs all seem to take the root table data structure as their first
parameter, and there is no reason to assume that RtlGetElementGenericTable
is any different. In this sequence the function loads the root table pointer
(the first parameter, at [EBP+8]) into ECX, and then loads the value stored at
offset +14 into EDX. Recall that in the dissection of
RtlNumberGenericTableElements it was established that offset +14 contains the
total number of elements in the table. The next instruction loads the third
pointer of the three-pointer group, at offset +0C, into EAX. Let's proceed to
the next sequence.
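One habit worth forming when a disassembly starts juggling several offsets into one structure is to transcribe the fragment into C against a small hand-built memory image and run it, so that the pointer arithmetic can be checked instead of traced by eye. The program below does that for the tail of Listing 5.2 (7C962541 through 7C96255F) together with the offsets named above. It is an added example written for this page, not code from the book or from ntdll, and it is deliberately a literal, instruction-by-instruction emulation: the only offset the text has named is +14 (element count); treating +4/+8 as a Flink/Blink list head, the node layout, the sample addresses and the value in EBX (which is computed on the part of the listing that is not reproduced here) are all assumptions marked in the comments.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A tiny 32-bit "memory image" so that the listing's dword offsets can be used
 * unchanged on a 64-bit host.  Addresses are plain offsets into this array.
 * Everything placed in it below is constructed test data, not a real image. */
#define MEM_SIZE 0x200u
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t addr) {            /* MOV r32,DWORD PTR [addr] */
    assert(addr + 4 <= MEM_SIZE);
    return (uint32_t)mem[addr] | (uint32_t)mem[addr + 1] << 8 |
           (uint32_t)mem[addr + 2] << 16 | (uint32_t)mem[addr + 3] << 24;
}

static void wr32(uint32_t addr, uint32_t v) {    /* MOV DWORD PTR [addr],r32 */
    assert(addr + 4 <= MEM_SIZE);
    for (int i = 0; i < 4; i++)
        mem[addr + i] = (uint8_t)(v >> (8 * i));
}

/* Emulates 7C962541..7C96255F.  ecx holds the root table pointer loaded from
 * [EBP+8]; edx is the loop counter the earlier (unshown) code left in EDX;
 * ebx is whatever the unshown code left in EBX.  Returns the value in EAX at
 * the RET. */
static uint32_t walk_fragment(uint32_t ecx, uint32_t edx, uint32_t ebx) {
    uint32_t eax = ecx + 4;              /* 7C962543  LEA EAX,[ECX+4]         */
    if (edx != 0) {                      /* 7C962541  TEST EDX,EDX / JE ...   */
        do {
            edx--;                       /* 7C962548  DEC EDX                 */
            eax = rd32(eax + 4);         /* 7C962549  MOV EAX,[EAX+4]         */
        } while (edx != 0);              /* 7C96254C  JNZ 7C962548            */
    }
    wr32(ecx + 0x0C, eax);               /* 7C96254E  MOV [ECX+C],EAX         */
    wr32(ecx + 0x10, ebx);               /* 7C962551  MOV [ECX+10],EBX        */
    return eax + 0x0C;                   /* 7C962554  ADD EAX,0C ; ... RET 8  */
}

/* Constructed table: the root structure lives at 0x100 and three list nodes at
 * 0x20, 0x40, 0x60.  ASSUMPTION: the first two pointers of the three-pointer
 * group (+4, +8) behave as a LIST_ENTRY head (Flink, Blink) and each node
 * starts with its own Flink/Blink pair.  Only +14 (element count) is a field
 * the text has established. */
#define TABLE 0x100u
static uint32_t build_sample_table(void) {
    const uint32_t head = TABLE + 4;
    const uint32_t nodes[3] = { 0x20u, 0x40u, 0x60u };
    memset(mem, 0, sizeof mem);
    wr32(head + 0, nodes[0]);            /* head.Flink -> first node   */
    wr32(head + 4, nodes[2]);            /* head.Blink -> last node    */
    for (int i = 0; i < 3; i++) {
        uint32_t next = (i == 2) ? head : nodes[i + 1];
        uint32_t prev = (i == 0) ? head : nodes[i - 1];
        wr32(nodes[i] + 0, next);        /* node.Flink */
        wr32(nodes[i] + 4, prev);        /* node.Blink */
    }
    wr32(TABLE + 0x14, 3);               /* element count, read into EDX at 7C9624E6 */
    return TABLE;
}

int main(void) {
    uint32_t t = build_sample_table();
    uint32_t count = rd32(t + 0x14);     /* MOV EDX,[ECX+14] */
    for (uint32_t steps = 1; steps <= count; steps++) {
        uint32_t ret = walk_fragment(t, steps, steps);
        printf("steps=%u: [+C]=%#x  [+10]=%u  EAX at RET=%#x\n",
               steps, rd32(t + 0x0C), rd32(t + 0x10), ret);
    }
    return 0;
}
```

Running it makes the shape of the loop visible: starting from the address of the +4 slot, each iteration dereferences the second pointer of the current pair, so with one step it lands on the node the head's +8 pointer refers to, with two steps on the node before that, and so on; the result is cached at +C and EBX at +10, and the caller receives the node address plus 0xC. Whether the +4/+8 pair really is a Flink/Blink head, what the second pointer of each node means, and therefore which direction this walk runs through the table's insertion order, is exactly what the analysis of the remaining code in Listing 5.2 has to settle; the emulation only shows what the instructions do to whatever layout you give them. The edx == 0 path is also worth noting: it skips the loop and stores the address of the +4 slot itself (not a node) at +C.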


Beyond the Documentation 155