Reversing : The Hacker's Guide to Reverse Engineering

The next two instructions in the function are somewhat interesting.

7C924DC4 MOV EDI,DWORD PTR [EBP+8]
7C924DC7 LEA EAX,DWORD PTR [EBP+8]

The first line loads the value of the first parameter passed into the function
(we've already established that [ebp+8] is the address of the first parameter
in a function) into the local variable EDI. The second loads the pointer to the
first parameter into EAX. Notice the difference between the MOV and LEA
instructions in this sequence: MOV actually goes to memory and retrieves the
value pointed to by [ebp+8], while LEA simply calculates EBP + 8 and loads
that number into EAX without touching memory at all.
One question that quickly arises is whether EAX is another local variable,
just like EDI. In order to answer that, let's examine the code that immediately
follows.

7C924DCA PUSH EAX
7C924DCB PUSH DWORD PTR [EBP+C]
7C924DCE CALL ntdll.7C92147B

You can see that the first parameter pushed onto the stack is the value of
EAX, which strongly suggests that EAX was not assigned to a local variable
but was used as temporary storage by the compiler, because two instructions
were needed in order to push the pointer to the first parameter onto the
stack. This is a very common limitation in assembly language: most instruc-
tions aren't capable of taking an address calculation as an operand the way LEA
and MOV can. Because of this, the compiler must use MOV or LEA to store the
result in a register and then use that register in the instruction that follows.
To go back to the code, you can quickly see that there is a function, ntdll
.7C92147B, that takes two parameters. Remember that in the stdcall calling
convention (which is the convention used by most Windows code) parameters
are always pushed onto the stack in reverse order (right to left), so the first
PUSH instruction (the one that pushes EAX) is really pushing the second
parameter. The first parameter that ntdll.7C92147B receives is [ebp+C], which
is the second parameter that was passed to RtlInsertElementGenericTable.
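The following program is an added illustration, not code from the book or from ntdll: it models a 32-bit stack as an array of dwords, builds the stdcall frame that RtlInsertElementGenericTable would see, executes the four instructions above against that model, and then reads the two parameters from the callee's point of view. The parameter values (0x00401000, 0x0012FF40) and the return addresses are constructed placeholders; only the stack arithmetic and push order are what the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit x86 stack: 64 dwords, grows toward lower
 * addresses. "Addresses" are byte offsets from the start of mem[], so the
 * operand [EBP+8] is mem[(ebp + 8) / 4]. This is an illustration, not a CPU. */
#define STACK_DWORDS 64
#define STACK_BYTES  (STACK_DWORDS * 4)

typedef struct {
    uint32_t mem[STACK_DWORDS];
    uint32_t esp, ebp;          /* byte offsets into mem */
    uint32_t eax, edi;
} cpu_t;

static uint32_t rd(const cpu_t *c, uint32_t addr)          { return c->mem[addr / 4]; }
static void     wr(cpu_t *c, uint32_t addr, uint32_t v)    { c->mem[addr / 4] = v; }
static void     push(cpu_t *c, uint32_t v)                 { c->esp -= 4; wr(c, c->esp, v); }

/* What the modelled sequence produces, in the caller and in the callee. */
typedef struct {
    uint32_t caller_edi;    /* result of MOV EDI,DWORD PTR [EBP+8]  (a value)   */
    uint32_t caller_eax;    /* result of LEA EAX,DWORD PTR [EBP+8]  (an address) */
    uint32_t callee_param1; /* callee's [EBP+8]                                  */
    uint32_t callee_param2; /* callee's [EBP+0xC]                                */
} view_t;

/* Build the caller's frame as if it had been invoked stdcall with
 * (table, buffer), run the four instructions from the listing, then
 * perform the CALL and the callee's standard prologue. */
view_t run_sequence(uint32_t table, uint32_t buffer)
{
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.esp = STACK_BYTES;

    /* stdcall pushes right to left, so the last parameter goes first.
     * Only the two parameters the text discusses are modelled. */
    push(&c, buffer);        /* second parameter -> caller's [EBP+0xC] */
    push(&c, table);         /* first parameter  -> caller's [EBP+8]   */
    push(&c, 0x7C92ABCDu);   /* return address pushed by CALL (placeholder) */
    push(&c, 0);             /* PUSH EBP in the prologue (saved value arbitrary) */
    c.ebp = c.esp;           /* MOV EBP,ESP */

    /* 7C924DC4 MOV EDI,DWORD PTR [EBP+8]: goes to memory, fetches param 1 */
    c.edi = rd(&c, c.ebp + 8);
    /* 7C924DC7 LEA EAX,DWORD PTR [EBP+8]: pure arithmetic, no memory access */
    c.eax = c.ebp + 8;

    /* 7C924DCA PUSH EAX ; 7C924DCB PUSH DWORD PTR [EBP+C] ; 7C924DCE CALL */
    push(&c, c.eax);
    push(&c, rd(&c, c.ebp + 0xC));
    push(&c, 0x7C924DD3u);   /* return address pushed by CALL (placeholder) */

    /* Callee prologue: PUSH EBP / MOV EBP,ESP */
    push(&c, c.ebp);
    uint32_t callee_ebp = c.esp;

    view_t v;
    v.caller_edi    = c.edi;
    v.caller_eax    = c.eax;
    v.callee_param1 = rd(&c, callee_ebp + 8);    /* pushed last  = first param  */
    v.callee_param2 = rd(&c, callee_ebp + 0xC);  /* pushed first = second param */
    return v;
}

int main(void)
{
    view_t v = run_sequence(0x00401000u, 0x0012FF40u);
    printf("MOV EDI,[EBP+8]  -> EDI = %08X  (value of caller's param 1)\n", v.caller_edi);
    printf("LEA EAX,[EBP+8]  -> EAX = %08X  (address of caller's param 1 slot)\n", v.caller_eax);
    printf("callee [EBP+8]   = %08X  (caller's param 2)\n", v.callee_param1);
    printf("callee [EBP+0xC] = %08X  (pointer to caller's param 1)\n", v.callee_param2);
    return 0;
}
```

Running it shows EDI holding the parameter's value while EAX holds a small stack offset, and the callee's first parameter equal to the caller's second; the callee's second parameter is exactly the address LEA computed, which is the reason the compiler needed a scratch register in the first place.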

RtlLocateNodeGenericTable

Let's now follow the function call made from RtlInsertElementGenericTable
into ntdll.7C92147B and analyze that function, which I have tentatively
titled RtlLocateNodeGenericTable. The full disassembly of that function is
presented in Listing 5.6.

