Reversing : The Hacker's Guide to Reverse Engineering


the right node where to insert the element, surely this function must do the
actual insertion into the table.
Before looking at the implementation of the function, let's go back and look
at how it's called from RtlInsertElementGenericTable. Since you now
have some information on some of the data that RtlInsertElementGenericTable
deals with, you might be able to learn a bit about this function before
you even start actually disassembling it. Here's the sequence in
RtlInsertElementGenericTable that calls the function.


7C924DD3 PUSH EAX
7C924DD4 PUSH DWORD PTR [EBP+8]
7C924DD7 PUSH DWORD PTR [EBP+14]
7C924DDA PUSH DWORD PTR [EBP+10]
7C924DDD PUSH DWORD PTR [EBP+C]
7C924DE0 PUSH EDI
7C924DE1 CALL ntdll.7C924DF0

It appears that ntdll.7C924DF0 takes six parameters (six PUSHes immediately
precede the CALL). Remember that under the stdcall and cdecl conventions
arguments are pushed in reverse order, so the last PUSH before the CALL is the
first argument and the first PUSH is the last. Let's go over each one and see
if we can figure out what it contains.


Argument 6 This snippet starts right after the call to position the new
element, so the sixth argument (PUSH EAX) is essentially the return value from
ntdll.7C92147B, which could either be 1, 2, or 3.
Argument 5 This is the stack slot of the first parameter passed to
RtlInsertElementGenericTable ([EBP+8]). However, it no longer contains
the value passed to RtlInsertElementGenericTable from the
caller. It has been used for receiving a binary tree node pointer from the
search function. This is essentially the pointer to the node to which the
new element will be added.
Argument 4 This is the fourth parameter passed to
RtlInsertElementGenericTable ([EBP+14]). You don't currently know what it contains.
Argument 3 This is the third parameter passed to
RtlInsertElementGenericTable ([EBP+10]). You don't currently know what it contains.
Argument 2 Based on our previous assessment, the second parameter
passed to RtlInsertElementGenericTable ([EBP+C]) is the actual element
we'll be adding.
Argument 1 EDI contains the root table data structure.
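The argument recovery just performed by hand is mechanical enough to script. The following Python is an added example and not code from the book: it parses an OllyDbg-style listing (addresses and [EBP+xx] offsets in hex without a 0x prefix, as above), numbers the PUSHes right to left under the stdcall/cdecl convention, and translates each [EBP+offset] load into the caller's own parameter index, using the standard 32-bit frame layout (saved EBP at [EBP], return address at [EBP+4], first parameter at [EBP+8]). The function and variable names are my own, and the input is the call sequence quoted on this page.

```python
import re

# Constructed input: the call sequence quoted above (OllyDbg-style listing,
# hex offsets without a 0x prefix).
LISTING = """\
7C924DD3 PUSH EAX
7C924DD4 PUSH DWORD PTR [EBP+8]
7C924DD7 PUSH DWORD PTR [EBP+14]
7C924DDA PUSH DWORD PTR [EBP+10]
7C924DDD PUSH DWORD PTR [EBP+C]
7C924DE0 PUSH EDI
7C924DE1 CALL ntdll.7C924DF0
"""

PUSH_RE = re.compile(r"^[0-9A-F]+\s+PUSH\s+(.+?)\s*$", re.I)
CALL_RE = re.compile(r"^[0-9A-F]+\s+CALL\s+(\S+)", re.I)
EBP_RE = re.compile(r"\[EBP\+([0-9A-F]+)\]", re.I)


def caller_param_index(operand):
    """Map an [EBP+offset] operand to the caller's 1-based parameter index.

    Assumes a conventional 32-bit EBP frame: [EBP] holds the saved EBP,
    [EBP+4] the return address, so [EBP+8] is parameter 1, [EBP+C] parameter 2,
    and so on. Returns None for registers, locals (negative offsets) or
    anything not DWORD-aligned above the return address.
    """
    m = EBP_RE.search(operand)
    if not m:
        return None
    off = int(m.group(1), 16)  # listing offsets are hex without 0x
    if off < 8 or off % 4:
        return None
    return (off - 8) // 4 + 1


def recover_arguments(listing):
    """Return (callee, [(arg_number, operand, description), ...]).

    Arguments are pushed right to left, so the last PUSH before the CALL is
    argument 1 and the first PUSH is argument N. Every PUSH between the start
    of the listing and the CALL is assumed to be an argument (an assumption;
    see the usage note).
    """
    pushes = []
    callee = None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PUSH_RE.match(line)
        if m:
            pushes.append(m.group(1))
            continue
        m = CALL_RE.match(line)
        if m:
            callee = m.group(1)
            break
    n = len(pushes)
    args = []
    for i, operand in enumerate(pushes):
        argno = n - i  # first PUSH is the last argument
        idx = caller_param_index(operand)
        if idx is not None:
            desc = "value in caller's parameter slot #%d" % idx
        else:
            # A register: its contents were produced before the PUSH sequence
            # (here EAX is the previous CALL's return value, EDI the table).
            desc = "register %s (set before the push sequence)" % operand
        args.append((argno, operand, desc))
    args.sort()
    return callee, args


if __name__ == "__main__":
    callee, args = recover_arguments(LISTING)
    print("callee:", callee)
    for argno, operand, desc in args:
        print("  arg %d: %-20s %s" % (argno, operand, desc))
```

Running this over the listing gives arguments 1 through 6 as EDI, the caller's parameter slots 2, 3, 4 and 1, and EAX, which is exactly the assignment worked out above; note that slot 1 is reported as a slot, not as the original first parameter, because the script cannot know the slot was reused. Two caveats a practitioner should keep in mind: the push count is only a guess at the argument count until you confirm it, for a stdcall callee by its RET imm16 (0x18 bytes would match six DWORD arguments), for a cdecl callee by the ADD ESP,n after the CALL; and any instruction between the PUSHes and the CALL that writes to the stack would invalidate the mapping.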

Let's try to take all of this information and use it to make a temporary
prototype for this function.


UNKNOWN RtlRealInsertElementWorker(
TABLE *pTable,
PVOID ElementData,
UNKNOWN Unknown1,
UNKNOWN Unknown2,

Beyond the Documentation 179