NODE *pNode,
ULONG SearchResult
);
You now have some basic information on RtlRealInsertElementWorker. At this point, you’re ready to take on the complete listing and try to figure out exactly how it works. The full disassembly of RtlRealInsertElementWorker is presented in Listing 5.7.
7C924DF0 MOV EDI,EDI
7C924DF2 PUSH EBP
7C924DF3 MOV EBP,ESP
7C924DF5 CMP DWORD PTR [EBP+1C],1
7C924DF9 PUSH EBX
7C924DFA PUSH ESI
7C924DFB PUSH EDI
7C924DFC JE ntdll.7C935D5D
7C924E02 MOV EDI,DWORD PTR [EBP+10]
7C924E05 MOV ESI,DWORD PTR [EBP+8]
7C924E08 LEA EAX,DWORD PTR [EDI+18]
7C924E0B PUSH EAX
7C924E0C PUSH ESI
7C924E0D CALL DWORD PTR [ESI+1C]
7C924E10 MOV EBX,EAX
7C924E12 TEST EBX,EBX
7C924E14 JE ntdll.7C94D4BE
7C924E1A AND DWORD PTR [EBX+4],0
7C924E1E AND DWORD PTR [EBX+8],0
7C924E22 MOV DWORD PTR [EBX],EBX
7C924E24 LEA ECX,DWORD PTR [ESI+4]
7C924E27 MOV EDX,DWORD PTR [ECX+4]
7C924E2A LEA EAX,DWORD PTR [EBX+C]
7C924E2D MOV DWORD PTR [EAX],ECX
7C924E2F MOV DWORD PTR [EAX+4],EDX
7C924E32 MOV DWORD PTR [EDX],EAX
7C924E34 MOV DWORD PTR [ECX+4],EAX
7C924E37 INC DWORD PTR [ESI+14]
7C924E3A CMP DWORD PTR [EBP+1C],0
7C924E3E JE SHORT ntdll.7C924E88
7C924E40 CMP DWORD PTR [EBP+1C],2
7C924E44 MOV EAX,DWORD PTR [EBP+18]
7C924E47 JE ntdll.7C924F0C
7C924E4D MOV DWORD PTR [EAX+8],EBX
7C924E50 MOV DWORD PTR [EBX],EAX
7C924E52 MOV ESI,DWORD PTR [EBP+C]
7C924E55 MOV ECX,EDI
7C924E57 MOV EAX,ECX
Listing 5.7 Disassembly of function at ntdll.7C924DF0.
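The instructions visible in Listing 5.7 can be read back into C as follows. This is an added example, not code from the book or from ntdll; the struct, field and function names are assumptions, and the listing's 32-bit offsets appear only in comments. Branches whose targets lie outside the listing simply return in this model.

```c
#include <stddef.h>
#include <stdlib.h>

/* Names are assumptions; offsets in comments are the 32-bit ones the listing uses. */
struct list_entry { struct list_entry *flink, *blink; };
struct node {
    struct node *parent, *left, *right;                  /* +0, +4, +8 */
    struct list_entry link;                              /* +C */
};
struct table {
    struct list_entry head;                              /* +4  */
    unsigned long count;                                 /* +14 */
    void *(*alloc)(struct table *, unsigned long size);  /* +1C */
};

/* Models 7C924DF0..7C924E50 only. Returns the new node, or NULL where the listing
   leaves before linking one (targets 7C935D5D and 7C94D4BE are not shown). */
struct node *insert_visible_part(struct table *t, unsigned long data_size,
                                 struct node *pnode, unsigned long search_result)
{
    if (search_result == 1)                      /* CMP [EBP+1C],1 / JE 7C935D5D */
        return NULL;
    /* LEA EAX,[EDI+18] / CALL [ESI+1C]: header plus caller data; sizeof stands in for 0x18 */
    struct node *n = t->alloc(t, data_size + sizeof(struct node));
    if (n == NULL)                               /* TEST EBX,EBX / JE 7C94D4BE */
        return NULL;
    n->left = n->right = NULL;                   /* AND [EBX+4],0 / AND [EBX+8],0 */
    n->parent = n;                               /* MOV [EBX],EBX */
    struct list_entry *head = &t->head;          /* ECX = ESI+4 */
    struct list_entry *last = head->blink;       /* EDX = [ECX+4] */
    struct list_entry *e = &n->link;             /* EAX = EBX+C */
    e->flink = head;                             /* MOV [EAX],ECX */
    e->blink = last;                             /* MOV [EAX+4],EDX */
    last->flink = e;                             /* MOV [EDX],EAX */
    head->blink = e;                             /* MOV [ECX+4],EAX */
    t->count++;                                  /* INC [ESI+14] */
    if (search_result == 0 || search_result == 2)
        return n;                                /* continues at 7C924E88 / 7C924F0C, not shown */
    pnode->right = n;                            /* MOV [EAX+8],EBX */
    n->parent = pnode;                           /* MOV [EBX],EAX */
    return n;
}

/* Constructed harness: calloc-backed allocator and an empty (self-linked) list head. */
static void *demo_alloc(struct table *t, unsigned long size) { (void)t; return calloc(1, size); }
static void table_init(struct table *t)
{
    t->head.flink = t->head.blink = &t->head;
    t->count = 0;
    t->alloc = demo_alloc;
}
```

The four stores at 7C924E2D through 7C924E34 are a tail insertion into a circular doubly linked list, which is why the model keeps every node on the table's list in insertion order regardless of where it lands in the tree.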