issuhub.com

Reversing : The Hacker's Guide to Reverse Engineering

(ff) #1 
UNKNOWN NTAPI RtlInsertElementGenericTable(

TABLE *pTable,

PVOID ElementData,

ULONG DataLength,

BOOLEAN *pResult OPTIONAL,

);

At this point in the game, you’ve gained quite a bit of knowledge on this API

and associated data structures. There’s probably no real need to even try and

figure out each and every member in a node’s header, but let’s look at that

code sequence and try and figure out how the new element is linked into the

existing data structure.

Linking the Element

First of all, you can see that the function is accessing the element header

through EBX, and then it loads EAXwith EBX + c, and accesses members

through EAX. This indicates that there is some kind of a data structure at offset

+c of the element’s header. Why else would the compiler access these members

through another register? Why not just use EBXfor accessing all the members?

Also, you’re now seeing distinct proof that the generic table maintains both

a linked list and a tree. EAXis loaded with the starting address of the linked list

header (LIST_ENTRY *), and EBXis used for accessing the binary tree mem-

bers. The function checks the SearchResultparameter before the tree node

gets attached to the rest of the tree. If it is 0, the code jumps to ntdll

.7C924E88, which is right after the end of the function’s main body. Here is

the code for that condition.

7C924E88 MOV DWORD PTR [ESI],EBX

7C924E8A JMP SHORT ntdll.7C924E52

In this case, the node is attached as the root of the tree. If SearchResultis

nonzero, the code proceeds into what is clearly an if-elseblock that is

entered when SearchResult != 2. If that conditional block is entered

(when SearchResult != 2), the code takes the pNodeparameter (which is

the node that was found in RtlLocateNodeGenericTable), and attaches

the newly created node as the left child (offset +8). If SearchResult == 2,

the code jumps to the following sequence.

7C924F0C MOV DWORD PTR [EAX+4],EBX

7C924F0F JMP ntdll.7C924E50

Here the newly created element is attached as the right child of pNode(offset

+4). Clearly, the search result indicates whether the new element is smaller or

larger than the value represented by pNode. Immediately after the ‘if-else’

184 Chapter 5

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2025. All rights reserved.