Reversing : The Hacker's Guide to Reverse Engineering


Figure 5.5 Binary tree after splaying process. The new item is now the root node, and the rest
of the tree is centered on it.


From its name, you can guess that RtlLookupElementGenericTable performs
a binary tree search on the generic table, and that it probably takes the
TABLE structure and an element data pointer for its parameters. It appears that
the actual implementation resides in ntdll.7C9215DA, so let’s take a look at
that function. Notice the clever stack use in the call to this function. The first
two parameters are the same parameters that were passed to
RtlLookupElementGenericTable. The second two parameters are apparently
pointers to some kind of output values that ntdll.7C9215DA returns. They’re
apparently not used, but instead of allocating local variables that would
contain them, the compiler is simply using the stack area that was used for
passing parameters into the function. Those stack slots are no longer needed after
they are read and passed on to ntdll.7C9215DA. Listing 5.9 shows the
disassembly for ntdll.7C9215DA.
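
A source-level shape that would produce the call pattern described above, as an added example (not code from the book or from ntdll): a two-parameter wrapper forwards its arguments to a four-parameter worker and discards both outputs. All names, types and the meaning given to the two outputs are assumptions; once the wrapper has read its own arguments, an optimizing compiler is free to place the two unused locals in those incoming-parameter stack slots.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not the real ntdll layouts. */
typedef struct node { struct node *left, *right; int key; } node_t;
typedef struct { node_t *root; } table_t;
typedef enum { TABLE_EMPTY, FOUND, GO_LEFT, GO_RIGHT } outcome_t;

/* Worker in the role of ntdll.7C9215DA: two inputs, two outputs.
   The meaning given to the outputs here is an assumption. */
static void *lookup_worker(table_t *table, const int *key,
                           node_t **last_node, outcome_t *outcome)
{
    node_t *cur = table->root;
    *last_node = NULL;
    *outcome = TABLE_EMPTY;
    while (cur != NULL) {
        *last_node = cur;
        if (*key == cur->key) { *outcome = FOUND; return &cur->key; }
        if (*key < cur->key) { *outcome = GO_LEFT;  cur = cur->left; }
        else                 { *outcome = GO_RIGHT; cur = cur->right; }
    }
    return NULL;  /* not found; outputs describe where the search ended */
}

/* Wrapper in the role of RtlLookupElementGenericTable. */
void *lookup(table_t *table, const int *key)
{
    node_t *last_node;  /* written by the worker, never read here */
    outcome_t outcome;  /* written by the worker, never read here */
    return lookup_worker(table, key, &last_node, &outcome);
}

int main(void)
{
    /* Constructed three-node tree: 113 at the root, 58 and 130 below. */
    node_t l = {NULL, NULL, 58}, r = {NULL, NULL, 130}, root = {&l, &r, 113};
    table_t t = {&root};
    int k = 130;
    printf("130 %s\n", lookup(&t, &k) ? "found" : "missing");
    return 0;
}
```

In a disassembly, the tell is a pair of `lea` or equivalent address computations that point into the caller-supplied argument area and are pushed as the worker's third and fourth arguments.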


[Figure 5.5 diagram: binary tree with callouts "Root Node" and "Item We’ve Just Added".]

Beyond the Documentation 191