7C9215DA MOV EDI,EDI
7C9215DC PUSH EBP
7C9215DD MOV EBP,ESP
7C9215DF PUSH ESI
7C9215E0 MOV ESI,DWORD PTR [EBP+10]
7C9215E3 PUSH EDI
7C9215E4 MOV EDI,DWORD PTR [EBP+8]
7C9215E7 PUSH ESI
7C9215E8 PUSH DWORD PTR [EBP+C]
7C9215EB CALL ntdll.7C92147B
7C9215F0 TEST EAX,EAX
7C9215F2 MOV ECX,DWORD PTR [EBP+14]
7C9215F5 MOV DWORD PTR [ECX],EAX
7C9215F7 JE SHORT ntdll.7C9215FE
7C9215F9 CMP EAX,1
7C9215FC JE SHORT ntdll.7C921606
7C9215FE XOR EAX,EAX
7C921600 POP EDI
7C921601 POP ESI
7C921602 POP EBP
7C921603 RET 10
7C921606 PUSH DWORD PTR [ESI]
7C921608 CALL ntdll.RtlSplay
7C92160D MOV DWORD PTR [EDI],EAX
7C92160F MOV EAX,DWORD PTR [ESI]
7C921611 ADD EAX,18
7C921614 JMP SHORT ntdll.7C921600
Listing 5.9 Disassembly of ntdll.7C9215DA, tentatively titled RtlLookupElementGenericTableWorker.
At this point, you’re familiar enough with the generic table that you hardly need to investigate much about this function—we’ve discussed the two core functions that this API uses: RtlLocateNodeGenericTable (ntdll.7C92147B) and RtlSplay. RtlLocateNodeGenericTable is used for the actual locating of the element in question, just as it was used in RtlInsertElementGenericTable. After RtlLocateNodeGenericTable returns, RtlSplay is called because, as mentioned earlier, splay trees are always splayed after adding, removing, or searching for an element. Of course, RtlSplay is only actually called if RtlLocateNodeGenericTable locates the element sought.
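To tie the control flow of Listing 5.9 to something you can step through, here is a C model of the worker. It is written for this discussion and is not code from the book or from ntdll: it reproduces the branch structure of the listing (locate the node, test the result code, splay only on a hit, store the new root through the TABLE pointer, return node + 0x18) over a small splay tree of its own. The node layout, the result codes of the locate routine (0 = empty, 1 = found, 2 = not found), and the names LocateNode, Splay, LookupElementWorker, InsertElement and DemoLookup are assumptions made for the example, not the real ntdll definitions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Three tree links, in the order the splay code walks them (assumed layout). */
typedef struct _SPLAY_LINKS {
    struct _SPLAY_LINKS *Parent;
    struct _SPLAY_LINKS *LeftChild;
    struct _SPLAY_LINKS *RightChild;
} SPLAY_LINKS;

/* The element data sits 0x18 bytes past the node: this is the ADD EAX,18 in the listing. */
#define ELEMENT_OFFSET 0x18

typedef struct {
    SPLAY_LINKS *TableRoot;                        /* rewritten after every splay */
    int (*Compare)(const void *a, const void *b);  /* <0, 0, >0 like memcmp */
} GENERIC_TABLE;

static void *ElementOf(SPLAY_LINKS *node) { return (char *)node + ELEMENT_OFFSET; }

/* Model of RtlLocateNodeGenericTable. Assumed result codes: 0 = table empty,
 * 1 = element found, 2 = not found; *nodeOrParent gets the hit or the last node visited. */
static int LocateNode(GENERIC_TABLE *t, const void *buf, SPLAY_LINKS **nodeOrParent)
{
    SPLAY_LINKS *n = t->TableRoot;
    *nodeOrParent = NULL;
    if (n == NULL) return 0;
    for (;;) {
        int c = t->Compare(buf, ElementOf(n));
        *nodeOrParent = n;
        if (c == 0) return 1;
        SPLAY_LINKS *next = (c < 0) ? n->LeftChild : n->RightChild;
        if (next == NULL) return 2;
        n = next;
    }
}

/* Rotate x above its parent, keeping the grandparent's child pointer consistent. */
static void Rotate(SPLAY_LINKS *x)
{
    SPLAY_LINKS *p = x->Parent, *g = p->Parent;
    if (p->LeftChild == x) {
        p->LeftChild = x->RightChild;
        if (x->RightChild) x->RightChild->Parent = p;
        x->RightChild = p;
    } else {
        p->RightChild = x->LeftChild;
        if (x->LeftChild) x->LeftChild->Parent = p;
        x->LeftChild = p;
    }
    p->Parent = x;
    x->Parent = g;
    if (g) { if (g->LeftChild == p) g->LeftChild = x; else g->RightChild = x; }
}

/* Model of RtlSplay: move x to the root with zig / zig-zig / zig-zag steps and return it. */
static SPLAY_LINKS *Splay(SPLAY_LINKS *x)
{
    while (x->Parent) {
        SPLAY_LINKS *p = x->Parent, *g = p->Parent;
        if (g == NULL) Rotate(x);                                                /* zig */
        else if ((g->LeftChild == p) == (p->LeftChild == x)) { Rotate(p); Rotate(x); } /* zig-zig */
        else { Rotate(x); Rotate(x); }                                           /* zig-zag */
    }
    return x;
}

/* The worker from Listing 5.9, one statement per basic block. */
static void *LookupElementWorker(GENERIC_TABLE *t, const void *buf,
                                 SPLAY_LINKS **nodeOrParent, int *searchResult)
{
    *searchResult = LocateNode(t, buf, nodeOrParent);  /* CALL 7C92147B; MOV [ECX],EAX   */
    if (*searchResult != 1) return NULL;               /* JE; CMP EAX,1; JE; else XOR EAX,EAX */
    t->TableRoot = Splay(*nodeOrParent);               /* PUSH [ESI]; CALL RtlSplay; MOV [EDI],EAX */
    return ElementOf(*nodeOrParent);                   /* MOV EAX,[ESI]; ADD EAX,18      */
}

/* Plain insert without a splay, used only to build a tree for the demo. */
static void *InsertElement(GENERIC_TABLE *t, const void *buf, size_t size)
{
    SPLAY_LINKS *parent;
    int r = LocateNode(t, buf, &parent);
    if (r == 1) return ElementOf(parent);
    SPLAY_LINKS *n = calloc(1, ELEMENT_OFFSET + size);
    if (n == NULL) return NULL;
    memcpy(ElementOf(n), buf, size);
    n->Parent = parent;
    if (r == 0) t->TableRoot = n;
    else if (t->Compare(buf, ElementOf(parent)) < 0) parent->LeftChild = n;
    else parent->RightChild = n;
    return ElementOf(n);
}

static void FreeTree(SPLAY_LINKS *n)
{
    if (n == NULL) return;
    FreeTree(n->LeftChild); FreeTree(n->RightChild); free(n);
}

static int CompareInt(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Builds a table from the constructed keys {50,20,70,10,30}, looks up `key`, and reports
 * the locate result and which key ended up at the root. Returns the found value or -1. */
int DemoLookup(int key, int *searchResult, int *rootKeyAfter)
{
    GENERIC_TABLE t = { NULL, CompareInt };
    int keys[] = { 50, 20, 70, 10, 30 };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        InsertElement(&t, &keys[i], sizeof keys[i]);
    SPLAY_LINKS *nodeOrParent;
    int *found = LookupElementWorker(&t, &key, &nodeOrParent, searchResult);
    int value = found ? *found : -1;
    *rootKeyAfter = t.TableRoot ? *(int *)ElementOf(t.TableRoot) : -1;
    FreeTree(t.TableRoot);
    return value;
}
```

The point to notice is the asymmetry the listing encodes: a successful lookup changes the table (the found node is splayed to the root and the new root is written back through the first parameter), while a miss leaves the tree untouched and returns NULL without calling RtlSplay at all. That is why DemoLookup reports the root key after the call: on a hit it equals the key just looked up, on a miss it is still whatever was at the root before.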
Based on the parameters passed into RtlLocateNodeGenericTable, you can immediately see that RtlLookupElementGenericTable takes the TABLE pointer and the Element pointer as its two parameters. As for the return value, the add eax, 18 shows that the function takes the located node
192 Chapter 5