and skips its header to get to the return value. As you would expect, this func-
tion returns the pointer to the found element’s data.
RtlDeleteElementGenericTable
So we’ve covered the basic usage cases of adding, retrieving, and searching for
elements in the generic table. One case that hasn’t been covered yet is deletion.
How are elements deleted from the generic table? Let’s take a quick look at
RtlDeleteElementGenericTable.
7C924FFF MOV EDI,EDI
7C925001 PUSH EBP
7C925002 MOV EBP,ESP
7C925004 PUSH EDI
7C925005 MOV EDI,DWORD PTR [EBP+8]
7C925008 LEA EAX,DWORD PTR [EBP+C]
7C92500B PUSH EAX
7C92500C PUSH DWORD PTR [EBP+C]
7C92500F CALL ntdll.7C92147B
7C925014 TEST EAX,EAX
7C925016 JE SHORT ntdll.7C92504E
7C925018 CMP EAX,1
7C92501B JNZ SHORT ntdll.7C92504E
7C92501D PUSH ESI
7C92501E MOV ESI,DWORD PTR [EBP+C]
7C925021 PUSH ESI
7C925022 CALL ntdll.RtlDelete
7C925027 MOV DWORD PTR [EDI],EAX
7C925029 MOV EAX,DWORD PTR [ESI+C]
7C92502C MOV ECX,DWORD PTR [ESI+10]
7C92502F MOV DWORD PTR [ECX],EAX
7C925031 MOV DWORD PTR [EAX+4],ECX
7C925034 DEC DWORD PTR [EDI+14]
7C925037 AND DWORD PTR [EDI+10],0
7C92503B PUSH ESI
7C92503C LEA EAX,DWORD PTR [EDI+4]
7C92503F PUSH EDI
7C925040 MOV DWORD PTR [EDI+C],EAX
7C925043 CALL DWORD PTR [EDI+20]
7C925046 MOV AL,1
7C925048 POP ESI
7C925049 POP EDI
7C92504A POP EBP
7C92504B RET 8
7C92504E XOR AL,AL
7C925050 JMP SHORT ntdll.7C925049Listing 5.10 Disassembly of RtlDeleteElementGenericTable.
Beyond the Documentation 193