Case Study: The Generic Table API in NTDLL.DLL
Let’s dive headfirst into our very first hands-on reverse-engineering session.
In this session, I will be taking an undocumented group of Windows APIs and
analyzing them until I gather enough information to use them in my own
code. In fact, I’ve actually written a little program that uses these APIs, in order
to demonstrate that it’s really possible. Of course, the purpose of this chapter
is not to serve as a guide for this particular API, but rather to provide a live
demonstration of how reversing is performed on real-world code.
The particular API chosen for this chapter is the generic table API. This API is
considered part of the Windows native API, which was discussed in Chapter 3.
The native API contains numerous APIs with different prefixes for different
groups of functions. For this exercise, I’ve chosen a set of functions from the
RTL group. These are the runtime library functions that typically aren’t used
for communicating with the operating system, but simply as a toolkit containing
commonly required services such as string manipulation, data management,
and so on.
Once you’ve locked on to the generic table API, the next step is to look
through the list of exported symbols in NTDLL.DLL (which is where the
generic table API is implemented) for every function that might be relevant. In
this particular case any function that starts with the letters Rtl and mentions
a generic table would probably be of interest. After dumping the NTDLL.DLL
exports using DUMPBIN (see the section on DUMPBIN in Chapter 4) I searched
for any Rtl APIs that contain the term GenericTable in them. I came up
with the following function names.
RtlNumberGenericTableElements
RtlDeleteElementGenericTable
RtlGetElementGenericTable
RtlEnumerateGenericTable
RtlEnumerateGenericTableLikeADirectory
RtlEnumerateGenericTableWithoutSplaying
RtlInitializeGenericTable
RtlIsGenericTableEmpty
RtlInsertElementGenericTable
RtlLookupElementGenericTable
If you try this by yourself and go through the NTDLL.DLL export list, you’ll
probably notice that there are also versions of most of these APIs that have the
suffix Avl. Since the generic table API is large enough as it is, I’ll just ignore
these functions for the purposes of this discussion.
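The export-list search described above (filter the DUMPBIN /EXPORTS dump for Rtl functions mentioning GenericTable, and set the Avl variants aside) can be automated. The following script is an added example, not code from the book; the ordinal, hint and RVA values in the embedded sample are constructed and the column layout is assumed to match DUMPBIN's "ordinal hint RVA name" export table.

```python
import re

# Constructed sample in the shape of DUMPBIN /EXPORTS output. The names are
# the ones discussed in the text; ordinals, hints and RVAs are made up.
SAMPLE_DUMPBIN_EXPORTS = """\
    ordinal hint RVA      name

        611  262 0003E2A0 RtlDeleteElementGenericTable
        612  263 0003E2F0 RtlDeleteElementGenericTableAvl
        613  264 0003F100 RtlEnumerateGenericTable
        614  265 0003F1C0 RtlEnumerateGenericTableAvl
        615  266 0003F280 RtlEnumerateGenericTableLikeADirectory
        616  267 0003F340 RtlEnumerateGenericTableWithoutSplaying
        617  268 0003F400 RtlGetElementGenericTable
        618  269 0003F4C0 RtlInitializeGenericTable
        619  26A 0003F580 RtlInsertElementGenericTable
        620  26B 0003F640 RtlIsGenericTableEmpty
        621  26C 0003F700 RtlLookupElementGenericTable
        622  26D 0003F7C0 RtlNumberGenericTableElements
        623  26E 00040000 RtlInitString
        624  26F 00040100 NtCreateFile
"""

# One export row: decimal ordinal, hex hint, 8-digit hex RVA, symbol name.
# Header lines and blank lines do not match and are skipped.
EXPORT_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_exports(text):
    """Return (ordinal, hint, rva, name) tuples for each export row in text."""
    rows = []
    for line in text.splitlines():
        m = EXPORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2), 16),
                         int(m.group(3), 16), m.group(4)))
    return rows


def find_generic_table_apis(text, prefix="Rtl", keyword="GenericTable"):
    """Names starting with prefix and containing keyword, split into the
    plain generic-table set and the Avl-suffixed variants (both sorted)."""
    base, avl = [], []
    for _, _, _, name in parse_exports(text):
        if name.startswith(prefix) and keyword in name:
            (avl if name.endswith("Avl") else base).append(name)
    return sorted(base), sorted(avl)


if __name__ == "__main__":
    plain, avl_variants = find_generic_table_apis(SAMPLE_DUMPBIN_EXPORTS)
    print("\n".join(plain))
    print("Avl variants set aside:", ", ".join(avl_variants))
```

On a real dump, run `dumpbin /exports ntdll.dll` and feed the captured text to `find_generic_table_apis` instead of the sample.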
Beyond the Documentation 145