Reversing : The Hacker's Guide to Reverse Engineering

and just count them while doing that. The following is the OllyDbg output for
RtlNumberGenericTableElements.

RtlNumberGenericTableElements:
7C923FD2 PUSH EBP
7C923FD3 MOV EBP,ESP
7C923FD5 MOV EAX,DWORD PTR [EBP+8]
7C923FD8 MOV EAX,DWORD PTR [EAX+14]
7C923FDB POP EBP
7C923FDC RET 4

Well, it seems that the question has been answered. This function simply
takes a pointer to what one can only assume is the same structure as before,
and returns whatever is in offset +14. Clearly, offset +14 contains the number
of elements in a generic table data structure. Let's update the definition of the
TABLE structure.

struct TABLE
{
    UNKNOWN Member1;
    UNKNOWN_PTR Member2;
    UNKNOWN_PTR Member3;
    UNKNOWN_PTR Member4;
    UNKNOWN Member5;
    ULONG NumberOfElements;
    UNKNOWN Member7;
    UNKNOWN Member8;
    UNKNOWN Member9;
    UNKNOWN Member10;
};

RtlIsGenericTableEmpty

There is one other (hopefully) trivial function in the generic table API that
might shed some light on the data structure: RtlIsGenericTableEmpty. Of
course, it is also possible that RtlIsGenericTableEmpty uses the same
NumberOfElements member used in RtlNumberGenericTableElements.
Let's take a look.

RtlIsGenericTableEmpty:
7C92715B PUSH EBP
7C92715C MOV EBP,ESP
7C92715E MOV ECX,DWORD PTR [EBP+8]
7C927161 XOR EAX,EAX
7C927163 CMP DWORD PTR [ECX],EAX
7C927165 SETE AL
7C927168 POP EBP
7C927169 RET 4
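As an added example (not code from the book), the two listings above translated back into C. Every member is modelled as a 32-bit field so that offsetof reproduces the [EAX+14] and [ECX] displacements on any host, and the member names are the text's placeholders, not real ntdll names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reconstructed TABLE layout. UNKNOWN and UNKNOWN_PTR are both 4 bytes on
 * 32-bit Windows, so each member is a uint32_t here and the offsets match the
 * disassembly even when this file is compiled on a 64-bit host. */
typedef struct TABLE {
    uint32_t Member1;           /* +0x00: the DWORD that RtlIsGenericTableEmpty tests against zero */
    uint32_t Member2;           /* +0x04 */
    uint32_t Member3;           /* +0x08 */
    uint32_t Member4;           /* +0x0C */
    uint32_t Member5;           /* +0x10 */
    uint32_t NumberOfElements;  /* +0x14: the DWORD RtlNumberGenericTableElements returns */
    uint32_t Member7;           /* +0x18 */
    uint32_t Member8;           /* +0x1C */
    uint32_t Member9;           /* +0x20 */
    uint32_t Member10;          /* +0x24 */
} TABLE;

/* The listing reads [EAX+14] (hex). Compilation fails if the reconstructed
 * layout ever drifts away from that offset. */
_Static_assert(offsetof(TABLE, NumberOfElements) == 0x14, "NumberOfElements must sit at +0x14");
_Static_assert(offsetof(TABLE, Member1) == 0x00, "Member1 must sit at +0x00");

/* Which 1-based DWORD member a [reg+disp] access touches: disp / 4 + 1. */
size_t member_index_for_displacement(size_t disp) { return disp / sizeof(uint32_t) + 1; }

/* C equivalent of RtlNumberGenericTableElements:
 *   MOV EAX,[EBP+8]  (EAX = table)   MOV EAX,[EAX+14]  (return table->NumberOfElements) */
uint32_t rtl_number_generic_table_elements(const TABLE *table) { return table->NumberOfElements; }

/* C equivalent of RtlIsGenericTableEmpty:
 *   XOR EAX,EAX ; CMP [ECX],EAX ; SETE AL   ->   AL = (table->Member1 == 0) */
bool rtl_is_generic_table_empty(const TABLE *table) { return table->Member1 == 0; }

/* Constructed sample tables for the demo; the values are made up, not dumped from ntdll. */
const TABLE SAMPLE_EMPTY  = { 0 };
const TABLE SAMPLE_FILLED = { .Member1 = 0x00401000u, .NumberOfElements = 3 };

int main(void) {
    printf("NumberOfElements is at +0x%zx, i.e. member %zu\n",
           offsetof(TABLE, NumberOfElements), member_index_for_displacement(0x14));
    printf("filled table: count=%u empty=%d\n",
           rtl_number_generic_table_elements(&SAMPLE_FILLED), rtl_is_generic_table_empty(&SAMPLE_FILLED));
    printf("empty table:  count=%u empty=%d\n",
           rtl_number_generic_table_elements(&SAMPLE_EMPTY), rtl_is_generic_table_empty(&SAMPLE_EMPTY));
    return 0;
}
```

Note that the second listing never touches +0x14: it compares the first DWORD of the structure with zero, so emptiness is decided by Member1, not by NumberOfElements.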

152 Chapter 5
