Reversing : The Hacker's Guide to Reverse Engineering

7C92147B MOV EDI,EDI
7C92147D PUSH EBP
7C92147E MOV EBP,ESP
7C921480 PUSH ESI
7C921481 MOV ESI,DWORD PTR [EDI]
7C921483 TEST ESI,ESI
7C921485 JE ntdll.7C924E8C
7C92148B LEA EAX,DWORD PTR [ESI+18]
7C92148E PUSH EAX
7C92148F PUSH DWORD PTR [EBP+8]
7C921492 PUSH EDI
7C921493 CALL DWORD PTR [EDI+18]
7C921496 TEST EAX,EAX
7C921498 JE ntdll.7C924F14
7C92149E CMP EAX,1
7C9214A1 JNZ SHORT ntdll.7C9214BB
7C9214A3 MOV EAX,DWORD PTR [ESI+8]
7C9214A6 TEST EAX,EAX
7C9214A8 JNZ ntdll.7C924F22
7C9214AE PUSH 3
7C9214B0 POP EAX
7C9214B1 MOV ECX,DWORD PTR [EBP+C]
7C9214B4 MOV DWORD PTR [ECX],ESI
7C9214B6 POP ESI
7C9214B7 POP EBP
7C9214B8 RET 8
7C9214BB XOR EAX,EAX
7C9214BD INC EAX
7C9214BE JMP SHORT ntdll.7C9214B1

Listing 5.6 Disassembly of the internal, nonexported function at ntdll.7C92147B.


Before even beginning to reverse this function, there are a couple of slight
oddities in the very first few lines of Listing 5.6 that must be considered.
Notice the first line: MOV EDI,EDI. It does nothing! It is essentially dead code
that the compiler emits as a placeholder, in case someone wants to trap this
function (Microsoft calls the mechanism hot patching). Trapping means that some
external component overwrites the placeholder with a JMP instruction, so that it
is notified whenever the trapped function is called. A two-byte instruction that
does nothing was chosen deliberately: it can be replaced by a two-byte short JMP
in a single write, with no risk of a thread executing a half-patched instruction,
which two single-byte NOPs could not guarantee. By placing this instruction at
the beginning of every function, Microsoft essentially set up an infrastructure
for trapping functions inside NTDLL. Note that these placeholders are only present
in more recent versions of Windows (in Windows XP, they were introduced in
Service Pack 2), so you may or may not see them on your system.
The next few lines also exhibit a peculiarity. After setting up the traditional
stack frame, the function reads a value from the memory that EDI points to
(MOV ESI,DWORD PTR [EDI]), even though that register has not been written by
this function up to this point. Isn't EDI's value just going to be random at
this point?


Beyond the Documentation 171