You might have noticed an interesting fact: the address ntdll.7C924E8C
is far away from the address of the current code you’re looking at! In fact,
that code was not even included in Listing 5.6; it resides in an entirely
separate region of the executable file. How can that be? Why would a function
be scattered throughout the module like that? The reason has to do with the
way Windows manages memory.
Remember we talked about working sets in Chapter 3? When an executable
module is built, one of the primary concerns is to arrange it so that it
consumes as little physical memory as possible while it is loaded. Because
Windows brings a page into physical memory only when it is actually touched,
this module (and pretty much every other component in Windows) is laid out so
that frequently executed code is packed together at the beginning of the
module, while rarely executed code sequences are pushed toward the end, where
their pages may never be faulted in at all. This process is called
working-set tuning, and is discussed in detail in Appendix A.
For now, just think about what you can learn from the fact that this
conditional block has been relocated to a higher memory address. It most
likely means that the block is rarely executed! Granted, there are various
reasons why a particular conditional block might rarely be executed, but there
is one primary explanation that is probably true for 90 percent of such
blocks: the block implements some sort of error-handling code. Error handling
is the typical case of a conditional branch that is rarely, if ever, actually
taken.
Let’s now proceed to examine the code at ntdll.7C924E8C and see if it is
indeed an error-handling statement.
7C924E8C XOR EAX,EAX                 ; return value = 0
7C924E8E JMP ntdll.7C9214B6          ; back to the function’s epilogue
As expected, all this sequence does is set EAX to zero and jump back to the
function’s epilogue. Again, this is not definite, but all the evidence
indicates that this is an error condition: a rarely taken branch that produces
a zero (failure) return value.
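The reasoning above can be mechanized. The following script is an added example, not code from the book: it parses an OllyDbg-style listing, flags every conditional jump whose target lies far from the jump site (the "relocated to a higher address" signal produced by working-set tuning), and then inspects the target block for the shape just seen, EAX set to zero followed by a JMP back into the function. The listing it runs on is constructed for illustration (module name "demo", all addresses and instructions made up, not taken from ntdll), and the 0x1000-byte distance threshold is an assumption you would tune per module.

```python
"""Triage far-away conditional blocks in an OllyDbg-style listing.

Added example, not from the book. Heuristic: a conditional jump whose target
was pushed far away by working-set tuning is usually an error path; the block
"XOR EAX,EAX / JMP back into the function" strengthens that guess.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# x86 conditional-jump mnemonics as OllyDbg prints them.
COND_JUMPS = {
    "JE", "JNE", "JZ", "JNZ", "JA", "JAE", "JB", "JBE", "JG", "JGE", "JL", "JLE",
    "JS", "JNS", "JO", "JNO", "JP", "JNP", "JPE", "JPO", "JC", "JNC", "JNA", "JNB",
}

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.*))?$")   # ADDR MNEMONIC OPERANDS
TARGET_RE = re.compile(r"(?:[A-Za-z0-9_]+\.)?([0-9A-Fa-f]{8})$")  # module.ADDR

# Constructed listing: "demo" module, every address and instruction is made up.
SAMPLE_LISTING = """
00401000 PUSH EBP
00401001 MOV EBP,ESP
00401003 MOV EDI,DWORD PTR [EBP+8]
00401006 TEST EDI,EDI
00401008 JE demo.00405E8C
0040100E LEA EAX,DWORD PTR [EDI+18]
00401011 PUSH EAX
00401012 CALL DWORD PTR [EDI+18]
00401015 CMP EAX,3
00401018 JNZ demo.00401021
0040101A MOV EAX,1
0040101F JMP demo.00401026
00401021 MOV EAX,2
00401026 POP EBP
00401027 RETN
00405E8C XOR EAX,EAX
00405E8E JMP demo.00401026
"""


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str


@dataclass
class Finding:
    site: int           # address of the conditional jump
    target: int         # where it goes
    distance: int       # |target - site| in bytes
    returns_zero: bool  # target block sets EAX to 0
    rejoins: bool       # target block ends with a JMP back near the site

    @property
    def verdict(self) -> str:
        if self.returns_zero and self.rejoins:
            return "probable error path: sets EAX=0 and jumps back into the function"
        return "cold block: rarely executed, purpose not obvious from its shape"


def parse_listing(text: str) -> list[Insn]:
    insns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed listing line: {line!r}")
        insns.append(Insn(int(m.group(1), 16), m.group(2).upper(), (m.group(3) or "").strip()))
    return insns


def branch_target(operands: str) -> int | None:
    m = TARGET_RE.search(operands)
    return int(m.group(1), 16) if m else None


def block_at(insns: list[Insn], start: int) -> list[Insn]:
    """Instructions from `start` through the first control transfer (JMP/RET/Jcc)."""
    if not any(i.addr == start for i in insns):
        return []  # target not in the listing; nothing to inspect
    block = []
    for insn in sorted(insns, key=lambda i: i.addr):
        if insn.addr < start:
            continue
        block.append(insn)
        if insn.mnemonic in ("JMP", "RET", "RETN") or insn.mnemonic in COND_JUMPS:
            break
    return block


def sets_eax_zero(insn: Insn) -> bool:
    ops = insn.operands.replace(" ", "").upper()
    return (insn.mnemonic == "XOR" and ops == "EAX,EAX") or (insn.mnemonic == "MOV" and ops == "EAX,0")


def find_far_branches(insns: list[Insn], threshold: int = 0x1000) -> list[Finding]:
    """Flag conditional jumps whose target is at least `threshold` bytes away."""
    findings = []
    for insn in insns:
        if insn.mnemonic not in COND_JUMPS:
            continue
        target = branch_target(insn.operands)
        if target is None:
            continue  # register-indirect or unparsed target
        distance = abs(target - insn.addr)
        if distance < threshold:
            continue  # ordinary nearby branch, not a relocated block
        block = block_at(insns, target)
        returns_zero = any(sets_eax_zero(i) for i in block)
        rejoins = False
        if block and block[-1].mnemonic == "JMP":
            back = branch_target(block[-1].operands)
            rejoins = back is not None and abs(back - insn.addr) < threshold
        findings.append(Finding(insn.addr, target, distance, returns_zero, rejoins))
    return findings


if __name__ == "__main__":
    for f in find_far_branches(parse_listing(SAMPLE_LISTING)):
        print(f"{f.site:08X} -> {f.target:08X} (distance {f.distance:#x}): {f.verdict}")
```

On the constructed listing only the JE at 00401008 is reported: its target is 0x4E84 bytes away, the block there zeroes EAX and jumps back to the epilogue, so it is classified as a probable error path, while the short JNZ at 00401018 is ignored as an ordinary in-function branch. The verdict is a guess in exactly the sense the text describes; a far block that does something other than return zero is still flagged, but only as "cold".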
At this point, you can proceed to the code that follows the conditional
statement, at ntdll.7C92148B, which is clearly the body of the function.
The Callback
The body of RtlLocateNodeGenericTable performs a somewhat unusual
function call that appears to be the focal point of this entire function. Let’s
take a look at that code.
7C92148B LEA EAX,DWORD PTR [ESI+18]   ; EAX = address ESI+18 (not its contents)
7C92148E PUSH EAX                     ; third argument (pushed first)
7C92148F PUSH DWORD PTR [EBP+8]       ; second argument: the current function’s first parameter
7C921492 PUSH EDI                     ; first argument
7C921493 CALL DWORD PTR [EDI+18]      ; indirect call through a function pointer stored at EDI+18
Beyond the Documentation 173