Reversing : The Hacker's Guide to Reverse Engineering

7C921496 TEST EAX,EAX
7C921498 JE ntdll.7C924F14
7C92149E CMP EAX,1
7C9214A1 JNZ SHORT ntdll.7C9214BB

This snippet does something interesting that you haven’t encountered so far.
It is obvious that the first five instructions are all part of the same function call
sequence, but notice the address that is being called. It is not a hard-coded
address as usual, but rather the value at offset +18 in EDI. This exposes another
member in the root table data structure at offset +18 as a callback function of
some sort. If you go back to RtlInitializeGenericTable, you’ll see that
offset +18 was loaded from the second parameter passed to that function.
This means that offset +18 contains some kind of a user-defined callback.
The function seems to take three parameters, the first being the table data
structure; the second, the second parameter passed to the current function;
and the third, ESI + 18. Remember that ESI was loaded earlier with the value
at offset +0 of the root structure. This indicates that offset +0 contains some
other data structure and that the callback is getting a pointer to offset +18 at
this structure. You don’t really know what this data structure is at this point.
Once the callback function returns, you can test its return value and jump to
ntdll.7C924F14 if it is zero. Again, that address is outside of the main body
of the function. Another error handling code? Let’s find out. The following is
the code snippet found at ntdll.7C924F14.

7C924F14 MOV EAX,DWORD PTR [ESI+4]
7C924F17 TEST EAX,EAX
7C924F19 JNZ SHORT ntdll.7C924F22
7C924F1B PUSH 2
7C924F1D JMP ntdll.7C9214B0
7C924F22 MOV ESI,EAX
7C924F24 JMP ntdll.7C92148B

This snippet loads offset +4 from the unknown structure in ESI and tests if
it is zero. If it is nonzero, the code jumps to ntdll.7C924F22, a two-line segment
that jumps back to ntdll.7C92148B (which is back inside the main
body of our function), but not before it loads ESI with the value from offset +4
in the unknown data structure (which is currently stored in EAX). If offset +4 at
the unknown structure is zero, the code pushes the number 2 onto the stack
and jumps back into ntdll.7C9214B0, which is another address at the main
body of RtlLocateNodeGenericTable.
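To keep the recovered layout in one place, here is an added C reconstruction of what the analysis has established so far; it is not the book's code, and the field names, the C types of the callback signature and the treatment of the pushed 2 as the value reaching the caller are assumptions, while the nonzero-callback path (CMP EAX,1) is left unresolved because it has not been analysed yet.

```c
#include <stddef.h>
#include <stdint.h>
/* Field names are hypothetical; only offsets and roles come from the listing
 * (32-bit ntdll, so every slot below was 4 bytes in the original). */
typedef struct unknown_node {
    void *unknown_0;              /* +0   not examined yet */
    struct unknown_node *link_4;  /* +4   followed when the callback returns 0 */
    uint32_t unknown_8, unknown_c, unknown_10, unknown_14;
    unsigned char payload[16];    /* +18  address passed as the callback's 3rd argument */
} unknown_node;
typedef struct root_table root_table;
typedef uint32_t (*callback_18)(root_table *table, void *arg2, void *node_payload);
struct root_table {
    unknown_node *first_0;        /* +0   loaded into ESI earlier in the function */
    uint32_t unknown_4, unknown_8, unknown_c, unknown_10, unknown_14;
    callback_18 callback;         /* +18  second parameter of RtlInitializeGenericTable */
};
enum { FLOW_NOT_COVERED = 0xFFFFFFFFu, FLOW_CHAIN_END = 2 };
/* Control flow recovered so far. The pushed 2 is modelled as the result that
 * reaches the caller (assumption); how 7C9214B0 consumes it is not shown yet. */
uint32_t locate_node_flow(root_table *table, void *arg2, unknown_node **stopped_at)
{
    unknown_node *node = table->first_0;
    for (;;) {
        uint32_t r = table->callback(table, arg2, node->payload); /* CALL [EDI+18] */
        *stopped_at = node;
        if (r != 0)                  /* TEST EAX,EAX / JE not taken: CMP EAX,1 path, */
            return FLOW_NOT_COVERED; /* not analysed at this point */
        if (node->link_4 == NULL)    /* 7C924F14: MOV EAX,[ESI+4] gives zero */
            return FLOW_CHAIN_END;   /* PUSH 2 / JMP 7C9214B0 */
        node = node->link_4;         /* 7C924F22: MOV ESI,EAX / JMP 7C92148B */
    }
}
/* Constructed sample: a three-node chain and a callback that always returns 0,
 * so the walk must visit all three nodes and end with 2. */
static int g_calls, g_stop_index;
static uint32_t always_zero(root_table *t, void *a, void *p)
{ (void)t; (void)a; (void)p; g_calls++; return 0; }
uint32_t demo_walk(void)
{
    unknown_node n[3] = {{0}};
    root_table table = {0};
    unknown_node *stop = NULL;
    n[0].link_4 = &n[1]; n[1].link_4 = &n[2];     /* n[2].link_4 stays NULL */
    table.first_0 = &n[0]; table.callback = always_zero; g_calls = 0;
    uint32_t r = locate_node_flow(&table, NULL, &stop);
    g_stop_index = (int)(stop - n);               /* 2: the walk ended at the third node */
    return r;                                     /* FLOW_CHAIN_END (2) */
}
```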
It is important at this point to keep track of the various branches you’ve
encountered in the code so far. This is a bit more confusing than it could have
been because of the way the function is scattered throughout the module. Essentially,
the test for offset +4 at the unknown structure has one of two outcomes. If
the value is zero the function returns to the caller (ntdll.7C9214B0 is near the

174 Chapter 5
