the second parameter contain? Essentially, it is the value of the third parameter
passed to RtlRealInsertElementWorkerplus 18 bytes (hex). When you
looked earlier at the parameters that RtlRealInsertElementWorkertakes,
you had no idea what the third parameter was, but the number 0x18sounds
somehow familiar. Remember how RtlLocateNodeGenericTableadded
0x18(24 in decimal) to the pointer of the current element before it passed it to
theTABLE_COMPARE_ELEMENTScallback? I suspected that adding 24 bytes
was a way of skipping the element’s header and getting to the actual data. This
corroborates that assumption—it looks like elements in a generic table are each
stored with 24-byte headers that are followed by the element’s data.
Let’s dig further into this function to try and figure out how it works and
what the callback does. Here’s what happens after the callback returns.7C924E10 MOV EBX,EAX
7C924E12 TEST EBX,EBX
7C924E14 JE ntdll.7C94D4BE
7C924E1A AND DWORD PTR [EBX+4],0
7C924E1E AND DWORD PTR [EBX+8],0
7C924E22 MOV DWORD PTR [EBX],EBX
7C924E24 LEA ECX,DWORD PTR [ESI+4]
7C924E27 MOV EDX,DWORD PTR [ECX+4]
7C924E2A LEA EAX,DWORD PTR [EBX+C]
7C924E2D MOV DWORD PTR [EAX],ECX
7C924E2F MOV DWORD PTR [EAX+4],EDX
7C924E32 MOV DWORD PTR [EDX],EAX
7C924E34 MOV DWORD PTR [ECX+4],EAX
7C924E37 INC DWORD PTR [ESI+14]
7C924E3A CMP DWORD PTR [EBP+1C],0
7C924E3E JE SHORT ntdll.7C924E88
7C924E40 CMP DWORD PTR [EBP+1C],2
7C924E44 MOV EAX,DWORD PTR [EBP+18]
7C924E47 JE ntdll.7C924F0C
7C924E4D MOV DWORD PTR [EAX+8],EBX
7C924E50 MOV DWORD PTR [EBX],EAXThis code tests the return value from the callback. If it’s zero, the function
jumps into a remote block. Let’s take a quick look at that block.7C94D4BE MOV EAX,DWORD PTR [EBP+14]
7C94D4C1 TEST EAX,EAX
7C94D4C3 JE SHORT ntdll.7C94D4C7
7C94D4C5 MOV BYTE PTR [EAX],BL
7C94D4C7 XOR EAX,EAX
7C94D4C9 JMP ntdll.7C924E81This appears to be some kind of failure mode that essentially returns 0 to the
caller. Notice how this sequence checks whether the fourth parameter at182 Chapter 5