Reversing Secrets Of Reverse Engineering : RtlInitializeGenericTable

티스토리 뷰

보안/분석

Reversing Secrets Of Reverse Engineering : RtlInitializeGenericTable

NineKY 2009. 10. 11. 16:38

Reversing Secrets Of Reverse Engineering
CH5. Beyond the Documentation

void NTAPI RtlInitializeGenericTable(
    TABLE *pGenericTable,                              : 4        : RtlInitializeGenericTable + 0
    TABLE_COMPARE_ELEMENTS ComapreElements,            : 4        : RtlInitializeGenericTable + 4
    // typedef int (stdcall * TABLE_COMPARE_ELEMENTS) (TABLE *pTable,PVOID pElement1,PVOID pElement2);
    TABLE_ALLOCATE_ELEMENT AllocateElement,            : 4        : RtlInitializeGenericTable + 8
    // typedef NODE * (NTAPI * TABLE_ALLOCATE_ELEMENT) ( TABLE *pTable, ULONG TotalElementSize );
    TABLE_FREE_ELEMENT FreeElement,                    : 4        : RtlInitializeGenericTable + C
    // typedef void (NTAPI * TABLE_FREE_ELEMENT) ( TABLE *pTable, PVOID Element );
    ULONG Unknown                                      : 4        : RtlInitializeGenericTable + 10
)

struct TABLE {
    NODE                     *TopNode;                : 4         : TABLE + 0
    LIST_ENTRY               LLHead;                  : 8         : TABLE + 4
    LIST_ENTRY               *LastElementFound;       : 4         : TABLE + C
    ULONG                    LastElementIndex;        : 4         : TABLE + 10
    ULONG                    NumberOfElements;        : 4         : TABLE + 14
    TABLE_COMPARE_ELEMENTS   CompareElements;         : 4         : TABLE + 18
    TABLE_ALLOCATE_ELEMENT   AllocateElement;         : 4         : TABLE + 1C
    TABLE_FREE_ELEMENT       FreeElement;             : 4         : TABLE + 20
    ULONG                    unknown;                 : 4         : TABLE + 24
};

struct NODE {
    NODE          *ParentNode;    : 4
    NODE          *RightChild;    : 4
    NODE          *LeftChild;     : 4
    LIST_ENTRY    LLEntry;        : 8
    ULONG         Unknown;        : 4
}

// sizeof(_LIST_ENTRY)  =  8
typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;        : 4   : LIST_ENTRY + 0
   struct _LIST_ENTRY *Blink;        : 4   : LIST_ENTRY + 4
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

77F905F8 >/$ 55                push ebp                    ; esp:prev.ebp > esp+4:ret > esp+8:argv[0] > esp+c:argv[1] ...
77F905F9 |. 8BEC              mov ebp,esp
77F905FB |. 8B45 08           mov eax,[arg.1]             ; eax = pGenericTable ( TABLE )
77F905FE |. 33D2              xor edx,edx                 ; edx = 0
77F90600 |. 8D48 04           lea ecx,ds:[eax+4]          ; ecx = &( pGenericTable.LLHead )
77F90603 |. 8910              mov ds:[eax],edx            ; pGenericTable.TopNode = NULL
77F90605 |. 8949 04           mov ds:[ecx+4],ecx          ; pGenericTable.LLHead.Blink = pGenericTable.LLHead
77F90608 |. 8909              mov ds:[ecx],ecx            ; pGenericTable.LLHead.Flink = pGenericTable.LLHead
77F9060A |. 8948 0C           mov ds:[eax+C],ecx          ; pGenericTable.LastElementFound = pGenericTable.LLHead.Flink = pGenericTable.LLHead
77F9060D |. 8B4D 0C           mov ecx,[arg.2]             ; ecx = ComapreElements ( TABLE_COMPARE_ELEMENTS )
77F90610 |. 8948 18           mov ds:[eax+18],ecx         ; pGenericTable.CompareElements = arg.2
77F90613 |. 8B4D 10           mov ecx,[arg.3]             ; ecx = AllocateElement ( TABLE_ALLOCATE_ELEMENT )
77F90616 |. 8948 1C           mov ds:[eax+1C],ecx         ; pGenericTable.AllocateElement = arg.3
77F90619 |. 8B4D 14           mov ecx,[arg.4]             ; ecx = FreeElement ( TABLE_FREE_ELEMENT )
77F9061C |. 8948 20           mov ds:[eax+20],ecx         ; pGenericTable.FreeElement = arg.4
77F9061F |. 8B4D 18           mov ecx,[arg.5]             ; arg.5 : ULONG Unknown
77F90622 |. 8950 14           mov ds:[eax+14],edx         ; pGenericTable.NumberOfElements = 0
77F90625 |. 8950 10           mov ds:[eax+10],edx         ; pGenericTable.LastElementIndex = 0
77F90628 |. 8948 24           mov ds:[eax+24],ecx         ; pGenericTable.unknown = arg.5
77F9062B |. 5D                pop ebp
77F9062C \. C2 1400           retn 14

BOOLEAN NTAPI RtlIsGenericTableEmpty( TABLE *pGenericTable );

77F905F8 >/$  55                push ebp     
77F905F9  |.  8BEC              mov ebp,esp

// 파라메터 arg.1 ~ arg.5 --> 파라메터는 5개 : 08 ~ 18
77F905FB  |.  8B45 08           mov eax,[arg.1]
77F905FE  |.  33D2              xor edx,edx        
77F90600  |.  8D48 04           lea ecx,ds:[eax+4]   
77F90603  |.  8910              mov ds:[eax],edx     
77F90605  |.  8949 04           mov ds:[ecx+4],ecx    
77F90608  |.  8909              mov ds:[ecx],ecx      
77F9060A  |.  8948 0C           mov ds:[eax+C],ecx    
/*
 // eax : struct #1
 // ecx : struct #1 . element #1 
 unknownstruct1                   = param1
 unknownstruct1.element1          = 0
 unknownstruct1.element2.element2 = unknownstruct1.element2
 unknownstruct1.element2.element1 = unknownstruct1.element2
 unknownstruct1.element3          = unknownstruct1.element2
*/
77F9060D  |.  8B4D 0C           mov ecx,[arg.2]       
77F90610  |.  8948 18           mov ds:[eax+18],ecx 
/*
 unknownstruct1.element6           = param2
*/

77F90613  |.  8B4D 10           mov ecx,[arg.3]          
77F90616  |.  8948 1C           mov ds:[eax+1C],ecx   
/* 
 unknownstruct1.element7           = param3
*/ 

77F90619  |.  8B4D 14           mov ecx,[arg.4]             
77F9061C  |.  8948 20           mov ds:[eax+20],ecx   
/*
 unknownstruct1.element8           = param4
*/ 

77F9061F  |.  8B4D 18           mov ecx,[arg.5]          
77F90622  |.  8950 14           mov ds:[eax+14],edx         
77F90625  |.  8950 10           mov ds:[eax+10],edx         
77F90628  |.  8948 24           mov ds:[eax+24],ecx  
/* 
 unknownstruct1.element5           = 0
 unknownstruct1.element4           = 0
 unknownstruct1.element9           = param5
*/

77F9062B  |.  5D                pop ebp
77F9062C  \.  C2 1400           retn 14

struct _unknownstruct1
{
  int element1;
  struct _unknownstruct2
  {
    struct _unknownstruct2* element1;
    struct _unknownstruct2* element2;
  };
  struct _unknownstruct2* element3;
  int element4;
  int element5;
  unknown element6;
  unknown element7;
  unknown element8;
  unknown element9;
} unknownstruct;

저작자표시 비영리 변경금지

'보안 > 분석' 카테고리의 다른 글

Reversing Secrets Of Reverse Engineering : RtlIsGenericTableEmpty (0)	2009.10.11
Reversing Secrets Of Reverse Engineering : RtlNumberGenericTableElements (0)	2009.10.11
[노트] .COD 와 release 결과물의 차이 (0)	2009.09.17
[자문 自問] POP 대신에 ADD ESP, XX 를 이용하는 이유 ? (3)	2009.09.16
[노트] ProbeForRead (0)	2009.08.31

공지사항

최근에 올라온 글

최근에 달린 댓글

Total

Today

Yesterday

링크

TAG more

« 2024/05 »
일	월	화	수	목	금	토
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

글 보관함

CoInzBlog

티스토리 뷰

Reversing Secrets Of Reverse Engineering : RtlInitializeGenericTable

'보안 > 분석' 카테고리의 다른 글

티스토리툴바