Reversing Secrets Of Reverse Engineering : RtlInitializeGenericTable

Reversing Secrets Of Reverse Engineering
  CH5. Beyond the Documentation

void NTAPI RtlInitializeGenericTable(
    TABLE *pGenericTable,                              : 4        : RtlInitializeGenericTable + 0
    TABLE_COMPARE_ELEMENTS ComapreElements,            : 4        : RtlInitializeGenericTable + 4
    // typedef int (stdcall * TABLE_COMPARE_ELEMENTS) (TABLE *pTable,PVOID pElement1,PVOID pElement2);
    TABLE_ALLOCATE_ELEMENT AllocateElement,            : 4        : RtlInitializeGenericTable + 8
    // typedef NODE * (NTAPI * TABLE_ALLOCATE_ELEMENT) ( TABLE *pTable, ULONG TotalElementSize );
    TABLE_FREE_ELEMENT FreeElement,                    : 4        : RtlInitializeGenericTable + C
    // typedef void (NTAPI * TABLE_FREE_ELEMENT) ( TABLE *pTable, PVOID Element );
    ULONG Unknown                                      : 4        : RtlInitializeGenericTable + 10
)

struct TABLE {
    NODE                     *TopNode;                : 4         : TABLE + 0
    LIST_ENTRY               LLHead;                  : 8         : TABLE + 4
    LIST_ENTRY               *LastElementFound;       : 4         : TABLE + C
    ULONG                    LastElementIndex;        : 4         : TABLE + 10
    ULONG                    NumberOfElements;        : 4         : TABLE + 14
    TABLE_COMPARE_ELEMENTS   CompareElements;         : 4         : TABLE + 18
    TABLE_ALLOCATE_ELEMENT   AllocateElement;         : 4         : TABLE + 1C
    TABLE_FREE_ELEMENT       FreeElement;             : 4         : TABLE + 20
    ULONG                    unknown;                 : 4         : TABLE + 24
};

struct NODE {
    NODE          *ParentNode;    : 4
    NODE          *RightChild;    : 4
    NODE          *LeftChild;     : 4
    LIST_ENTRY    LLEntry;        : 8
    ULONG         Unknown;        : 4
}

// sizeof(_LIST_ENTRY)  =  8
typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;        : 4   : LIST_ENTRY + 0
   struct _LIST_ENTRY *Blink;        : 4   : LIST_ENTRY + 4
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

77F905F8 >/$  55                push ebp                    ;  esp:prev.ebp > esp+4:ret > esp+8:argv[0] > esp+c:argv[1] ...
77F905F9  |.  8BEC              mov ebp,esp
77F905FB  |.  8B45 08           mov eax,[arg.1]             ;  eax = pGenericTable ( TABLE )
77F905FE  |.  33D2              xor edx,edx                 ;  edx = 0
77F90600  |.  8D48 04           lea ecx,ds:[eax+4]          ;  ecx = &( pGenericTable.LLHead )
77F90603  |.  8910              mov ds:[eax],edx            ;  pGenericTable.TopNode  =  NULL
77F90605  |.  8949 04           mov ds:[ecx+4],ecx          ;  pGenericTable.LLHead.Blink = pGenericTable.LLHead
77F90608  |.  8909              mov ds:[ecx],ecx            ;  pGenericTable.LLHead.Flink = pGenericTable.LLHead
77F9060A  |.  8948 0C           mov ds:[eax+C],ecx          ;  pGenericTable.LastElementFound = pGenericTable.LLHead.Flink = pGenericTable.LLHead
77F9060D  |.  8B4D 0C           mov ecx,[arg.2]             ;  ecx = ComapreElements ( TABLE_COMPARE_ELEMENTS )
77F90610  |.  8948 18           mov ds:[eax+18],ecx         ;  pGenericTable.CompareElements = arg.2
77F90613  |.  8B4D 10           mov ecx,[arg.3]             ;  ecx = AllocateElement ( TABLE_ALLOCATE_ELEMENT )
77F90616  |.  8948 1C           mov ds:[eax+1C],ecx         ;  pGenericTable.AllocateElement = arg.3
77F90619  |.  8B4D 14           mov ecx,[arg.4]             ;  ecx = FreeElement ( TABLE_FREE_ELEMENT )
77F9061C  |.  8948 20           mov ds:[eax+20],ecx         ;  pGenericTable.FreeElement = arg.4
77F9061F  |.  8B4D 18           mov ecx,[arg.5]             ;  arg.5 : ULONG Unknown
77F90622  |.  8950 14           mov ds:[eax+14],edx         ;  pGenericTable.NumberOfElements = 0
77F90625  |.  8950 10           mov ds:[eax+10],edx         ;  pGenericTable.LastElementIndex = 0
77F90628  |.  8948 24           mov ds:[eax+24],ecx         ;  pGenericTable.unknown = arg.5
77F9062B  |.  5D                pop ebp
77F9062C  \.  C2 1400           retn 14

BOOLEAN NTAPI RtlIsGenericTableEmpty( TABLE *pGenericTable );

77F905F8 >/$  55                push ebp     
77F905F9  |.  8BEC              mov ebp,esp

// 파라메터 arg.1 ~ arg.5 --> 파라메터는 5개 : 08 ~ 18
77F905FB  |.  8B45 08           mov eax,[arg.1]
77F905FE  |.  33D2              xor edx,edx        
77F90600  |.  8D48 04           lea ecx,ds:[eax+4]   
77F90603  |.  8910              mov ds:[eax],edx     
77F90605  |.  8949 04           mov ds:[ecx+4],ecx    
77F90608  |.  8909              mov ds:[ecx],ecx      
77F9060A  |.  8948 0C           mov ds:[eax+C],ecx    
/*
 // eax : struct #1
 // ecx : struct #1 . element #1 
 unknownstruct1                   = param1
 unknownstruct1.element1          = 0
 unknownstruct1.element2.element2 = unknownstruct1.element2
 unknownstruct1.element2.element1 = unknownstruct1.element2
 unknownstruct1.element3          = unknownstruct1.element2
*/
77F9060D  |.  8B4D 0C           mov ecx,[arg.2]       
77F90610  |.  8948 18           mov ds:[eax+18],ecx 
/*
 unknownstruct1.element6           = param2
*/

77F90613  |.  8B4D 10           mov ecx,[arg.3]          
77F90616  |.  8948 1C           mov ds:[eax+1C],ecx   
/* 
 unknownstruct1.element7           = param3
*/ 

77F90619  |.  8B4D 14           mov ecx,[arg.4]             
77F9061C  |.  8948 20           mov ds:[eax+20],ecx   
/*
 unknownstruct1.element8           = param4
*/ 

77F9061F  |.  8B4D 18           mov ecx,[arg.5]          
77F90622  |.  8950 14           mov ds:[eax+14],edx         
77F90625  |.  8950 10           mov ds:[eax+10],edx         
77F90628  |.  8948 24           mov ds:[eax+24],ecx  
/* 
 unknownstruct1.element5           = 0
 unknownstruct1.element4           = 0
 unknownstruct1.element9           = param5
*/

77F9062B  |.  5D                pop ebp
77F9062C  \.  C2 1400           retn 14

struct _unknownstruct1
{
  int element1;
  struct _unknownstruct2
  {
    struct _unknownstruct2* element1;
    struct _unknownstruct2* element2;
  };
  struct _unknownstruct2* element3;
  int element4;
  int element5;
  unknown element6;
  unknown element7;
  unknown element8;
  unknown element9;
} unknownstruct;