16) ntdll!RtlFillMemoryUlong()

RtlpInsertFreeBlock()调用过RtlFillMemoryUlong()。注意该函数与memset()的区
别。

用IDA Pro逆向英文版XP SP1的ntdll!RtlFillMemoryUlong:

--------------------------------------------------------------------------
; __stdcall RtlFillMemoryUlong(x,x,x)
    public _RtlFillMemoryUlong@12
_RtlFillMemoryUlong@12 proc near

dest= dword ptr  8
bytecount= dword ptr  0Ch
value= dword ptr  10h

    push edi
    mov edi, [esp+dest]
    mov ecx, [esp+bytecount]
    mov eax, [esp+value]
    shr ecx, 2                          ; bytecount / 4
    rep stosd
    pop edi
    retn 0Ch
_RtlFillMemoryUlong@12 endp
--------------------------------------------------------------------------

下面是C风格的伪代码:

--------------------------------------------------------------------------
VOID NTAPI RtlFillMemoryUlong
(
    PULONG  dest,       // 第01形参，[EBP+0x008]
    DWORD   bytecount,  // 第02形参，[EBP+0x00C]，以字节为单位
    ULONG   value       // 第03形参，[EBP+0x010]
)
{
    /*
     * 假设ULONG占4字节
     */
    bytecount /= 4;
    while ( bytecount-- )
    {
        *dest++ = value;
    }  /* end of while */
    return;
}  /* end of RtlFillMemoryUlong */
--------------------------------------------------------------------------