LIST ENTRY

From aldeid

Description

A LIST_ENTRY structure describes an entry in a doubly linked list or serves as the header for such a list.

Structure

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY  *Flink;
    struct _LIST_ENTRY  *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

Members

Flink
For a LIST_ENTRY structure that serves as a list entry, the Flink member points to the next entry in the list or to the list header if there is no next entry in the list.
For a LIST_ENTRY structure that serves as the list header, the Flink member points to the first entry in the list or to the LIST_ENTRY structure itself if the list is empty.
Blink
For a LIST_ENTRY structure that serves as a list entry, the Blink member points to the previous entry in the list or to the list header if there is no previous entry in the list.
For a LIST_ENTRY structure that serves as the list header, the Blink member points to the last entry in the list or to the LIST_ENTRY structure itself if the list is empty.

Example

Below is a disassembly excerpt showing how a rootkit unlinks its own EPROCESS from the ActiveProcessLinks list (a LIST_ENTRY embedded in every EPROCESS), so that tools that enumerate processes by walking that list, such as the Windows task manager, no longer see it. Note that the rootkit only rewrites the neighbours' pointers; the hidden process's own Flink and Blink are left untouched.

PAGE:F7CF266B call    ds:IoGetCurrentProcess   ; EAX = EPROCESS of the current (rootkit) process
PAGE:F7CF2671 mov     ecx, [eax+8Ch]  ; ECX = ActiveProcessLinks.Blink (entry of the previous process)
PAGE:F7CF2677 add     eax, 88h        ; EAX = &ActiveProcessLinks; 88h is its offset in this EPROCESS layout
PAGE:F7CF267C mov     edx, [eax]      ; EDX = ActiveProcessLinks.Flink (entry of the next process)
PAGE:F7CF267E mov     [ecx], edx      ; previous->Flink = next: the previous entry now skips this process
PAGE:F7CF2680 mov     ecx, [eax]      ; Same operation with the Blink pointer of the next entry: ECX = next entry
PAGE:F7CF2682 mov     eax, [eax+4]    ; EAX = previous entry
PAGE:F7CF2685 mov     [ecx+4], eax    ; next->Blink = previous: the process is now unlinked in both directions
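The following user-mode C program is an added example (not part of the aldeid page or any kernel source). It re-creates the LIST_ENTRY structure and header semantics described in the Members section, links a few constructed FAKE_PROCESS records together the way EPROCESS records sit on ActiveProcessLinks, performs the same two pointer writes as the disassembly above, and then contrasts the two views a defender relies on: a walk of the list from the header (which misses the unlinked record) against a scan of the backing storage that checks whether each record's neighbours still point back at it (which exposes it). FAKE_PROCESS, its field layout, the PIDs and names are all constructed for the example; CONTAINING_RECORD is re-implemented here rather than taken from a Windows header.

```c
#include <stddef.h>
#include <stdio.h>

/* The structure from the page, re-declared so this example compiles in user mode. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

/* Constructed stand-in for EPROCESS: only what the example needs, not the real layout. */
typedef struct _FAKE_PROCESS {
    unsigned int Pid;
    char         ImageName[16];
    LIST_ENTRY   ActiveProcessLinks;   /* entry embedded in the record, as in EPROCESS */
} FAKE_PROCESS;

/* Recover the enclosing record from a pointer to its embedded LIST_ENTRY. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(PLIST_ENTRY Head) {
    Head->Flink = Head->Blink = Head;          /* empty list: the header points at itself */
}

static void InsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry) {
    PLIST_ENTRY last = Head->Blink;            /* the header's Blink is the last entry */
    Entry->Flink = Head;
    Entry->Blink = last;
    last->Flink  = Entry;
    Head->Blink  = Entry;
}

/* The pointer surgery from the disassembly: previous->Flink = next, next->Blink = previous.
   The unlinked entry's own Flink/Blink are deliberately left as they were. */
static void UnlinkEntry(PLIST_ENTRY Entry) {
    PLIST_ENTRY next = Entry->Flink;
    PLIST_ENTRY prev = Entry->Blink;
    prev->Flink = next;
    next->Blink = prev;
}

/* View 1: follow Flink from the header until it comes back round, the way a
   list-walking enumerator does. Returns the number of PIDs written to out. */
static int PidsByListWalk(PLIST_ENTRY Head, unsigned int *out, int max) {
    int n = 0;
    for (PLIST_ENTRY e = Head->Flink; e != Head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, FAKE_PROCESS, ActiveProcessLinks)->Pid;
    return n;
}

/* View 2: scan the backing storage. A record whose neighbours no longer point back
   at it (Flink->Blink != self or Blink->Flink != self) has been unlinked. */
static int FindUnlinked(FAKE_PROCESS *pool, int count, unsigned int *out, int max) {
    int n = 0;
    for (int i = 0; i < count && n < max; i++) {
        PLIST_ENTRY e = &pool[i].ActiveProcessLinks;
        if (e->Flink->Blink != e || e->Blink->Flink != e)
            out[n++] = pool[i].Pid;
    }
    return n;
}

/* Builds a three-record list, unlinks the middle record, and returns the PID that the
   scan reports as unlinked (or -1 if the two views do not disagree as expected). */
static int HiddenPidAfterUnlink(void) {
    LIST_ENTRY head;
    FAKE_PROCESS pool[3] = {0};                /* constructed sample "processes" */
    unsigned int walk[3], unlinked[3];
    InitializeListHead(&head);
    for (int i = 0; i < 3; i++) {
        pool[i].Pid = 100u * (unsigned int)(i + 1);
        snprintf(pool[i].ImageName, sizeof pool[i].ImageName, "proc%d.exe", i + 1);
        InsertTailList(&head, &pool[i].ActiveProcessLinks);
    }
    UnlinkEntry(&pool[1].ActiveProcessLinks);  /* the same effect as the rootkit's two writes */
    int seen  = PidsByListWalk(&head, walk, 3);
    int found = FindUnlinked(pool, 3, unlinked, 3);
    printf("list walk sees %d entries; storage scan finds %d unlinked record(s)\n", seen, found);
    return (seen == 2 && found == 1) ? (int)unlinked[0] : -1;
}

int main(void) {
    printf("hidden pid: %d\n", HiddenPidAfterUnlink());
    return 0;
}
```

The list itself stays perfectly consistent after the unlink (every entry reachable from the header still has Flink->Blink == self), which is why a walk of ActiveProcessLinks cannot notice anything; the inconsistency lives only in the orphaned record, so it is the cross-view comparison of "what the list walk returns" against "what a scan of memory finds" that reveals it.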