5 comments on “Windbg “dt” output converter”

  1. Some things to look out for are:
    * unions, which you can detect by checking whether two structure “members” are listed at the same offset:
    +0x000 InLoadOrderLinks : _LIST_ENTRY
    +0x008 InMemoryOrderLinks : _LIST_ENTRY
    +0x010 InInitializationOrderLinks : _LIST_ENTRY
    +0x018 DllBase : Ptr32 Void
    +0x01c EntryPoint : Ptr32 Void
    +0x020 SizeOfImage : Uint4B
    +0x024 FullDllName : _UNICODE_STRING
    +0x02c BaseDllName : _UNICODE_STRING
    +0x034 Flags : Uint4B
    +0x038 LoadCount : Uint2B
    +0x03a TlsIndex : Uint2B
    union {
    +0x03c HashLinks : _LIST_ENTRY

    +0x03c SectionPointer : Ptr32 Void
    +0x040 CheckSum : Uint4B
    +0x044 TimeDateStamp : Uint4B

    +0x044 LoadedImports : Ptr32 Void
    +0x048 EntryPointActivationContext : Ptr32 Void
    +0x04c PatchInformation : Ptr32 Void

    * padding/alignment, which WinDbg sometimes doesn’t show:

    lkd> dt _PEB_LDR_DATA
    +0x000 Length : Uint4B
    +0x004 Initialized : UChar
    —> 3 bytes of padding/alignment
    +0x008 SsHandle : Ptr32 Void
    +0x00c InLoadOrderModuleList : _LIST_ENTRY
    +0x014 InMemoryOrderModuleList : _LIST_ENTRY
    +0x01c InInitializationOrderModuleList : _LIST_ENTRY
    +0x024 EntryInProgress : Ptr32 Void

    Though the latter may be a non-issue if you’re trying to rebuild C structures, as the compiler should align these structures correctly anyway.
    In my case, I was writing some Python code to parse these kinds of structures where it turned out to be a bit of an issue at first.

  2. Hi Kasperle.
    Union is supported, here is a snapshot of _LDR_DATA_TABLE_ENTRY converted structure:

    USHORT TlsIndex; // 0x03a
    union {
    LIST_ENTRY HashLinks; // 0x03c
    PVOID SectionPointer; // 0x03c
    ULONG CheckSum; // 0x040
    union {
    ULONG TimeDateStamp; // 0x044
    PVOID LoadedImports; // 0x044
    PVOID EntryPointActivationContext; // 0x048

    >padding/alignment, which WinDbg sometimes doesn’t show
    Yes, this is something to look out for sure.

    Thanks for your suggestion.
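The two checks discussed in the comments above (members that overlap, and gaps that `dt` does not print), as an added Python example that is not code from the post or from either commenter. It goes slightly beyond the same-offset rule by flagging any member that starts inside an earlier one; the `SIZES` table and the names `parse_dt` and `analyze` are assumptions made for this illustration.

```python
import re

# Byte sizes of the 32-bit types in the dumps above (assumed table; extend as needed).
SIZES = {"Uint4B": 4, "Uint2B": 2, "UChar": 1, "Ptr32 Void": 4,
         "_LIST_ENTRY": 8, "_UNICODE_STRING": 8}
MEMBER = re.compile(r"\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

def parse_dt(text):
    """Return [(offset, name, type)]; lines that are not member lines are skipped."""
    hits = (MEMBER.search(line) for line in text.splitlines())
    return [(int(m.group(1), 16), m.group(2), m.group(3)) for m in hits if m]

def analyze(text):
    """Return (overlaps, padding) for a dt dump.

    overlaps: members starting inside an earlier member (union candidates)
    padding:  (offset, nbytes) gaps between members that dt did not print
    """
    overlaps, padding, end = [], [], None
    for off, name, typ in parse_dt(text):
        if end is None:
            end = off                      # excerpt may not start at +0x000
        if off < end:
            overlaps.append(name)
        elif off > end:
            padding.append((end, off - end))
        end = max(end, off + SIZES[typ])   # KeyError on a type missing from SIZES
    return overlaps, padding

# Sample input: excerpts of the two dumps quoted in the comments above.
PEB_LDR_DATA = """
+0x000 Length : Uint4B
+0x004 Initialized : UChar
+0x008 SsHandle : Ptr32 Void
+0x00c InLoadOrderModuleList : _LIST_ENTRY
"""
LDR_TAIL = """
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 Void
"""

if __name__ == "__main__":
    print(analyze(PEB_LDR_DATA))
    print(analyze(LDR_TAIL))
```

Bitfield members (which `dt` prints with a `Pos`/`Bit` description) are not in the size table and would need separate handling.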
