dt (display and map virtual memory to structures)
Description of the 'dt' command in HyperDbg.
Command
dt
Syntax
dt [Module!SymbolName (string)] [AddressExpression (string)] [pid ProcessId (hex)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expansion (string)] [output FileName (string)]
Description
Displays data structures in an offset format, maps a virtual address to a structure, and shows the structure's fields and their values.
You can use the 'struct' command to make C (header) code structures, enums, and data types from the symbols.
Parameters
[Module!SymbolName (string)]
Module name combined with the symbol name (separated by a ! sign).
[AddressExpression (string)] (optional)
Address or an expression that evaluates as a virtual address. If you leave this argument empty, the symbol data is shown without mapping to data.
[pid ProcessId (hex)] (optional)
The Process ID (in hex) whose memory context (cr3) is used when reading the address.
[padding Padding (yesno)] (optional)
Create padding members. (default: yes)
[offset Offset (yesno)] (optional)
Show offsets. (default: yes)
[bitfield Bitfield (yesno)] (optional)
Allow bitfields in the union. (default: no)
[native Native (yesno)] (optional)
Use types from stdint.h instead of native types. (default: no)
[decl Declaration (yesno)] (optional)
Print declarations. (default: yes)
[def Definitions (yesno)] (optional)
Print definitions. (default: yes)
[func Functions (yesno)] (optional)
Print functions. (default: no)
[pragma Pragma (yesno)] (optional)
Print #pragma pack directives. (default: yes)
[prefix Prefix (string)] (optional)
Prefix for all symbols.
[suffix Suffix (string)] (optional)
Suffix for all symbols.
[inline Expansion (string)] (optional)
Specifies expansion of nested structures/unions. (default: unnamed)
none: only the top-most type is printed.
unnamed: unnamed types are nested.
all: all types are nested.
[output FileName (string)] (optional)
Specifies the output file if the user wants to save the printed data.
In the Debugger Mode, the pid parameter is ignored. If you want to view another process's memory, use the '.process' command to switch to that process's memory layout.
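The following program is an added illustration of what the offset format is and how the padding and inline parameters shape it; it is not HyperDbg's code and does not read real memory. It walks a constructed field table for a hypothetical struct (_DEMO_STRUCT, _DEMO_LINK and an unnamed union are made up for this example), reads each field out of a constructed 32-byte memory snapshot the way dt reads the debuggee's virtual memory, emits synthetic padding members for gaps (padding yes), prefixes every member with its offset (offset yes), and expands nested types according to the three inline modes (none, unnamed, all). The Flink value in the snapshot is the sample address from this page.

```c
/* Added example, not HyperDbg's own code: a toy "dt" that maps a memory
 * snapshot onto a constructed type description and prints it in offset format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum inline_mode { INLINE_NONE, INLINE_UNNAMED, INLINE_ALL };

struct type_desc;                       /* forward declaration for nesting */

struct field_desc {
    const char *name;                   /* NULL marks an unnamed member (anonymous union) */
    uint32_t offset;                    /* byte offset inside the enclosing type */
    uint32_t size;                      /* scalar width (1, 2, 4, 8) or nested type size */
    const struct type_desc *nested;     /* non-NULL when the member is itself a struct/union */
};

struct type_desc {
    const char *name;                   /* printed header, e.g. "struct _DEMO_STRUCT" */
    uint32_t size;                      /* total size, used to detect tail padding */
    const struct field_desc *fields;
    size_t nfields;
};

/* Hypothetical layouts (constructed for this example, not real Windows types). */
static const struct field_desc link_fields[] = {
    { "Flink", 0x00, 8, NULL },
    { "Blink", 0x08, 8, NULL },
};
static const struct type_desc link_type = { "struct _DEMO_LINK", 0x10, link_fields, 2 };

static const struct field_desc raw_fields[] = {   /* union: members overlap */
    { "Raw",  0x00, 8, NULL },
    { "Low",  0x00, 4, NULL },
    { "High", 0x04, 4, NULL },
};
static const struct type_desc raw_union = { "union <unnamed>", 0x08, raw_fields, 3 };

static const struct field_desc demo_fields[] = {
    { "Flags", 0x00, 4,  NULL },        /* 4 bytes of padding follow */
    { NULL,    0x08, 8,  &raw_union },  /* unnamed: expanded under 'unnamed' and 'all' */
    { "Link",  0x10, 16, &link_type },  /* named: expanded only under 'all' */
};
static const struct type_desc demo_type = { "struct _DEMO_STRUCT", 0x20, demo_fields, 3 };

/* Constructed memory snapshot standing in for the debuggee's virtual memory. */
static const uint8_t snapshot[0x20] = {
    0x03, 0x00, 0x00, 0x00,                         /* Flags = 3                         */
    0xAA, 0xAA, 0xAA, 0xAA,                         /* padding, never interpreted        */
    0x78, 0x56, 0x34, 0x12, 0xF0, 0xDE, 0xBC, 0x9A, /* Low = 0x12345678, High = 0x9abcdef0 */
    0x80, 0x10, 0xB4, 0xC0, 0x8C, 0x94, 0xFF, 0xFF, /* Flink = 0xffff948cc0b41080        */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Blink = 0                         */
};

/* Little-endian scalar read, as x86-64 memory is laid out. */
static uint64_t read_scalar(const uint8_t *mem, uint32_t offset, uint32_t size)
{
    uint64_t v = 0;
    for (uint32_t i = 0; i < size; i++)
        v |= (uint64_t)mem[offset + i] << (8 * i);
    return v;
}

/* Prints `t` mapped at mem + base. Returns the number of member lines emitted
 * (synthetic padding members included), so callers can check the expansion. */
static int dt_print(const struct type_desc *t, const uint8_t *mem, uint32_t base,
                    enum inline_mode mode, int depth)
{
    int lines = 0, pad_id = 0;
    uint32_t cursor = 0;   /* highest byte end seen so far; unions overlap, so not "previous end" */
    printf("%*s%s\n%*s{\n", depth * 2, "", t->name, depth * 2, "");
    for (size_t i = 0; i < t->nfields; i++) {
        const struct field_desc *f = &t->fields[i];
        if (f->offset > cursor) {   /* gap before this member: emit a padding member */
            printf("%*s  /* 0x%04x */ uint8_t Padding_%d[%u];\n", depth * 2, "",
                   (unsigned)cursor, pad_id++, (unsigned)(f->offset - cursor));
            lines++;
        }
        int expand = f->nested && (mode == INLINE_ALL ||
                                   (mode == INLINE_UNNAMED && f->name == NULL));
        if (expand) {
            lines += dt_print(f->nested, mem, base + f->offset, mode, depth + 1);
        } else if (f->nested) {     /* nested type shown as a single member */
            printf("%*s  /* 0x%04x */ %s %s;\n", depth * 2, "", (unsigned)f->offset,
                   f->nested->name, f->name ? f->name : "<unnamed>");
            lines++;
        } else {                    /* scalar: show the value read from the snapshot */
            printf("%*s  /* 0x%04x */ uint%u_t %s = 0x%llx;\n", depth * 2, "",
                   (unsigned)f->offset, (unsigned)(f->size * 8), f->name,
                   (unsigned long long)read_scalar(mem, base + f->offset, f->size));
            lines++;
        }
        if (f->offset + f->size > cursor) cursor = f->offset + f->size;
    }
    if (t->size > cursor) {         /* tail padding up to the declared size */
        printf("%*s  /* 0x%04x */ uint8_t Padding_%d[%u];\n", depth * 2, "",
               (unsigned)cursor, pad_id, (unsigned)(t->size - cursor));
        lines++;
    }
    printf("%*s};\n", depth * 2, "");
    return lines;
}

int main(void)
{
    dt_print(&demo_type, snapshot, 0, INLINE_UNNAMED, 0);   /* the default mode */
    return 0;
}
```

Running it with INLINE_UNNAMED prints Flags, a Padding_0[4] member, the three union members at their overlapping offsets, and Link as one opaque member; switching to INLINE_ALL also unfolds _DEMO_LINK and shows Flink holding the sample address.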
Examples
The following command shows nt!_EPROCESS in an offset format (symbol data only, no address mapping):
dt nt!_EPROCESS
The following command maps the virtual address ffff948cc0b41080 to the nt!_EPROCESS structure:
dt nt!_EPROCESS ffff948cc0b41080
You can also use expressions to map to the structures.
The following command shows all nested structures by inlining each of them in an offset format:
dt nt!_EPROCESS inline all
IOCTL
The IOCTL for this command is implemented like the db, dc, dd, dq (read virtual memory) commands: it reads raw data from memory, and the mapping onto the structure is done on the debugger side.
Remarks
This command is guaranteed to keep the debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
Requirements
None
Related
!dt (display and map physical memory to structures)