Community
Download Research Tutorial hwdbg

dt (display and map virtual memory to structures)

Description of the 'dt' command in HyperDbg.

Command

dt

Syntax

dt [Module!SymbolName (string)] [AddressExpression (string)] [pid ProcessId (hex)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expantion (string)] [output FileName (string)]

Description

Displays data structures in an offset format, maps virtual address to a structure and shows the different fields and their values.

You can use the 'struct' command to make C (header) code structures, enums, and data types from the symbols.

Parameters

[Module!SymbolName (string)]

Module name combined with the symbol name (separated by a ! sign).

[AddressExpression (string)] (optional)

Address or an expression that evaluates as a virtual address. If you leave this argument empty, the symbol data is shown without mapping to data.

[pid ProcessId (hex)] (optional)

The Process ID (in the hex format) that we want to see the memory from its context (cr3).

[padding Padding (yesno)] (optional)

Create padding members. (default: yes)

[offset Offset (yesno)] (optional)

Show offsets. (default: yes)

[bitfield Bitfield (yesno)] (optional)

Allow bitfields in the union. (default: no)

[native Native (yesno)] (optional)

Use types from stdint.h instead of native types. (default: no)

[decl Declaration (yesno)] (optional)

Print declarations. (default: yes)

[def Definitions (yesno)] (optional)

Print definitions. (default: yes)

[func Functions (yesno)] (optional)

Print functions. (default: no)

[pragma Pragma (yesno)] (optional)

Print #pragma pack directives. (default: yes)

[prefix Prefix (string)] (optional)

Prefix for all symbols.

[suffix Suffix (string)] (optional)

Suffix for all symbols.

[inline Expantion (string)] (optional)

Specifies expansion of nested structures/unions. (default: unnamed)

none: only the top-most type is printed.

unnamed: unnamed types are nested.

all: all types are nested.

[output FileName (string)] (optional)

Specifies the output file if the user wants to save the printed data.

If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.

In the Debugger Mode, the pid (parameter) is ignored. If you want to view another process memory, use the '.process' command to switch to another process memory layout.

Examples

The following command is used to show the nt!_EPROCESS in an offset format.

HyperDbg> dt nt!_EPROCESS
 _EPROCESS
  +0x0000 _KPROCESS Pcb
  +0x0438 _EX_PUSH_LOCK ProcessLock
  +0x0440 void* UniqueProcessId
  +0x0448 _LIST_ENTRY ActiveProcessLinks
  +0x0458 _EX_RUNDOWN_REF RundownProtect
  +0x0460 uint32_t Flags2
  +0x0460 uint32_t JobNotReallyActive, Pos 0, 1 Bit
  +0x0460 uint32_t AccountingFolded, Pos 1, 1 Bit
  +0x0460 uint32_t NewProcessReported, Pos 2, 1 Bit
  +0x0460 uint32_t ExitProcessReported, Pos 3, 1 Bit
  +0x0460 uint32_t ReportCommitChanges, Pos 4, 1 Bit
  +0x0460 uint32_t LastReportMemory, Pos 5, 1 Bit
  +0x0460 uint32_t ForceWakeCharge, Pos 6, 1 Bit
  +0x0460 uint32_t CrossSessionCreate, Pos 7, 1 Bit
  +0x0460 uint32_t NeedsHandleRundown, Pos 8, 1 Bit
  +0x0460 uint32_t RefTraceEnabled, Pos 9, 1 Bit
  +0x0460 uint32_t PicoCreated, Pos 10, 1 Bit
  +0x0460 uint32_t EmptyJobEvaluated, Pos 11, 1 Bit
  +0x0460 uint32_t DefaultPagePriority, Pos 12, 3 Bit
  +0x0460 uint32_t PrimaryTokenFrozen, Pos 15, 1 Bit
  +0x0460 uint32_t ProcessVerifierTarget, Pos 16, 1 Bit
  +0x0460 uint32_t RestrictSetThreadContext, Pos 17, 1 Bit
  +0x0460 uint32_t AffinityPermanent, Pos 18, 1 Bit
  +0x0460 uint32_t AffinityUpdateEnable, Pos 19, 1 Bit
  +0x0460 uint32_t PropagateNode, Pos 20, 1 Bit
  ...

The following command is used to map the virtual address at ffff948cc0b41080 to the nt!_EPROCESS structure.

1: kHyperDbg> dt nt!_EPROCESS ffff948cc0b41080
 _EPROCESS
  +0x0000 _KPROCESS Pcb : _KPROCESS
  +0x0438 _EX_PUSH_LOCK ProcessLock : (null)
  +0x0440 void* UniqueProcessId : 00000000`00002240
  +0x0448 _LIST_ENTRY ActiveProcessLinks : _LIST_ENTRY [ ffff948c`bfbd0708 - ffff948c`c1424508 ]
  +0x0458 _EX_RUNDOWN_REF RundownProtect : (null)
  +0x0460 uint32_t Flags2 : 0x200d094
  +0x0460 uint32_t JobNotReallyActive, Pos 0, 1 Bit : 0y0
  +0x0460 uint32_t AccountingFolded, Pos 1, 1 Bit : 0y0
  +0x0460 uint32_t NewProcessReported, Pos 2, 1 Bit : 0y1
  +0x0460 uint32_t ExitProcessReported, Pos 3, 1 Bit : 0y0
  +0x0460 uint32_t ReportCommitChanges, Pos 4, 1 Bit : 0y1
  +0x0460 uint32_t LastReportMemory, Pos 5, 1 Bit : 0y0
  +0x0460 uint32_t ForceWakeCharge, Pos 6, 1 Bit : 0y0
  +0x0460 uint32_t CrossSessionCreate, Pos 7, 1 Bit : 0y1
  +0x0460 uint32_t NeedsHandleRundown, Pos 8, 1 Bit : 0y0
  +0x0460 uint32_t RefTraceEnabled, Pos 9, 1 Bit : 0y0
  +0x0460 uint32_t PicoCreated, Pos 10, 1 Bit : 0y0
  +0x0460 uint32_t EmptyJobEvaluated, Pos 11, 1 Bit : 0y0
  +0x0460 uint32_t DefaultPagePriority, Pos 12, 3 Bit : 0y101 (0x5)
  +0x0460 uint32_t PrimaryTokenFrozen, Pos 15, 1 Bit : 0y1
  +0x0460 uint32_t ProcessVerifierTarget, Pos 16, 1 Bit : 0y0
  +0x0460 uint32_t RestrictSetThreadContext, Pos 17, 1 Bit : 0y0
  +0x0460 uint32_t AffinityPermanent, Pos 18, 1 Bit : 0y0
  +0x0460 uint32_t AffinityUpdateEnable, Pos 19, 1 Bit : 0y0
  +0x0460 uint32_t PropagateNode, Pos 20, 1 Bit : 0y0
  +0x0460 uint32_t ExplicitAffinity, Pos 21, 1 Bit : 0y0
  +0x0460 uint32_t ProcessExecutionState, Pos 22, 2 Bit : 0y00 (0x0)
  +0x0460 uint32_t EnableReadVmLogging, Pos 24, 1 Bit : 0y0
  +0x0460 uint32_t EnableWriteVmLogging, Pos 25, 1 Bit : 0y1
  +0x0460 uint32_t FatalAccessTerminationRequested, Pos 26, 1 Bit : 0y0
  +0x0460 uint32_t DisableSystemAllowedCpuSet, Pos 27, 1 Bit : 0y0
  +0x0460 uint32_t ProcessStateChangeRequest, Pos 28, 2 Bit : 0y00 (0x0)
  +0x0460 uint32_t ProcessStateChangeInProgress, Pos 30, 1 Bit : 0y0
  +0x0460 uint32_t InPrivate, Pos 31, 1 Bit : 0y0
  +0x0464 uint32_t Flags : 0x144d0c01
  +0x0464 uint32_t CreateReported, Pos 0, 1 Bit : 0y1
  +0x0464 uint32_t NoDebugInherit, Pos 1, 1 Bit : 0y0
  +0x0464 uint32_t ProcessExiting, Pos 2, 1 Bit : 0y0
  +0x0464 uint32_t ProcessDelete, Pos 3, 1 Bit : 0y0
  +0x0464 uint32_t ManageExecutableMemoryWrites, Pos 4, 1 Bit : 0y0
  ...

You can also use expressions to map to the structures.

1: kHyperDbg> dt nt!_EPROCESS @rcx+10
 _EPROCESS
  +0x0000 _KPROCESS Pcb : _KPROCESS
  +0x0438 _EX_PUSH_LOCK ProcessLock : (null)
  +0x0440 void* UniqueProcessId : 00000000`00002240
  +0x0448 _LIST_ENTRY ActiveProcessLinks : _LIST_ENTRY [ ffff948c`bfbd0708 - ffff948c`c1424508 ]
  +0x0458 _EX_RUNDOWN_REF RundownProtect : (null)
  +0x0460 uint32_t Flags2 : 0x200d094
  +0x0460 uint32_t JobNotReallyActive, Pos 0, 1 Bit : 0y0
  +0x0460 uint32_t AccountingFolded, Pos 1, 1 Bit : 0y0
  +0x0460 uint32_t NewProcessReported, Pos 2, 1 Bit : 0y1
  +0x0460 uint32_t ExitProcessReported, Pos 3, 1 Bit : 0y0
  +0x0460 uint32_t ReportCommitChanges, Pos 4, 1 Bit : 0y1
  +0x0460 uint32_t LastReportMemory, Pos 5, 1 Bit : 0y0
  +0x0460 uint32_t ForceWakeCharge, Pos 6, 1 Bit : 0y0
  +0x0460 uint32_t CrossSessionCreate, Pos 7, 1 Bit : 0y1
  +0x0460 uint32_t NeedsHandleRundown, Pos 8, 1 Bit : 0y0
  +0x0460 uint32_t RefTraceEnabled, Pos 9, 1 Bit : 0y0
  +0x0460 uint32_t PicoCreated, Pos 10, 1 Bit : 0y0
  +0x0460 uint32_t EmptyJobEvaluated, Pos 11, 1 Bit : 0y0
  +0x0460 uint32_t DefaultPagePriority, Pos 12, 3 Bit : 0y101 (0x5)
  +0x0460 uint32_t PrimaryTokenFrozen, Pos 15, 1 Bit : 0y1
  +0x0460 uint32_t ProcessVerifierTarget, Pos 16, 1 Bit : 0y0
  +0x0460 uint32_t RestrictSetThreadContext, Pos 17, 1 Bit : 0y0
  +0x0460 uint32_t AffinityPermanent, Pos 18, 1 Bit : 0y0
  +0x0460 uint32_t AffinityUpdateEnable, Pos 19, 1 Bit : 0y0
  +0x0460 uint32_t PropagateNode, Pos 20, 1 Bit : 0y0
  +0x0460 uint32_t ExplicitAffinity, Pos 21, 1 Bit : 0y0
  +0x0460 uint32_t ProcessExecutionState, Pos 22, 2 Bit : 0y00 (0x0)
  +0x0460 uint32_t EnableReadVmLogging, Pos 24, 1 Bit : 0y0
  +0x0460 uint32_t EnableWriteVmLogging, Pos 25, 1 Bit : 0y1
  +0x0460 uint32_t FatalAccessTerminationRequested, Pos 26, 1 Bit : 0y0
  +0x0460 uint32_t DisableSystemAllowedCpuSet, Pos 27, 1 Bit : 0y0
  +0x0460 uint32_t ProcessStateChangeRequest, Pos 28, 2 Bit : 0y00 (0x0)
  +0x0460 uint32_t ProcessStateChangeInProgress, Pos 30, 1 Bit : 0y0
  +0x0460 uint32_t InPrivate, Pos 31, 1 Bit : 0y0
  +0x0464 uint32_t Flags : 0x144d0c01
  +0x0464 uint32_t CreateReported, Pos 0, 1 Bit : 0y1
  +0x0464 uint32_t NoDebugInherit, Pos 1, 1 Bit : 0y0
  +0x0464 uint32_t ProcessExiting, Pos 2, 1 Bit : 0y0
  +0x0464 uint32_t ProcessDelete, Pos 3, 1 Bit : 0y0
  +0x0464 uint32_t ManageExecutableMemoryWrites, Pos 4, 1 Bit : 0y0
  ...

The following command is used to show all structures by inlining each structure in an offset format.

HyperDbg> dt nt!_SID inline all
 _SID
  +0x0000 unsigned char Revision
  +0x0001 unsigned char SubAuthorityCount
 _SID_IDENTIFIER_AUTHORITY
  +0x0002 unsigned char Value[6]
 IdentifierAuthority
  +0x0008 unsigned long SubAuthority[1]

IOCTL

The IOCTL for this command is implemented like db, dc, dd, dq (read virtual memory) commands to read data from memory.

Remarks

For implementing this command, pdbex is integrated into HyperDbg.

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Related

!dt (display and map physical memory to structures)

struct (make structures, enums, data types from symbols)

Mapping Data & Create Structures, and Enums From Symbols

Previousk, kd, kq (display stack backtrace)Nextstruct (make structures, enums, data types from symbols)

Last updated