struct (make structures, enums, data types from symbols)
Description of the 'struct' command in HyperDbg.

Command

struct

Syntax

struct [Module!SymbolName (string)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expansion (string)] [output FileName (string)]

Description

Displays structures, enums, and data types in a C (header) format.
You can use this command to create C (header) files from all of the symbols (structures, enums, data types) in the modules by using module!*. See examples for more information.

Parameters

[Module!SymbolName (string)]
Module name combined with the symbol name (separated by a ! sign).
[padding Padding (yesno)] (optional)
Create padding members. (default: yes)
[offset Offset (yesno)] (optional)
Show offsets. (default: yes)
[bitfield Bitfield (yesno)] (optional)
Allow bitfields in the union. (default: no)
[native Native (yesno)] (optional)
Use types from stdint.h instead of native types. (default: no)
[decl Declaration (yesno)] (optional)
Print declarations. (default: yes)
[def Definitions (yesno)] (optional)
Print definitions. (default: yes)
[func Functions (yesno)] (optional)
Print functions. (default: no)
[pragma Pragma (yesno)] (optional)
Print #pragma pack directives. (default: yes)
[prefix Prefix (string)] (optional)
Prefix for all symbols.
[suffix Suffix (string)] (optional)
Suffix for all symbols.
[inline Expansion (string)] (optional)
Specifies expansion of nested structures/unions. (default: unnamed)
  none: only the top-most type is printed.
  unnamed: unnamed types are nested.
  all: all types are nested.
[output FileName (string)] (optional)
Specifies the output file if the user wants to save the printed data.

Examples

The following command prints nt!_TOKEN as C code.
1: kHyperDbg> struct nt!_TOKEN
typedef struct _TOKEN
{
  /* 0x0000 */ struct _TOKEN_SOURCE TokenSource;
  /* 0x0010 */ struct _LUID TokenId;
  /* 0x0018 */ struct _LUID AuthenticationId;
  /* 0x0020 */ struct _LUID ParentTokenId;
  /* 0x0028 */ union _LARGE_INTEGER ExpirationTime;
  /* 0x0030 */ struct _ERESOURCE* TokenLock;
  /* 0x0038 */ struct _LUID ModifiedId;
  /* 0x0040 */ struct _SEP_TOKEN_PRIVILEGES Privileges;
  /* 0x0058 */ struct _SEP_AUDIT_POLICY AuditPolicy;
  /* 0x0077 */ char Padding_0;
  /* 0x0078 */ uint32_t SessionId;
  /* 0x007c */ uint32_t UserAndGroupCount;
  /* 0x0080 */ uint32_t RestrictedSidCount;
  /* 0x0084 */ uint32_t VariableLength;
  /* 0x0088 */ uint32_t DynamicCharged;
  /* 0x008c */ uint32_t DynamicAvailable;
  /* 0x0090 */ uint32_t DefaultOwnerIndex;
  /* 0x0094 */ long Padding_1;
  /* 0x0098 */ struct _SID_AND_ATTRIBUTES* UserAndGroups;
  /* 0x00a0 */ struct _SID_AND_ATTRIBUTES* RestrictedSids;
  /* 0x00a8 */ void* PrimaryGroup;
  /* 0x00b0 */ uint32_t* DynamicPart;
  /* 0x00b8 */ struct _ACL* DefaultDacl;
  /* 0x00c0 */ enum _TOKEN_TYPE TokenType;
  /* 0x00c4 */ enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  /* 0x00c8 */ uint32_t TokenFlags;
  /* 0x00cc */ uint8_t TokenInUse;
  /* 0x00cd */ char Padding_2[3];
  /* 0x00d0 */ uint32_t IntegrityLevelIndex;
  /* 0x00d4 */ uint32_t MandatoryPolicy;
  /* 0x00d8 */ struct _SEP_LOGON_SESSION_REFERENCES* LogonSession;
  /* 0x00e0 */ struct _LUID OriginatingLogonSession;
  /* 0x00e8 */ struct _SID_AND_ATTRIBUTES_HASH SidHash;
  /* 0x01f8 */ struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash;
  /* 0x0308 */ struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
  /* 0x0310 */ void* Package;
  /* 0x0318 */ struct _SID_AND_ATTRIBUTES* Capabilities;
  /* 0x0320 */ uint32_t CapabilityCount;
  /* 0x0324 */ long Padding_3;
  /* 0x0328 */ struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash;
  /* 0x0438 */ struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry;
  /* 0x0440 */ struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry;
  /* 0x0448 */ struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
  /* 0x0450 */ void* TrustLevelSid;
  /* 0x0458 */ struct _TOKEN* TrustLinkedToken;
  /* 0x0460 */ void* IntegrityLevelSidValue;
  /* 0x0468 */ struct _SEP_SID_VALUES_BLOCK* TokenSidValues;
  /* 0x0470 */ struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry;
  /* 0x0478 */ struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo;
  /* 0x0480 */ struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry;
  /* 0x0488 */ void* SessionObject;
  /* 0x0490 */ uint64_t VariablePart;
} TOKEN, *PTOKEN; /* size: 0x0498 */

You can also use this command to rebuild enums.
HyperDbg> struct nt!POWER_ACTION
enum POWER_ACTION
{
  PowerActionNone = 0,
  PowerActionReserved = 1,
  PowerActionSleep = 2,
  PowerActionHibernate = 3,
  PowerActionShutdown = 4,
  PowerActionShutdownReset = 5,
  PowerActionShutdownOff = 6,
  PowerActionWarmEject = 7,
  PowerActionDisplayOff = 8,
};

It's possible to dump all of the structures, enums, and data types into a header file.
1: kHyperDbg> struct nt!* output NtHeader.h

The following command is used to inline each structure into the parent structure.
HyperDbg> struct nt!_SID inline all
typedef struct _SID
{
  /* 0x0000 */ unsigned char Revision;
  /* 0x0001 */ unsigned char SubAuthorityCount;
  struct _SID_IDENTIFIER_AUTHORITY
  {
    /* 0x0002 */ unsigned char Value[6];
  } /* size: 0x0006 */ IdentifierAuthority;
  /* 0x0008 */ unsigned long SubAuthority[1];
} SID, *PSID; /* size: 0x000c */

The following command is used to recursively dump the nt!_TOKEN structure and its sub-structures.
1: kHyperDbg> struct nt!_TOKEN def yes
#include <pshpack1.h>
typedef struct _LUID
{
  /* 0x0000 */ unsigned long LowPart;
  /* 0x0004 */ long HighPart;
} LUID, *PLUID; /* size: 0x0008 */

typedef struct _TOKEN_SOURCE
{
  /* 0x0000 */ char SourceName[8];
  /* 0x0008 */ struct _LUID SourceIdentifier;
} TOKEN_SOURCE, *PTOKEN_SOURCE; /* size: 0x0010 */

typedef union _LARGE_INTEGER
{
  union
  {
    struct
    {
      /* 0x0000 */ unsigned long LowPart;
      /* 0x0004 */ long HighPart;
    }; /* size: 0x0008 */
    struct
    {
      /* 0x0000 */ unsigned long LowPart;
      /* 0x0004 */ long HighPart;
    } /* size: 0x0008 */ u;
    /* 0x0000 */ __int64 QuadPart;
  }; /* size: 0x0008 */
} LARGE_INTEGER, *PLARGE_INTEGER; /* size: 0x0008 */

typedef struct _SEP_TOKEN_PRIVILEGES
{
  /* 0x0000 */ unsigned __int64 Present;
  /* 0x0008 */ unsigned __int64 Enabled;
  /* 0x0010 */ unsigned __int64 EnabledByDefault;
} SEP_TOKEN_PRIVILEGES, *PSEP_TOKEN_PRIVILEGES; /* size: 0x0018 */

typedef struct _TOKEN_AUDIT_POLICY
{
  /* 0x0000 */ unsigned char PerUserPolicy[30];
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY; /* size: 0x001e */

typedef struct _SEP_AUDIT_POLICY
{
  /* 0x0000 */ struct _TOKEN_AUDIT_POLICY AdtTokenPolicy;
  /* 0x001e */ unsigned char PolicySetStatus;
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY; /* size: 0x001f */

typedef enum _TOKEN_TYPE
{
  TokenPrimary = 1,
  TokenImpersonation = 2,
} TOKEN_TYPE, *PTOKEN_TYPE;

typedef enum _SECURITY_IMPERSONATION_LEVEL
{
  SecurityAnonymous = 0,
  SecurityIdentification = 1,
  SecurityImpersonation = 2,
  SecurityDelegation = 3,
} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL;

typedef struct _SID_AND_ATTRIBUTES_HASH
{
  /* 0x0000 */ unsigned long SidCount;
  /* 0x0004 */ long Padding_0;
  /* 0x0008 */ struct _SID_AND_ATTRIBUTES* SidAttr;
  /* 0x0010 */ unsigned __int64 Hash[32];
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH; /* size: 0x0110 */

typedef struct _TOKEN
{
  /* 0x0000 */ struct _TOKEN_SOURCE TokenSource;
  /* 0x0010 */ struct _LUID TokenId;
  /* 0x0018 */ struct _LUID AuthenticationId;
  /* 0x0020 */ struct _LUID ParentTokenId;
  /* 0x0028 */ union _LARGE_INTEGER ExpirationTime;
  /* 0x0030 */ struct _ERESOURCE* TokenLock;
  /* 0x0038 */ struct _LUID ModifiedId;
  /* 0x0040 */ struct _SEP_TOKEN_PRIVILEGES Privileges;
  /* 0x0058 */ struct _SEP_AUDIT_POLICY AuditPolicy;
  /* 0x0077 */ char Padding_1;
  /* 0x0078 */ unsigned long SessionId;
  /* 0x007c */ unsigned long UserAndGroupCount;
  /* 0x0080 */ unsigned long RestrictedSidCount;
  /* 0x0084 */ unsigned long VariableLength;
  /* 0x0088 */ unsigned long DynamicCharged;
  /* 0x008c */ unsigned long DynamicAvailable;
  /* 0x0090 */ unsigned long DefaultOwnerIndex;
  /* 0x0094 */ long Padding_2;
  /* 0x0098 */ struct _SID_AND_ATTRIBUTES* UserAndGroups;
  /* 0x00a0 */ struct _SID_AND_ATTRIBUTES* RestrictedSids;
  /* 0x00a8 */ void* PrimaryGroup;
  /* 0x00b0 */ unsigned long* DynamicPart;
  /* 0x00b8 */ struct _ACL* DefaultDacl;
  /* 0x00c0 */ enum _TOKEN_TYPE TokenType;
  /* 0x00c4 */ enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
  /* 0x00c8 */ unsigned long TokenFlags;
  /* 0x00cc */ unsigned char TokenInUse;
  /* 0x00cd */ char Padding_3[3];
  /* 0x00d0 */ unsigned long IntegrityLevelIndex;
  /* 0x00d4 */ unsigned long MandatoryPolicy;
  /* 0x00d8 */ struct _SEP_LOGON_SESSION_REFERENCES* LogonSession;
  /* 0x00e0 */ struct _LUID OriginatingLogonSession;
  /* 0x00e8 */ struct _SID_AND_ATTRIBUTES_HASH SidHash;
  /* 0x01f8 */ struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash;
  /* 0x0308 */ struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
  /* 0x0310 */ void* Package;
  /* 0x0318 */ struct _SID_AND_ATTRIBUTES* Capabilities;
  /* 0x0320 */ unsigned long CapabilityCount;
  /* 0x0324 */ long Padding_4;
  /* 0x0328 */ struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash;
  /* 0x0438 */ struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry;
  /* 0x0440 */ struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry;
  /* 0x0448 */ struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
  /* 0x0450 */ void* TrustLevelSid;
  /* 0x0458 */ struct _TOKEN* TrustLinkedToken;
  /* 0x0460 */ void* IntegrityLevelSidValue;
  /* 0x0468 */ struct _SEP_SID_VALUES_BLOCK* TokenSidValues;
  /* 0x0470 */ struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry;
  /* 0x0478 */ struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo;
  /* 0x0480 */ struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry;
  /* 0x0488 */ void* SessionObject;
  /* 0x0490 */ unsigned __int64 VariablePart;
} TOKEN, *PTOKEN; /* size: 0x0498 */

#include <poppack.h>
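
The offset comments in this output are what memory-forensics and monitoring tools usually need from it, and kernel layouts such as nt!_TOKEN differ between Windows builds. The following is an added example, not part of HyperDbg or its documentation: it parses one flat structure as printed by struct (one structure at a time, nested definitions not expanded) and reports where offsets a tool hard-codes disagree with the dump. The sample text is a constructed excerpt of the output above, and parse_layout, layout_problems, offset_drift and the expected offsets are hypothetical names and values.

```python
import re

# Constructed sample: excerpt of the `struct nt!_TOKEN` output (members omitted).
SAMPLE = """\
typedef struct _TOKEN
{
  /* 0x0040 */ struct _SEP_TOKEN_PRIVILEGES Privileges;
  /* 0x0098 */ struct _SID_AND_ATTRIBUTES* UserAndGroups;
  /* 0x00cd */ char Padding_2[3];
  /* 0x00d0 */ uint32_t IntegrityLevelIndex;
} TOKEN, *PTOKEN; /* size: 0x0498 */
"""

MEMBER = re.compile(r"/\*\s*0x([0-9a-fA-F]+)\s*\*/\s*([^;{}]+?)\s*;")
DECL = re.compile(r"^(.*?)(\w+)\s*((?:\[\d+\])*)$")
TAIL = re.compile(r"\}\s*(\w+)[^;]*;\s*/\*\s*size:\s*0x([0-9a-fA-F]+)\s*\*/")

def parse_layout(text):
    """Parse one flat typedef struct into name, size and {member: (offset, type)}."""
    tail = TAIL.search(text)
    if tail is None:
        raise ValueError("closing '} NAME; /* size: 0x... */' line not found")
    members = {}
    for off, decl in MEMBER.findall(text):
        m = DECL.match(decl)
        if m:  # skip declarators this simple pattern does not understand
            members[m.group(2)] = (int(off, 16), m.group(1).strip() + m.group(3))
    return {"name": tail.group(1), "size": int(tail.group(2), 16), "members": members}

def layout_problems(layout):
    """Offsets must not go backwards and must lie inside the reported size."""
    problems, prev = [], 0
    for name, (off, _) in layout["members"].items():
        if off < prev or off >= layout["size"]:
            problems.append(name)
        prev = off
    return problems

def offset_drift(expected, layout):
    """Return {member: (hard-coded, dumped)} for every offset that disagrees."""
    dumped = {n: off for n, (off, _) in layout["members"].items()}
    return {n: (want, dumped.get(n)) for n, want in expected.items()
            if dumped.get(n) != want}

if __name__ == "__main__":
    layout = parse_layout(SAMPLE)
    # Hypothetical offsets a tool was built with; the second one is stale.
    print(offset_drift({"Privileges": 0x40, "IntegrityLevelIndex": 0xC8}, layout))
```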

IOCTL

None

Remarks

For implementing this command, pdbex is integrated into HyperDbg.
This command is guaranteed to keep the debuggee halted (in Debugger Mode), so nothing changes during its execution.

Requirements

None