struct (make structures, enums, data types from symbols)

Command
struct
Syntax
struct [Module!SymbolName (string)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expantion (string)] [output FileName (string)]
Description
Displays structures, enums, and data types in a C (header) format.
You can use this command to create C (header) files from all of the symbols (structures, enums, data types) in the modules by using module!*. See examples for more information.
Parameters
[Module!SymbolName (string)]
Module name combined with the symbol name (separated by a ! sign).
[padding Padding (yesno)] (optional)
Create padding members. (default: yes)
[offset Offset (yesno)] (optional)
Show offsets. (default: yes)
[bitfield Bitfield (yesno)] (optional)
Allow bitfields in the union. (default: no)
[native Native (yesno)] (optional)
Use types from stdint.h instead of native types. (default: no)
[decl Declaration (yesno)] (optional)
Print declarations. (default: yes)
[def Definitions (yesno)] (optional)
Print definitions. (default: yes)
[func Functions (yesno)] (optional)
Print functions. (default: no)
[pragma Pragma (yesno)] (optional)
Print #pragma pack directives. (default: yes)
[prefix Prefix (string)] (optional)
Prefix for all symbols.
[suffix Suffix (string)] (optional)
Suffix for all symbols.
[inline Expantion (string)] (optional)
Specifies expansion of nested structures/unions. (default: unnamed)
   none: only the top-most type is printed.
   unnamed: unnamed types are nested.
   all: all types are nested.
[output FileName (string)] (optional)
Specifies the output file if the user wants to save the printed data.
Examples
The following command is used to convert nt!_TOKEN into a C format code.
1
1: kHyperDbg> struct nt!_TOKEN
2
typedef struct _TOKEN
3
{
4
  /* 0x0000 */ struct _TOKEN_SOURCE TokenSource;
5
  /* 0x0010 */ struct _LUID TokenId;
6
  /* 0x0018 */ struct _LUID AuthenticationId;
7
  /* 0x0020 */ struct _LUID ParentTokenId;
8
  /* 0x0028 */ union _LARGE_INTEGER ExpirationTime;
9
  /* 0x0030 */ struct _ERESOURCE* TokenLock;
10
  /* 0x0038 */ struct _LUID ModifiedId;
11
  /* 0x0040 */ struct _SEP_TOKEN_PRIVILEGES Privileges;
12
  /* 0x0058 */ struct _SEP_AUDIT_POLICY AuditPolicy;
13
  /* 0x0077 */ char Padding_0;
14
  /* 0x0078 */ uint32_t SessionId;
15
  /* 0x007c */ uint32_t UserAndGroupCount;
16
  /* 0x0080 */ uint32_t RestrictedSidCount;
17
  /* 0x0084 */ uint32_t VariableLength;
18
  /* 0x0088 */ uint32_t DynamicCharged;
19
  /* 0x008c */ uint32_t DynamicAvailable;
20
  /* 0x0090 */ uint32_t DefaultOwnerIndex;
21
  /* 0x0094 */ long Padding_1;
22
  /* 0x0098 */ struct _SID_AND_ATTRIBUTES* UserAndGroups;
23
  /* 0x00a0 */ struct _SID_AND_ATTRIBUTES* RestrictedSids;
24
  /* 0x00a8 */ void* PrimaryGroup;
25
  /* 0x00b0 */ uint32_t* DynamicPart;
26
  /* 0x00b8 */ struct _ACL* DefaultDacl;
27
  /* 0x00c0 */ enum _TOKEN_TYPE TokenType;
28
  /* 0x00c4 */ enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
29
  /* 0x00c8 */ uint32_t TokenFlags;
30
  /* 0x00cc */ uint8_t TokenInUse;
31
  /* 0x00cd */ char Padding_2[3];
32
  /* 0x00d0 */ uint32_t IntegrityLevelIndex;
33
  /* 0x00d4 */ uint32_t MandatoryPolicy;
34
  /* 0x00d8 */ struct _SEP_LOGON_SESSION_REFERENCES* LogonSession;
35
  /* 0x00e0 */ struct _LUID OriginatingLogonSession;
36
  /* 0x00e8 */ struct _SID_AND_ATTRIBUTES_HASH SidHash;
37
  /* 0x01f8 */ struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash;
38
  /* 0x0308 */ struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
39
  /* 0x0310 */ void* Package;
40
  /* 0x0318 */ struct _SID_AND_ATTRIBUTES* Capabilities;
41
  /* 0x0320 */ uint32_t CapabilityCount;
42
  /* 0x0324 */ long Padding_3;
43
  /* 0x0328 */ struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash;
44
  /* 0x0438 */ struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry;
45
  /* 0x0440 */ struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry;
46
  /* 0x0448 */ struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
47
  /* 0x0450 */ void* TrustLevelSid;
48
  /* 0x0458 */ struct _TOKEN* TrustLinkedToken;
49
  /* 0x0460 */ void* IntegrityLevelSidValue;
50
  /* 0x0468 */ struct _SEP_SID_VALUES_BLOCK* TokenSidValues;
51
  /* 0x0470 */ struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry;
52
  /* 0x0478 */ struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo;
53
  /* 0x0480 */ struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry;
54
  /* 0x0488 */ void* SessionObject;
55
  /* 0x0490 */ uint64_t VariablePart;
56
} TOKEN, *PTOKEN; /* size: 0x0498 */
Copied!
You can aslo use this command to rebuild enums.
1
HyperDbg> struct nt!POWER_ACTION
2
enum POWER_ACTION
3
{
4
  PowerActionNone = 0,
5
  PowerActionReserved = 1,
6
  PowerActionSleep = 2,
7
  PowerActionHibernate = 3,
8
  PowerActionShutdown = 4,
9
  PowerActionShutdownReset = 5,
10
  PowerActionShutdownOff = 6,
11
  PowerActionWarmEject = 7,
12
  PowerActionDisplayOff = 8,
13
};
Copied!
It's possible to dump all of the structures, enums, and data types into a header file.
1
1: kHyperDbg> struct nt!* output NtHeader.h
Copied!
The following command is used to inline each structure into the parent structure.
1
HyperDbg> struct nt!_SID inline all
2
typedef struct _SID
3
{
4
  /* 0x0000 */ unsigned char Revision;
5
  /* 0x0001 */ unsigned char SubAuthorityCount;
6
  struct _SID_IDENTIFIER_AUTHORITY
7
  {
8
    /* 0x0002 */ unsigned char Value[6];
9
  } /* size: 0x0006 */ IdentifierAuthority;
10
  /* 0x0008 */ unsigned long SubAuthority[1];
11
} SID, *PSID; /* size: 0x000c */
Copied!
The following command is used to recursively dump the nt!_TOKEN structure and its sub-structures.
1
1: kHyperDbg> struct nt!_TOKEN def yes
2
#include <pshpack1.h>
3
typedef struct _LUID
4
{
5
  /* 0x0000 */ unsigned long LowPart;
6
  /* 0x0004 */ long HighPart;
7
} LUID, *PLUID; /* size: 0x0008 */
8
​
9
typedef struct _TOKEN_SOURCE
10
{
11
  /* 0x0000 */ char SourceName[8];
12
  /* 0x0008 */ struct _LUID SourceIdentifier;
13
} TOKEN_SOURCE, *PTOKEN_SOURCE; /* size: 0x0010 */
14
​
15
typedef union _LARGE_INTEGER
16
{
17
  union
18
  {
19
    struct
20
    {
21
      /* 0x0000 */ unsigned long LowPart;
22
      /* 0x0004 */ long HighPart;
23
    }; /* size: 0x0008 */
24
    struct
25
    {
26
      /* 0x0000 */ unsigned long LowPart;
27
      /* 0x0004 */ long HighPart;
28
    } /* size: 0x0008 */ u;
29
    /* 0x0000 */ __int64 QuadPart;
30
  }; /* size: 0x0008 */
31
} LARGE_INTEGER, *PLARGE_INTEGER; /* size: 0x0008 */
32
​
33
typedef struct _SEP_TOKEN_PRIVILEGES
34
{
35
  /* 0x0000 */ unsigned __int64 Present;
36
  /* 0x0008 */ unsigned __int64 Enabled;
37
  /* 0x0010 */ unsigned __int64 EnabledByDefault;
38
} SEP_TOKEN_PRIVILEGES, *PSEP_TOKEN_PRIVILEGES; /* size: 0x0018 */
39
​
40
typedef struct _TOKEN_AUDIT_POLICY
41
{
42
  /* 0x0000 */ unsigned char PerUserPolicy[30];
43
} TOKEN_AUDIT_POLICY, *PTOKEN_AUDIT_POLICY; /* size: 0x001e */
44
​
45
typedef struct _SEP_AUDIT_POLICY
46
{
47
  /* 0x0000 */ struct _TOKEN_AUDIT_POLICY AdtTokenPolicy;
48
  /* 0x001e */ unsigned char PolicySetStatus;
49
} SEP_AUDIT_POLICY, *PSEP_AUDIT_POLICY; /* size: 0x001f */
50
​
51
typedef enum _TOKEN_TYPE
52
{
53
  TokenPrimary = 1,
54
  TokenImpersonation = 2,
55
} TOKEN_TYPE, *PTOKEN_TYPE;
56
​
57
typedef enum _SECURITY_IMPERSONATION_LEVEL
58
{
59
  SecurityAnonymous = 0,
60
  SecurityIdentification = 1,
61
  SecurityImpersonation = 2,
62
  SecurityDelegation = 3,
63
} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL;
64
​
65
typedef struct _SID_AND_ATTRIBUTES_HASH
66
{
67
  /* 0x0000 */ unsigned long SidCount;
68
  /* 0x0004 */ long Padding_0;
69
  /* 0x0008 */ struct _SID_AND_ATTRIBUTES* SidAttr;
70
  /* 0x0010 */ unsigned __int64 Hash[32];
71
} SID_AND_ATTRIBUTES_HASH, *PSID_AND_ATTRIBUTES_HASH; /* size: 0x0110 */
72
​
73
typedef struct _TOKEN
74
{
75
  /* 0x0000 */ struct _TOKEN_SOURCE TokenSource;
76
  /* 0x0010 */ struct _LUID TokenId;
77
  /* 0x0018 */ struct _LUID AuthenticationId;
78
  /* 0x0020 */ struct _LUID ParentTokenId;
79
  /* 0x0028 */ union _LARGE_INTEGER ExpirationTime;
80
  /* 0x0030 */ struct _ERESOURCE* TokenLock;
81
  /* 0x0038 */ struct _LUID ModifiedId;
82
  /* 0x0040 */ struct _SEP_TOKEN_PRIVILEGES Privileges;
83
  /* 0x0058 */ struct _SEP_AUDIT_POLICY AuditPolicy;
84
  /* 0x0077 */ char Padding_1;
85
  /* 0x0078 */ unsigned long SessionId;
86
  /* 0x007c */ unsigned long UserAndGroupCount;
87
  /* 0x0080 */ unsigned long RestrictedSidCount;
88
  /* 0x0084 */ unsigned long VariableLength;
89
  /* 0x0088 */ unsigned long DynamicCharged;
90
  /* 0x008c */ unsigned long DynamicAvailable;
91
  /* 0x0090 */ unsigned long DefaultOwnerIndex;
92
  /* 0x0094 */ long Padding_2;
93
  /* 0x0098 */ struct _SID_AND_ATTRIBUTES* UserAndGroups;
94
  /* 0x00a0 */ struct _SID_AND_ATTRIBUTES* RestrictedSids;
95
  /* 0x00a8 */ void* PrimaryGroup;
96
  /* 0x00b0 */ unsigned long* DynamicPart;
97
  /* 0x00b8 */ struct _ACL* DefaultDacl;
98
  /* 0x00c0 */ enum _TOKEN_TYPE TokenType;
99
  /* 0x00c4 */ enum _SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
100
  /* 0x00c8 */ unsigned long TokenFlags;
101
  /* 0x00cc */ unsigned char TokenInUse;
102
  /* 0x00cd */ char Padding_3[3];
103
  /* 0x00d0 */ unsigned long IntegrityLevelIndex;
104
  /* 0x00d4 */ unsigned long MandatoryPolicy;
105
  /* 0x00d8 */ struct _SEP_LOGON_SESSION_REFERENCES* LogonSession;
106
  /* 0x00e0 */ struct _LUID OriginatingLogonSession;
107
  /* 0x00e8 */ struct _SID_AND_ATTRIBUTES_HASH SidHash;
108
  /* 0x01f8 */ struct _SID_AND_ATTRIBUTES_HASH RestrictedSidHash;
109
  /* 0x0308 */ struct _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION* pSecurityAttributes;
110
  /* 0x0310 */ void* Package;
111
  /* 0x0318 */ struct _SID_AND_ATTRIBUTES* Capabilities;
112
  /* 0x0320 */ unsigned long CapabilityCount;
113
  /* 0x0324 */ long Padding_4;
114
  /* 0x0328 */ struct _SID_AND_ATTRIBUTES_HASH CapabilitiesHash;
115
  /* 0x0438 */ struct _SEP_LOWBOX_NUMBER_ENTRY* LowboxNumberEntry;
116
  /* 0x0440 */ struct _SEP_CACHED_HANDLES_ENTRY* LowboxHandlesEntry;
117
  /* 0x0448 */ struct _AUTHZBASEP_CLAIM_ATTRIBUTES_COLLECTION* pClaimAttributes;
118
  /* 0x0450 */ void* TrustLevelSid;
119
  /* 0x0458 */ struct _TOKEN* TrustLinkedToken;
120
  /* 0x0460 */ void* IntegrityLevelSidValue;
121
  /* 0x0468 */ struct _SEP_SID_VALUES_BLOCK* TokenSidValues;
122
  /* 0x0470 */ struct _SEP_LUID_TO_INDEX_MAP_ENTRY* IndexEntry;
123
  /* 0x0478 */ struct _SEP_TOKEN_DIAG_TRACK_ENTRY* DiagnosticInfo;
124
  /* 0x0480 */ struct _SEP_CACHED_HANDLES_ENTRY* BnoIsolationHandlesEntry;
125
  /* 0x0488 */ void* SessionObject;
126
  /* 0x0490 */ unsigned __int64 VariablePart;
127
} TOKEN, *PTOKEN; /* size: 0x0498 */
128
​
129
#include <poppack.h>
Copied!
IOCTL
None
Remarks
For implementing this command, pdbex is integrated into HyperDbg.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
Requirements
None
Related
​dt (display and map virtual memory to structures)​
​!dt (display and map physical memory to structures)​
​Mapping Data & Create Structures, and Enums From Symbols​

dt (display and map virtual memory to structures)

sleep (wait for specific time in the .script command)

Last modified 28d ago

Copy link

Edit on GitHub

Contents