!dt (display and map physical memory to structures)

Command
!dt
Syntax
!dt [Module!SymbolName (string)] [AddressExpression (string)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expantion (string)] [output FileName (string)]
Description
Displays data structures in an offset format, maps a physical address to a structure and shows the different fields and their values.
You can use the 'struct' command to make C (header) code structures, enums, and data types from the symbols.
Parameters
[Module!SymbolName (string)]
Module name combined with the symbol name (separated by a ! sign).
[AddressExpression (string)] (optional)
Address or an expression that evaluates as a physical address. If you leave this argument empty, the symbol data is shown without mapping to data.
[padding Padding (yesno)] (optional)
Create padding members. (default: yes)
[offset Offset (yesno)] (optional)
Show offsets. (default: yes)
[bitfield Bitfield (yesno)] (optional)
Allow bitfields in the union. (default: no)
[native Native (yesno)] (optional)
Use types from stdint.h instead of native types. (default: no)
[decl Declaration (yesno)] (optional)
Print declarations. (default: yes)
[def Definitions (yesno)] (optional)
Print definitions. (default: yes)
[func Functions (yesno)] (optional)
Print functions. (default: no)
[pragma Pragma (yesno)] (optional)
Print #pragma pack directives. (default: yes)
[prefix Prefix (string)] (optional)
Prefix for all symbols.
[suffix Suffix (string)] (optional)
Suffix for all symbols.
[inline Expantion (string)] (optional)
Specifies expansion of nested structures/unions. (default: unnamed)
   none: only the top-most type is printed.
   unnamed: unnamed types are nested.
   all: all types are nested.
[output FileName (string)] (optional)
Specifies the output file if the user wants to save the printed data.
Examples
The following command is used to map the physical address at ac09080 to the nt!_EPROCESS structure.
1
1: kHyperDbg> !dt nt!_EPROCESS ac09080
2
 _EPROCESS
3
  +0x0000 _KPROCESS Pcb : _KPROCESS
4
  +0x0438 _EX_PUSH_LOCK ProcessLock : (null)
5
  +0x0440 void* UniqueProcessId : 00000000`00002240
6
  +0x0448 _LIST_ENTRY ActiveProcessLinks : _LIST_ENTRY [ ffff948c`bfbd0708 - ffff948c`c1424508 ]
7
  +0x0458 _EX_RUNDOWN_REF RundownProtect : (null)
8
  +0x0460 uint32_t Flags2 : 0x200d094
9
  +0x0460 uint32_t JobNotReallyActive, Pos 0, 1 Bit : 0y0
10
  +0x0460 uint32_t AccountingFolded, Pos 1, 1 Bit : 0y0
11
  +0x0460 uint32_t NewProcessReported, Pos 2, 1 Bit : 0y1
12
  +0x0460 uint32_t ExitProcessReported, Pos 3, 1 Bit : 0y0
13
  +0x0460 uint32_t ReportCommitChanges, Pos 4, 1 Bit : 0y1
14
  +0x0460 uint32_t LastReportMemory, Pos 5, 1 Bit : 0y0
15
  +0x0460 uint32_t ForceWakeCharge, Pos 6, 1 Bit : 0y0
16
  +0x0460 uint32_t CrossSessionCreate, Pos 7, 1 Bit : 0y1
17
  +0x0460 uint32_t NeedsHandleRundown, Pos 8, 1 Bit : 0y0
18
  +0x0460 uint32_t RefTraceEnabled, Pos 9, 1 Bit : 0y0
19
  +0x0460 uint32_t PicoCreated, Pos 10, 1 Bit : 0y0
20
  +0x0460 uint32_t EmptyJobEvaluated, Pos 11, 1 Bit : 0y0
21
  +0x0460 uint32_t DefaultPagePriority, Pos 12, 3 Bit : 0y101 (0x5)
22
  +0x0460 uint32_t PrimaryTokenFrozen, Pos 15, 1 Bit : 0y1
23
  +0x0460 uint32_t ProcessVerifierTarget, Pos 16, 1 Bit : 0y0
24
  +0x0460 uint32_t RestrictSetThreadContext, Pos 17, 1 Bit : 0y0
25
  +0x0460 uint32_t AffinityPermanent, Pos 18, 1 Bit : 0y0
26
  +0x0460 uint32_t AffinityUpdateEnable, Pos 19, 1 Bit : 0y0
27
  +0x0460 uint32_t PropagateNode, Pos 20, 1 Bit : 0y0
28
  +0x0460 uint32_t ExplicitAffinity, Pos 21, 1 Bit : 0y0
29
  +0x0460 uint32_t ProcessExecutionState, Pos 22, 2 Bit : 0y00 (0x0)
30
  +0x0460 uint32_t EnableReadVmLogging, Pos 24, 1 Bit : 0y0
31
  +0x0460 uint32_t EnableWriteVmLogging, Pos 25, 1 Bit : 0y1
32
  +0x0460 uint32_t FatalAccessTerminationRequested, Pos 26, 1 Bit : 0y0
33
  +0x0460 uint32_t DisableSystemAllowedCpuSet, Pos 27, 1 Bit : 0y0
34
  +0x0460 uint32_t ProcessStateChangeRequest, Pos 28, 2 Bit : 0y00 (0x0)
35
  +0x0460 uint32_t ProcessStateChangeInProgress, Pos 30, 1 Bit : 0y0
36
  +0x0460 uint32_t InPrivate, Pos 31, 1 Bit : 0y0
37
  +0x0464 uint32_t Flags : 0x144d0c01
38
  +0x0464 uint32_t CreateReported, Pos 0, 1 Bit : 0y1
39
  +0x0464 uint32_t NoDebugInherit, Pos 1, 1 Bit : 0y0
40
  +0x0464 uint32_t ProcessExiting, Pos 2, 1 Bit : 0y0
41
  +0x0464 uint32_t ProcessDelete, Pos 3, 1 Bit : 0y0
42
  +0x0464 uint32_t ManageExecutableMemoryWrites, Pos 4, 1 Bit : 0y0
43
  ...
Copied!
IOCTL
The IOCTL for this command is implemented like !db, !dc, !dd, !dq (read physical memory) commands to read data from memory.
Remarks
For implementing this command, pdbex is integrated into HyperDbg.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
Requirements
None
Related
​dt (display and map virtual memory to structures)​
​struct (make structures, enums, data types from symbols)​
​Mapping Data & Create Structures, and Enums From Symbols​

!u, !u2 (disassemble physical address)

!epthook (hidden hook with EPT - stealth breakpoints)

Last modified 2mo ago

Copy link

Edit on GitHub

Contents