!dt (display and map physical memory to structures)
Description of the '!dt' command in HyperDbg.
Previous!u, !u64, !u2, !u32 (disassemble physical address)Next!track (track and map function calls and returns to the symbols)
Last updated
Description of the '!dt' command in HyperDbg.
Last updated
!dt
!dt [Module!SymbolName (string)] [AddressExpression (string)] [padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] [suffix Suffix (string)] [inline Expantion (string)] [output FileName (string)]
Displays data structures in an offset format, maps a physical address to a structure and shows the different fields and their values.
You can use the '' command to make C (header) code structures, enums, and data types from the symbols.
[Module!SymbolName (string)]
Module name combined with the symbol name (separated by a ! sign).
[AddressExpression (string)] (optional)
Address or an expression that evaluates as a physical address. If you leave this argument empty, the symbol data is shown without mapping to data.
[padding Padding (yesno)] (optional)
Create padding members. (default: yes)
[offset Offset (yesno)] (optional)
Show offsets. (default: yes)
[bitfield Bitfield (yesno)] (optional)
Allow bitfields in the union. (default: no)
[native Native (yesno)] (optional)
Use types from stdint.h instead of native types. (default: no)
[decl Declaration (yesno)] (optional)
Print declarations. (default: yes)
[def Definitions (yesno)] (optional)
Print definitions. (default: yes)
[func Functions (yesno)] (optional)
Print functions. (default: no)
[pragma Pragma (yesno)] (optional)
Print #pragma pack directives. (default: yes)
[prefix Prefix (string)] (optional)
Prefix for all symbols.
[suffix Suffix (string)] (optional)
Suffix for all symbols.
[inline Expantion (string)] (optional)
Specifies expansion of nested structures/unions. (default: unnamed)
none: only the top-most type is printed.
unnamed: unnamed types are nested.
all: all types are nested.
[output FileName (string)] (optional)
Specifies the output file if the user wants to save the printed data.
The following command is used to map the physical address at ac09080 to the nt!_EPROCESS structure.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.
None
The IOCTL for this command is implemented like commands to read data from memory.
For implementing this command, is integrated into HyperDbg.