Thread: Windbg “dt” output converter

  1. #1 ZaiRoN, Join Date: Oct 2001

    Windbg “dt” output converter

    How many times did you create a structure starting from Windbg's dt command output? It sometimes happens, especially if you use Ida or if you need to code something. It’s something that makes me feel unhappy. It’s a boring job for sure, particularly when you have to deal with big structures (i.e. ethread). There are some ready-made definitions online, but there isn’t a standard definition for a single structure. Most of the time it depends on the OS you are running on.

    All I want to do is to convert dt’s output into a struct definition. The output to convert is something like this (obtained in Windbg using the “dt _list_entry” command):
    +0x000 Flink            : Ptr32 _LIST_ENTRY
    +0x004 Blink            : Ptr32 _LIST_ENTRY
    And this is what I want to generate:
    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY* Flink;    // 0x000
        struct _LIST_ENTRY* Blink;    // 0x004
    } LIST_ENTRY, *PLIST_ENTRY;
    I’m not a Windbg guru and I don’t know if there is a quicker way, so the idea is to write something able to perform (almost all of) the conversion.

    The GUI is pretty simple: it contains two edit boxes and two buttons, nothing more. The conversion process starts by pressing the “Convert” button; the program converts the data stored in the clipboard. The left box will be filled with the clipboard’s contents while the other box will contain the converted structure. What to store in the clipboard? Look at the picture below:

    The selected text is what you have to store in the clipboard; everything starts from the ‘_’ character. Once you have saved the text you can convert the structure. Here’s the result:

    The edit box is editable; it’s necessary because most of the time it’s hard to predict the right type to display. I don’t know if it’s possible to perform a perfect conversion; the aim of this tool is to speed up the conversion process. With some minor changes you should be able to obtain a perfect conversion.

    This tool is not totally complete, I have some more things to add. As usual I didn’t test it too much because I prefer to fix it when a bug occurs. Anyway, it seems to work fine and you can contact me for comments/criticism/suggestions/etc.

    ps. HAPPY NEW YEAR!!!

  2. #2 dELTA (Administrator), Join Date: Oct 2000
    And it's added to the CRCETL:

    You should be able to track all updates of it from that URL from now on.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Thanks for the tool contribution Zai!


  4. #4 Kayaker, Join Date: Oct 2000
    Oh SuuhWeet.. I was looking under the Xmas tree for this

    A couple of little bugs to mention.

    UChar and Char should be converted to UCHAR and CHAR so IDA doesn't complain.
    Uint4B is converted to ULONG OK, but there are also instances of Int4B (see _KTHREAD) which should be converted to LONG.

    I'm not complaining, more of a warning at this point, but using the r(ecursive) option of dt doesn't seem to produce accurate results, i.e. converting
    dt -r _KTHREAD
    The DISPATCHER_HEADER and LIST_ENTRY substructure unions don't look quite right (duplicating the existing indentation would be nice too if you ever look at this).

    Thanks for this Zairon.


  5. #5 ZaiRoN, Join Date: Oct 2001
    dt -r _KTHREAD
    The conversion is made on simple dt command, that's why you got a strange result. I chose to work on this output because I prefer to use separated structures. Just out of curiosity, do you all prefer "dt -r" output?

    I'll work on your suggestions. Thanks

  6. #6 Super Moderator, Join Date: Dec 2004
    Just out of curiosity, do you all prefer "dt -r" output?
    hehe, I vote yes

    Now, if you are working on -r, then I would say you can try forcing -o on users as well, which might lessen some of the burden on parsing,
    as -o output forces windbg to display it without the offsets like +0000, +0x2000, etc.

    0:000> dt -o ntdll!_kapc_state
       ApcListHead      : [2] _LIST_ENTRY
       Process          : Ptr32 _KPROCESS
       KernelApcInProgress : UChar
       KernelApcPending : UChar
       UserApcPending   : UChar

    Actually I had an Excel macro doing some of this crap, can't find it atm.

    It worked like this:

    .logopen foo.txt
    dt -o ntdll!_somestruct

    open Excel --> find the log file and open it
    import data (text file)
    delimited by other: semicolon --> import as text
    delete the first 2 lines
    delete the last 2 lines
    select the first column, copy and paste it into the 3rd column, and delete the first column
    delete sheet 2 and sheet 3
    save sheet 1 as text (tab delimited)

     [2] _LIST_ENTRY	   ApcListHead      
     Ptr32 _KPROCESS	   Process          
     UChar	   KernelApcInProgress 
     UChar	   KernelApcPending 
     UChar	   UserApcPending
    then find/replace on the text file

    Nice work there, Zairon
    Last edited by blabberer; January 2nd, 2008 at 11:31.
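The converter described in post #1, as an added example that is not ZaiRoN's tool (its source is not on this page): it accepts both the plain dt output of post #1 (offset column present) and the dt -o output of post #6 (no offsets), applies the UChar/Char and Int4B mappings Kayaker asked for in post #4, and leaves any type it does not know untouched so it can be fixed by hand in the edit box. The type table, the regular expressions and the two sample strings are constructed here.

```python
import re
# dt primitive -> Windows typedef (constructed table; covers the UChar/Char and Int4B cases from post #4)
DT_TYPES = {"Char": "CHAR", "UChar": "UCHAR", "Int2B": "SHORT", "Uint2B": "USHORT",
            "Int4B": "LONG", "Uint4B": "ULONG", "Int8B": "LONGLONG", "Uint8B": "ULONGLONG",
            "Void": "VOID"}
# Header line copied from the '_' character on, e.g. "_LIST_ENTRY" or "ntdll!_LIST_ENTRY".
HEADER_RE = re.compile(r"^\s*(?:\w+!)?(_\w+)\s*$")
# Field line; the "+0x000" offset column is present for plain "dt" and absent for "dt -o".
FIELD_RE = re.compile(r"^\s*(?:\+0x([0-9a-fA-F]+)\s+)?([A-Za-z_]\w*)\s*:\s*(.+?)\s*$")

def convert_type(dt_type):
    """Translate one dt type expression into (C type, array suffix)."""
    suffix, stars = "", ""
    m = re.match(r"^\[(\d+)\]\s*(.+)$", dt_type)                # "[2] _LIST_ENTRY" -> array
    if m:
        suffix, dt_type = f"[{m.group(1)}]", m.group(2)
    while (m := re.match(r"^Ptr(?:32|64)\s+(.+)$", dt_type)):   # "Ptr32 Ptr32 Void" -> VOID**
        stars, dt_type = stars + "*", m.group(1)
    if dt_type in DT_TYPES:
        return DT_TYPES[dt_type] + stars, suffix
    if dt_type.startswith("_"):                                 # nested structure, by tag
        return f"struct {dt_type}" + stars, suffix
    return dt_type + stars, suffix                              # unknown: leave for hand editing

def dt_to_struct(dt_output, name=None):
    """Convert copied "dt" or "dt -o" output into a typedef'd C struct."""
    fields = []
    for line in dt_output.splitlines():
        h = HEADER_RE.match(line)
        if h and name is None:
            name = h.group(1)
        f = FIELD_RE.match(line)
        if not f:                                               # prompt, header or blank line
            continue
        offset, field, dt_type = f.groups()
        ctype, suffix = convert_type(dt_type)
        decl = f"    {ctype} {field}{suffix};"
        if offset is not None:                                  # keep the offset as a comment
            decl = f"{decl:<40}// 0x{int(offset, 16):03x}"
        fields.append(decl)
    if name is None:
        raise ValueError("structure name not found in input; pass name=")
    tag = name.lstrip("_")
    return "\n".join([f"typedef struct {name} {{", *fields, f"}} {tag}, *P{tag};"])

# Constructed samples: post #1's "dt _list_entry" and post #6's "dt -o ntdll!_kapc_state".
DT_LIST_ENTRY = "_LIST_ENTRY\n +0x000 Flink : Ptr32 _LIST_ENTRY\n +0x004 Blink : Ptr32 _LIST_ENTRY\n"
DT_O_KAPC = ("ApcListHead : [2] _LIST_ENTRY\nProcess : Ptr32 _KPROCESS\n"
             "KernelApcInProgress : UChar\nKernelApcPending : UChar\nUserApcPending : UChar\n")
```

Bitfields ("Pos 0, 1 Bit") and unions from dt -r are deliberately not handled, matching the "simple dt" scope ZaiRoN describes in post #5; they come through unchanged for manual editing.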
