Kernel Data Structures – dt nt!_* and dt nt!_ -r

It’s Monday morning, and my week is going to be very busy, so I thought I’ll write a small and simple blog post today. Kernel Data Structures contain lots of useful information when debugging, but it’s understanding which data structures correspond to what situation and dump file and how to open these data structures.

I highly recommend checking this website out for Kernel Data Structures and some debugging examples, it’s such a excellent resource – Code Machine Articles – Kernel Data Structures

Some of the data structures which are available in WinDbg are available on the Windows Driver Development Kit documentation.

Okay, the dt nt!_* command lists all the available data structure prototypes, which WinDbg can open and format for you to understand, I find this especially useful for learning which data structures are relevant and what additional information they may contain.

The above screenshot is only partially the output of the command, but due to size limitations of the Snipping Tool, it’s what I could manage to upload the most of.

Let’s look into the _POOL_BLOCK_HEAD data structure, which contains two substructures which are _POOL_HEADER and _LIST_ENTRY. We need to enter the following command: dt nt!_POOL_BLOCK_HEAD.

We could open the two structures individually with two separate commands using the same method, however, the better method is to use the -r switch, which will also open all substructures within the specified structure.

The first block is the _POOL_HEADER data structure, and when the output is aligned to the right, this is the beginning of the _LIST_ENTRY data structure.

 

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in WinDbg. Bookmark the permalink.

One Response to Kernel Data Structures – dt nt!_* and dt nt!_ -r

  1. VnSpl0it says:

    Great, Thanks !

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s