
Friday, 19 September 2014

WinDbg : The Difference Between The Dot (.) & The Arrow (->) In The dt Command

Commands used:

We have seen that a dot (.) after the name of a structure member makes the dt command expand that member's sub-structure one level:

kd> dt nt!_EPROCESS pcb.
   +0x000 Pcb  : 
      +0x000 Header : _DISPATCHER_HEADER
      +0x010 ProfileListHead : _LIST_ENTRY
      +0x018 DirectoryTableBase : Uint4B

<Output Snipped to Save Space>

The same can be achieved with the arrow followed by an asterisk (->*):

kd> dt nt!_EPROCESS pcb->*
   +0x000 Pcb   : 
      +0x000 Header : _DISPATCHER_HEADER
      +0x010 ProfileListHead : _LIST_ENTRY
      +0x018 DirectoryTableBase : Uint4B

<Output Snipped to Save Space>

So what, if anything, is the difference between the two? At the first level a single . is equivalent to ->*. The differences show up when more than one level is involved.

The dot recursively expands structures nested within structures, and dots can be stacked: .... (four dots in a row) expands down to the fourth level of nesting. The arrow (->) instead dereferences a pointer, and it has to be followed by the name of a field (or by * for all fields) rather than by further dots.

The examples below use the pseudo-register $proc, which holds the address of the current process's _EPROCESS, together with the -y option, which lets a field name be given as a prefix, so pc.H resolves to Pcb.Header. To learn more about pseudo-registers, please read the earlier post on that subject.

No dot: Header is named but not expanded.

lkd> dt nt!_EPROCESS @$proc -y pc.H
   +0x000 Pcb  :
      +0x000 Header : _DISPATCHER_HEADER

A single dot expands Header one level:

lkd> dt nt!_EPROCESS @$proc -y pc.H.
   +0x000 Pcb   :
      +0x000 Header :
         +0x000 Type  : 0x3 ''
         +0x001 Absolute : 0 ''
         +0x002 Size  : 0x1b ''
         +0x003 Inserted : 0 ''
         +0x004 SignalState : 0n0
         +0x008 WaitListHead : _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]

A single dot is equivalent to ->*:

lkd> dt nt!_EPROCESS @$proc -y pc.H->*
   +0x000 Pcb    :
      +0x000 Header :
         +0x000 Type   : 0x3 ''
         +0x001 Absolute : 0 ''
         +0x002 Size   : 0x1b ''
         +0x003 Inserted : 0 ''
         +0x004 SignalState : 0n0
         +0x008 WaitListHead : _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]

A double dot goes one level further and also expands the _LIST_ENTRY:

lkd> dt nt!_EPROCESS @$proc -y pc.H..
   +0x000 Pcb    :
      +0x000 Header :
         +0x000 Type   : 0x3 ''
         +0x001 Absolute : 0 ''
         +0x002 Size   : 0x1b ''
         +0x003 Inserted : 0 ''
         +0x004 SignalState : 0n0
         +0x008 WaitListHead :  [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x000 Flink  : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x004 Blink  : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]

The arrow can also be followed by a field name; here W (a prefix of WaitListHead, matched because of -y) is then expanded with a single dot or with ->*, and both work:

lkd> dt nt!_EPROCESS @$proc -y pc.H->W.
   +0x000 Pcb      :
      +0x000 Header   :
         +0x008 WaitListHead :  [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x000 Flink    : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x004 Blink    : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]

lkd> dt nt!_EPROCESS @$proc -y pc.H->W->*
   +0x000 Pcb       :
      +0x000 Header    :
         +0x008 WaitListHead :  [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x000 Flink     : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x004 Blink     : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]

Two dots after the arrow-selected field, however, fail:

lkd> dt nt!_EPROCESS @$proc -y pc.H->W..
   +0x000 Pcb       :
      +0x000 Header    :
         +0x008 WaitListHead :  [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x000 Flink     :
            +0x004 Blink     :
Cannot find specified field members

The second dot fails because Flink and Blink are pointers (each holds the address 0x866dd6d0 of another _LIST_ENTRY) and the dot only descends into structures embedded in place; following a pointer is what the arrow is for.
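When scripting over dt output (for example from pykd or from a saved log), it helps to recover the nesting that the dots and arrows produced. The following Python is an added example, not part of the original post: it parses the transcripts above into a tree using dt's three-space indentation, sums the per-member offsets into absolute offsets from the start of _EPROCESS, reports how many levels were expanded, and lists the members still shown only as a structure type, i.e. the ones another dot would open. The sample inputs are copied from the outputs above; the three-space indent step and the "+0x" line layout are assumptions read off that output rather than a documented contract.

```python
import re

# One line of WinDbg "dt" output: indentation, "+0x<offset>", the field name,
# then a colon followed by a type name, a value, or nothing at all (nothing
# means the field was expanded and its members follow on the next lines).
# Assumption: this layout is read off the transcripts above, not documented.
DT_LINE = re.compile(
    r"^(?P<indent> *)\+0x(?P<off>[0-9A-Fa-f]+)\s+(?P<name>\w+)\s*:\s*(?P<rest>.*)$"
)
# A member shown only as a structure type (e.g. "_DISPATCHER_HEADER") is one
# that a further '.' would have expanded.
STRUCT_TYPE = re.compile(r"^_\w+$")

# Sample inputs copied from the post's own transcripts (constructed test data).
SINGLE_DOT = """\
kd> dt nt!_EPROCESS pcb.
   +0x000 Pcb  :
      +0x000 Header : _DISPATCHER_HEADER
      +0x010 ProfileListHead : _LIST_ENTRY
      +0x018 DirectoryTableBase : Uint4B
"""

DOUBLE_DOT = """\
lkd> dt nt!_EPROCESS @$proc -y pc.H..
   +0x000 Pcb    :
      +0x000 Header :
         +0x000 Type   : 0x3 ''
         +0x001 Absolute : 0 ''
         +0x002 Size   : 0x1b ''
         +0x003 Inserted : 0 ''
         +0x004 SignalState : 0n0
         +0x008 WaitListHead :  [ 0x866dd6d0 - 0x866dd6d0 ]
            +0x000 Flink  : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 -
0x866dd6d0 ]
            +0x004 Blink  : 0x866dd6d0 _LIST_ENTRY [ 0x866dd6d0 - 0x866dd6d0 ]
Cannot find specified field members
"""


def parse_dt(text):
    """Build a tree from dt output. Each node is a dict with keys name,
    offset (relative to its parent), rest (text after the colon) and
    children. Nesting is recovered from the indentation dt prints."""
    root = {"name": "<root>", "offset": 0, "rest": "", "children": []}
    stack = [(-1, root)]          # (indent width, node)
    last = None
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if not m:
            # dt wraps a long "[ Flink - Blink ]" range onto a second line;
            # glue that tail back onto the previous field. Prompts and error
            # messages never follow a dangling "-" and are simply skipped.
            if last is not None and last["rest"].endswith("-") and line.strip():
                last["rest"] += " " + line.strip()
            continue
        indent = len(m.group("indent"))
        node = {"name": m.group("name"), "offset": int(m.group("off"), 16),
                "rest": m.group("rest").strip(), "children": []}
        while stack[-1][0] >= indent:   # climb back out to this line's parent
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
        last = node
    return root["children"]


def _walk(nodes, base=0, prefix=""):
    """Yield (dotted path, absolute offset, node) for every field in the tree."""
    for n in nodes:
        path = f"{prefix}.{n['name']}" if prefix else n["name"]
        yield path, base + n["offset"], n
        yield from _walk(n["children"], base + n["offset"], path)


def absolute_offsets(nodes):
    """Map each dotted path to its offset from the start of the outer type;
    dt prints offsets relative to the enclosing member, so they are summed."""
    return {path: off for path, off, _ in _walk(nodes)}


def field_text(nodes):
    """Map each dotted path to the value/type text dt printed after the colon."""
    return {path: n["rest"] for path, _, n in _walk(nodes)}


def max_depth(nodes):
    """How many levels of nesting the dots (or ->) actually opened."""
    return max((path.count(".") + 1 for path, _, _ in _walk(nodes)), default=0)


def unexpanded_structs(nodes):
    """Members still shown only as a structure type name: the ones one more
    '.' would expand. Pointer members show a value, not a bare type, and
    need -> instead."""
    return [path for path, _, n in _walk(nodes)
            if not n["children"] and STRUCT_TYPE.match(n["rest"])]


if __name__ == "__main__":
    tree = parse_dt(DOUBLE_DOT)
    for path, off, node in _walk(tree):
        print(f"+0x{off:03x} {path}: {node['rest']}")
    print("levels expanded:", max_depth(tree))
    print("still closed after one dot:", unexpanded_structs(parse_dt(SINGLE_DOT)))
```

Running the script prints every member of the double-dot transcript with its absolute offset inside _EPROCESS (Blink ends up at +0x00c), reports four expanded levels, and shows that after a single dot Pcb.Header and Pcb.ProfileListHead are the members a further dot would open.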
