how to make dt display structure.member inside another structure

raj_r · November 6, 2008, 7:54am

does any one know how i can make windbg diplay a substructures member

for example

lkd> dt nt!_kthread apcstate apcstate.process poi(ffdff124)
+0x034 ApcState : _KAPC_STATE
+0x010 Process : 0x859d15c8 _KPROCESS

now i need to get the DirectoryTableBase of this process

this works

lkd> dt nt!_kprocess DirectoryTablebase 859d15c8
+0x018 DirectoryTableBase : [2] 0xf180260

lkd> !process 859d15c8
PROCESS 859d15c8 SessionId: 0 Cid: 0878 Peb: 7ffdb000 ParentCid: 06d4
DirBase: 0f180260 ObjectTable: e10b5168 HandleCount: 73.
Image: windbg.exe
VadRoot 864ecc98 Vads 76 Clone 0 Private 1542. Modified 2138. Locked 1.

but this does not

lkd> dt nt!_kthread apcstate apcstate.process.DirectoryTableBase poi(ffdff124)
+0x034 ApcState : _KAPC_STATE
+0x010 Process :
lkd> dt nt!_kthread apcstate apcstate.process.directorytablebase poi(ffdff124)
+0x034 ApcState : _KAPC_STATE
+0x010 Process

any ideas how i can force it some level deeper and not just stop at
first level down ? :

gokul_tv · November 6, 2008, 8:16am

Try ‘-b’ switch in dt command.

You may want to look into the WinDbg documentation, before asking help in
the post. The winDbg documentation for ‘dt’ command says clearly,
*-b* Display blocks recursively. If a displayed structure contains
substructures, it is expanded recursively to arbitrary depths and displayed
in full. Pointers are expanded only if they are in the *original* structure,
not in substructures.

–
Regards,
T.V.Gokul.

raj_r · November 6, 2008, 8:39am

On 11/6/08, Gokul TV wrote:
>
> Try ‘-b’ switch in dt command.

thanks -b doesnt display the substructure member

lkd> dt nt!_kthread apcstate apcstate.process.DirectoryTableBase
poi(ffdff124)
+0x034 ApcState : _KAPC_STATE
+0x010 Process :
lkd> dt -b nt!_kthread apcstate apcstate.process.DirectoryTableBase
poi(ffdff124)
+0x034 ApcState : _KAPC_STATE
+0x010 Process

gokul_tv · November 6, 2008, 8:53am

If you want to expand ‘KTHREAD’ use *dt -b nt!_KTHREAD*; if you want to
expand _KAPC_STATE use *dt -b nt!_KAPC_STATE*.

If I understand correctly, you want to look into the APC_STATE structure
that is embedded in KTHREAD right? In such case, just use * dt -b
nt!_KTHREAD * This will recursively expand all teh sub-structure of
KTHREAD, which in-turn includes KAPC_STATE.

Regards,
T.V.Gokul.

jimd · November 6, 2008, 9:00am

Did you try dt -r ?
-r[l] Recursively dump the subtypes (fields) upto l levels.

On Thu, Nov 6, 2008 at 8:38 AM, raj_r wrote:

>
>
> On 11/6/08, Gokul TV wrote:
>>
>> Try ‘-b’ switch in dt command.
>
>
> thanks -b doesnt display the substructure member
>
> lkd> dt nt!_kthread apcstate apcstate.process.DirectoryTableBase
> poi(ffdff124)
> +0x034 ApcState : _KAPC_STATE
> +0x010 Process :
> lkd> dt -b nt!_kthread apcstate apcstate.process.DirectoryTableBase
> poi(ffdff124)
> +0x034 ApcState : _KAPC_STATE
> +0x010 Process
>
>
> — You are currently subscribed to windbg as: xxxxx@jimdonelson.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com

raj_r · November 6, 2008, 9:14am

On 11/6/08, Gokul TV wrote:
> If you want to expand ‘KTHREAD’ use dt -b nt!_KTHREAD; if you want to expand
> _KAPC_STATE use dt -b nt!_KAPC_STATE.
>
> If I understand correctly, you want to look into the APC_STATE structure
> that is embedded in KTHREAD right? In such case, just use dt -b nt!_KTHREAD
> This will recursively expand all teh sub-structure of KTHREAD, which
> in-turn includes KAPC_STATE.

sorry i believe i havent been able to explain my requirement properly

i want to look into the DirectoryTableBase of _KPROCESS in _KAPC_STATE
of _KTHREAD

and i dont want to give any

hope that explains my query a bit more properly

regards

raj_r

raj_r · November 6, 2008, 9:20am

On 11/6/08, Jim Donelson wrote:
> Did you try dt -r ?
> -r[l] Recursively dump the subtypes (fields) upto l levels.
>
>
yeah that -r[#] doesnt help either

anyway i was hating to hack some unreadable unrememberable script to
get what i want but it seems there is no otherway to make it display
things automatically
ill try copy pasting some thing into a .foreach script to isolate the
_kprocess and pass it as an argument to another dt

regards

raj_r

raj_r · November 6, 2008, 11:34am

here is a convoluted .foreach script that i cobbled together

if anyone can tell me a better clearer and easier way it would be most welcome

kd> dt nt!_kthread apcstate apcstate.process poi(ffdff124) ; .foreach
/pS 7 /ps 1 (place { dt nt!_kthread apcstate apcstate.process
poi(ffdff124) } ) {.echo place; r $t0 = place ; dt nt!_kprocess
DirectoryTableBase @$t0 ; !process @$t0 0}

+0x034 ApcState : _KAPC_STATE
+0x010 Process : 0x81189230 _KPROCESS
0x81189230
+0x018 DirectoryTableBase : [2] 0x83d3000
PROCESS 81189230 SessionId: 0 Cid: 06b4 Peb: 7ffd6000 ParentCid: 04bc
DirBase: 083d3000 ObjectTable: e1867278 HandleCount: 27.
Image: calc.exe

regrards

raj_r

On 11/6/08, raj_r wrote:
> On 11/6/08, Jim Donelson wrote:
> > Did you try dt -r ?
> > -r[l] Recursively dump the subtypes (fields) upto l levels.
> >
> >
> yeah that -r[#] doesnt help either
>
> anyway i was hating to hack some unreadable unrememberable script to
> get what i want but it seems there is no otherway to make it display
> things automatically
> ill try copy pasting some thing into a .foreach script to isolate the
> _kprocess and pass it as an argument to another dt
>
> regards
>
> raj_r
>