How many times did you create a structure starting from Windbg's dt command output? It sometimes happens especially if you use Ida or if you need to code something. It’s something that makes me feel unhappy. It’s a boring job for sure, particularly when you have to deal with big structures (i.e. ethread). There are some ready made definitions online, but there’s not a standard definition for a single structure. Most of the time it depends on the OS you are running on.

All I want to do is to convert dt’s output into a struct definition. The output to convert is something like (obtained by Windbg using “dt _list_entry” command):

Code:

ntdll!_LIST_ENTRY

+0×000 Flink            : Ptr32 _LIST_ENTRY

+0×004 Blink            : Ptr32 _LIST_ENTRY

And this is what I want to generate:

I’m not a Windbg guru and I don’t know if there is a quickest way, so the idea is to write something able to perform (almost all) the convertion.

The gui is pretty simple, it contains two edit boxes and two buttons, nothing more. The convertion process starts by pressing the “Convert” button, the program converts the data stored inside the clipboard. The left box will be filled with the clipboard’s contents while the other box will contain the converted structure. What to store inside the clipboard? Look at the picture below:

http://zairon.files.wordpress.com/2007/12/dt_clipboard.jpg

Selected text is what you have to store into clipboard, everything starts from ‘_’ character. Once you have saved the text you can convert the structure. Here’s the result:

http://zairon.files.wordpress.com/2007/12/dt_convertion.jpg

The edit box is editable, it’s necessary because most of the time it’s hard to predict the right type to display. I don’t know if it’s possible to perform a perfect convertion, the aim of this tool is to speed up the convertion process. With some minor changes you should be able to obtain a perfect convertion.

This tool is not totally complete, I have some more things to add. As usual I didn’t test it too much because I prefer to fix it when a bug occours. Anyway, it seems to work fine and you can contact me for comment/criticism/suggestion/etcetc.

ps. HAPPY NEW YEAR!!!

And it's added to the CRCETL:

http://www.woodmann.com/collaborative/tools/WinDbg_Struct_Converter

You should be able to track all updates of it from that URL from now on.

Thanks for the tool contribution Zai!

Regards,

Oh SuuhWeet.. I was looking under the Xmas tree for this

A couple of little bugs to mention.


UChar and Char should be converted to UCHAR and CHAR so IDA doesn't complain.
Uint4B is converted to ULONG OK, but there are also instances of Int4B (see _KTHREAD) which should be converted to LONG.

I'm not complaining, more of a warning at this point, but using the r(ecursive) option of dt doesn't seem to produce accurate results, i.e. converting
dt -r _KTHREAD
The DISPATCHER_HEADER and LIST_ENTRY substructure unions don't look quite right (duplicating the existing indentations would be nice too if you ever look at this)

Thanks for this Zairon.

Kayaker

The conversion is made on simple dt command, that's why you got a strange result. I chose to work on this output because I prefer to use separated structures. Just out of curiosity, do you all prefer "dt -r" output?

I'll work on your suggestions. Thx

hehe i vote yes

now if you are working on -r then i would say you can try forcing -o on users as well which might lessen some burden on parsing
as -o output forces windbg to display it without the offsets like +0000 + 0x2000 + blah blah etc




actually i had an excel macro doing some of this crap cant find it atm

worked like this

.logopen foo.txt
dt -o ntdll!_somestruct
.logclose

open excel --> find the log file and open
import data (text file)
selimited by other : semicolon --> import as text
delete first 2 lines
delete last 2 lines
select first column copy paste it to 3rd column and delete first column
delete sheet 2 and sheet 3
save sheet 1 as text (tab delimited)



then find replace on the text file

nice work there Zairon