WinDbg common View Commands

1, DT View structure content

DT + struct name or dt + struct name + address

kd> DT _object_headernt!_object_header   +0x000 pointercount     : int4b   +0x004 handlecount      : Int4B   +0x004 nexttofree       : Ptr32 Void   +0x008 Type             : Ptr32 _object_type   +0x00c nameinfooffset   : UChar   +0x00d Handleinfooffset:uchar   +0x00e quotainfooffset  : UChar   +0x00f Flags            : UChar   + 0x010 objectcreateinfo:ptr32 _object_create_information   +0x010 quotablockcharged:ptr32 Void   +0x014 Securitydescriptor:ptr32 Void   +0x018 Body             : _quad

kd> DT _object_header 0x88132d58  //This address my native address of an object header Nt!_object_header   +0x000 pointercount     : 2   +0x004 Handlecount      : 0   +0x004 nexttofree       : (null)    +0x008 Type             : 0x884ee288 _object_type   +0x00c Nameinfooffset   : 0x10 '   +0x00d handleinfooffset:0 '   +0x00e quotainfooffset  : 0x20 '   + 0x00f Flags            : 0x1a '   +0x010 objectcreateinfo:0x00000001 _object_create_information   +0x010 quotablockcharged:0x00000001    +0x014 SecurityDescriptor: (null)    +0x018 Body             : _quad

kd> DT _object_header_name_info 0x88132d48  //object name Nt!_object_header_name_info   +0x000 Directory        : 0xe10067f0 _object_directory   +0x004 Name             : _unicode_string "Keread"   +0x00c queryreferences  : 1

kd> DT _unicode_string 0x88132d4cnt!_unicode_string "Keread"   +0x000 Length           : 0xc   +0x002 maximumlength    : 0xc   +0x004 Buffer           : 0xe2164968  "Keread"

2, DD and so on the memory address of the contents of four bytes and so on display

DD + Address

DD e2164968e2164968  0065004b 00650052 00640061 5112730de2164978  00080403 e24e4d43 e2164a80 e216b008e2164988  00000000 417b0026 36334444 2d384141e2164998  41313537 3735342d 32412d39 442d3636e21649a8  35463636 43323032 7d424243 00000000e21649b8  0c080408 e24e4d43 00010001 3aabe829e21649c8 00000000 417b0026  43364344 2d383842e21649d8  43343234 4431312d 35392d32 302d4132

DD e2164968 L10    //Not  small L--l10e2164968 0065004b 00650052 00640061 5112730de2164978 00080403 e24e4d43 E2 164A80 e216b008e2164988 00000000 417b0026 36334444 2d384141e2164998 41313537 3735342d 32412d39 442d3636

3. Da, du will read the contents of the memory address in ASCII or Unicode form

<span style= "font-family:arial, Helvetica, Sans-serif; font-size:12px; " >kd> da e2164968</span>

e2164968  "K" kd> da e2164969e2164969  "" Kd> da e216496ae216496a  "E" kd> da e216496be216496b  "" Kd> da e216496ce216496c  "R" kd> da e216496de216496d "  " kd> da e216496ee216496e  "E" kd> da e216496fe216496f "  " kd> da e2164970e2164970  "a"

Kd> du e2164968e2164968  "Keread 猍 Confucianism?.?.?.?."

Some of the common commands are not tested individually:

1. Da is read in ASCII string
2. DB reads in single-byte and ASCII strings
3. DC reads in 4-byte and ASCII strings
4. dd reads in 4 bytes
5. DD reads in double floating-point (8-byte) format
6. DF reads in single floating-point (4-byte) format
7. DP reads by pointer (32-bit system reads 4 bytes, 64-bit system reads 8-byte) format
8. DQ reads in 8 bytes
9. Du is read as a Unicode string
10. DW reads in 2 bytes
11. DW reads in 2-byte and ASCII strings
12. Dyb in single-byte and binary reads
13. Dyd according to 4 bytes and binary read

WinDbg common View Commands