How to read a variable which is part of a global structure through a debug extension?

pillowyMantis Member Posts: 2

Hi there, I am connected to a kernel and I am writing a debug extension for a driver. I have loaded the symbols for the driver, and there's this global structure x which contains a pointer to an instance of a class y. I can dereference this pointer, typecast the pointer as the instance y and read it fine from the watch window of WinDbg. But I have trouble doing it through the debug extension I am writing. I can read the symbol address for x using IDebugSymbols3::GetOffsetByName and get the pointer value using ReadTypedDataVirtual, but am unable to access this instance of y since it's not exactly a . Does anyone know how I can access this variable (instance of y) since it doesn't actually have a symbol name? Thanks, I am trying to use dbgeng.h


  • Scott_Noone_(OSR) Administrator Posts: 3,302

    Not sure I follow... Classes should have type information in the PDB (module!ClassName), though I'm not sure if that's what you're asking? A concrete example would help.

    However, have you looked at the new JavaScript interface to the debugger? Much easier than writing a C++ extension.


  • pillowyMantis Member Posts: 2

    I would like to typecast a pointer as an instance of a class from within a WinDbg extension. Is it possible? Because it can be done from the watch window.

  • Scott_Noone_(OSR) Administrator Posts: 3,302

    I think ExtRemoteTyped from engextcpp is what you want.

    I suspect JavaScript will be way easier though. See host.createTypedObject
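
The host.createTypedObject route mentioned above, as an added example that is not part of the original thread: it resolves the global, reads the pointer field, and re-types the pointee as the class. The module name `mydrv` and field name `pY` are hypothetical placeholders; `x` and `y` follow the question, and `host` is passed as a parameter so the logic can be exercised outside the debugger.

```javascript
"use strict";

// Hypothetical names: adjust to the driver being debugged.
const DEFAULTS = { module: "mydrv", global: "x", field: "pY", type: "y" };

// Resolve module!global, read its pointer field, and re-type the pointee
// as module!type. Returns null when the pointer is NULL.
function castGlobalField(host, opts) {
    const o = Object.assign({}, DEFAULTS, opts);
    // Typed view of the global, equivalent to evaluating mydrv!x.
    const globalObj = host.getModuleSymbol(o.module, o.global);
    const ptr = globalObj[o.field];
    if (ptr === undefined) {
        throw new Error(`${o.module}!${o.global} has no field ${o.field}`);
    }
    // For pointer objects, .address is the pointer's value (a 64-bit library type).
    const target = ptr.address;
    if (target.compareTo(0) === 0) {
        return null; // nothing to cast; avoid reading address 0
    }
    // Equivalent of the watch-window cast (mydrv!y *)ptr followed by a dereference.
    return host.createTypedObject(target, o.module, o.type);
}

// Debugger entry point for .scriptrun (WinDbg supplies the global `host`).
function invokeScript() {
    const obj = castGlobalField(host, {});
    host.diagnostics.debugLog(
        obj === null ? "pointer is NULL\n" : `${obj.targetLocation}\n`);
}
```
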


  • raj_r Member - All Emails Posts: 983
    edited January 27

    I am unable to visualize your "exactly a ." sentence,
    but here is extension code that uses ExtRemoteTyped
    to cast a void * to a type * and print out the structured data

        #include <engextcpp.cpp>

        // Extension class; EXT_CLASS is the default class name engextcpp expects
        class EXT_CLASS : public ExtExtension
        {
        public:
            EXT_COMMAND_METHOD(mydt);
        };

        EXT_DECLARE_GLOBALS();

        EXT_COMMAND( mydt, "mydt", "{;e,o,d=@$peb;!mydt;}" )
        {
            // if Address is not given (like !mydt 12345678), Address defaults to the @$peb pseudo-register
            ExtRemoteTyped Peb("(ntdll!_PEB*)@$extin", GetUnnamedArgU64(0));
            // will print only the address of the current _PEB
            Peb.OutFullValue();
            ExtRemoteTyped ProcessHeap = Peb.Field("ProcessHeap");
            // prints like dt ntdll!_PEB ProcessHeap @$peb; no type info, shown as PVOID
            ProcessHeap.OutFullValue();
            ULONG64 v_off = ProcessHeap.m_Offset;   // address of the field inside the _PEB
            Out("%I64x\n" , v_off);
            ULONG64 v_data = ProcessHeap.m_Data;    // pointer value stored in the field
            Out("%I64x\n" , v_data);
            // cast the untyped pointer value to ntdll!_HEAP*
            ExtRemoteTyped MyHeap("(ntdll!_HEAP*)@$extin", v_data);
            ExtRemoteTyped MyHeapCounts = MyHeap.Field("Counters");
            // prints like dt ntdll!_HEAP Counters->* @@c++(@$peb->ProcessHeap)
            MyHeapCounts.OutFullValue();
        }

    built using vs2017 community as x86 and win 10 18362 headers and libs

    @echo off
    rem add the debugger SDK headers and x86 libs to the compiler search paths
    set "INCLUDE=%INCLUDE%;E:\windjs\windbg_18362\inc"
    set "LIB=%LIB%;E:\windjs\windbg_18362\lib\x86"
    set "LINKLIBS=user32.lib kernel32.lib dbgeng.lib dbghelp.lib"
    cl /LD /nologo /W4 /Od /Zi /EHsc mydt.cpp /link /nologo %LINKLIBS% /EXPORT:DebugExtensionInitialize /Export:mydt /Export:help /RELEASE

    executed results


    E:\windbg_18362\inc\engextcpp.cpp(1849): warning C4245: ItoI64 -/+ mismatch
       Creating library mydt.lib and object mydt.exp

    cdb -c ".load .\mydt;!mydt;q" cdb

    0:000> cdb: Reading initial command '.load .\mydt;!mydt;q'
    0x7ffd8000              ->>> Peb
    void * 0x00160000       ->>> ProcessHeap
    7ffd8018                ->>> Peb + #FieldOffset("_PEB","ProcessHeap")
    160000                  ->>> ULONG64
    struct _HEAP_COUNTERS
       +0x000 TotalMemoryReserved : 0x100000
       +0x004 TotalMemoryCommitted : 0xa000
       +0x008 TotalMemoryLargeUCR : 0xf6000
       +0x00c TotalSizeInVirtualBlocks : 0
       +0x010 TotalSegments    : 1
       +0x014 TotalUCRs        : 1
       +0x018 CommittOps       : 5
       +0x01c DeCommitOps      : 0
       +0x020 LockAcquires     : 0
       +0x024 LockCollisions   : 0
       +0x028 CommitRate       : 5
       +0x02c DecommittRate    : 0
       +0x030 CommitFailures   : 0
       +0x034 InBlockCommitFailures : 0
       +0x038 CompactHeapCalls : 0
       +0x03c CompactedUCRs    : 0
       +0x040 AllocAndFreeOps  : 0
       +0x044 InBlockDeccommits : 0
       +0x048 InBlockDeccomitSize : 0
       +0x04c HighWatermarkSize : 0x9f88
       +0x050 LastPolledSize   : 0x9900