Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


WinDbg dt help

fredantomfredantom Member Posts: 8
edited October 2019 in WINDBG

I'm trying to view the data structure of _DEVICE_OBJECT > DeviceExtension ... As seen below.

But how would i now go about getting the structure of DeviceExtension?
(I tried to do "dt nt!_DEVICE_OBJECT -b" but It doesn't get the structure of DeviceExtension)

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,483

    The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there's no standard for what it contains. That's why it is shown as a void*.

    If this is your driver, then you know the type of the device extension, and you can use "dt yourdriver!MY_DEVICE_CONTEXT" to view it.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • fredantomfredantom Member Posts: 8
    edited October 2019

    @Tim_Roberts said:
    The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there's no standard for what it contains. That's why it is shown as a void*.

    If this is your driver, then you know the type of the device extension, and you can use "dt yourdriver!MY_DEVICE_CONTEXT" to view it.

    How would I get the structure if it wasn't my driver? For example: "dt somedriver!X" then what should x be if I had no insight to how the driver was written?

    As seen here:

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,887

    How would I get the structure if it wasn't my driver

    Well, you don't. The data structure definition isn't even necessarily public.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • fredantomfredantom Member Posts: 8

    @Peter_Viscarola_(OSR) said:

    How would I get the structure if it wasn't my driver

    Well, you don't. The data structure definition isn't even necessarily public.

    Peter

    What if you knew the type of the device (+0x048 DeviceType : Uint4B) would it then be possible to somehow reverse the structure of DeviceExtension?

    For example: #define FILE_DEVICE_DISK 0x00000007 (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types)

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,483

    Absolutely not. You have to have the symbols for the driver. There is no other way.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • fredantomfredantom Member Posts: 8

    @Tim_Roberts said:
    Absolutely not. You have to have the symbols for the driver. There is no other way.

    But, then I'm right back to my second question: How can I get the DeviceExtension of a driver that isn't mine in windbg (look at second screenshot i posted).

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,483

    Is there something unclear about "you don't" and "there is no other way"?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,887

    How can I get the DeviceExtension of a driver that isn't mine in windbg

    You can not. The content and format of a DeviceExtension is up to the developer who writes the driver. It’s not standard. It’s not documented. It’s not available. It’s private.

    Have a nice day.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA