WinDbg dt help

I’m trying to view the data structure of _DEVICE_OBJECT > DeviceExtension … As seen below.

But how would I now go about getting the structure of DeviceExtension?
(I tried to do “dt nt!_DEVICE_OBJECT -b” but it doesn’t get the structure of DeviceExtension.)

The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there’s no standard for what it contains. That’s why it is shown as a void*.

If this is your driver, then you know the type of the device extension, and you can use “dt yourdriver!MY_DEVICE_CONTEXT” to view it.

@Tim_Roberts said:
The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there’s no standard for what it contains. That’s why it is shown as a void*.

If this is your driver, then you know the type of the device extension, and you can use “dt yourdriver!MY_DEVICE_CONTEXT” to view it.

How would I get the structure if it wasn’t my driver? For example: “dt somedriver!X”; then what should X be if I had no insight into how the driver was written?

As seen here:

How would I get the structure if it wasn’t my driver

Well, you don’t. The data structure definition isn’t even necessarily public.

Peter

@“Peter_Viscarola_(OSR)” said:

How would I get the structure if it wasn’t my driver

Well, you don’t. The data structure definition isn’t even necessarily public.

Peter

What if you knew the type of the device (+0x048 DeviceType : Uint4B)? Would it then be possible to somehow reverse the structure of DeviceExtension?

For example: #define FILE_DEVICE_DISK 0x00000007 (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types)

Absolutely not. You have to have the symbols for the driver. There is no other way.

@Tim_Roberts said:
Absolutely not. You have to have the symbols for the driver. There is no other way.

But then I’m right back to my second question: How can I get the DeviceExtension of a driver that isn’t mine in WinDbg? (Look at the second screenshot I posted.)

Is there something unclear about “you don’t” and “there is no other way”?

How can I get the DeviceExtension of a driver that isn’t mine in WinDbg

You cannot. The content and format of a DeviceExtension is up to the developer who writes the driver. It’s not standard. It’s not documented. It’s not available. It’s private.

Have a nice day.

Peter