I’m trying to view the data structure of _DEVICE_OBJECT > DeviceExtension … as seen below.
But how would I now go about getting the structure of DeviceExtension?
(I tried to do “dt nt!_DEVICE_OBJECT -b” but it doesn’t get the structure of DeviceExtension.)
The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there’s no standard for what it contains. That’s why it is shown as a void*.
If this is your driver, then you know the type of the device extension, and you can use “dt yourdriver!MY_DEVICE_CONTEXT” to view it.
@Tim_Roberts said:
The type of the DeviceExtension is up to each individual driver. The DEVICE_OBJECT holds an opaque pointer to it as a convenience, but there’s no standard for what it contains. That’s why it is shown as a void*.
If this is your driver, then you know the type of the device extension, and you can use “dt yourdriver!MY_DEVICE_CONTEXT” to view it.
How would I get the structure if it wasn’t my driver? For example: “dt somedriver!X” then what should x be if I had no insight to how the driver was written?
As seen here:
How would I get the structure if it wasn’t my driver
Well, you don’t. The data structure definition isn’t even necessarily public.
Peter
@“Peter_Viscarola_(OSR)” said:
How would I get the structure if it wasn’t my driver
Well, you don’t. The data structure definition isn’t even necessarily public.
Peter
What if you knew the type of the device (+0x048 DeviceType : Uint4B), would it then be possible to somehow reverse the structure of DeviceExtension?
For example: #define FILE_DEVICE_DISK 0x00000007 (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/specifying-device-types)
Absolutely not. You have to have the symbols for the driver. There is no other way.
@Tim_Roberts said:
Absolutely not. You have to have the symbols for the driver. There is no other way.
But then I’m right back to my second question: How can I get the DeviceExtension of a driver that isn’t mine in WinDbg (look at the second screenshot I posted)?
Is there something unclear about “you don’t” and “there is no other way”?
How can I get the DeviceExtension of a driver that isn’t mine in windbg
You can not. The content and format of a DeviceExtension is up to the developer who writes the driver. It’s not standard. It’s not documented. It’s not available. It’s private.
Have a nice day.
Peter
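The ownership model behind both answers above (the extension is sized, laid out and interpreted by one driver; the kernel only stores a void*; DeviceType says nothing about the layout) as an added, user-mode C illustration. This is not code from the thread or from any Windows driver: MOCK_DEVICE_OBJECT, MockIoCreateDevice and the two hypothetical DRIVER_A/DRIVER_B extension structs are invented for the example, and only the pattern (DeviceExtensionSize passed at creation, extension allocated right after the object, driver casts the pointer to its own type) mirrors the real IoCreateDevice API.

```c
/*
 * Added example, not code from the OSR thread or from any real driver: a
 * user-mode mock of the DeviceExtension ownership model described above.
 * MOCK_DEVICE_OBJECT, MockIoCreateDevice and the *_EXTENSION structs are
 * assumptions made up for illustration; the real nt!_DEVICE_OBJECT has many
 * more members and the real IoCreateDevice lives in the kernel.
 * Build with any C99 compiler: cc -std=c99 -Wall ext_mock.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILE_DEVICE_DISK 0x00000007u   /* public value cited in the thread */

/* Stand-in for the two nt!_DEVICE_OBJECT members the thread discusses. */
typedef struct _MOCK_DEVICE_OBJECT {
    void     *DeviceExtension;   /* opaque to the kernel: just a void* */
    uint32_t  DeviceType;        /* FILE_DEVICE_*, public and documented */
} MOCK_DEVICE_OBJECT;

/* Two unrelated disk-class drivers, each with its own private layout.
 * Both are hypothetical; nothing here matches a shipping driver. */
typedef struct _DRIVER_A_EXTENSION {
    uint32_t Magic;
    uint32_t OpenCount;
    char     FriendlyName[32];
} DRIVER_A_EXTENSION;

typedef struct _DRIVER_B_EXTENSION {
    void    *LowerDevice;
    uint64_t BytesRead;
    uint64_t BytesWritten;
    uint8_t  Removable;
} DRIVER_B_EXTENSION;

/* Mock of IoCreateDevice(): the caller passes DeviceExtensionSize, the object
 * and extension are carved from one allocation with the extension placed
 * right after the object, and the "kernel" never looks inside it again. */
MOCK_DEVICE_OBJECT *MockIoCreateDevice(size_t extensionSize, uint32_t deviceType) {
    MOCK_DEVICE_OBJECT *dev = calloc(1, sizeof(*dev) + extensionSize);
    if (dev == NULL) return NULL;
    dev->DeviceExtension = extensionSize ? (uint8_t *)dev + sizeof(*dev) : NULL;
    dev->DeviceType = deviceType;
    return dev;
}

/* Driver A knows its own type, so it can cast and fill the fields. This is
 * the in-code equivalent of "dt driverA!_DRIVER_A_EXTENSION <ptr>". */
MOCK_DEVICE_OBJECT *DriverACreate(void) {
    MOCK_DEVICE_OBJECT *dev = MockIoCreateDevice(sizeof(DRIVER_A_EXTENSION), FILE_DEVICE_DISK);
    if (dev == NULL) return NULL;
    DRIVER_A_EXTENSION *ext = (DRIVER_A_EXTENSION *)dev->DeviceExtension;
    ext->Magic = 0x41564544u;             /* 'DEVA', arbitrary marker */
    strncpy(ext->FriendlyName, "DriverA Disk0", sizeof(ext->FriendlyName) - 1);
    return dev;
}

/* Driver A's per-open bookkeeping: returns the new open count. */
uint32_t DriverAOpen(MOCK_DEVICE_OBJECT *dev) {
    DRIVER_A_EXTENSION *ext = (DRIVER_A_EXTENSION *)dev->DeviceExtension;
    return ++ext->OpenCount;
}

/* Driver B: same DeviceType, entirely different private layout. */
MOCK_DEVICE_OBJECT *DriverBCreate(void) {
    MOCK_DEVICE_OBJECT *dev = MockIoCreateDevice(sizeof(DRIVER_B_EXTENSION), FILE_DEVICE_DISK);
    if (dev == NULL) return NULL;
    DRIVER_B_EXTENSION *ext = (DRIVER_B_EXTENSION *)dev->DeviceExtension;
    ext->Removable = 1;
    return dev;
}

/* All a debugger with nt symbols but without the driver's symbols can do:
 * read DeviceType and dump raw memory at DeviceExtension. The first qword
 * is "Magic+OpenCount" in one driver and "LowerDevice" in the other, and
 * nothing in the device object says which. */
uint64_t ExtensionFirstQword(const MOCK_DEVICE_OBJECT *dev) {
    uint64_t q = 0;
    memcpy(&q, dev->DeviceExtension, sizeof q);
    return q;
}

int main(void) {
    MOCK_DEVICE_OBJECT *a = DriverACreate();
    MOCK_DEVICE_OBJECT *b = DriverBCreate();
    if (a == NULL || b == NULL) return 1;
    DriverAOpen(a);
    printf("A: DeviceType=0x%x ext at +0x%zx, ext size %zu, first qword 0x%016llx\n",
           a->DeviceType, (size_t)((uint8_t *)a->DeviceExtension - (uint8_t *)a),
           sizeof(DRIVER_A_EXTENSION), (unsigned long long)ExtensionFirstQword(a));
    printf("B: DeviceType=0x%x ext at +0x%zx, ext size %zu, first qword 0x%016llx\n",
           b->DeviceType, (size_t)((uint8_t *)b->DeviceExtension - (uint8_t *)b),
           sizeof(DRIVER_B_EXTENSION), (unsigned long long)ExtensionFirstQword(b));
    free(a);
    free(b);
    return 0;
}
```

Running it shows two devices that are indistinguishable from the DEVICE_OBJECT side (same DeviceType, extension at the same offset) yet carry extensions of different size and meaning. In WinDbg the same split applies: with nt symbols, `dt nt!_DEVICE_OBJECT <addr>` gives you the DeviceExtension pointer; turning that pointer into fields needs the owning driver's symbols, i.e. `dt yourdriver!_YOUR_EXTENSION <ptr>` as Tim describes, and without them the best you get is a raw `dq <ptr>` dump.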