Using dt with symbols from modules that are not loaded yet

Currently, whenever I want to use symbols from modules that are not loaded yet along with dt, I use a trick in which I force ".reload" the module to a random address in memory just to have access to it while using commands like "x" or "dt", for example running something like this while debugging winload:

.reload /f ntoskrnl.exe=0x12345678
dt nt!_LOADER_PARAMETER_BLOCK @rcx
.reload /u nt

I was wondering if there is any nicer way to gain access to symbols from not yet loaded symbols, without requiring a dummy loading and unloading?

Thanks,

No, that's by far going to be the easiest thing...

Other options are going to require you to have a C header with the type.

For example, you could use the Synthetic Type support (which is, shall we say, not super convenient):

WinDbg-Samples/SyntheticTypes/readme.md at master · microsoft/WinDbg-Samples · GitHub

That doesn't get you dt support though. Another option is to add the types to the winload PDB:

Fixing Broken Debugger Extensions – OSR

In the end though I don't think either of these is going to be easier than what you're doing...

Got it, thanks! And also, thanks for the links, the OSR article is very interesting.