dbgeng hands it down to dbghelp for retrieving the types see the call stack below
0:000> k
Child-SP RetAddr Call Site
0000007c`f4eb7750 00007ffd`cc1a9575 dbghelp!SymGetTypeInfo+0x1b2
0000007c`f4eb77c0 00007ffd`cc1abbd8 dbgeng!DbgTypes::ProcessUDType+0xc05
0000007c`f4eb79a0 00007ffd`cc1a4d64 dbgeng!DbgTypes::ProcessType+0x3a0
0000007c`f4eb7b40 00007ffd`cc1afb6b dbgeng!DbgDerivedType::DumpType+0x30
0000007c`f4eb7b70 00007ffd`cc1b0c94 dbgeng!DumpTypeAndReturnInfo+0x74f
0000007c`f4eb8da0 00007ffd`cc1b29ab dbgeng!SymbolTypeDumpNew+0x1cc
0000007c`f4eb9e60 00007ffd`cc1281b0 dbgeng!SymbolTypeDumpEx+0x757
0000007c`f4ebc9a0 00007ffd`cc13329d dbgeng!ParseDumpCommand+0x890
0000007c`f4ebcf00 00007ffd`cc134586 dbgeng!ProcessCommands+0x99d
0000007c`f4ebcff0 00007ffd`cc056bf2 dbgeng!ProcessCommandsAndCatch+0x86
0000007c`f4ebd040 00007ffd`cc056f14 dbgeng!Execute+0x346
0000007c`f4ebd550 00007ff6`dde766de dbgeng!DebugClient::ExecuteWide+0x94
0000007c`f4ebd5b0 00007ff6`dde793bb cdb!MainLoop+0x532
0000007c`f4ebf630 00007ff6`dde7c82d cdb!wmain+0x4df
0000007c`f4ebf8d0 00007ffe`0f2a7344 cdb!__wmainCRTStartup+0x14d
0000007c`f4ebf910 00007ffe`106626b1 KERNEL32!BaseThreadInitThunk+0x14
0000007c`f4ebf940 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000>
a short code using dbghelp.dll for displaying the names of children of struct _PEB in ntdll.pdb as follows
omitted error checking using hardcoded values
#include <stdio.h>
#include <windows.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
#define ModLoadAddr 0x100000000
#define ModSizeArbit 0x10000000
#define symbuffsize 0x1000
// copy any ntdll.pdb into exe's directory
int main(void)
{
BYTE SymInfoBuff[symbuffsize] = {0};
PSYMBOL_INFO psym = (PSYMBOL_INFO)&SymInfoBuff;
psym->SizeOfStruct = sizeof(SYMBOL_INFO);
psym->MaxNameLen = MAX_SYM_NAME;
HANDLE hCurrentProcess = GetCurrentProcess();
BOOL syminitres = SymInitialize(hCurrentProcess, NULL, FALSE);
if (syminitres)
{
DWORD64 symloadmodres = SymLoadModuleEx(hCurrentProcess, NULL, "ntdll.pdb",
NULL, ModLoadAddr, ModSizeArbit, NULL, 0);
if (symloadmodres)
{
SymGetTypeFromName(hCurrentProcess, symloadmodres, "_PEB", psym);
printf("Type Name = %s\t Type Index = %x\n", psym->Name, psym->TypeIndex);
TI_FINDCHILDREN_PARAMS childs = {0};
SymGetTypeInfo(hCurrentProcess, symloadmodres, psym->TypeIndex,
TI_GET_CHILDRENCOUNT, &childs.Count);
printf("child count = 0x%x\n", childs.Count);
printf("ChildIndex\tTypeIndex\tChildSymName\n");
BOOL symtypechild = SymGetTypeInfo(hCurrentProcess, symloadmodres,
psym->TypeIndex, TI_FINDCHILDREN, &childs);
WCHAR symnamebuff[symbuffsize] = {0};
PWCHAR ChildSymNameBuff = (PWCHAR)&symnamebuff;
for (DWORD i = 0; i < childs.Count; i++)
{
memset(symnamebuff, 0, sizeof(symnamebuff));
symtypechild = SymGetTypeInfo(hCurrentProcess, symloadmodres,
childs.ChildId[i], TI_GET_SYMNAME, &ChildSymNameBuff);
printf("0x%08x\t0x%08x\t%S\n", i, childs.ChildId[i], ChildSymNameBuff);
}
}
}
}
compiling with
cl /Zi /W4 /Od /analyze /nologo dt.cpp /link /release
executing should yield
dt.exe
Type Name = _PEB Type Index = 1
child count = 0x73
ChildIndex TypeIndex ChildSymName
0x00000000 0x00000002 InheritedAddressSpace
0x00000001 0x00000003 ReadImageFileExecOptions
0x00000002 0x00000004 BeingDebugged
0x00000003 0x00000005 BitField
0x00000004 0x00000006 ImageUsesLargePages
0x00000005 0x00000007 IsProtectedProcess
0x00000006 0x00000008 IsImageDynamicallyRelocated
0x00000007 0x00000009 SkipPatchingUser32Forwarders
0x00000008 0x0000000a IsPackagedProcess
0x00000009 0x0000000b IsAppContainer
0x0000000a 0x0000000c IsProtectedProcessLight
0x0000000b 0x0000000d IsLongPathAwareProcess
0x0000000c 0x0000000e Padding0
0x0000000d 0x0000000f Mutant
0x0000000e 0x00000010 ImageBaseAddress
0x0000000f 0x00000011 Ldr
0x00000010 0x00000012 ProcessParameters
0x00000011 0x00000013 SubSystemData
0x00000012 0x00000014 ProcessHeap
0x00000013 0x00000015 FastPebLock
0x00000014 0x00000016 AtlThunkSListPtr
0x00000015 0x00000017 IFEOKey
0x00000016 0x00000018 CrossProcessFlags
0x00000017 0x00000019 ProcessInJob
0x00000018 0x0000001a ProcessInitializing
0x00000019 0x0000001b ProcessUsingVEH
0x0000001a 0x0000001c ProcessUsingVCH
0x0000001b 0x0000001d ProcessUsingFTH
0x0000001c 0x0000001e ProcessPreviouslyThrottled
0x0000001d 0x0000001f ProcessCurrentlyThrottled
0x0000001e 0x00000020 ProcessImagesHotPatched
0x0000001f 0x00000021 ReservedBits0
0x00000020 0x00000022 Padding1
0x00000021 0x00000023 KernelCallbackTable
0x00000022 0x00000024 UserSharedInfoPtr
0x00000023 0x00000025 SystemReserved
0x00000024 0x00000026 AtlThunkSListPtr32
0x00000025 0x00000027 ApiSetMap
0x00000026 0x00000028 TlsExpansionCounter
0x00000027 0x00000029 Padding2
0x00000028 0x0000002a TlsBitmap
0x00000029 0x0000002b TlsBitmapBits
0x0000002a 0x0000002c ReadOnlySharedMemoryBase
0x0000002b 0x0000002d SharedData
0x0000002c 0x0000002e ReadOnlyStaticServerData
0x0000002d 0x0000002f AnsiCodePageData
0x0000002e 0x00000030 OemCodePageData
0x0000002f 0x00000031 UnicodeCaseTableData
0x00000030 0x00000032 NumberOfProcessors
0x00000031 0x00000033 NtGlobalFlag
0x00000032 0x00000034 CriticalSectionTimeout
0x00000033 0x00000035 HeapSegmentReserve
0x00000034 0x00000036 HeapSegmentCommit
0x00000035 0x00000037 HeapDeCommitTotalFreeThreshold
0x00000036 0x00000038 HeapDeCommitFreeBlockThreshold
0x00000037 0x00000039 NumberOfHeaps
0x00000038 0x0000003a MaximumNumberOfHeaps
0x00000039 0x0000003b ProcessHeaps
0x0000003a 0x0000003c GdiSharedHandleTable
0x0000003b 0x0000003d ProcessStarterHelper
0x0000003c 0x0000003e GdiDCAttributeList
0x0000003d 0x0000003f Padding3
0x0000003e 0x00000040 LoaderLock
0x0000003f 0x00000041 OSMajorVersion
0x00000040 0x00000042 OSMinorVersion
0x00000041 0x00000043 OSBuildNumber
0x00000042 0x00000044 OSCSDVersion
0x00000043 0x00000045 OSPlatformId
0x00000044 0x00000046 ImageSubsystem
0x00000045 0x00000047 ImageSubsystemMajorVersion
0x00000046 0x00000048 ImageSubsystemMinorVersion
0x00000047 0x00000049 Padding4
0x00000048 0x0000004a ActiveProcessAffinityMask
0x00000049 0x0000004b GdiHandleBuffer
0x0000004a 0x0000004c PostProcessInitRoutine
0x0000004b 0x0000004d TlsExpansionBitmap
0x0000004c 0x0000004e TlsExpansionBitmapBits
0x0000004d 0x0000004f SessionId
0x0000004e 0x00000050 Padding5
0x0000004f 0x00000051 AppCompatFlags
0x00000050 0x00000052 AppCompatFlagsUser
0x00000051 0x00000053 pShimData
0x00000052 0x00000054 AppCompatInfo
0x00000053 0x00000055 CSDVersion
0x00000054 0x00000056 ActivationContextData
0x00000055 0x00000057 ProcessAssemblyStorageMap
0x00000056 0x00000058 SystemDefaultActivationContextData
0x00000057 0x00000059 SystemAssemblyStorageMap
0x00000058 0x0000005a MinimumStackCommit
0x00000059 0x0000005b SparePointers
0x0000005a 0x0000005c SpareUlongs
0x0000005b 0x0000005d WerRegistrationData
0x0000005c 0x0000005e WerShipAssertPtr
0x0000005d 0x0000005f pUnused
0x0000005e 0x00000060 pImageHeaderHash
0x0000005f 0x00000061 TracingFlags
0x00000060 0x00000062 HeapTracingEnabled
0x00000061 0x00000063 CritSecTracingEnabled
0x00000062 0x00000064 LibLoaderTracingEnabled
0x00000063 0x00000065 SpareTracingBits
0x00000064 0x00000066 Padding6
0x00000065 0x00000067 CsrServerReadOnlySharedMemoryBase
0x00000066 0x00000068 TppWorkerpListLock
0x00000067 0x00000069 TppWorkerpList
0x00000068 0x0000006a WaitOnAddressHashTable
0x00000069 0x0000006b TelemetryCoverageHeader
0x0000006a 0x0000006c CloudFileFlags
0x0000006b 0x0000006d CloudFileDiagFlags
0x0000006c 0x0000006e PlaceholderCompatibilityMode
0x0000006d 0x0000006f PlaceholderCompatibilityModeReserved
0x0000006e 0x00000070 LeapSecondData
0x0000006f 0x00000071 LeapSecondFlags
0x00000070 0x00000072 SixtySecondEnabled
0x00000071 0x00000073 Reserved
0x00000072 0x00000074 NtGlobalFlag2