It sometimes happens that during crash dump analysis or a debugging session I forget the exact structure name when I want to use it in the WinDbg dt command. In this case wildcards help me: dt module!*, for example,
0:000> dt ntdll!*
ntdll!LIST_ENTRY64
ntdll!LIST_ENTRY32
ntdll!_ULARGE_INTEGER
ntdll!_LIST_ENTRY
ntdll!_IMAGE_NT_HEADERS
ntdll!_IMAGE_FILE_HEADER
ntdll!_IMAGE_OPTIONAL_HEADER
ntdll!_IMAGE_NT_HEADERS
ntdll!_LARGE_INTEGER
ntdll!_LUID
ntdll!_KPRCB
ntdll!_KTHREAD
ntdll!_KPROCESSOR_STATE
ntdll!_KSPIN_LOCK_QUEUE
ntdll!_KNODE
ntdll!_PP_LOOKASIDE_LIST
ntdll!_KPRCB
ntdll!_KDPC_DATA
ntdll!_KEVENT
ntdll!_KDPC
ntdll!_SINGLE_LIST_ENTRY
ntdll!_FX_SAVE_AREA
ntdll!_PROCESSOR_POWER_STATE
ntdll!_KPRCB
ntdll!_KPCR
ntdll!_NT_TIB
ntdll!_EXCEPTION_REGISTRATION_RECORD
ntdll!_KIDTENTRY
ntdll!_KGDTENTRY
ntdll!_KTSS
ntdll!_KPCR
ntdll!_KAPC
ntdll!_SINGLE_LIST_ENTRY
ntdll!_KDPC_IMPORTANCE
ntdll!_KDPC
ntdll!_DISPATCHER_HEADER
ntdll!_KAPC_STATE
ntdll!_KWAIT_BLOCK
ntdll!_KGATE
ntdll!_KQUEUE
ntdll!_KTIMER
ntdll!_KTRAP_FRAME
ntdll!_KPROCESS
ntdll!_KSEMAPHORE
ntdll!_KTHREAD
ntdll!_KSPIN_LOCK_QUEUE_NUMBER
ntdll!_FAST_MUTEX
ntdll!_SLIST_HEADER
ntdll!_NPAGED_LOOKASIDE_LIST
ntdll!_GENERAL_LOOKASIDE
ntdll!_NPAGED_LOOKASIDE_LIST
ntdll!_PAGED_LOOKASIDE_LIST
ntdll!_PP_NPAGED_LOOKASIDE_NUMBER
ntdll!_POOL_TYPE
ntdll!_GENERAL_LOOKASIDE
ntdll!_EX_RUNDOWN_REF
ntdll!_EX_FAST_REF
ntdll!_EX_PUSH_LOCK
ntdll!_EX_PUSH_LOCK_WAIT_BLOCK
ntdll!_EX_PUSH_LOCK_CACHE_AWARE
ntdll!_ETHREAD
ntdll!_TERMINATION_PORT
ntdll!_CLIENT_ID
ntdll!_PS_IMPERSONATION_INFORMATION
ntdll!_DEVICE_OBJECT
ntdll!_EPROCESS
ntdll!_ETHREAD
ntdll!_HANDLE_TABLE
ntdll!_KGUARDED_MUTEX
ntdll!_MM_AVL_TABLE
ntdll!_EJOB
ntdll!_EPROCESS_QUOTA_BLOCK
ntdll!_PAGEFAULT_HISTORY
ntdll!_HARDWARE_PTE_X86
ntdll!_PEB
ntdll!_SE_AUDIT_PROCESS_CREATION_INFO
ntdll!_MMSUPPORT
ntdll!_EPROCESS
ntdll!_OBJECT_HEADER
ntdll!_OBJECT_TYPE
ntdll!_OBJECT_CREATE_INFORMATION
ntdll!_QUAD
ntdll!_OBJECT_HEADER
ntdll!_OBJECT_HEADER_QUOTA_INFO
ntdll!_OBJECT_HEADER_HANDLE_INFO
ntdll!_OBJECT_HANDLE_COUNT_DATABASE
ntdll!_OBJECT_HANDLE_COUNT_ENTRY
ntdll!_OBJECT_HEADER_HANDLE_INFO
ntdll!_OBJECT_HEADER_NAME_INFO
ntdll!_OBJECT_DIRECTORY
ntdll!_UNICODE_STRING
ntdll!_OBJECT_HEADER_NAME_INFO
ntdll!_OBJECT_HEADER_CREATOR_INFO
ntdll!_OBJECT_ATTRIBUTES
ntdll!_ERESOURCE
ntdll!_OBJECT_TYPE_INITIALIZER
ntdll!_OBJECT_TYPE
ntdll!_OBJECT_HANDLE_INFORMATION
ntdll!_PERFINFO_GROUPMASK
ntdll!_KGUARDED_MUTEX
ntdll!_DISPATCHER_HEADER
ntdll!_PF_SCENARIO_TYPE
ntdll!_HANDLE_TRACE_DEBUG_INFO
ntdll!_HANDLE_TABLE
ntdll!_KWAIT_BLOCK
ntdll!_MMSUPPORT_FLAGS
ntdll!_MMWSL
ntdll!_MMSUPPORT
ntdll!_EPROCESS_QUOTA_ENTRY
ntdll!_EPROCESS_QUOTA_BLOCK
ntdll!_UNICODE_STRING
ntdll!_NT_TIB
ntdll!_PS_JOB_TOKEN_FILTER
ntdll!_IO_COUNTERS
ntdll!_EJOB
ntdll!_PEB_LDR_DATA
ntdll!_RTL_USER_PROCESS_PARAMETERS
ntdll!_RTL_CRITICAL_SECTION
ntdll!_PEB_FREE_BLOCK
ntdll!_ACTIVATION_CONTEXT_DATA
ntdll!_ASSEMBLY_STORAGE_MAP
ntdll!_PEB
ntdll!_KGATE
ntdll!_IMAGE_FILE_HEADER
ntdll!_RTL_STACK_TRACE_ENTRY
ntdll!_PEB_FREE_BLOCK
ntdll!_KSPIN_LOCK_QUEUE
ntdll!_PP_LOOKASIDE_LIST
ntdll!_KEXECUTE_OPTIONS
ntdll!_KPROCESS
ntdll!_PEB_LDR_DATA
ntdll!_DPH_BLOCK_INFORMATION
ntdll!_SECURITY_IMPERSONATION_LEVEL
ntdll!_PS_IMPERSONATION_INFORMATION
ntdll!_EPROCESS_QUOTA_ENTRY
ntdll!_FNSAVE_FORMAT
ntdll!_FX_SAVE_AREA
ntdll!PROCESSOR_IDLE_TIMES
ntdll!PROCESSOR_PERF_STATE
ntdll!_PROCESSOR_POWER_STATE
ntdll!_IO_COUNTERS
ntdll!_KiIoAccessMap
ntdll!_KTSS
ntdll!_KIDTENTRY
ntdll!_MMSUPPORT_FLAGS
ntdll!_HEAP
ntdll!_HEAP_ENTRY
ntdll!_HEAP_TAG_ENTRY
ntdll!_HEAP_UCR_SEGMENT
ntdll!_HEAP_UNCOMMMTTED_RANGE
ntdll!_HEAP_SEGMENT
ntdll!_HEAP_PSEUDO_TAG_ENTRY
ntdll!_HEAP_LOCK
ntdll!_HEAP
ntdll!_TERMINATION_PORT
ntdll!LSA_FOREST_TRUST_RECORD_TYPE
ntdll!_HEAP_UNCOMMMTTED_RANGE
ntdll!_OBJECT_HANDLE_COUNT_DATABASE
ntdll!_FNSAVE_FORMAT
ntdll!PROCESSOR_PERF_STATE
ntdll!PROCESSOR_IDLE_TIMES
ntdll!_HANDLE_TRACE_DB_ENTRY
ntdll!_HANDLE_TRACE_DEBUG_INFO
ntdll!_PROCESS_WS_WATCH_INFORMATION
ntdll!_PAGEFAULT_HISTORY
ntdll!_SECURITY_QUALITY_OF_SERVICE
ntdll!_OBJECT_CREATE_INFORMATION
ntdll!_MMADDRESS_NODE
ntdll!_MM_AVL_TABLE
ntdll!_HARDWARE_PTE_X86
ntdll!_HEAP_ENTRY
ntdll!_GENERIC_MAPPING
ntdll!_OBJECT_DUMP_CONTROL
ntdll!_OB_OPEN_REASON
ntdll!_ACCESS_STATE
ntdll!_SECURITY_OPERATION_CODE
ntdll!_OBJECT_NAME_INFORMATION
ntdll!_OBJECT_TYPE_INITIALIZER
ntdll!_LARGE_INTEGER
ntdll!_RTL_TRACE_BLOCK
ntdll!_HEAP_UCR_SEGMENT
ntdll!_KEXECUTE_OPTIONS
ntdll!_OWNER_ENTRY
ntdll!_ERESOURCE
ntdll!_GENERIC_MAPPING
ntdll!_SID_AND_ATTRIBUTES
ntdll!_LUID_AND_ATTRIBUTES
ntdll!_PS_JOB_TOKEN_FILTER
ntdll!_MEMORY_CACHING_TYPE_ORIG
ntdll!_KiIoAccessMap
ntdll!_EXCEPTION_DISPOSITION
ntdll!_EXCEPTION_RECORD
ntdll!_CONTEXT
ntdll!_EXCEPTION_REGISTRATION_RECORD
ntdll!_DRIVER_OBJECT
ntdll!_IRP
ntdll!_IO_TIMER
ntdll!_VPB
ntdll!_WAIT_CONTEXT_BLOCK
ntdll!_KDEVICE_QUEUE
ntdll!_DEVOBJ_EXTENSION
ntdll!_DEVICE_OBJECT
ntdll!_PROCESS_WS_WATCH_INFORMATION
ntdll!_SECURITY_QUALITY_OF_SERVICE
ntdll!_FLOATING_SAVE_AREA
ntdll!_CONTEXT
ntdll!_IMAGE_DATA_DIRECTORY
ntdll!_IMAGE_OPTIONAL_HEADER
ntdll!_KUSER_SHARED_DATA
ntdll!_KSYSTEM_TIME
ntdll!_NT_PRODUCT_TYPE
ntdll!_ALTERNATIVE_ARCHITECTURE_TYPE
ntdll!_KUSER_SHARED_DATA
ntdll!_QUAD
ntdll!_KAPC_STATE
ntdll!_MODE
ntdll!_HEAP_PSEUDO_TAG_ENTRY
ntdll!_RTL_CRITICAL_SECTION_DEBUG
ntdll!_RTL_CRITICAL_SECTION
ntdll!_HEAP_SEGMENT
ntdll!_KTRAP_FRAME
ntdll!_KGDTENTRY
ntdll!_KDEVICE_QUEUE_ENTRY
ntdll!_IO_ALLOCATION_ACTION
ntdll!_WAIT_CONTEXT_BLOCK
ntdll!_KTIMER
ntdll!_MDL
ntdll!_IO_STATUS_BLOCK
ntdll!_IO_STACK_LOCATION
ntdll!_FILE_OBJECT
ntdll!_IRP
ntdll!_VPB
ntdll!_KOBJECTS
ntdll!_KSEMAPHORE
ntdll!_MMADDRESS_NODE
ntdll!_CURDIR
ntdll!_RTL_DRIVE_LETTER_CURDIR
ntdll!_RTL_USER_PROCESS_PARAMETERS
ntdll!_OWNER_ENTRY
ntdll!_SE_AUDIT_PROCESS_CREATION_INFO
ntdll!_OBJECT_HANDLE_COUNT_ENTRY
ntdll!_CLIENT_ID
ntdll!_RTL_TRACE_DATABASE
ntdll!_RTL_TRACE_SEGMENT
ntdll!_RTL_TRACE_DATABASE
ntdll!_HEAP_LOCK
ntdll!_HANDLE_TRACE_DB_ENTRY
ntdll!ReplacesCorHdrNumericDefines
ntdll!_MEMORY_TYPE
ntdll!_IO_TIMER
ntdll!_FXSAVE_FORMAT
ntdll!_OBJECT_DIRECTORY_ENTRY
ntdll!_DEVICE_MAP
ntdll!_OBJECT_DIRECTORY
ntdll!_STACK_TRACE_DATABASE
ntdll!_KDPC_DATA
ntdll!_STRING
ntdll!_RTL_DRIVE_LETTER_CURDIR
ntdll!_SID_AND_ATTRIBUTES
ntdll!_DPH_HEAP_ROOT
ntdll!_DPH_HEAP_BLOCK
ntdll!_RTL_AVL_TABLE
ntdll!_DPH_HEAP_ROOT
ntdll!_DEVICE_OBJECT_POWER_EXTENSION
ntdll!_DEVOBJ_EXTENSION
ntdll!_FLOATING_SAVE_AREA
ntdll!_KSYSTEM_TIME
ntdll!_KQUEUE
ntdll!_RTL_BALANCED_LINKS
ntdll!_RTL_GENERIC_COMPARE_RESULTS
ntdll!_RTL_AVL_TABLE
ntdll!_HEAP_TAG_ENTRY
ntdll!_RTL_CRITICAL_SECTION_DEBUG
ntdll!_MDL
ntdll!_DPH_HEAP_BLOCK
ntdll!_PS_QUOTA_TYPE
ntdll!_flags
ntdll!_KNODE
ntdll!_LDR_DATA_TABLE_ENTRY
ntdll!_ACTIVATION_CONTEXT
ntdll!_LDR_DATA_TABLE_ENTRY
ntdll!_TEB
ntdll!_ACTIVATION_CONTEXT_STACK
ntdll!_GDI_TEB_BATCH
ntdll!_TEB_ACTIVE_FRAME
ntdll!_TEB
ntdll!_KEVENT
ntdll!_IO_STATUS_BLOCK
ntdll!_RTL_TRACE_SEGMENT
ntdll!_SECURITY_SUBJECT_CONTEXT
ntdll!_INITIAL_PRIVILEGE_SET
ntdll!_PRIVILEGE_SET
ntdll!_ACCESS_STATE
ntdll!_KSPECIAL_REGISTERS
ntdll!_KPROCESSOR_STATE
ntdll!_STRING
ntdll!_flags
ntdll!_REG_NOTIFY_CLASS
ntdll!_OBJECT_DUMP_CONTROL
ntdll!_SECURITY_SUBJECT_CONTEXT
ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
ntdll!_ACTIVATION_CONTEXT_STACK
ntdll!_MMSYSTEM_PTE_POOL_TYPE
ntdll!_KDEVICE_QUEUE
ntdll!_LUID_AND_ATTRIBUTES
ntdll!_EXCEPTION_RECORD
ntdll!_INITIAL_PRIVILEGE_SET
ntdll!_TEB_ACTIVE_FRAME_CONTEXT
ntdll!_TEB_ACTIVE_FRAME
ntdll!_OBJECT_NAME_INFORMATION
ntdll!_SECTION_OBJECT_POINTERS
ntdll!_IO_COMPLETION_CONTEXT
ntdll!_FILE_OBJECT
ntdll!_IO_COMPLETION_CONTEXT
ntdll!_DRIVER_EXTENSION
ntdll!_FAST_IO_DISPATCH
ntdll!_DRIVER_OBJECT
ntdll!_IO_CLIENT_EXTENSION
ntdll!_FS_FILTER_CALLBACKS
ntdll!_DRIVER_EXTENSION
ntdll!_TEB_ACTIVE_FRAME_CONTEXT
ntdll!_IMAGE_DATA_DIRECTORY
ntdll!_CURDIR
ntdll!_GDI_TEB_BATCH
ntdll!_RTL_BALANCED_LINKS
ntdll!_KDEVICE_QUEUE_ENTRY
ntdll!_SECTION_OBJECT_POINTERS
ntdll!_IO_CLIENT_EXTENSION
ntdll!_IO_SECURITY_CONTEXT
ntdll!_NAMED_PIPE_CREATE_PARAMETERS
ntdll!_MAILSLOT_CREATE_PARAMETERS
ntdll!_FILE_INFORMATION_CLASS
ntdll!_FSINFOCLASS
ntdll!_SCSI_REQUEST_BLOCK
ntdll!_FILE_GET_QUOTA_INFORMATION
ntdll!_DEVICE_RELATION_TYPE
ntdll!_GUID
ntdll!_INTERFACE
ntdll!_DEVICE_CAPABILITIES
ntdll!_IO_RESOURCE_REQUIREMENTS_LIST
ntdll!BUS_QUERY_ID_TYPE
ntdll!DEVICE_TEXT_TYPE
ntdll!_DEVICE_USAGE_NOTIFICATION_TYPE
ntdll!_SYSTEM_POWER_STATE
ntdll!_POWER_SEQUENCE
ntdll!_POWER_STATE_TYPE
ntdll!_POWER_STATE
ntdll!POWER_ACTION
ntdll!_CM_RESOURCE_LIST
ntdll!_IO_STACK_LOCATION
ntdll!_INTERFACE
ntdll!_DEVICE_POWER_STATE
ntdll!_POWER_STATE
ntdll!_FS_FILTER_CALLBACK_DATA
ntdll!_FS_FILTER_CALLBACKS
ntdll!_DEVICE_MAP
ntdll!_INTERFACE_TYPE
ntdll!_IO_RESOURCE_LIST
ntdll!_IO_RESOURCE_REQUIREMENTS_LIST
ntdll!_SID
ntdll!_FILE_GET_QUOTA_INFORMATION
ntdll!_FS_FILTER_PARAMETERS
ntdll!_FS_FILTER_CALLBACK_DATA
ntdll!_FILE_BASIC_INFORMATION
ntdll!_FILE_STANDARD_INFORMATION
ntdll!_FILE_NETWORK_OPEN_INFORMATION
ntdll!_COMPRESSED_DATA_INFO
ntdll!_FAST_IO_DISPATCH
ntdll!_OBJECT_DIRECTORY_ENTRY
ntdll!_FILE_BASIC_INFORMATION
ntdll!_PRIVILEGE_SET
ntdll!_IO_SECURITY_CONTEXT
ntdll!_DESCRIPTOR
ntdll!_KSPECIAL_REGISTERS
ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
ntdll!_MAILSLOT_CREATE_PARAMETERS
ntdll!_NAMED_PIPE_CREATE_PARAMETERS
ntdll!_IO_RESOURCE_DESCRIPTOR
ntdll!_IO_RESOURCE_LIST
ntdll!_FILE_NETWORK_OPEN_INFORMATION
ntdll!_CM_FULL_RESOURCE_DESCRIPTOR
ntdll!_CM_RESOURCE_LIST
ntdll!_POWER_SEQUENCE
ntdll!_IO_RESOURCE_DESCRIPTOR
ntdll!_FS_FILTER_SECTION_SYNC_TYPE
ntdll!_FS_FILTER_PARAMETERS
ntdll!_COMPRESSED_DATA_INFO
ntdll!_FILE_STANDARD_INFORMATION
ntdll!_DESCRIPTOR
ntdll!_GUID
ntdll!_SID_IDENTIFIER_AUTHORITY
ntdll!_SID
ntdll!_SID_IDENTIFIER_AUTHORITY
ntdll!_CM_PARTIAL_RESOURCE_LIST
ntdll!_CM_FULL_RESOURCE_DESCRIPTOR
ntdll!_DEVICE_CAPABILITIES
ntdll!_CM_PARTIAL_RESOURCE_DESCRIPTOR
ntdll!_CM_PARTIAL_RESOURCE_LIST
ntdll!_CM_PARTIAL_RESOURCE_DESCRIPTOR
ntdll!__unnamed
You might have noticed that many structures are listed twice in the output. Actually, all of them appear twice, and there are many __unnamed entries (I edited the output before posting to save space). I was wondering why they are listed twice, and after some research I found that Visual Studio contains the DIA SDK (Debug Interface Access SDK) and that you can build its DIA2Dump sample to dump PDB files. Unfortunately, this tool also displays them twice, without any hints:
UDT : LIST_ENTRY32
Data : this+0x0, Member, Type: unsigned long, Flink
Data : this+0x4, Member, Type: unsigned long, Blink
UDT : LIST_ENTRY32
Data : this+0x0, Member, Type: unsigned long, Flink
Data : this+0x4, Member, Type: unsigned long, Blink
The __unnamed datatype is for unions, for example:
0:000> dt -r _ULARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
+0x000 u : __unnamed
   +0x000 LowPart : Uint4B
   +0x004 HighPart : Uint4B
+0x000 QuadPart : Uint8B
Here’s the definition taken from winnt.h:
/*
 * ULARGE_INTEGER as quoted from winnt.h: a union whose three members all
 * start at offset 0 (the dt -r output above lists LowPart, u and QuadPart
 * at +0x000).
 */
typedef union _ULARGE_INTEGER
{
    /* Anonymous struct: its fields are reached directly as LowPart / HighPart.
       dt lists LowPart at +0x000 and HighPart at +0x004, each as Uint4B. */
    struct
    {
        DWORD LowPart;
        DWORD HighPart;
    };
    /* The same two fields again, reached through the member name u.
       This struct has no tag; dt lists the type of u as __unnamed. */
    struct
    {
        DWORD LowPart;
        DWORD HighPart;
    } u;
    /* dt lists this member as Uint8B at +0x000, so it covers the same bytes
       as the LowPart / HighPart pair above. */
    ULONGLONG QuadPart;
} ULARGE_INTEGER, *PULARGE_INTEGER; /* names for the union type and for a pointer to it */
- Dmitry Vostokov -