Comments on: Exported NTDLL and kernel structures https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Tue, 05 May 2026 17:51:10 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-27733 Dmitry Vostokov Mon, 19 May 2008 13:36:33 +0000 https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-27733 If you mean the fact that wildcards don't work in 6.9.3.113 version of WinDbg then I haven't reported it yet. If you mean the fact that wildcards don’t work in 6.9.3.113 version of WinDbg then I haven’t reported it yet.

]]> By: Nick https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-27732 Nick Mon, 19 May 2008 13:22:30 +0000 https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-27732 Did you report this to Microsoft? Did you report this to Microsoft?

]]> By: nickdigital https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-846 nickdigital Tue, 27 Mar 2007 22:37:13 +0000 https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-846 In case anyone is interested, the output from the above is 275 unique data types... PROCESSOR_IDLE_TIMES _CLIENT_ID _CM_PARTIAL_RESOURCE_LIST _CONTEXT _CURDIR _DESCRIPTOR _DISPATCHER_HEADER _ERESOURCE _EX_FAST_REF _EX_PUSH_LOCK _EX_RUNDOWN_REF _FAST_MUTEX _FLOATING_SAVE_AREA _FNSAVE_FORMAT _FS_FILTER_PARAMETERS _FXSAVE_FORMAT _FX_SAVE_AREA _GDI_TEB_BATCH _GENERAL_LOOKASIDE _GENERIC_MAPPING _HARDWARE_PTE_X86 _HEAP_ENTRY _IMAGE_FILE_HEADER _IMAGE_OPTIONAL_HEADER _INITIAL_PRIVILEGE_SET _IO_COUNTERS _IO_STATUS_BLOCK _KAPC _KAPC_STATE _KDEVICE_QUEUE _KDEVICE_QUEUE_ENTRY _KDPC _KEVENT _KEXECUTE_OPTIONS _KGATE _KGDTENTRY _KGUARDED_MUTEX _KIDTENTRY _KPRCB _KPROCESS _KPROCESSOR_STATE _KSEMAPHORE _KSPECIAL_REGISTERS _KSYSTEM_TIME _KTHREAD _KTIMER _LARGE_INTEGER _LIST_ENTRY _LUID _MMADDRESS_NODE _MMSUPPORT _MMSUPPORT_FLAGS _MM_AVL_TABLE _NT_TIB _OBJECT_HANDLE_COUNT_ENTRY _OBJECT_TYPE_INITIALIZER _POWER_STATE _PRIVILEGE_SET _PROCESSOR_POWER_STATE _QUAD _RTL_AVL_TABLE _RTL_BALANCED_LINKS _RTL_CRITICAL_SECTION _SECURITY_QUALITY_OF_SERVICE _SECURITY_SUBJECT_CONTEXT _SE_AUDIT_PROCESS_CREATION_INFO _SID _SID_IDENTIFIER_AUTHORITY _SINGLE_LIST_ENTRY _SLIST_HEADER _STRING _ULARGE_INTEGER _UNICODE_STRING _WAIT_CONTEXT_BLOCK __unnamed _flags LIST_ENTRY32 LIST_ENTRY64 PROCESSOR_IDLE_TIMES PROCESSOR_PERF_STATE _ACCESS_STATE _ACTIVATION_CONTEXT _ACTIVATION_CONTEXT_DATA _ACTIVATION_CONTEXT_STACK _ASSEMBLY_STORAGE_MAP _CLIENT_ID _CM_FULL_RESOURCE_DESCRIPTOR _CM_PARTIAL_RESOURCE_DESCRIPTOR _CM_PARTIAL_RESOURCE_LIST _CM_RESOURCE_LIST _COMPRESSED_DATA_INFO _CONTEXT _CURDIR _DESCRIPTOR _DEVICE_CAPABILITIES _DEVICE_MAP _DEVICE_OBJECT _DEVICE_OBJECT_POWER_EXTENSION _DEVOBJ_EXTENSION _DISPATCHER_HEADER _DPH_BLOCK_INFORMATION _DPH_HEAP_BLOCK _DPH_HEAP_ROOT _DRIVER_EXTENSION _DRIVER_OBJECT _EJOB _EPROCESS _EPROCESS_QUOTA_BLOCK _EPROCESS_QUOTA_ENTRY _ERESOURCE _ETHREAD _EXCEPTION_RECORD _EXCEPTION_REGISTRATION_RECORD _EX_FAST_REF _EX_PUSH_LOCK _EX_PUSH_LOCK_CACHE_AWARE _EX_PUSH_LOCK_WAIT_BLOCK _EX_RUNDOWN_REF _FAST_IO_DISPATCH _FAST_MUTEX _FILE_BASIC_INFORMATION _FILE_GET_QUOTA_INFORMATION _FILE_NETWORK_OPEN_INFORMATION _FILE_OBJECT _FILE_STANDARD_INFORMATION _FLOATING_SAVE_AREA _FNSAVE_FORMAT _FS_FILTER_CALLBACKS _FS_FILTER_CALLBACK_DATA _FS_FILTER_PARAMETERS _FXSAVE_FORMAT _FX_SAVE_AREA _GDI_TEB_BATCH _GENERAL_LOOKASIDE _GENERIC_MAPPING _GUID _HANDLE_TABLE _HANDLE_TRACE_DB_ENTRY _HANDLE_TRACE_DEBUG_INFO _HARDWARE_PTE_X86 _HEAP _HEAP_ENTRY _HEAP_LOCK _HEAP_PSEUDO_TAG_ENTRY _HEAP_SEGMENT _HEAP_TAG_ENTRY _HEAP_UCR_SEGMENT _HEAP_UNCOMMMTTED_RANGE _IMAGE_DATA_DIRECTORY _IMAGE_FILE_HEADER _IMAGE_NT_HEADERS _IMAGE_OPTIONAL_HEADER _INITIAL_PRIVILEGE_SET _INTERFACE _IO_CLIENT_EXTENSION _IO_COMPLETION_CONTEXT _IO_COUNTERS _IO_RESOURCE_DESCRIPTOR _IO_RESOURCE_LIST _IO_RESOURCE_REQUIREMENTS_LIST _IO_SECURITY_CONTEXT _IO_STACK_LOCATION _IO_STATUS_BLOCK _IO_TIMER _IRP _KAPC _KAPC_STATE _KDEVICE_QUEUE _KDEVICE_QUEUE_ENTRY _KDPC _KDPC_DATA _KEVENT _KEXECUTE_OPTIONS _KGATE _KGDTENTRY _KGUARDED_MUTEX _KIDTENTRY _KNODE _KPCR _KPRCB _KPROCESS _KPROCESSOR_STATE _KQUEUE _KSEMAPHORE _KSPECIAL_REGISTERS _KSPIN_LOCK_QUEUE _KSYSTEM_TIME _KTHREAD _KTIMER _KTRAP_FRAME _KTSS _KUSER_SHARED_DATA _KWAIT_BLOCK _KiIoAccessMap _LARGE_INTEGER _LDR_DATA_TABLE_ENTRY _LIST_ENTRY _LUID _LUID_AND_ATTRIBUTES _MAILSLOT_CREATE_PARAMETERS _MDL _MMADDRESS_NODE _MMSUPPORT _MMSUPPORT_FLAGS _MMWSL _MM_AVL_TABLE _NAMED_PIPE_CREATE_PARAMETERS _NPAGED_LOOKASIDE_LIST _NT_TIB _OBJECT_ATTRIBUTES _OBJECT_CREATE_INFORMATION _OBJECT_DIRECTORY _OBJECT_DIRECTORY_ENTRY _OBJECT_DUMP_CONTROL _OBJECT_HANDLE_COUNT_DATABASE _OBJECT_HANDLE_COUNT_ENTRY _OBJECT_HANDLE_INFORMATION _OBJECT_HEADER _OBJECT_HEADER_CREATOR_INFO _OBJECT_HEADER_HANDLE_INFO _OBJECT_HEADER_NAME_INFO _OBJECT_HEADER_QUOTA_INFO _OBJECT_NAME_INFORMATION _OBJECT_TYPE _OBJECT_TYPE_INITIALIZER _OWNER_ENTRY _PAGED_LOOKASIDE_LIST _PAGEFAULT_HISTORY _PEB _PEB_FREE_BLOCK _PEB_LDR_DATA _PERFINFO_GROUPMASK _POWER_SEQUENCE _POWER_STATE _PP_LOOKASIDE_LIST _PRIVILEGE_SET _PROCESSOR_POWER_STATE _PROCESS_WS_WATCH_INFORMATION _PS_IMPERSONATION_INFORMATION _PS_JOB_TOKEN_FILTER _QUAD _RTL_ACTIVATION_CONTEXT_STACK_FRAME _RTL_AVL_TABLE _RTL_BALANCED_LINKS _RTL_CRITICAL_SECTION _RTL_CRITICAL_SECTION_DEBUG _RTL_DRIVE_LETTER_CURDIR _RTL_STACK_TRACE_ENTRY _RTL_TRACE_BLOCK _RTL_TRACE_DATABASE _RTL_TRACE_SEGMENT _RTL_USER_PROCESS_PARAMETERS _SCSI_REQUEST_BLOCK _SECTION_OBJECT_POINTERS _SECURITY_QUALITY_OF_SERVICE _SECURITY_SUBJECT_CONTEXT _SE_AUDIT_PROCESS_CREATION_INFO _SID _SID_AND_ATTRIBUTES _SID_IDENTIFIER_AUTHORITY _SINGLE_LIST_ENTRY _SLIST_HEADER _STACK_TRACE_DATABASE _STRING _TEB _TEB_ACTIVE_FRAME _TEB_ACTIVE_FRAME_CONTEXT _TERMINATION_PORT _ULARGE_INTEGER _UNICODE_STRING _VPB _WAIT_CONTEXT_BLOCK __unnamed _flags In case anyone is interested, the output from the above is 275 unique data types…
PROCESSOR_IDLE_TIMES
_CLIENT_ID
_CM_PARTIAL_RESOURCE_LIST
_CONTEXT
_CURDIR
_DESCRIPTOR
_DISPATCHER_HEADER
_ERESOURCE
_EX_FAST_REF
_EX_PUSH_LOCK
_EX_RUNDOWN_REF
_FAST_MUTEX
_FLOATING_SAVE_AREA
_FNSAVE_FORMAT
_FS_FILTER_PARAMETERS
_FXSAVE_FORMAT
_FX_SAVE_AREA
_GDI_TEB_BATCH
_GENERAL_LOOKASIDE
_GENERIC_MAPPING
_HARDWARE_PTE_X86
_HEAP_ENTRY
_IMAGE_FILE_HEADER
_IMAGE_OPTIONAL_HEADER
_INITIAL_PRIVILEGE_SET
_IO_COUNTERS
_IO_STATUS_BLOCK
_KAPC
_KAPC_STATE
_KDEVICE_QUEUE
_KDEVICE_QUEUE_ENTRY
_KDPC
_KEVENT
_KEXECUTE_OPTIONS
_KGATE
_KGDTENTRY
_KGUARDED_MUTEX
_KIDTENTRY
_KPRCB
_KPROCESS
_KPROCESSOR_STATE
_KSEMAPHORE
_KSPECIAL_REGISTERS
_KSYSTEM_TIME
_KTHREAD
_KTIMER
_LARGE_INTEGER
_LIST_ENTRY
_LUID
_MMADDRESS_NODE
_MMSUPPORT
_MMSUPPORT_FLAGS
_MM_AVL_TABLE
_NT_TIB
_OBJECT_HANDLE_COUNT_ENTRY
_OBJECT_TYPE_INITIALIZER
_POWER_STATE
_PRIVILEGE_SET
_PROCESSOR_POWER_STATE
_QUAD
_RTL_AVL_TABLE
_RTL_BALANCED_LINKS
_RTL_CRITICAL_SECTION
_SECURITY_QUALITY_OF_SERVICE
_SECURITY_SUBJECT_CONTEXT
_SE_AUDIT_PROCESS_CREATION_INFO
_SID
_SID_IDENTIFIER_AUTHORITY
_SINGLE_LIST_ENTRY
_SLIST_HEADER
_STRING
_ULARGE_INTEGER
_UNICODE_STRING
_WAIT_CONTEXT_BLOCK
__unnamed
_flags
LIST_ENTRY32
LIST_ENTRY64
PROCESSOR_IDLE_TIMES
PROCESSOR_PERF_STATE
_ACCESS_STATE
_ACTIVATION_CONTEXT
_ACTIVATION_CONTEXT_DATA
_ACTIVATION_CONTEXT_STACK
_ASSEMBLY_STORAGE_MAP
_CLIENT_ID
_CM_FULL_RESOURCE_DESCRIPTOR
_CM_PARTIAL_RESOURCE_DESCRIPTOR
_CM_PARTIAL_RESOURCE_LIST
_CM_RESOURCE_LIST
_COMPRESSED_DATA_INFO
_CONTEXT
_CURDIR
_DESCRIPTOR
_DEVICE_CAPABILITIES
_DEVICE_MAP
_DEVICE_OBJECT
_DEVICE_OBJECT_POWER_EXTENSION
_DEVOBJ_EXTENSION
_DISPATCHER_HEADER
_DPH_BLOCK_INFORMATION
_DPH_HEAP_BLOCK
_DPH_HEAP_ROOT
_DRIVER_EXTENSION
_DRIVER_OBJECT
_EJOB
_EPROCESS
_EPROCESS_QUOTA_BLOCK
_EPROCESS_QUOTA_ENTRY
_ERESOURCE
_ETHREAD
_EXCEPTION_RECORD
_EXCEPTION_REGISTRATION_RECORD
_EX_FAST_REF
_EX_PUSH_LOCK
_EX_PUSH_LOCK_CACHE_AWARE
_EX_PUSH_LOCK_WAIT_BLOCK
_EX_RUNDOWN_REF
_FAST_IO_DISPATCH
_FAST_MUTEX
_FILE_BASIC_INFORMATION
_FILE_GET_QUOTA_INFORMATION
_FILE_NETWORK_OPEN_INFORMATION
_FILE_OBJECT
_FILE_STANDARD_INFORMATION
_FLOATING_SAVE_AREA
_FNSAVE_FORMAT
_FS_FILTER_CALLBACKS
_FS_FILTER_CALLBACK_DATA
_FS_FILTER_PARAMETERS
_FXSAVE_FORMAT
_FX_SAVE_AREA
_GDI_TEB_BATCH
_GENERAL_LOOKASIDE
_GENERIC_MAPPING
_GUID
_HANDLE_TABLE
_HANDLE_TRACE_DB_ENTRY
_HANDLE_TRACE_DEBUG_INFO
_HARDWARE_PTE_X86
_HEAP
_HEAP_ENTRY
_HEAP_LOCK
_HEAP_PSEUDO_TAG_ENTRY
_HEAP_SEGMENT
_HEAP_TAG_ENTRY
_HEAP_UCR_SEGMENT
_HEAP_UNCOMMMTTED_RANGE
_IMAGE_DATA_DIRECTORY
_IMAGE_FILE_HEADER
_IMAGE_NT_HEADERS
_IMAGE_OPTIONAL_HEADER
_INITIAL_PRIVILEGE_SET
_INTERFACE
_IO_CLIENT_EXTENSION
_IO_COMPLETION_CONTEXT
_IO_COUNTERS
_IO_RESOURCE_DESCRIPTOR
_IO_RESOURCE_LIST
_IO_RESOURCE_REQUIREMENTS_LIST
_IO_SECURITY_CONTEXT
_IO_STACK_LOCATION
_IO_STATUS_BLOCK
_IO_TIMER
_IRP
_KAPC
_KAPC_STATE
_KDEVICE_QUEUE
_KDEVICE_QUEUE_ENTRY
_KDPC
_KDPC_DATA
_KEVENT
_KEXECUTE_OPTIONS
_KGATE
_KGDTENTRY
_KGUARDED_MUTEX
_KIDTENTRY
_KNODE
_KPCR
_KPRCB
_KPROCESS
_KPROCESSOR_STATE
_KQUEUE
_KSEMAPHORE
_KSPECIAL_REGISTERS
_KSPIN_LOCK_QUEUE
_KSYSTEM_TIME
_KTHREAD
_KTIMER
_KTRAP_FRAME
_KTSS
_KUSER_SHARED_DATA
_KWAIT_BLOCK
_KiIoAccessMap
_LARGE_INTEGER
_LDR_DATA_TABLE_ENTRY
_LIST_ENTRY
_LUID
_LUID_AND_ATTRIBUTES
_MAILSLOT_CREATE_PARAMETERS
_MDL
_MMADDRESS_NODE
_MMSUPPORT
_MMSUPPORT_FLAGS
_MMWSL
_MM_AVL_TABLE
_NAMED_PIPE_CREATE_PARAMETERS
_NPAGED_LOOKASIDE_LIST
_NT_TIB
_OBJECT_ATTRIBUTES
_OBJECT_CREATE_INFORMATION
_OBJECT_DIRECTORY
_OBJECT_DIRECTORY_ENTRY
_OBJECT_DUMP_CONTROL
_OBJECT_HANDLE_COUNT_DATABASE
_OBJECT_HANDLE_COUNT_ENTRY
_OBJECT_HANDLE_INFORMATION
_OBJECT_HEADER
_OBJECT_HEADER_CREATOR_INFO
_OBJECT_HEADER_HANDLE_INFO
_OBJECT_HEADER_NAME_INFO
_OBJECT_HEADER_QUOTA_INFO
_OBJECT_NAME_INFORMATION
_OBJECT_TYPE
_OBJECT_TYPE_INITIALIZER
_OWNER_ENTRY
_PAGED_LOOKASIDE_LIST
_PAGEFAULT_HISTORY
_PEB
_PEB_FREE_BLOCK
_PEB_LDR_DATA
_PERFINFO_GROUPMASK
_POWER_SEQUENCE
_POWER_STATE
_PP_LOOKASIDE_LIST
_PRIVILEGE_SET
_PROCESSOR_POWER_STATE
_PROCESS_WS_WATCH_INFORMATION
_PS_IMPERSONATION_INFORMATION
_PS_JOB_TOKEN_FILTER
_QUAD
_RTL_ACTIVATION_CONTEXT_STACK_FRAME
_RTL_AVL_TABLE
_RTL_BALANCED_LINKS
_RTL_CRITICAL_SECTION
_RTL_CRITICAL_SECTION_DEBUG
_RTL_DRIVE_LETTER_CURDIR
_RTL_STACK_TRACE_ENTRY
_RTL_TRACE_BLOCK
_RTL_TRACE_DATABASE
_RTL_TRACE_SEGMENT
_RTL_USER_PROCESS_PARAMETERS
_SCSI_REQUEST_BLOCK
_SECTION_OBJECT_POINTERS
_SECURITY_QUALITY_OF_SERVICE
_SECURITY_SUBJECT_CONTEXT
_SE_AUDIT_PROCESS_CREATION_INFO
_SID
_SID_AND_ATTRIBUTES
_SID_IDENTIFIER_AUTHORITY
_SINGLE_LIST_ENTRY
_SLIST_HEADER
_STACK_TRACE_DATABASE
_STRING
_TEB
_TEB_ACTIVE_FRAME
_TEB_ACTIVE_FRAME_CONTEXT
_TERMINATION_PORT
_ULARGE_INTEGER
_UNICODE_STRING
_VPB
_WAIT_CONTEXT_BLOCK
__unnamed
_flags

]]> By: nickdigital https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-845 nickdigital Tue, 27 Mar 2007 22:26:43 +0000 https://www.dumpanalysis.org/blog/index.php/2007/02/10/exported-ntdll-and-kernel-structures/#comment-845 Ahh, very nice tip, I had never come across the DIA2Dump sample. You spice this up a litte by using another Microsoft tools, logparser to filter out the duplicates and then sort Alphabetically... c:\>"C:\Program Files\Microsoft Visual Studio 8\DIA SDK\Samples\DIA2Dump\Release\Dia2Dump.e xe" -t C:\websymbols\ntdll.pdb\DCE823FCF71A4BF5AA489994520EA18F2\ntdll.pdb | logparser.exe -i:TEXTLI NE -o:CSV "Select DISTINCT EXTRACT_SUFFIX(TEXT,0,':') AS Type From STDIN WHERE TEXT LIKE '%UDT%' ORD ER BY Type ASC" Ahh, very nice tip, I had never come across the DIA2Dump sample. You spice this up a litte by using another Microsoft tools, logparser to filter out the duplicates and then sort Alphabetically…

c:\>”C:\Program Files\Microsoft Visual Studio 8\DIA SDK\Samples\DIA2Dump\Release\Dia2Dump.e
xe” -t C:\websymbols\ntdll.pdb\DCE823FCF71A4BF5AA489994520EA18F2\ntdll.pdb | logparser.exe -i:TEXTLI
NE -o:CSV “Select DISTINCT EXTRACT_SUFFIX(TEXT,0,’:') AS Type From STDIN WHERE TEXT LIKE ‘%UDT%’ ORD
ER BY Type ASC”

]]>