{"id":16714056,"url":"https://github.com/therealdreg/windbgtocstruct","last_synced_at":"2025-03-21T20:33:40.078Z","repository":{"id":61047507,"uuid":"547202129","full_name":"therealdreg/windbgtocstruct","owner":"therealdreg","description":"Helper Script to convert a Windbg dumped structure (using the 'dt' command) into a C structure. It creates dummy structs for you if needed","archived":false,"fork":false,"pushed_at":"2023-08-11T06:27:59.000Z","size":23,"stargazers_count":26,"open_issues_count":0,"forks_count":8,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-10-13T20:49:02.545Z","etag":null,"topics":["c","debugging-tool","python3","struct","windbg","windows"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg"]}},"created_at":"2022-10-07T09:47:08.000Z","updated_at":"2024-05-29T03:29:27.000Z","dependencies_parsed_at":"2022-10-09T05:13:37.006Z","dependency_job_id":null,"html_url":"https://github.com/therealdreg/windbgtocstruct","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fwindbgtocstruct","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fwindbgtocstruct/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fwindbgtocstruct/releases","manifests_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fwindbgtocstruct/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/windbgtocstruct/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221818885,"owners_count":16885847,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","debugging-tool","python3","struct","windbg","windows"],"created_at":"2024-10-12T20:49:03.126Z","updated_at":"2024-10-28T10:49:44.133Z","avatar_url":"https://github.com/therealdreg.png","language":"Python","readme":"# windbgtocstruct\nHelper script to convert a structure dumped by Windbg (with the 'dt' command) into a C structure. It creates dummy structs for you if needed.\n\n```\n windbgtocstruct\n https://github.com/therealdreg/windbgtocstruct\n GNU General Public License v3.0\n -\n Mod by David Reguera Garcia aka Dreg\n Twitter @therealdreg\n https://www.fr33project.org\n dreg@fr33project.org\n https://github.com/therealdreg\n -\n Based on Windbg2Struct by Aidan Khoury (dude719)\n Twitter @aidankhoury\n https://github.com/ajkhoury/Windbg2Struct\n```\n\nIf you don't want to define every sub-structure in your headers, use this project (**Python3**): types it does not know are emitted as dummy structs.\n\n## Example of Use\n\nGet the size of the struct by running **?? sizeof(_PEB)** in Windbg:\n```\n?? 
sizeof(_PEB)\nunsigned int 0x400\n```\n\nExecute **dt _PEB** on Windbg:\n```\ndt nt!_PEB\n   +0x000 InheritedAddressSpace : UChar\n   +0x001 ReadImageFileExecOptions : UChar\n   +0x002 BeingDebugged    : UChar\n   +0x003 BitField         : UChar\n   +0x003 ImageUsesLargePages : Pos 0, 1 Bit\n   +0x003 IsProtectedProcess : Pos 1, 1 Bit\n   +0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit\n   +0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit\n   +0x003 IsPackagedProcess : Pos 4, 1 Bit\n   +0x003 IsAppContainer   : Pos 5, 1 Bit\n   +0x003 IsProtectedProcessLight : Pos 6, 1 Bit\n   +0x003 SpareBits        : Pos 7, 1 Bit\n   +0x004 Padding0         : [4] UChar\n   +0x008 Mutant           : Ptr64 Void\n   +0x010 ImageBaseAddress : Ptr64 Void\n   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA\n   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS\n   +0x028 SubSystemData    : Ptr64 Void\n   +0x030 ProcessHeap      : Ptr64 Void\n   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION\n   +0x040 AtlThunkSListPtr : Ptr64 Void\n   +0x048 IFEOKey          : Ptr64 Void\n   +0x050 CrossProcessFlags : Uint4B\n   +0x050 ProcessInJob     : Pos 0, 1 Bit\n   +0x050 ProcessInitializing : Pos 1, 1 Bit\n   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit\n   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit\n   +0x050 ProcessUsingFTH  : Pos 4, 1 Bit\n   +0x050 ReservedBits0    : Pos 5, 27 Bits\n   +0x054 Padding1         : [4] UChar\n   +0x058 KernelCallbackTable : Ptr64 Void\n   +0x058 UserSharedInfoPtr : Ptr64 Void\n   +0x060 SystemReserved   : [1] Uint4B\n   +0x064 AtlThunkSListPtr32 : Uint4B\n   +0x068 ApiSetMap        : Ptr64 Void\n   +0x070 TlsExpansionCounter : Uint4B\n   +0x074 Padding2         : [4] UChar\n   +0x078 TlsBitmap        : Ptr64 Void\n   +0x080 TlsBitmapBits    : [2] Uint4B\n   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void\n   +0x090 SparePvoid0      : Ptr64 Void\n   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void\n   +0x0a0 AnsiCodePageData : Ptr64 Void\n   +0x0a8 
OemCodePageData  : Ptr64 Void\n   +0x0b0 UnicodeCaseTableData : Ptr64 Void\n   +0x0b8 NumberOfProcessors : Uint4B\n   +0x0bc NtGlobalFlag     : Uint4B\n   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER\n   +0x0c8 HeapSegmentReserve : Uint8B\n   +0x0d0 HeapSegmentCommit : Uint8B\n   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B\n   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B\n   +0x0e8 NumberOfHeaps    : Uint4B\n   +0x0ec MaximumNumberOfHeaps : Uint4B\n   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void\n   +0x0f8 GdiSharedHandleTable : Ptr64 Void\n   +0x100 ProcessStarterHelper : Ptr64 Void\n   +0x108 GdiDCAttributeList : Uint4B\n   +0x10c Padding3         : [4] UChar\n   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION\n   +0x118 OSMajorVersion   : Uint4B\n   +0x11c OSMinorVersion   : Uint4B\n   +0x120 OSBuildNumber    : Uint2B\n   +0x122 OSCSDVersion     : Uint2B\n   +0x124 OSPlatformId     : Uint4B\n   +0x128 ImageSubsystem   : Uint4B\n   +0x12c ImageSubsystemMajorVersion : Uint4B\n   +0x130 ImageSubsystemMinorVersion : Uint4B\n   +0x134 Padding4         : [4] UChar\n   +0x138 ActiveProcessAffinityMask : Uint8B\n   +0x140 GdiHandleBuffer  : [60] Uint4B\n   +0x230 PostProcessInitRoutine : Ptr64     void \n   +0x238 TlsExpansionBitmap : Ptr64 Void\n   +0x240 TlsExpansionBitmapBits : [32] Uint4B\n   +0x2c0 SessionId        : Uint4B\n   +0x2c4 Padding5         : [4] UChar\n   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER\n   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER\n   +0x2d8 pShimData        : Ptr64 Void\n   +0x2e0 AppCompatInfo    : Ptr64 Void\n   +0x2e8 CSDVersion       : _UNICODE_STRING\n   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA\n   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP\n   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA\n   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP\n   +0x318 MinimumStackCommit : Uint8B\n   +0x320 FlsCallback      : Ptr64 _FLS_CALLBACK_INFO\n   
+0x328 FlsListHead      : _LIST_ENTRY\n   +0x338 FlsBitmap        : Ptr64 Void\n   +0x340 FlsBitmapBits    : [4] Uint4B\n   +0x350 FlsHighIndex     : Uint4B\n   +0x358 WerRegistrationData : Ptr64 Void\n   +0x360 WerShipAssertPtr : Ptr64 Void\n   +0x368 pUnused          : Ptr64 Void\n   +0x370 pImageHeaderHash : Ptr64 Void\n   +0x378 TracingFlags     : Uint4B\n   +0x378 HeapTracingEnabled : Pos 0, 1 Bit\n   +0x378 CritSecTracingEnabled : Pos 1, 1 Bit\n   +0x378 LibLoaderTracingEnabled : Pos 2, 1 Bit\n   +0x378 SpareTracingBits : Pos 3, 29 Bits\n   +0x37c Padding6         : [4] UChar\n   +0x380 CsrServerReadOnlySharedMemoryBase : Uint8B\n   +0x388 TppWorkerpListLock : Uint8B\n   +0x390 TppWorkerpList   : _LIST_ENTRY\n```\n\nExecute **python windbgtocstruct.py SIZE_OF_STRUCT**\n```\npython windbgtocstruct.py 0x400\n```\n\nPaste **Windbg dt output** and press enter two times\n\nDone! this should be the C code generated: \n```\n#include \u003cWindows.h\u003e\n#pragma pack(push)\n#pragma pack(1)\n\n#define SIZEOF__PEB 0x400\n\ntypedef struct _PEB\n{\n        UCHAR InheritedAddressSpace; // 0x0\n        UCHAR ReadImageFileExecOptions; // 0x1\n        UCHAR BeingDebugged; // 0x2\n        union aNoN_1\n        {\n                UCHAR BitField; // 0x3\n                struct aNoN_2\n                {\n                        UCHAR ImageUsesLargePages : 1; // 0x3\n                        UCHAR IsProtectedProcess : 1; // 0x3\n                        UCHAR IsImageDynamicallyRelocated : 1; // 0x3\n                        UCHAR SkipPatchingUser32Forwarders : 1; // 0x3\n                        UCHAR IsPackagedProcess : 1; // 0x3\n                        UCHAR IsAppContainer : 1; // 0x3\n                        UCHAR IsProtectedProcessLight : 1; // 0x3\n                        UCHAR SpareBits : 1; // 0x3\n                } aNoN_3;\n        } aNoN_4;\n        UCHAR Padding0[4]; // 0x4\n        PVOID Mutant; // 0x8\n        PVOID ImageBaseAddress; // 0x10\n        struct 
_PEB_LDR_DATA* Ldr; // 0x18\n        struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters; // 0x20\n        PVOID SubSystemData; // 0x28\n        PVOID ProcessHeap; // 0x30\n        struct _RTL_CRITICAL_SECTION* FastPebLock; // 0x38\n        PVOID AtlThunkSListPtr; // 0x40\n        PVOID IFEOKey; // 0x48\n        union aNoN_6\n        {\n                ULONG CrossProcessFlags; // 0x50\n                struct aNoN_7\n                {\n                        ULONG ProcessInJob : 1; // 0x50\n                        ULONG ProcessInitializing : 1; // 0x50\n                        ULONG ProcessUsingVEH : 1; // 0x50\n                        ULONG ProcessUsingVCH : 1; // 0x50\n                        ULONG ProcessUsingFTH : 1; // 0x50\n                        ULONG ReservedBits0 : 27; // 0x50\n                } aNoN_8;\n        } aNoN_9;\n        UCHAR Padding1[4]; // 0x54\n        PVOID KernelCallbackTable; // 0x58\n        PVOID UserSharedInfoPtr; // 0x58\n        ULONG SystemReserved[1]; // 0x60\n        ULONG AtlThunkSListPtr32; // 0x64\n        PVOID ApiSetMap; // 0x68\n        ULONG TlsExpansionCounter; // 0x70\n        UCHAR Padding2[4]; // 0x74\n        PVOID TlsBitmap; // 0x78\n        ULONG TlsBitmapBits[2]; // 0x80\n        PVOID ReadOnlySharedMemoryBase; // 0x88\n        PVOID SparePvoid0; // 0x90\n        PVOID* ReadOnlyStaticServerData; // 0x98\n        PVOID AnsiCodePageData; // 0xA0\n        PVOID OemCodePageData; // 0xA8\n        PVOID UnicodeCaseTableData; // 0xB0\n        ULONG NumberOfProcessors; // 0xB8\n        ULONG NtGlobalFlag; // 0xBC\n        struct _LARGE_INTEGER CriticalSectionTimeout; // 0xC0\n        ULONG64 HeapSegmentReserve; // 0xC8\n        ULONG64 HeapSegmentCommit; // 0xD0\n        ULONG64 HeapDeCommitTotalFreeThreshold; // 0xD8\n        ULONG64 HeapDeCommitFreeBlockThreshold; // 0xE0\n        ULONG NumberOfHeaps; // 0xE8\n        ULONG MaximumNumberOfHeaps; // 0xEC\n        PVOID* ProcessHeaps; // 0xF0\n        PVOID 
GdiSharedHandleTable; // 0xF8\n        PVOID ProcessStarterHelper; // 0x100\n        ULONG GdiDCAttributeList; // 0x108\n        UCHAR Padding3[4]; // 0x10C\n        struct _RTL_CRITICAL_SECTION* LoaderLock; // 0x110\n        ULONG OSMajorVersion; // 0x118\n        ULONG OSMinorVersion; // 0x11C\n        USHORT OSBuildNumber; // 0x120\n        USHORT OSCSDVersion; // 0x122\n        ULONG OSPlatformId; // 0x124\n        ULONG ImageSubsystem; // 0x128\n        ULONG ImageSubsystemMajorVersion; // 0x12C\n        ULONG ImageSubsystemMinorVersion; // 0x130\n        UCHAR Padding4[4]; // 0x134\n        ULONG64 ActiveProcessAffinityMask; // 0x138\n        ULONG GdiHandleBuffer[60]; // 0x140\n        void* PostProcessInitRoutine; // 0x230\n        PVOID TlsExpansionBitmap; // 0x238\n        ULONG TlsExpansionBitmapBits[32]; // 0x240\n        ULONG SessionId; // 0x2C0\n        UCHAR Padding5[4]; // 0x2C4\n        struct _ULARGE_INTEGER AppCompatFlags; // 0x2C8\n        struct _ULARGE_INTEGER AppCompatFlagsUser; // 0x2D0\n        PVOID pShimData; // 0x2D8\n        PVOID AppCompatInfo; // 0x2E0\n        struct _UNICODE_STRING CSDVersion; // 0x2E8\n        struct _ACTIVATION_CONTEXT_DATA* ActivationContextData; // 0x2F8\n        struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap; // 0x300\n        struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData; // 0x308\n        struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap; // 0x310\n        ULONG64 MinimumStackCommit; // 0x318\n        struct _FLS_CALLBACK_INFO* FlsCallback; // 0x320\n        struct _LIST_ENTRY FlsListHead; // 0x328\n        PVOID FlsBitmap; // 0x338\n        ULONG FlsBitmapBits[4]; // 0x340\n        ULONG FlsHighIndex; // 0x350\n        PVOID WerRegistrationData; // 0x358\n        PVOID WerShipAssertPtr; // 0x360\n        PVOID pUnused; // 0x368\n        PVOID pImageHeaderHash; // 0x370\n        union aNoN_11\n        {\n                ULONG TracingFlags; // 0x378\n                struct 
aNoN_12\n                {\n                        ULONG HeapTracingEnabled : 1; // 0x378\n                        ULONG CritSecTracingEnabled : 1; // 0x378\n                        ULONG LibLoaderTracingEnabled : 1; // 0x378\n                        ULONG SpareTracingBits : 29; // 0x378\n                } aNoN_13;\n        } aNoN_14;\n        UCHAR Padding6[4]; // 0x37C\n        ULONG64 CsrServerReadOnlySharedMemoryBase; // 0x380\n        ULONG64 TppWorkerpListLock; // 0x388\n        struct _LIST_ENTRY TppWorkerpList; // 0x390\n} PEB, *PPEB;\n\n// Dummy structs:\nstruct _PEB_LDR_DATA\n{\n        UCHAR data[1];\n};\n\nstruct _RTL_USER_PROCESS_PARAMETERS\n{\n        UCHAR data[1];\n};\n\nstruct _RTL_CRITICAL_SECTION\n{\n        UCHAR data[1];\n};\n\nstruct _LARGE_INTEGER\n{\n        UCHAR data[8];\n};\n\nstruct _ULARGE_INTEGER\n{\n        UCHAR data[8];\n};\n\nstruct _UNICODE_STRING\n{\n        UCHAR data[16];\n};\n\nstruct _ACTIVATION_CONTEXT_DATA\n{\n        UCHAR data[1];\n};\n\nstruct _ASSEMBLY_STORAGE_MAP\n{\n        UCHAR data[1];\n};\n\nstruct _FLS_CALLBACK_INFO\n{\n        UCHAR data[1];\n};\n\nstruct _LIST_ENTRY\n{\n        UCHAR data[16];\n};\n\n\n#pragma pack(pop)\n```\n\nCopy C code to your project and remove already defined dummy structs.\n\n**WARNING:** Dont use sizeof(STRUCT), because the last member of the struct can be non-completed. 
Use the **SIZEOF__PEB** constant generated by the script instead: it is the value you passed on the command line, so it stays correct even when the struct's last member is a dummy.\n\nExample:\n```\nPPEB peb_ptr = malloc(SIZEOF__PEB);\n....\nExternalApiUsingPEB(arg1, arg2, ..., SIZEOF__PEB, peb_ptr, ...);\n```\n\n## TODO\n\n* Still not able to properly handle nested unions and structs.\n\n## Related\n\n* https://github.com/ajkhoury/Windbg2Struct\n\n* https://github.com/markhc/windbg_to_c","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fwindbgtocstruct","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fwindbgtocstruct","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fwindbgtocstruct/lists"}
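An added example, not code from the windbgtocstruct repository: a small Python converter for the `dt` format described in the README above. It parses the member lines, maps WinDbg scalar names to Windows types (an assumed table, x64 target), sizes inline structs from the distance to the next offset, emits `UCHAR data[N]` dummies for unknown types, and then walks the packed layout to compare every computed offset with the one WinDbg printed. It goes beyond the README's tool in one respect: two plain members at the same offset (KernelCallbackTable and UserSharedInfoPtr at +0x058 in the dump above, which the generated C lists one after the other) are merged into a union, and `layout_check(..., merge_aliases=False)` shows how every later member shifts when they are not. The sample input is a constructed slice of the PEB dump; struct and function names are the example's own.

```python
"""Added example (not the windbgtocstruct script): turn WinDbg `dt` lines into a
packed C struct with dummy structs, then verify the layout against WinDbg's offsets."""
import re
from itertools import groupby

# WinDbg scalar names -> (C type, size). Assumed table; x64 target, so Ptr64 is 8 bytes.
SCALARS = {"UChar": ("UCHAR", 1), "Char": ("CHAR", 1), "Uint2B": ("USHORT", 2),
           "Int2B": ("SHORT", 2), "Uint4B": ("ULONG", 4), "Int4B": ("LONG", 4),
           "Uint8B": ("ULONG64", 8), "Int8B": ("LONG64", 8)}
LINE_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
BITS_RE = re.compile(r"^Pos (\d+), (\d+) Bits?$")

# Constructed sample: the 0x50..0x68 slice of the `dt nt!_PEB` dump shown above.
SAMPLE_DT = """\
   +0x050 CrossProcessFlags : Uint4B
   +0x050 ProcessInJob     : Pos 0, 1 Bit
   +0x050 ProcessInitializing : Pos 1, 1 Bit
   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit
   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit
   +0x050 ProcessUsingFTH  : Pos 4, 1 Bit
   +0x050 ReservedBits0    : Pos 5, 27 Bits
   +0x054 Padding1         : [4] UChar
   +0x058 KernelCallbackTable : Ptr64 Void
   +0x058 UserSharedInfoPtr : Ptr64 Void
   +0x060 SystemReserved   : [1] Uint4B
   +0x064 AtlThunkSListPtr32 : Uint4B
   +0x068 ApiSetMap        : Ptr64 Void
"""

def parse_dt(text, total_size=None):
    """Return member dicts in dump order; bits is None unless the line is a bit-field.
    An inline struct is sized from the distance to the next offset (or total_size)."""
    mem = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                     # `dt nt!_PEB` header, blank lines
        off, name, ty = int(m.group(1), 16), m.group(2), " ".join(m.group(3).split())
        b = BITS_RE.match(ty)
        if b:
            mem.append(dict(off=off, name=name, bits=int(b.group(2)), size=0, count=1))
            continue
        count, a = 1, re.match(r"^\[(\d+)\] (.+)$", ty)
        if a:
            count, ty = int(a.group(1)), a.group(2)
        depth = 0
        while ty.startswith("Ptr64 "):                   # `Ptr64 Ptr64 Void` -> depth 2
            depth, ty = depth + 1, ty[6:]
        base, size = SCALARS.get(ty, ("struct " + ty, None))
        if ty.lower() == "void":
            base = "VOID"
        mem.append(dict(off=off, name=name, bits=None, count=count, size=8 if depth else size,
                        ctype=base + "*" * depth, dummy=ty if base.startswith("struct") else None))
    for i, m in enumerate(mem):
        if m["size"] is None:                            # inline struct: size from the layout
            nxt = next((n["off"] for n in mem[i + 1:] if n["off"] > m["off"]), total_size)
            if nxt is None:
                raise ValueError("pass the `?? sizeof` result as total_size to size " + m["name"])
            m["size"] = (nxt - m["off"]) // m["count"]
    return mem

def layout_check(mem, merge_aliases=True):
    """Walk the layout like a packed compiler; return (mismatches, end offset). With
    merge_aliases=False members sharing an offset are laid out one after another."""
    bad, cur = [], mem[0]["off"]
    for _, g in groupby(mem, key=lambda m: m["off"]):
        plain = [m for m in g if m["bits"] is None]
        for m in (plain[:1] if merge_aliases else plain):
            if cur != m["off"]:
                bad.append((m["name"], m["off"], cur))
            cur += max(p["size"] * p["count"] for p in plain) if merge_aliases else m["size"] * m["count"]
    return bad, cur

def decl(m, ind):
    arr = "[%d]" % m["count"] if m["count"] > 1 else ""
    return "%s%s %s%s; // 0x%X" % ("    " * ind, m["ctype"], m["name"], arr, m["off"])

def to_c(text, name, total_size=None):
    """Emit dummies, a SIZEOF_ define computed from the layout, and the packed typedef."""
    mem, lines, dummies = parse_dt(text, total_size), [], {}
    for _, g in groupby(mem, key=lambda m: m["off"]):
        g = list(g)
        plain, bits = [m for m in g if m["bits"] is None], [m for m in g if m["bits"] is not None]
        for m in plain:
            if m["dummy"]:                               # pointer target: 1 byte; inline: real size
                dummies[m["dummy"]] = max(dummies.get(m["dummy"], 0), 1 if "*" in m["ctype"] else m["size"])
        if len(g) == 1:
            lines.append(decl(g[0], 1))
            continue
        lines += ["    union {", decl(plain[0], 2)]     # anonymous union/struct: C11 and MSVC
        if bits:
            lines += ["        struct {"] + ["            %s %s : %d;" % (plain[0]["ctype"], b["name"], b["bits"])
                                            for b in bits] + ["        };"]
        lines += [decl(p, 2) for p in plain[1:]] + ["    };"]   # plain aliases at the same offset
    tag = name.lstrip("_")
    out = ["#pragma pack(push, 1)"] + ["struct %s { UCHAR data[%d]; };" % d for d in dummies.items()]
    out += ["#define SIZEOF_%s 0x%X" % (name, layout_check(mem)[1] - mem[0]["off"]), "typedef struct %s {" % name]
    return "\n".join(out + lines + ["} %s, *P%s;" % (tag, tag), "#pragma pack(pop)"])
```

`to_c(SAMPLE_DT, "_PEB_SLICE")` prints a 0x20-byte packed struct whose dummies come before the typedef, so an inline `struct _LARGE_INTEGER` member is complete at the point of use. Run `layout_check(parse_dt(SAMPLE_DT), merge_aliases=False)` to see the sequential layout drift: UserSharedInfoPtr lands at 0x60 instead of 0x58 and the slice grows to 0x78, which is exactly why the README tells you to trust the SIZEOF_ define rather than `sizeof()` on a converted struct.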