0cchext插件实用命令dttoc

最近给0cchext添加了一个实用的逆向命令,dttoc,这个命令可以把dt命令输出的结构体转化为C的结构,方便我们做逆向还原工作。

0:000> !0cchext.dttoc nt!_peb
/*
 * nt!_PEB as emitted by the 0cchext `dttoc` command (see the debugger line
 * above): each `dt` member is rendered as a C declaration in the same order.
 * This listing is not self-contained -- BYTE/WORD/DWORD/QWORD/VOID and the
 * referenced types (_PEB_LDR_DATA, _LIST_ENTRY, _UNICODE_STRING, ...) must be
 * provided by the consumer.  Anonymous struct/union members are a C11 feature
 * (MSVC supports them as an extension).  Bit-field packing is compiler
 * dependent, so cross-check member offsets against the original `dt` output
 * before relying on this struct for offset-based analysis.
 */
struct _PEB {
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
/* 1-byte flag set viewed either as a whole (BitField) or bit by bit. */
union {
BYTE BitField;
struct {
BYTE ImageUsesLargePages:1;
BYTE IsProtectedProcess:1;
BYTE IsImageDynamicallyRelocated:1;
BYTE SkipPatchingUser32Forwarders:1;
BYTE IsPackagedProcess:1;
BYTE IsAppContainer:1;
BYTE IsProtectedProcessLight:1;
BYTE IsLongPathAwareProcess:1;
};
};
VOID* Mutant;
VOID* ImageBaseAddress;
_PEB_LDR_DATA* Ldr;
_RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
VOID* SubSystemData;
VOID* ProcessHeap;
_RTL_CRITICAL_SECTION* FastPebLock;
_SLIST_HEADER* AtlThunkSListPtr;
VOID* IFEOKey;
/* 32-bit flag word; the bit widths below sum to 32, matching the DWORD. */
union {
DWORD CrossProcessFlags;
struct {
DWORD ProcessInJob:1;
DWORD ProcessInitializing:1;
DWORD ProcessUsingVEH:1;
DWORD ProcessUsingVCH:1;
DWORD ProcessUsingFTH:1;
DWORD ReservedBits0:27;
};
};
union {
VOID* KernelCallbackTable;
VOID* UserSharedInfoPtr;
};
DWORD SystemReserved[1];
_SLIST_HEADER* AtlThunkSListPtr32;
VOID* ApiSetMap;
DWORD TlsExpansionCounter;
VOID* TlsBitmap;
DWORD TlsBitmapBits[2];
VOID* ReadOnlySharedMemoryBase;
VOID* SparePvoid0;
VOID** ReadOnlyStaticServerData;
VOID* AnsiCodePageData;
VOID* OemCodePageData;
VOID* UnicodeCaseTableData;
DWORD NumberOfProcessors;
DWORD NtGlobalFlag;
_LARGE_INTEGER CriticalSectionTimeout;
/*
 * NOTE(review): these size/mask members come out as DWORD, and
 * GdiHandleBuffer has 34 entries -- this looks like a 32-bit target dump;
 * confirm before reusing the struct for a 64-bit process.
 */
DWORD HeapSegmentReserve;
DWORD HeapSegmentCommit;
DWORD HeapDeCommitTotalFreeThreshold;
DWORD HeapDeCommitFreeBlockThreshold;
DWORD NumberOfHeaps;
DWORD MaximumNumberOfHeaps;
VOID** ProcessHeaps;
VOID* GdiSharedHandleTable;
VOID* ProcessStarterHelper;
DWORD GdiDCAttributeList;
_RTL_CRITICAL_SECTION* LoaderLock;
DWORD OSMajorVersion;
DWORD OSMinorVersion;
WORD OSBuildNumber;
WORD OSCSDVersion;
DWORD OSPlatformId;
DWORD ImageSubsystem;
DWORD ImageSubsystemMajorVersion;
DWORD ImageSubsystemMinorVersion;
DWORD ActiveProcessAffinityMask;
DWORD GdiHandleBuffer[34];
/* Lower-case `void*` while every other pointer is `VOID*`: same size,
 * presumably just the emitter rendering this member's type differently. */
void* PostProcessInitRoutine;
VOID* TlsExpansionBitmap;
DWORD TlsExpansionBitmapBits[32];
DWORD SessionId;
_ULARGE_INTEGER AppCompatFlags;
_ULARGE_INTEGER AppCompatFlagsUser;
VOID* pShimData;
VOID* AppCompatInfo;
_UNICODE_STRING CSDVersion;
_ACTIVATION_CONTEXT_DATA* ActivationContextData;
_ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;
_ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;
_ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;
DWORD MinimumStackCommit;
_FLS_CALLBACK_INFO* FlsCallback;
_LIST_ENTRY FlsListHead;
VOID* FlsBitmap;
DWORD FlsBitmapBits[4];
DWORD FlsHighIndex;
VOID* WerRegistrationData;
VOID* WerShipAssertPtr;
VOID* pUnused;
VOID* pImageHeaderHash;
/*
 * NOTE(review): the bit-fields in this union are declared QWORD although they
 * total only 32 bits and overlay a DWORD.  Compiled as-is, a QWORD bit-field
 * widens the anonymous struct (and so the union) to 8 bytes, shifting every
 * member after it; re-check this member's `dt` type/offset before compiling.
 */
union {
DWORD TracingFlags;
struct {
QWORD HeapTracingEnabled:1;
QWORD CritSecTracingEnabled:1;
QWORD LibLoaderTracingEnabled:1;
QWORD SpareTracingBits:29;
};
};
QWORD CsrServerReadOnlySharedMemoryBase;
DWORD TppWorkerpListLock;
_LIST_ENTRY TppWorkerpList;
VOID* WaitOnAddressHashTable[128];
};
