A forum for reverse engineering, OS internals and malware analysis 

 #26486  by myid
 Mon Aug 10, 2015 12:36 am
Hi, we all know that we can get an unexported function's address via a symbol file, but how do we get structure info via a symbol file?
I want to print structure info like WINDBG.
More simply, I want to get the member offset of a structure (for example, the ActiveProcessLinks offset of EPROCESS).
 #26488  by myid
 Mon Aug 10, 2015 7:12 am
nullptr wrote: Try SymbolTypeViewer 1.0.0.6
http://www.laboskopia.com/download/Symb ... 0_beta.zip
I have solved this problem. I get the member name and member offset by using the DBGHELP API.
But I cannot get the "struct ptr type" like WINDBG. For example:
   +0x1c0 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x1c8 CpuQuotaBlock    : Ptr64 _PS_CPU_QUOTA_BLOCK
:x
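Added example, not part of the thread or any poster's code: one way to produce WinDbg-style "Ptr64 _NAME" text is to take the member's type id (TI_GET_TYPEID on the member) and, while TI_GET_SYMTAG reports SymTagPointerType, follow TI_GET_TYPEID to the pointee and read that UDT's TI_GET_SYMNAME. It is narrowed to the pointer-to-struct case; type_info, type_lookup, format_type, sample_lookup, dbghelp_ctx and dbghelp_lookup are names made up for this example, the sample table is constructed, and the DbgHelp part compiles only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { TAG_UDT = 11, TAG_POINTER = 14 };  /* SymTagUDT, SymTagPointerType (cvconst.h) */
typedef struct {
    uint32_t tag;     /* TI_GET_SYMTAG */
    uint32_t target;  /* TI_GET_TYPEID: pointee type id (pointers only) */
    uint64_t length;  /* TI_GET_LENGTH: size in bytes */
    char name[64];    /* TI_GET_SYMNAME, narrowed (UDTs only) */
} type_info;
typedef int (*type_lookup)(void *ctx, uint32_t id, type_info *out);  /* hypothetical; 0 = failure */

/* Follow pointer -> pointee and build e.g. "Ptr64 _NAME"; returns 1 on success. */
int format_type(type_lookup get, void *ctx, uint32_t id, char *buf, size_t n) {
    type_info t;
    size_t used = 0;
    for (int depth = 0; depth < 8 && used < n; depth++) {  /* bound the pointer chain */
        if (!get(ctx, id, &t)) return 0;
        if (t.tag != TAG_POINTER)  /* UDT name, or a placeholder for other tags */
            return (size_t)snprintf(buf + used, n - used, "%s",
                                    t.tag == TAG_UDT ? t.name : "<other>") < n - used;
        used += (size_t)snprintf(buf + used, n - used, "Ptr%u ", (unsigned)(t.length * 8));
        id = t.target;
    }
    return 0;  /* chain too deep or buffer too small */
}

/* Constructed sample table: type id 1 is an 8-byte pointer to UDT id 2. */
int sample_lookup(void *ctx, uint32_t id, type_info *out) {
    static const type_info tbl[] = { {0}, {TAG_POINTER, 2, 8, ""}, {TAG_UDT, 0, 0, "_EPROCESS_QUOTA_BLOCK"} };
    if (id == 0 || id >= sizeof tbl / sizeof tbl[0]) return 0;
    *out = tbl[id];
    return 1;
}

#ifdef _WIN32  /* DbgHelp-backed lookup; use after SymInitialize and SymLoadModuleEx */
#include <windows.h>
#include <dbghelp.h>
typedef struct { HANDLE proc; DWORD64 base; } dbghelp_ctx;  /* hypothetical context */
int dbghelp_lookup(void *ctx, uint32_t id, type_info *out) {
    dbghelp_ctx *c = ctx; WCHAR *w = NULL;
    memset(out, 0, sizeof *out);
    if (!SymGetTypeInfo(c->proc, c->base, id, TI_GET_SYMTAG, &out->tag)) return 0;
    SymGetTypeInfo(c->proc, c->base, id, TI_GET_LENGTH, &out->length);
    if (out->tag == TAG_POINTER && !SymGetTypeInfo(c->proc, c->base, id, TI_GET_TYPEID, &out->target)) return 0;
    if (out->tag == TAG_UDT && SymGetTypeInfo(c->proc, c->base, id, TI_GET_SYMNAME, &w)) {
        WideCharToMultiByte(CP_UTF8, 0, w, -1, out->name, sizeof out->name - 1, NULL, NULL);
        LocalFree(w);  /* caller owns the name buffer; commonly released with LocalFree */
    }
    return 1;
}
#endif
```

On Windows, call format_type(dbghelp_lookup, &ctx, member_type_id, buf, sizeof buf) and link with dbghelp.lib.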