WinDbg: How do I programmatically parse output from `dt`?

Question

The WinDbg dt command is very useful for displaying type information, and I commonly use dt -a <memory-address> <type> to output type information for an array of elements.

How do I programmatically manipulate the values output by dt? Specifically, for each element in the array, I'd like to output the bit shifted value of each element in the array (??(array-element)>>1 for each value in the array). I've tried this for an array of 100 elements (with an example array memory address of 0xDEADBEEF, with datatype MY_TYPE):

.for (r $t0=0; @$t0<0n100; r $t0=@$t0+1) { ??(dt 0xDEADBEEF)+(@@c++(sizeof(MY_TYPE))*@$t0) MY_TYPE)>>1 }

Essentially, for each element in the array, I'd like to print the output of dt, with the numerical value shifted by 1.

Answer 1

NatVis is now the solution for this type of problem:

https://www.osr.com/blog/2015/11/06/fun-windbg-natvis-support/

Basically you use XML to describe how you want the structure displayed and then display it using dx instead of dt.

Answer 2

You can use qwo, as it reads from memory:

.for (r $t0=0; @$t0<0n100; r $t0=@$t0+1) { r @$t1 = qwo(DEADBEEF+(@$t0*@@c++(sizeof(MY_TYPE))));?@$t1>>1 }

Since qwo is a memory-reading function, the value can be manipulated programmatically.

Answer 3

Try to use pykd. It give you python API for debug angine of the windbg. You can work with typed variable in two way:

1. Simple way: parsing.

   dtoutput = pykd.dbgCommand("dt _MYTYPE address")

   callDtParser(dtoutput) # parse text as you can: re ....

2. Right way: pykd.typedVar

   myvar = pykd.typedVar("_MYTYPE", address )

   print myvar.arrayField[10] >> 2 # compare with C

How to install pykd ( with bootstarpper ) https://pykd.codeplex.com/releases/view/614442

Tip: don't use python 2.7.11 - it has a bug and does not work in embedding application ( you can fix it by changing default python registartion )