t_dump
Descriptor of dump window. Dump window is a custom table that displays contents of memory block or file in some human-readable format (integer, hexadecimal, text, float, disassembly or structure). Plugins
should not attempt to modify this structure directly.
typedef
struct t_dump
{
// Descriptor of dump data and window
ulong
base;
// Start of memory block or file
ulong
size;
// Size of memory block or file
ulong
dumptype;
// Dump type, DU_xxx+count+size=DUMP_xxx
ulong
menutype;
// Menu type, set of DMT_xxx
ulong
itemwidth;
// Width of one item, characters
ulong
threadid;
// Use decoding and registers if not 0
t_table
table;
// Dump window is a custom table
ulong
addr;
// Address of first visible byte
ulong
sel0;
// Address of first selected byte
ulong
sel1;
// Last selected byte (not included!)
ulong
selstart;
// Addr of first byte of selection start
ulong
selend;
// Addr of first byte of selection end
uchar
*filecopy;
// Copy of the file or NULL
wchar_t
path[MAXPATH]; // Name of
displayed file
uchar
*backup;
// Old backup of memory/file or NULL
wchar_t strname[SHORTNAME]; // Name of the structure to decode
uchar
*decode;
// Local decoding information or NULL
wchar_t
bkpath[MAXPATH]; // Name of last used
backup file
int
relreg;
// Addresses relative to register
ulong
reladdr;
// Addresses relative to this address
ulong
hilitereg;
// One of OP_SOMEREG if reg highlighting
int
hiregindex;
// Index of register to highlight
ulong
graylimit;
// Gray data below this address
DUMPSELFUNC
*dumpselfunc; //
Callback indicating change of sel0
} t_dump;
Members:
base
Start address of the displayed memory block. For files, this item is always 0. For memory dumps, this item may be 0! To distinguish whether dump displays file or memory, use filecopy (NULL: memory, not NULL: file dump)
size
Size of the displayed memory block or file, bytes
dumptype
Type of the dump, combination of flags DU_xxx + item count + item size, or one of the predefined combinations DUMP_xxx. Use Setdumptype() to change:
DU_SMALL
- specifies small-footprint embedded dump window, like in Call
DLL. Set of allowed menu commands is trimmed for this purpose
DU_FIXADDR - first visible address is fixed and can be changed only by the user. Implements Lock stack in stack dumps
DU_BACKUP - window displays backup instead of the real data
DU_USEDEC - requests to use decoding data, if available. Applies only to the memory dumps of type DU_DISASM or DU_DECODE
DU_COMMENT - requests memory dumps of type DU_DISASM or DU_DECODE to display comments in the Comments column (default)
DU_SOURCE - requests memory dumps of type DU_DISASM or DU_DECODE to display source code in the Comments columnDU_DISCARD - dump window is temporary and will be closed of Esc is pressed. Any nontrivial operation resets this flag
DU_PROFILE - requests memory dumps of type DU_DISASM to display profiling dataDU_TYPEMASK - mask for dump type:
DU_HEXTEXT - hexadecimal byte dump with ASCII text
DU_HEXUNI - hexadecimal byte dump with UNICODE text
DU_TEXT - ASCII character dump
DU_UNICODE - UNICODE character dump
DU_INT - signed integer dump
DU_UINT - unsigned integer dump
DU_IHEX - hexadecimal integer dump
DU_FLOAT - floating-point dump
DU_ADDR - address dump with comments DU_ADRASC - address dump with ASCII text and comments DU_ADRUNI - address dump with UNICODE text and comments
DU_DISASM - disassembly
DU_DECODE - decoded data (similar to DU_DISASM, used for example for structure dumps)
DU_COUNTMASK - mask to extract number of items displayed on the line. Set to 1 for DU_DISASM or DU_DECODEDU_SIZEMASK - mask to extract size of single item. Set to MAXCMDSIZE (16) for DU_DISASM or DU_DECODEFor the list of available shortcuts DUMP_xxx, see plugin.h
menutype
Set of flags DMT_xxx that enable or disable some menu items:
DMT_FIXTYPE - type of the dump is fixed and can't be changed
DMT_STRUCT - this is the dump of the structure
DMT_CPUMASK - dump belongs to CPU window pane, namely:
DMT_CPUDASM - CPU Disassembler pane
DMT_CPUDUMP - CPU Dump pane
DMT_CPUSTACK - CPU Stack pane
itemwidth
Width of the single dump item in the main column on the screen, characters. Frequently ignored by OllyDbg
threadid
Identifier of the associated thread, or 0 if there is no associated thread
table
Custom table associated with the dump window
addr
Address (memory) or offset (file) of the first visible byte displayed in the dump window
sel0
Address (memory) or offset (file) of the first selected byte (included)
sel1
Address (memory) or offset (file) of the last selected byte (not included). If sel0==sel1, there is no selection
selstart
Address (memory) or offset (file) where selection was started. Used when user changes selection with mouse or keyboard
selend
Address (memory) or offset (file) where selection was ended. Used when user changes selection with mouse or keyboard
filecopy
NULL if dump displays contents of memory. Otherwise, points to the buffer of size size which contains internal copy of the displayed file. Comparing filecopy with NULL is the only way to distinguish whether dump displays memory or file
path
Name of the displayed file on the disk
backup
Pointer to the memory block of size size
containing local backup (previous contents) of the memory or file, or
NULL if there is no local backup. Note that backups declared here are
local to the dump and used only if threadid is 0. Dumps with associated threads use global backups which are kept in the memory descriptors
strname
If
dump decodes contents of the structure, name of the structure.
Otherwise, empty string. This item is ignored if dump type is not DU_DECODE
decode
Pointer to the memory block of size size containing local decoding information (a sequence of bytes DEC_xxx,
one for each corresponding data byte) or NULL if local decoding
information is unavailable. Local decoding is used mostly by the
structure dumps. There is also global decoding data which is kept in memory descriptors
bkpath
Name of the last selected backup file, or empty string if dump has not yet accessed backup files
relreg
Index of the register (one of REG_xxx) used to display relative addresses, or REG_UNDEF if register-relative addressing is turned off. Applies only to memory dumps with associated thread. Has priority over reladdr
reladdr
Address or offset used to display relative addresses, or 0 if relative addressing is turned off
hilitereg
Type of the register that must be highlighted in the Disassembler dump, one of the constants OP_xxx or 0 if regiser highlighting is turned off. Register highlighting has priority over the syntax highlighting specified in t_dump.table.hilite
hiliteindex
Index of the register of type hilitereg that must be highlighted in the Disassembler dump. If hilitereg is OP_REGISTER, use constants REG_xxx. Note that partial registers are also highlighted (for example, DH and DX will be highlighted if EDX is specified)
graylimit
Address of the limit of reliable data. Bytes with addresses below graylimit will be grayed. Used in stack dumps to indicate that addresses below ESP are volatile
dumpselfunc
Pointer to the callback function of type DUMPSELFUNC that receives notifications whenever selection in dump window changes, or NULL if notification is not necessary
See
also: