t_dump

Descriptor of dump window. Dump window is a custom table that displays contents of memory block or file in some human-readable format (integer, hexadecimal, text, float, disassembly or structure). Plugins should not attempt to modify this structure directly.

typedef struct t_dump {                // Descriptor of dump data and window
  ulong          base;                 // Start of memory block or file
  ulong          size;                 // Size of memory block or file
  ulong          dumptype;             // Dump type, DU_xxx+count+size=DUMP_xxx
  ulong          menutype;             // Menu type, set of DMT_xxx
  ulong          itemwidth;            // Width of one item, characters
  ulong          threadid;             // Use decoding and registers if not 0
  t_table        table;                // Dump window is a custom table
  ulong          addr;                 // Address of first visible byte
  ulong          sel0;                 // Address of first selected byte
  ulong          sel1;                 // Last selected byte (not included!)
  ulong          selstart;             // Addr of first byte of selection start
  ulong          selend;               // Addr of first byte of selection end
  uchar          *filecopy;            // Copy of the file or NULL
  wchar_t        path[MAXPATH];        // Name of displayed file
  uchar          *backup;              // Old backup of memory/file or NULL
  wchar_t        strname[SHORTNAME];   // Name of the structure to decode
  uchar          *decode;              // Local decoding information or NULL
  wchar_t        bkpath[MAXPATH];      // Name of last used backup file
  int            relreg;               // Addresses relative to register
  ulong          reladdr;              // Addresses relative to this address
  ulong          hilitereg;            // One of OP_SOMEREG if reg highlighting
  int            hiregindex;           // Index of register to highlight
  ulong          graylimit;            // Gray data below this address
  DUMPSELFUNC    *dumpselfunc;         // Callback indicating change of sel0
} t_dump;


Members:

base
Start address of the displayed memory block. For files, this item is always 0. For memory dumps, this item may be 0! To distinguish whether dump displays file or memory, use filecopy (NULL: memory, not NULL: file dump)
size
Size of the displayed memory block or file, bytes
dumptype
Type of the dump, combination of flags DU_xxx + item count + item size, or one of the predefined combinations DUMP_xxx. Use Setdumptype() to change:
DU_SMALL - specifies small-footprint embedded dump window, like in Call DLL. Set of allowed menu commands is trimmed for this purpose
DU_FIXADDR - first visible address is fixed and can be changed only by the user. Implements Lock stack in stack dumps
DU_BACKUP - window displays backup instead of the real data
DU_USEDEC - requests to use decoding data, if available. Applies only to the memory dumps of type DU_DISASM or DU_DECODE
DU_COMMENT - requests memory dumps of type DU_DISASM or DU_DECODE to display comments in the Comments column (default)
DU_SOURCE
- requests memory dumps of type DU_DISASM or DU_DECODE to display source code in the Comments column
DU_DISCARD - dump window is temporary and will be closed of Esc is pressed. Any nontrivial operation resets this flag
DU_PROFILE
requests memory dumps of type DU_DISASM to display profiling data
DU_TYPEMASK - mask for dump type:
   DU_HEXTEXT - hexadecimal byte dump with ASCII text
   DU_HEXUNI - hexadecimal byte dump with UNICODE text
   DU_TEXT - ASCII character dump
   DU_UNICODE - UNICODE character dump
   DU_INT - signed integer dump
   DU_UINT - unsigned integer dump
   DU_IHEX - hexadecimal integer dump
   DU_FLOAT - floating-point dump
   DU_ADDR - address dump
with comments
   DU_ADRASC - address dump with ASCII text and comments
   DU_ADRUNI - address dump with UNICODE text and comments
   DU_DISASM - disassembly
   DU_DECODE - decoded data (similar to DU_DISASM, used for example for structure dumps)
DU_COUNTMASK - mask to extract number of items displayed on the line. Set to 1 for
DU_DISASM or DU_DECODE
DU_SIZEMASK - mask to extract size of single item. Set to MAXCMDSIZE (16) for DU_DISASM or DU_DECODE
For the list of available shortcuts DUMP_xxx, see plugin.h
menutype
Set of flags DMT_xxx that enable or disable some menu items:
DMT_FIXTYPE - type of the dump is fixed and can't be changed
DMT_STRUCT - this is the dump of the structure
DMT_CPUMASK - dump belongs to CPU window pane, namely:
   DMT_CPUDASM - CPU Disassembler pane
   DMT_CPUDUMP - CPU Dump pane
   DMT_CPUSTACK - CPU Stack pane
itemwidth
Width of the single dump item in the main column on the screen, characters. Frequently ignored by OllyDbg
threadid
Identifier of the associated thread, or 0 if there is no associated thread
table
Custom table associated with the dump window
addr
Address (memory) or offset (file) of the first visible byte displayed in the dump window
sel0
Address (memory) or offset (file) of the first selected byte (included)
sel1
Address (memory) or offset (file) of the last selected byte (not included). If sel0==sel1, there is no selection
selstart
Address (memory) or offset (file) where selection was started. Used when user changes selection with mouse or keyboard
selend
Address (memory) or offset (file) where selection was ended. Used when user changes selection with mouse or keyboard
filecopy
NULL if dump displays contents of memory. Otherwise, points to the buffer of size size which contains internal copy of the displayed file. Comparing filecopy with NULL is the only way to distinguish whether dump displays memory or file
path
Name of the displayed file on the disk
backup
Pointer to the memory block of size size containing local backup (previous contents) of the memory or file, or NULL if there is no local backup. Note that backups declared here are local to the dump and used only if threadid is 0. Dumps with associated threads use global backups which are kept in the memory descriptors
strname
If dump decodes contents of the structure, name of the structure. Otherwise, empty string. This item is ignored if dump type is not DU_DECODE
decode
Pointer to the memory block of size size containing local decoding information (a sequence of bytes DEC_xxx, one for each corresponding data byte) or NULL if local decoding information is unavailable. Local decoding is used mostly by the structure dumps. There is also global decoding data which is kept in memory descriptors
bkpath
Name of the last selected backup file, or empty string if dump has not yet accessed backup files
relreg
Index of the register (one of REG_xxx) used to display relative addresses, or REG_UNDEF if register-relative addressing is turned off. Applies only to memory dumps with associated thread. Has priority over reladdr
reladdr
Address or offset used to display relative addresses, or 0 if relative addressing is turned off
hilitereg
Type of the register that must be highlighted in the Disassembler dump, one of the constants OP_xxx or 0 if regiser highlighting is turned off. Register highlighting has priority over the syntax highlighting specified in t_dump.table.hilite
hiliteindex
Index of the register of type hilitereg that must be highlighted in the Disassembler dump. If hilitereg is OP_REGISTER, use constants REG_xxx. Note that partial registers are also highlighted (for example, DH and DX will be highlighted if EDX is specified)
graylimit
Address of the limit of reliable data. Bytes with addresses below graylimit will be grayed. Used in stack dumps to indicate that addresses below ESP are volatile
dumpselfunc
Pointer to the callback function of type DUMPSELFUNC that receives notifications whenever selection in dump window changes, or NULL if notification is not necessary


See also:
Dumps, tables