Microsoft KB Archive/128372

HOWTO: Remove Symbols from Device Drivers

Q128372


The information in this article applies to:


 * Microsoft Win32 Device Driver Kit (DDK) for Windows NT, versions 3.5, 3.51


SUMMARY
When device drivers are built on Windows NT, the driver binary contains debugging symbols. These symbols are present even when the driver has been built in the "free" environment. The procedure in this article shows you how to remove the symbols from the device driver binary.

MORE INFORMATION
NOTE: This same procedure can also be used to reset the driver checksum if it is invalid.

Step-by-Step Procedure
1. Get the driver base address (image base) by executing this command:

   dumpbin /headers DRIVER_NAME | more

   where:

   DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory).

   This will dump the driver headers and pipe the output through the MORE command.

2. Strip the symbols from the driver and place them in a DBG file by executing this command:

   rebase -b IMAGE_BASE -x DBG_PATH DRIVER_NAME

   where:

   IMAGE_BASE is the preferred base address of the driver. For kernel mode drivers, this is usually 0x10000.

   DBG_PATH is the directory to place the DBG file. For ease of use, use "." to specify the current directory.

   DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory).

Step-by-Step Example
1. Get the driver base address:

   dumpbin /headers driver.sys | more

   The sample output is as follows:

<pre class="FIXEDTEXT">
Microsoft (R) COFF Binary File Dumper Version 2.50
Copyright (C) Microsoft Corp 1992-94. All rights reserved.

Dump of file driver.sys

NT signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
2F295879 time date stamp Fri Jan 27 12:32:57 1995
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
     102 characteristics
           Executable
           32 bit word machine

OPTIONAL HEADER VALUES
     10B magic #
    2.50 linker version
    33C0 size of code
    1500 size of initialized data
       0 size of uninitialized data
     280 address of entry point
     280 base of code
    3640 base of data
         - new -
   10000 image base

... Additional information deleted ...
</pre>

   Notice that in this example, the image base is 0x10000.

2. Strip the symbols from the driver:

   rebase -b 0x10000 -x . driver.sys

   This will move the symbols into DRIVER.DBG and replace the original driver (DRIVER.SYS) with one that doesn't contain symbols. All files will remain in the current directory.

   For this example, here are the file statistics:

<pre class="FIXEDTEXT">
                     Checked     Free
Original file size:    49728    15392
After REBASE:          30816     9488
</pre>
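The procedure above can be checked without dumpbin by reading the same header fields directly. The following Python sketch is an added example, not part of the original article or the DDK. It reads the image base, tests the PE `IMAGE_FILE_DEBUG_STRIPPED` characteristic (0x0200, a flag the article does not mention), and recomputes the header checksum that the NOTE says the procedure resets. `build_sample` is a hypothetical helper that constructs a header-only image from the values in the sample output; the 0x0302 "after" value is an assumption modelling a stripped image.

```python
import struct

IMAGE_FILE_DEBUG_STRIPPED = 0x0200  # PE flag: debug info lives in a separate file

def pe_checksum(data: bytes, csum_off: int) -> int:
    """16-bit end-around-carry sum with CheckSum zeroed, plus file length."""
    buf = data[:csum_off] + b"\0" * 4 + data[csum_off + 4:]
    buf += b"\0" * (len(buf) % 2)           # pad odd-length files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def inspect_pe32(data: bytes) -> dict:
    """Read fields that dumpbin /headers prints and report symbol/checksum state."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("NT signature not found")
    _m, _n, _ts, symtab, nsyms, _osz, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                       # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 10B) is handled")
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (stored,) = struct.unpack_from("<I", data, opt + 64)
    return {
        "image_base": image_base,
        "coff_symbols": nsyms if symtab else 0,
        "debug_stripped": bool(chars & IMAGE_FILE_DEBUG_STRIPPED),
        "checksum_ok": stored == pe_checksum(data, opt + 64),
    }

def build_sample(chars: int = 0x0102, fix_checksum: bool = True) -> bytes:
    """Constructed header-only image using the values from the sample output."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 6, 0x2F295879, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # magic
    struct.pack_into("<I", opt, 28, 0x10000)     # image base
    img = bytearray(dos + b"PE\0\0" + coff + opt)
    if fix_checksum:                             # CheckSum sits at 0x58 + 64
        struct.pack_into("<I", img, 0x58 + 64, pe_checksum(bytes(img), 0x58 + 64))
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("before", build_sample()), ("after", build_sample(0x0302))):
        print(label, inspect_pe32(img))
```

To check a real driver, pass the file's bytes to `inspect_pe32`, for example `inspect_pe32(open("driver.sys", "rb").read())`.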