Knowledge Base

How To Remove Symbols from Device Drivers

Article ID: 128372

Article Last Modified on 8/24/2005

APPLIES TO

This article was previously published under Q128372

SUMMARY

When device drivers are built for Microsoft Windows NT using microsoft Visual C++ 4.0 or Microsoft Visual C++ 5.0, the driver binary (<driver>.SYS) contains debugging symbols. These symbols are present even when the driver has been built in the "FREE" environment. The procedure in this article shows you how to remove the symbols from the device driver binary

MORE INFORMATION

NOTE: This same procedure can also be used to reset the driver checksum if it is invalid.

Step-by-Step Procedure

  1. Get the driver base address (image base) by executing this command:

    dumpbin /headers DRIVER_NAME | more

    where:
    • DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory)
    This will dump the driver headers and pipe the output through the MORE command.
  2. Strip the symbols from the driver and place them in a DBG file by executing this command:

    rebase -b IMAGE_BASE -x DBG_PATH DRIVER_NAME"

    where:
    • IMAGE_BASE is the preferred base address of the driver. For kernel mode drivers, this is usually 0x10000.
    • DBG_PATH is the directory to place the DBG file. For ease of use, use "." to specify the current directory.
    • DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory)

Step-by-Step Example

  1. Get the driver base address:

    dumpbin /headers driver.sys | more

    The sample output as follows: 
        -----------------------------------------------------------

    Microsoft (R) COFF Binary File Dumper Version 2.50
    Copyright (C) Microsoft Corp 1992-94. All rights reserved.


    Dump of file driver.sys

    NT signature found

    File Type: EXECUTABLE IMAGE

    FILE HEADER VALUES
         14C machine (i386)
           6 number of sections
    2F295879 time date stamp Fri Jan 27 12:32:57 1995
           0 file pointer to symbol table
           0 number of symbols
          E0 size of optional header
         102 characteristics
                Executable
                32 bit word machine

    OPTIONAL HEADER VALUES
         10B magic #
        2.50 linker version
        33C0 size of code
        1500 size of initialized data
           0 size of uninitialized data
         280 address of entry point
         280 base of code
        3640 base of data
             ----- new -----
       10000 image base

        ... Additional information deleted ...

    -----------------------------------------------------------
    Notice that in this example, the image base is 0x10000.
  2. Strip the symbols from the driver:

    rebase -b 0x10000 -x . driver.sys

    This will move the symbols into DRIVER.DBG and replace the original driver (DRIVER.SYS) with one that doesn't contain symbols. All files will remain in the current directory.

    For this example, here are the file statistics:
                             Checked    Free
                         ----------------
    Original file size:   49728     15392
          After REBASE:   30816      9488

REFERENCES

Windows NT DDK: Building Windows NT device drivers

For information about the new debugging tools, click the link below:

http://www.microsoft.com/whdc/devtools/ddk/default.mspx


Additional query words: checksum debug

Keywords: kbhowto KB128372


Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.