How To Remove Symbols from Device Drivers

When device drivers are built for Microsoft Windows NT using microsoft Visual C++ 4.0 or Microsoft Visual C++ 5.0, the driver binary (<driver>.SYS) contains debugging symbols. These symbols are present even when the driver has been built in the "FREE" environment. The procedure in this article shows you how to remove the symbols from the device driver binary

NOTE: This same procedure can also be used to reset the driver checksum if it is invalid.

Step-by-Step Procedure

1. Get the driver base address (image base) by executing this command:
   dumpbin /headers DRIVER_NAME | more
   where:
   • DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory)
   This will dump the driver headers and pipe the output through the MORE command.
2. Strip the symbols from the driver and place them in a DBG file by executing this command:
   rebase -b IMAGE_BASE -x DBG_PATH DRIVER_NAME"
   where:
   • IMAGE_BASE is the preferred base address of the driver. For kernel mode drivers, this is usually 0x10000.
   • DBG_PATH is the directory to place the DBG file. For ease of use, use "." to specify the current directory.
   • DRIVER_NAME is the name of the driver's binary image (including the path if it is not in the current directory)

Step-by-Step Example

1. Get the driver base address:
   dumpbin /headers driver.sys | more
   The sample output as follows:

       -----------------------------------------------------------
   
       Microsoft (R) COFF Binary File Dumper Version 2.50
       Copyright (C) Microsoft Corp 1992-94. All rights reserved.
   
   
       Dump of file driver.sys
   
       NT signature found
   
       File Type: EXECUTABLE IMAGE
   
       FILE HEADER VALUES
            14C machine (i386)
              6 number of sections
       2F295879 time date stamp Fri Jan 27 12:32:57 1995
              0 file pointer to symbol table
              0 number of symbols
             E0 size of optional header
            102 characteristics
                   Executable
                   32 bit word machine
   
       OPTIONAL HEADER VALUES
            10B magic #
           2.50 linker version
           33C0 size of code
           1500 size of initialized data
              0 size of uninitialized data
            280 address of entry point
            280 base of code
           3640 base of data
                ----- new -----
          10000 image base
   
           ... Additional information deleted ...
   
       -----------------------------------------------------------
   						

   Notice that in this example, the image base is 0x10000.
2. Strip the symbols from the driver:
   rebase -b 0x10000 -x . driver.sys
   This will move the symbols into DRIVER.DBG and replace the original driver (DRIVER.SYS) with one that doesn't contain symbols. All files will remain in the current directory.
   
   For this example, here are the file statistics:

                            Checked    Free
                            ----------------
       Original file size:   49728     15392
             After REBASE:   30816      9488
   					

Windows NT DDK: Building Windows NT device drivers

For information about the new debugging tools, click the link below: