Hi, all
I’ve noticed that there is full name of the PDB file in a driver
binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
which is auto-added by the build file.
Is there a way how to force BUILD.exe not to add the name of the local
PDB file into the final SYS binary ?
L.
This had been asked many times before, and the answer
every time was WHY?
Is this a terrible secret that the driver was built with a pdb? So what?
If your local build path is x:\iranian_nuclear_project - rename it…
–PA
Ladislav Zezula wrote:
Hi, all
I’ve noticed that there is full name of the PDB file in a driver
binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
which is auto-added by the build file.Is there a way how to force BUILD.exe not to add the name of the local
PDB file into the final SYS binary ?L.
I’m sure there is a way (must be), if not what is wrong with 5 seconds
in a hex editor?
Pavel A. wrote:
This had been asked many times before, and the answer
every time was WHY?
Is this a terrible secret that the driver was built with a pdb? So
what? If your local build path is x:\iranian_nuclear_project - rename
it…–PA
Ladislav Zezula wrote:
> Hi, all
>
> I’ve noticed that there is full name of the PDB file in a driver
> binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
> which is auto-added by the build file.
>
> Is there a way how to force BUILD.exe not to add the name of the local
> PDB file into the final SYS binary ?
>
> L.
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminarsYou are currently subscribed to ntfsd as: matt-martin@tx.rr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
This is tampering and would cause an existing signature to be invalidated.
//Daniel
“Matt” wrote in message news:xxxxx@ntfsd…
> I’m sure there is a way (must be), if not what is wrong with 5 seconds
> in a hex editor?
>
> Pavel A. wrote:
>> This had been asked many times before, and the answer
>> every time was WHY?
>> Is this a terrible secret that the driver was built with a pdb? So
>> what? If your local build path is x:\iranian_nuclear_project - rename
>> it…
>>
>> --PA
>>
>> Ladislav Zezula wrote:
>>> Hi, all
>>>
>>> I’ve noticed that there is full name of the PDB file in a driver
>>> binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
>>> which is auto-added by the build file.
>>>
>>> Is there a way how to force BUILD.exe not to add the name of the local
>>> PDB file into the final SYS binary ?
>>>
>>> L.
>>
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>
>
Matt wrote:
I’m sure there is a way (must be), if not what is wrong with 5 seconds
in a hex editor?
Yes, patch it, then re-checksum. That’s what I’d do…
–PA
Unless it’s your own build and sign process, and you hex edit it first, then
sign it after, (this loads without issue for me on Server 2008 x64).
But I personally see no reason to remove this information unless you have
something to hide…
Although I have known specific malware to be “counter attacked” based on
this path and pdb being found by a “legitimate” product (the specific target
of the malware itself)
Crispin.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@resplendence.com
Sent: Thursday, September 11, 2008 14:12
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] How to get rid of PDB file name in FREE build of a
driver ?
This is tampering and would cause an existing signature to be invalidated.
//Daniel
“Matt” wrote in message news:xxxxx@ntfsd…
> I’m sure there is a way (must be), if not what is wrong with 5 seconds
> in a hex editor?
>
> Pavel A. wrote:
>> This had been asked many times before, and the answer
>> every time was WHY?
>> Is this a terrible secret that the driver was built with a pdb? So
>> what? If your local build path is x:\iranian_nuclear_project - rename
>> it…
>>
>> --PA
>>
>> Ladislav Zezula wrote:
>>> Hi, all
>>>
>>> I’ve noticed that there is full name of the PDB file in a driver
>>> binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
>>> which is auto-added by the build file.
>>>
>>> Is there a way how to force BUILD.exe not to add the name of the local
>>> PDB file into the final SYS binary ?
>>>
>>> L.
>>
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>
>
—
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: xxxxx@blocksoft.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com
Information from ESET NOD32 Antivirus, version of virus signature
database 3434 (20080911)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Information from ESET NOD32 Antivirus, version of virus signature
database 3434 (20080911)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
The undocumented /pdbpath:none linker option will embed the .pdb filename without the fully qualified path (i.e. just “blah.pdb” instead of “C:\WINDDK\6001\src\myprog.…\blah.pdb”). Is that what you are looking for?
The .pdb filename needs to be in there in some form if the debugger is ever to find symbols, however. If you really want absolutely no .pdb filename, then you might as well not build with /debug. (I would never ship a product that I didn’t have symbols for, but that is just me, however.)
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Thursday, September 11, 2008 4:24 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to get rid of PDB file name in FREE build of a driver ?
Hi, all
I’ve noticed that there is full name of the PDB file in a driver
binary built by WDK’s BUILD.exe. This is caused by the “/debug” flag,
which is auto-added by the build file.
Is there a way how to force BUILD.exe not to add the name of the local
PDB file into the final SYS binary ?
L.
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Crispin Wright wrote:
…
I have known specific malware to be “counter attacked” based on
this path and pdb being found by a “legitimate” product (the specific target
of the malware itself)
Hmm this is interesting idea. But again, the path part of the pdb
filename is local to the build machine, this path may be meaningless
where the driver is deployed.
All this path is worth for, is to save few motions for a dev who builds
and runs windbg on same machine.
–PA
Yes that’s exactly what I’m saying. In a particular instance, where the
malware author brought his “victim” software back to his build machine for
analysis, and typically ran it using a user mode debugger like ollydbg, then
the technique was successful, as he didn’t realize his driver had been
dumped by the victim software, and this information gleaned, even though he
had gone to extreme lengths to protect it by destroying the DEVICE_OBJECT
header, and hooking calls like MmIsAddressValid, NtLoadDriver, and
implementing a whole host of other nasty hooks and subversions.
I will be awfully glad when only signed drivers can be loaded on both 32bit
and 64bit machines, and there is no bypass whatsoever.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Pavel A.
Sent: Thursday, September 11, 2008 17:44
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] How to get rid of PDB file name in FREE build of a
driver ?
Crispin Wright wrote:
…
I have known specific malware to be “counter attacked” based on
this path and pdb being found by a “legitimate” product (the specific
target
of the malware itself)
Hmm this is interesting idea. But again, the path part of the pdb
filename is local to the build machine, this path may be meaningless
where the driver is deployed.
All this path is worth for, is to save few motions for a dev who builds
and runs windbg on same machine.
–PA
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: xxxxx@blocksoft.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 3435 (20080911) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 3435 (20080911) __________
The message was checked by ESET NOD32 Antivirus.
On 9/11/08, Skywing wrote:
> The undocumented /pdbpath:none linker option will embed the .pdb filename
> without the fully qualified path (i.e. just “blah.pdb” instead of
> “C:\WINDDK\6001\src\myprog.…\blah.pdb”). Is that what you are looking
> for?
one can also use another undoc /pdbaltpath:path to embed an altogether
new path in the exe and manually copy the pdb to that path
but skywing these switches dont erase the path in the physical pdbs
they will still contain the directory structure
Source files, item 0
Module=crap
Source=CRAP.C
Source path=c:\lisp\crap.c
Debug Directories
Time Type Size RVA Pointer
-------- ------ -------- -------- --------
48C97B49 cv 29 00017CB0 17CB0 Format: RSDS, {8F8740B6-8E2B-4
669-8BB4-2A40E791903C}, 1, c:\lisp\blah.pdb
i read binplace -a -s -x deletes these paths and puts just the pdb
name everywhere
but has never tried it