identifying a debug binary

Hi all,

Is there a way to identify whether one of my installed drivers is release
or debug?

I just have the binary, no sources or symbols.

I have IDA Pro, which flags it as a debug binary, but what are the
sections/things that can identify it?

thanks

  • amitr0

As I remember running “link /dump /headers yourfile.sys” will give you some
info.

Jan


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Monday, December 22, 2008 4:02 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] identifying a debug binary

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Not sure, but probably _stkchk will show in the prologue, and can be seen using windbg !!!

Well, as if I’ve to sign something !
Prokash Sinha
http://prokash.squarespace.com
Success has many fathers, but failure is an orphan.

----- Original Message -----
From: Jan Bottorff
To: Windows System Software Devs Interest List
Sent: Monday, December 22, 2008 4:06 PM
Subject: RE: [ntdev] identifying a debug binary

As I remember running “link /dump /headers yourfile.sys” will give you some info.

Jan



What about the image do you want to know specifically, because whether
something is chk or dbg or whatever, is really a matter of definition,
and consequently not really something that can be determined after the
fact without knowing what you’re looking for.

Good luck,

mm


If you have a VERSIONINFO structure in it, then you can set the debug bit,
and use the standard version APIs to read the .sys file.

In the .rc file you use, you could add

#ifdef DBG
FILEFLAGS VS_FF_DEBUG
#else
FILEFLAGS 0
#endif

or something along those lines.

Note that you might want to have other file flags specified, so I just
showed the one of interest. Your Mileage May Vary.
joe
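
The VERSIONINFO check from the reply above, written out as an added example that is not part of the original thread: it reads the VS_FF_DEBUG bit straight from a .sys file when no version APIs are at hand. It scans the raw bytes for the VS_FIXEDFILEINFO signature instead of walking the PE resource directory; the function names and the sample image are constructed for illustration.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD     # dwSignature of VS_FIXEDFILEINFO
VS_FFI_STRUCVERSION = 0x00010000  # dwStrucVersion, used to reject chance matches
VS_FF_DEBUG = 0x00000001          # the bit FILEFLAGS VS_FF_DEBUG sets
FIXED_FMT = "<13I"                # the structure is 13 little-endian DWORDs
FIXED_SIZE = struct.calcsize(FIXED_FMT)


def find_fixed_file_info(image: bytes):
    """Return the first plausible VS_FIXEDFILEINFO in the raw file, or None."""
    needle = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = image.find(needle)
    while pos != -1:
        if pos + FIXED_SIZE <= len(image):
            f = struct.unpack_from(FIXED_FMT, image, pos)
            if f[1] == VS_FFI_STRUCVERSION:
                return {
                    "offset": pos,
                    "file_version": (f[2] >> 16, f[2] & 0xFFFF, f[3] >> 16, f[3] & 0xFFFF),
                    "flags_mask": f[6],   # dwFileFlagsMask: bits declared valid
                    "flags": f[7],        # dwFileFlags
                }
        pos = image.find(needle, pos + 1)
    return None


def debug_flag(image: bytes):
    """True/False for the VS_FF_DEBUG bit, None when no version resource is found."""
    info = find_fixed_file_info(image)
    if info is None:
        return None  # no VERSIONINFO: this check cannot say anything
    # The mask is reported, not enforced: resource scripts do not always set it.
    return bool(info["flags"] & VS_FF_DEBUG)


def constructed_image(file_flags: int) -> bytes:
    """Constructed sample (not a full PE): filler, then one VS_FIXEDFILEINFO."""
    fixed = struct.pack(FIXED_FMT, VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION,
                        0x00010002, 0x00030004, 0x00010002, 0x00030004,
                        0x3F, file_flags, 0x00040004, 0x3, 0x7, 0, 0)
    return b"MZ" + b"\x00" * 126 + fixed


if __name__ == "__main__":
    for flags in (VS_FF_DEBUG, 0):
        print(hex(flags), debug_flag(constructed_image(flags)))
```

The bit only reflects what the resource script declared at build time, so a result of False or None does not show that the code was compiled as a release build.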

