Skip to content

andreiw/dbgsplice

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
dbgsplice.c
dbgsplice.c
 
 
pe32.h
pe32.h
 
 
withsyms.png
withsyms.png
 
 

Repository files navigation

dbgsplice

Merge COFF symbol table into stripped EXE.

This tool is a debugging aid meant to simplify disassembling stripped Windows NT binaries. Checked builds of NT came with DBG files (e.g. support/debug/ppc/symbols/exe/ntoskrnl.dbg for ntoskrnl.exe), but normal tools (Microsoft's dumpbin, OpenWatcom wdis) don't make use of DBG files and thus yield a pretty useless disassembly.

Status

dbgsplice only takes care of the COFF symbol table today. This is good enough for dumpbin. Tools that care about CV (Windbg...?) know about symbol files after all.

  • I didn't verify that the resulting image is good enough for running (i.e. checksum is not updated).
  • Should be endian clean.
  • And supports PE/COFF files with and without MZ headers.
  • Architecture agnostic.
  • Some sanity checking that DBG and EXE match.

Building

$ make dbgsplice

Using

$ dbgsplice ntkrnlmp.dbg  ntkrnlmp.exe ntkrnlmp-with-syms.exe
Done!
...
Q:\> dumpbin /DISASM ntkrnlmp-with-syms.exe > ntkrnlmp-with-syms.txt

and we have syms

Contact Info

Andrei Warkentin (andrey.warkentin@gmail.com).

About

Merge COFF symbol table into stripped EXE

Resources

Readme
Activity

Stars

2 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages