Huh??? "objdump -h ntoskrnl.exe" gives:

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         000ae630  80001000  80001000  00001000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE, DATA
  1 init          0000c128  800b0000  800b0000  000b0000  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  2 .data         000014c0  800bd000  800bd000  000bd000  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rdata        000178b0  800bf000  800bf000  000bf000  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .edata        0000b83d  800d7000  800d7000  000d7000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .idata        000007d4  800e3000  800e3000  000e3000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  6 .rsrc         000015e8  800e4000  800e4000  000e4000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  7 .bss          00021320  800e6000  800e6000  00000000  2**4
                  ALLOC
  8 .reloc        00008cd0  80108000  80108000  000e6000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .rossym       000c7e88  80111000  80111000  000ef000  2**2
                  CONTENTS, READONLY, DEBUGGING, NEVER_LOAD, EXCLUDE

Please note the .rossym section, which contains the symbols. Section size
0xc7e88. Corresponds very nicely to the 800KB you mention.

Gé van Geldorp.

Ok, well Casper kept insisting that rsym "strips" the symbols away.
Doesn't look like it.
Thanks for clearing it up.
Best regards,
Alex Ionescu