
VC-generated .exe files have something extra in the DOS header besides the DOS stub

2012-01-12 13:42

In an .exe compiled by gcc, the stub part of the DOS header contains only "This program cannot be run in DOS mode", but VC adds several more lines on top of that. Does anyone know what these lines do? Under pure DOS a VC executable also just prints "This program cannot be run in DOS mode" and does nothing else.

What's more, this DOS stub is different in different files.

I have no idea what this stuff is for.
http://topic.csdn.net/u/20091030/05/2362D834-B848-4047-9D02-BA61D2C5DB1C.html

------------------------------------------------------------------------------------

That is the Rich signature. Opinions online vary: some say it is the host name, to make tracing virus authors easier;

some say it is linker version information, some say it is VC registration information, but I have never seen an official explanation.

------------------------------------------------------------------------------------

The longer the program, the bigger this thing gets, and it is different for every program. It doesn't seem to be that simple.

------------------------------------------------------------------------------------

This is explained in more detail here:
http://ntcore.com/files/richsign.htm

http://www.asmcommunity.net/board/index.php?topic=11182.0

http://thestarman.pcministry.com/asm/debug/DOSstub.htm#INTRO
http://thestarman.pcministry.com/asm/index.html
http://thestarman.pcministry.com/asm/debug/debug2.htm
http://www.asmcommunity.net/board/index.php?topic=11182.15
http://www.woodmann.com/forum/showthread.php?5925-question-about-some-stuff-in-exe-header
http://www.woodmann.com/forum/showthread.php?11367-Microsoft-s-Rich-Signature-(undocumented)
http://mirror.sweon.net/madchat/vxdevl/vxmags/29a-8/Articles/29A-8.009

: things they didn't tell you about ms link and the pe header : lw, 7 july 2004 :

* Introduction

The linkers from Microsoft store information about the compiler versions used
to create the object and library files in the EXE files they produce. This
information is stored right after the DOS stub, and before the start of the
actual PE header.

Apparently they wanted to hide it, since all this stuff is encrypted using
checksums and other weird ways. I must say that I don't understand much of
the way they built up the structure, it is inefficient and simply weird.
Also I don't see much use of it, unless in some strange lawsuit or something
where the question is: is this .exe file created by this compiler+linker?
Or: are these .lib's used to create this exe file? Still then there is no
good evidence, because only the used compiler versions are stored, compilers
which are used by thousands of other people too. And why does Microsoft use
this strange encryption and such?

Well, as you might see, enough questions about the reason why it exists -I can't
tell you much about the use of it- but maybe I can tell you something in this
article about the structure of this stored data though.

* The Rich-Structure

The name "rich" is used because of one field of the structure, which contains
the ASCII values that form "Rich". After the DOS stub the "rich" structure is
stored. This structure is created by the MS linker and consists mainly of compiler
id's which are gathered by the linker from the used .obj and .lib files. These
compiler id's are stored in the files by the MS compiler in the 'comp.id' fields,
and contain the version number of the compiler. Newer linkers from MS also add
their linker id to the exe file.

The "rich" structure is in the following format:

    a, b, b, b      -- identification block / header?
    compid^b, r^b   -- from 0
    ..              --      :
    compid^b, r^b   -- to   n
    'Rich', b       -- terminator
    padding

Where all variables are dwords. b is the checksum I'll describe later, and
a=b^0x536e6144. This value is a hardcoded value and apparently always used.
compid is the compiler id and r is the number of times it was encountered
over all the lib/obj files (that is an assumption, I'm not 100% sure). And
n is the number of stored compid's. compid's are dwords too, the lower word is
the minor version number (0-9999 decimal), the high word is the major
number. I don't know how the high word is encoded, but 13.10 appears to be
encoded as 0x60, and 7.10 as 0x5a. And yes, I see that 0x60-0x5a is the same
as 13-7 decimal, but where did the 0x53 (0x60-13 decimal) come from? And where
is the 10 from the version number stored?

The size of the "rich" structure is ((b/32)%3 + n)*8 + 0x20 bytes. The unused
space is padded with zeroes.

b is calculated in these steps:

b = sizeof(dos_stub);           // (almost always 0x80)

then the checksum of the dos_stub, with the pointer to the PE header zeroed out, is
calculated in the following way:

for (int i = 0; i < sizeof(dos_stub); i++)
{
    b += dos_stub[i] ROL i;     // ROL is the x86 rotate-left operation
}

When the default DOS stub of 0x80 bytes is used, b now contains 0x884f3421.

Next, a checksum over the various compiler id's is calculated in this way:

for (int i = 0; i < n; i++)
{
    b += compid[i] ROL r[i];
}

As stated above, r appears to be the number of times that compid is
encountered in the libs/objs.

* Conclusion

The linker doesn't store the MAC address of your NIC nor your DNA profile,
but better remove it anyway ;). You can write a very simple tool that will
zero out the rich structure given an exe file, or patch your linker so that it
won't get written at all. For my investigation I used the Microsoft Visual C++
Toolkit 2003 with the "same compiler and linker that ship with Visual Studio
.NET 2003 Professional!" which you can download for free from microsoft.com,
google for "VCToolkitSetup.exe". You can locate the interesting parts of code
by searching link.exe for the string 'Rich' or in the function starting at
0x459090.

If you have anything to tell me, don't hesitate to contact me.

    :lifewire / ikx -          lifewire@mail.ru            -  ikx.cjb.net:
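The following is an added example written for this page; it is not part of the 29A article or of any of the posts above. It implements the layout and checksum the article describes: a constructed 0x80-byte DOS header and stub plus constructed (compid, count) pairs are encoded into a Rich block, the block is then located again from the "Rich" marker, decoded with the stored key, and the key is recomputed to verify it; zero_rich() does the block-wiping the article's conclusion suggests. Two things are assumptions of the example rather than statements from the article: the block is padded to a 16-byte boundary, and decode_compid() splits a compid into a product id (high word) and a build number (low word), which is the split used by later write-ups such as the ntcore page linked above. All function names are the example's own.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword (the article's 0x536e6144)
RICH = 0x68636952  # "Rich" read as a little-endian dword


def rol32(value, count):
    """x86 ROL on a 32-bit value; like the CPU, only the low 5 bits of the count matter."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_key(dos_header, entries):
    """The checksum / XOR key the article calls 'b'.

    dos_header: every byte from offset 0 up to the start of the Rich block
                (e_lfanew at 0x3C..0x3F is treated as zero).
    entries:    list of (compid, count) pairs in file order.
    """
    key = len(dos_header)
    for i, byte in enumerate(dos_header):
        if 0x3C <= i < 0x40:
            continue
        key = (key + rol32(byte, i)) & 0xFFFFFFFF
    for compid, count in entries:
        key = (key + rol32(compid, count)) & 0xFFFFFFFF
    return key


def build_image(dos_header, entries):
    """Append an encoded Rich block and point e_lfanew past it.

    Layout per the article: DanS^key, key, key, key, (compid^key, count^key)...,
    'Rich', key, zero padding. Padding to 16 bytes is this example's assumption.
    """
    key = rich_key(dos_header, entries)
    words = [DANS ^ key, key, key, key]
    for compid, count in entries:
        words += [compid ^ key, count ^ key]
    words += [RICH, key]
    body = bytearray(dos_header + struct.pack("<%dI" % len(words), *words))
    body += b"\0" * ((-len(body)) % 16)
    struct.pack_into("<I", body, 0x3C, len(body))  # the PE header would start here
    return bytes(body)


def parse_rich(data):
    """Locate and decode a Rich block between the DOS stub and e_lfanew.

    Returns None if there is none, else offset, size, key, decoded entries and
    whether the key recomputed from the file matches the stored one.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.rfind(b"Rich", 0x40, e_lfanew)
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 8  # walk back dword by dword until DanS ^ key
    while start >= 0x40 and struct.unpack_from("<I", data, start)[0] != (DANS ^ key):
        start -= 4
    if start < 0x40 or (end - start - 16) % 8:
        return None
    entries = [(c ^ key, n ^ key)
               for c, n in struct.iter_unpack("<II", data[start + 16:end])]
    return {"offset": start, "size": end + 8 - start, "key": key,
            "entries": entries, "valid": rich_key(data[:start], entries) == key}


def decode_compid(compid):
    """(product id, build number) = (high word, low word); an assumption of this example."""
    return compid >> 16, compid & 0xFFFF


def zero_rich(data):
    """Overwrite the whole Rich block with zeros, as the article's conclusion suggests."""
    info = parse_rich(data)
    if info is None:
        return data
    out = bytearray(data)
    out[info["offset"]:info["offset"] + info["size"]] = bytes(info["size"])
    return bytes(out)


def sample_dos_header():
    """A constructed 0x80-byte DOS header and stub (not any real linker's output)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr)


# Constructed (compid, count) pairs; the count of 40 exercises the ROL count wrapping mod 32.
SAMPLE_ENTRIES = [(0x00010000, 40), (0x005D0C05, 3), (0x00830C05, 12), (0x00950C05, 1)]


def demo():
    """Build the sample image, decode it again and return the parse result."""
    return parse_rich(build_image(sample_dos_header(), SAMPLE_ENTRIES))


if __name__ == "__main__":
    info = demo()
    print("Rich block at 0x%X, key 0x%08X, checksum %s"
          % (info["offset"], info["key"], "OK" if info["valid"] else "MISMATCH"))
    for compid, count in info["entries"]:
        prodid, build = decode_compid(compid)
        print("  prodid 0x%04X build %5d  used %d times" % (prodid, build, count))
```

Run it as a script to print the decoded entries, or hand parse_rich() the bytes of a real VC-linked executable: a "valid" of False means the DOS header or the entries were modified after the linker wrote them (a replaced stub, a packer, a hand edit), which is the check a triage tool wants before trusting the compids. rol32() masks the rotate count because x86 ROL only uses the low five bits, so counts above 31 wrap exactly as they would inside link.exe.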