flat assembler
Message board for the users of flat assembler.

Thread: PE Rich header (Windows)
FlierMate7 (Joined: 06 Sep 2023, Posts: 12), 23 Sep 2023, 14:15
Not long ago I came to know about the rich header (if that's the correct term) in PE files, which is a section in the DOS stub (between 0x3C and the offset to the PE header), used to indicate the type of compiler.

Just now I browsed the CFF Explorer directory and accidentally found IMAGE_FILE_MACHINE_I386.xml and some others.

In that XML file, I found FASM entries:

Code:
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar [flat]</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>6A24</ENTRYPOINT>
    <ENTIREPE>
    </ENTIREPE>
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.3x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A??FF15????????A3</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.5x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00FF15????4000A3????4000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>    


I wonder what the "entry point" is used for? And, just joking, how do I "enroll" my experimental compiler in the standard list?

It is definitely an honor for every author to be recognized as a reputable compiler/assembler.
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 20486, Location: In your JS exploiting you and your system), 23 Sep 2023, 15:36
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15    
Maybe it is just a short dump of bytes starting at the entry point?
FlierMate7 (Joined: 06 Sep 2023, Posts: 12), 23 Sep 2023, 15:58
revolution wrote:
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15    
Maybe it is just a short dump of bytes starting at the entry point?


You're right, I guess these are signatures used to detect the version of FASM used to assemble the program? But CFF Explorer is wrong.

My COLORDUMP.asm code coincidentally meets the code pattern 0x6A XX FF 15:
Code:
start:
        push    -11
        call    [GetStdHandle]         


Code:
L_00402000:   push -0xb
L_00402002:   call [0x403060]    


And it was reported as FASM 1.3.

Now if I assemble a dummy program:

Code:
format PE GUI    ; format directive assumed here; the post shows only the body
entry $

     mov ax, 1
     ret


The File Info will say "No match found" even though it was assembled by FASM.

What an inaccurate way to read a signature.

But I understand that CFF Explorer has not been updated in a long time... maybe I should try PE-bear.


[Attachment: Screenshot 2023-09-23 235257.png. Description: PE info of my program assembled with FASM 1.73.31]


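As an added illustration of the signature mechanism discussed in the two posts above (example code written for this page; it is not part of the thread, of CFF Explorer or of fasm), the script below reads e_lfanew at 0x3C, maps AddressOfEntryPoint to a file offset through the section table, and matches the quoted ENTRYPOINT patterns, where `??` is a wildcard byte. Both input images are constructed inside the script: a one-section PE32 whose entry code mirrors the `push -0xb; call [..]` sequence from COLORDUMP followed by a `mov [..], eax` (opcode A3), and one holding `mov ax,1; ret` from the dummy program. `build_minimal_pe32`, `identify` and the section layout are the example's own assumptions; the long `FASM v1.5x` pattern is left out.

```python
"""Entry-point signature matching of the kind CFF Explorer's XML database
describes (added example; not code from the thread, CFF Explorer or fasm)."""
import struct

# Patterns copied from the IMAGE_FILE_MACHINE_I386.xml entries quoted in the
# thread; the long "FASM v1.5x" entry is left out. "??" is a wildcard byte.
SIGNATURES = [
    ("fasm -> Tomasz Grysztar", "6A00"),
    ("fasm -> Tomasz Grysztar [flat]", "6A24"),
    ("FASM v1.3x", "6A??FF15????????A3"),
]


def parse_pattern(hexpat):
    """'6A??FF15' -> [0x6A, None, 0xFF, 0x15]; None matches any byte."""
    hexpat = hexpat.strip()
    if len(hexpat) % 2:
        raise ValueError("odd-length pattern")
    return [None if hexpat[i:i + 2] == "??" else int(hexpat[i:i + 2], 16)
            for i in range(0, len(hexpat), 2)]


def matches_at(data, offset, pattern):
    """True if every non-wildcard pattern byte equals the file byte at offset+i."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def entry_point_file_offset(data):
    """Follow e_lfanew (0x3C) to the PE header, read AddressOfEntryPoint and
    map that RVA to a file offset through the section table. PE32 and PE32+
    both keep AddressOfEntryPoint at optional-header offset 16."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = opt + opt_size
    for i in range(num_sections):
        hdr = sections + i * 40
        if hdr + 40 > len(data):
            return None
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return entry_rva - vaddr + raw_ptr
    return None  # entry point outside every section (or inside the headers)


def identify(data):
    """Return the NAME of the first signature matching at the entry point, else None."""
    ep = entry_point_file_offset(data)
    if ep is None:
        return None
    for name, hexpat in SIGNATURES:
        if matches_at(data, ep, parse_pattern(hexpat)):
            return name
    return None


def build_minimal_pe32(code):
    """Constructed one-section PE32 image with AddressOfEntryPoint = 0x1000
    and the .text section's raw data at file offset 0x200 (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    header += b"\0" * (0x200 - len(header))
    return header + code + b"\0" * (0x200 - len(code))


# Constructed inputs: the first mirrors the thread's "push -0xb; call [..]"
# followed by a "mov [..], eax" (A3); the second is "mov ax,1; ret".
COLORDUMP_LIKE = build_minimal_pe32(bytes.fromhex("6AF5FF1560304000A300304000"))
DUMMY_PROGRAM = build_minimal_pe32(bytes.fromhex("66B80100C3"))

if __name__ == "__main__":
    for label, image in (("COLORDUMP-like", COLORDUMP_LIKE), ("dummy", DUMMY_PROGRAM)):
        print(f"{label}: {identify(image) or 'No match found'}")
```

Running it reproduces the two outcomes from the thread: the first image is reported as "FASM v1.3x" purely because its first nine entry bytes fit `6A ?? FF 15 ?? ?? ?? ?? A3`, and the second gets no match although nothing prevents fasm from emitting it. The check is a byte heuristic at one offset, which is why it is worth treating such a label as a hint rather than evidence of the toolchain.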
FlierMate7 (Joined: 06 Sep 2023, Posts: 12), 23 Sep 2023, 16:10
Another signature example used in CFF Explorer to detect Dev-C++ v5:

Code:
  <ENTRY>
    <NAME>Dev-C++ v5</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>
    </ENTRYPOINT>
    <ENTIREPE>5589E583EC146A??FF15??????00????????????????????????????00000000</ENTIREPE>
  </ENTRY>    


...which is...
Code:
0:  55                      push   ebp
1:  89 e5                   mov    ebp,esp
3:  83 ec 14                sub    esp,0x14
6:  6a                      .byte 0x6a    


Is this how the rich header in a PE file should behave?
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 20486, Location: In your JS exploiting you and your system), 23 Sep 2023, 16:50
The Rich Header is an undocumented MS link.exe format. So it can be literally anything, and we wouldn't know if that is how it "should behave" unless you can convince MS to say something about it.

The only "signature" fasm leaves in an MZ header is the DOS stub code. It isn't a real signature. It is just that fasm uses the same stub for all PE outputs. You can change the stub to anything of your liking.

Tools that try to guess the compiler with heuristics can't be 100% accurate. Anyone can create a unique file with no recognised patterns.
FlierMate7 (Joined: 06 Sep 2023, Posts: 12), 23 Sep 2023, 17:13
Thanks for your useful info, revolution.
MatQuasar (Joined: 25 Oct 2023, Posts: 105), 10 Jan 2024, 13:55
Today I found the real Rich header (in a Rust-compiled binary), between the "This program cannot be run in DOS mode" string and the PE signature.


[Attachment: Screenshot 2024-01-10 215241.png]


macomics (Joined: 26 Jan 2021, Posts: 1052, Location: Russia), 10 Jan 2024, 16:44
The PE header should be searched for by the offset indicated at the end of the MZ header (bytes 0x3C-0x3F).

And it most likely specifies 0x00000100.

In any case, this yellow block of data will be skipped by the loader, and there should be a reference to it from code. To find it, it is enough to feed the program to a disassembler or debugger.


Last edited by macomics on 13 Nov 2024, 20:54; edited 1 time in total
MatQuasar (Joined: 25 Oct 2023, Posts: 105), 10 Jan 2024, 17:16
Maybe you misunderstand it.

A description about Rich header:
Quote:
The Rich header is an undocumented header contained within PE files compiled and linked using the Microsoft toolchain. It contains information about the build environment that the PE file was created in. 


But what you said about locating PE header from offset 0x3C is correct.
Mat Quasar (Joined: 15 Dec 2024, Posts: 77), 30 Dec 2024, 09:52
Example of rich header in PE file:


[Attachment: rich_header.PNG. Description: Analyzed using PE-bear]


Core i7 (Joined: 14 Nov 2024, Posts: 33, Location: Socket in motherboard), 30 Dec 2024, 12:22
Mat Quasar, information on the topic:
https://codeby.net/threads/asm-tjomnaja-storona-re-fajla.79133/
Mat Quasar (Joined: 15 Dec 2024, Posts: 77), 30 Dec 2024, 13:03
Core i7 wrote:
Mat Quasar, information on the topic:
https://codeby.net/threads/asm-tjomnaja-storona-re-fajla.79133/


We must have the same interests if Marylin was you!

A good read; now I understand that the block between DanS and Rich is the rich header, and the XOR key is the checksum after 'Rich'.

I learned a thing or two from your PE_RICH example: I didn't know previously that we can set the console title for a console app, and also that a console app can support an Open File Dialog (which is part of the GUI). (I also saw these in Picnic's HB example, but didn't confirm it until I saw yours.)
And the world is so small: Mikl___ is also a fellow member of yours; I know they created a tiny PE...

I ran your PE_RICH.EXE on the same EXE that I analyzed using PE-bear. Yours is less meaningful (no "Visual Studio 15" for example), but it worked.


[Attachment: marylin_perich.PNG]




Last edited by Mat Quasar on 31 Dec 2024, 06:06; edited 1 time in total
Mat Quasar (Joined: 15 Dec 2024, Posts: 77), 30 Dec 2024, 15:49
Let me advertise my File Visual Analyzer a bit:
( https://board.flatassembler.net/topic.php?t=22924 )

This is the hexdump of the MZ header and rich header in colors!


[Attachment: colordump_richheader.PNG]




Last edited by Mat Quasar on 31 Dec 2024, 07:31; edited 1 time in total
Core i7 (Joined: 14 Nov 2024, Posts: 33, Location: Socket in motherboard), 30 Dec 2024, 16:16
Mat Quasar wrote:
I ran your PE_RICH.EXE on the same EXE that I analyzed using PE-bear. Yours is less meaningful (no "Visual Studio 15" for example), but it worked.

Yes, the base is small there.
The full list of "CompilerId.txt" can be found here:
https://github.com/dishather/richprint/blob/master/comp_id.txt
Core i7 (Joined: 14 Nov 2024, Posts: 33, Location: Socket in motherboard), 31 Dec 2024, 02:21
Probably the best PE file viewer today is Pe-Anatomist. Shows all undocumented structures of Windows executable files, including "RichHeader". Moreover, it is the only tool that can collect information about *.PDB debug files. I recommend it!


[Attachment: PeAnatom.png]


akatatsu27 (Joined: 02 Dec 2024, Posts: 1), 13 Jan 2025, 22:32
The best analysis of the Rich Header I've found is here: https://www.ntcore.com/files/richsign.htm
I've made a macro to generate the Rich header, and a helper macro to insert it before the PE header using the standard fasm2 includes:
Code:
macro toolUsage mask, qwordpadding, tools&
Rich:
        db 'DanS'
        dd 0x0
        dd 0x0
        dd 0x0
        iterate <buildid,productid,timesUsed>, tools
                dw buildid
                dw productid
                dd timesUsed
        end iterate
RichInfoEnd:
        db 'Rich'
        dd mask
RichEnd:
        dq qwordpadding dup 0
        repeat (RichInfoEnd - Rich)/4
                load a : dword from Rich + (%-1)*4
                store a xor mask : dword at Rich + (%-1) * 4
        end repeat
end macro

namespace PE
macro Header &tail&
        toolUsage 0xa6191cf1, 2,\
                        30729, 131, 100,\
                        30729, 147, 11,\
                        0, 1, 108,\
                        30729, 149, 62,\
                        30729, 142, 866,\
                        30729, 132, 26,\
                        30729, 146, 1,\
                        30729, 148, 1,\
                        30729, 145, 1
        Header tail
end macro
end namespace

format PE64 GUI
    
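Pulling together what the thread established (the masked block between DanS and Rich, the XOR key stored after 'Rich', and the checksum described in the ntcore article linked above), here is an added Python parser written for this page; it is not code from the thread, from fasm or from ntcore. It locates the header before e_lfanew, unmasks it, decodes (build, product id, count) triples in the same order as the macro's `buildid, productid, timesUsed`, and recomputes the checksum to confirm the key; a key that does not reproduce is the usual sign that the DOS stub or the header was edited after linking. The checksum rule follows my reading of the ntcore description and is an assumption of this example; `build_rich_block` and `sample_image` exist only to construct a test image offline, using the first three triples from the macro above.

```python
"""Decode and validate a PE Rich header (added example; not code from the
thread, ntcore or fasm). Layout as discussed in the thread: an XOR-masked block
that starts with 'DanS' and three zero dwords, then (comp_id, count) pairs, then
the plain-text 'Rich' marker followed by the XOR key, all before e_lfanew."""
import struct

MASK32 = 0xFFFFFFFF
DANS = 0x536E6144  # b"DanS" read as a little-endian dword


def rol32(value, count):
    """32-bit rotate left."""
    count &= 31
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32 if count else value


def rich_checksum(image, dans_offset, entries):
    """Value the key is expected to equal, following the ntcore description
    (assumption): the 'DanS' file offset, plus every byte before it rotated by
    its own index (the e_lfanew bytes at 0x3C-0x3F count as zero), plus every
    comp_id (product id << 16 | build) rotated by its use count."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(image[i], i)) & MASK32
    for build, prod, count in entries:
        cksum = (cksum + rol32((prod << 16) | build, count)) & MASK32
    return cksum


def parse_rich_header(image):
    """Return {'dans_offset', 'key', 'entries': [(build, prod_id, count)],
    'checksum_ok'} or None when no well-formed Rich header sits before e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    rich_pos = image.rfind(b"Rich", 0, min(e_lfanew, len(image)))
    if rich_pos < 0 or rich_pos + 8 > len(image):
        return None
    key, = struct.unpack_from("<I", image, rich_pos + 4)
    # Walk backwards one dword at a time, unmasking, until 'DanS' appears.
    pos = rich_pos - 4
    words = []
    while pos >= 0:
        dw = struct.unpack_from("<I", image, pos)[0] ^ key
        if dw == DANS:
            break
        words.append(dw)
        pos -= 4
    else:
        return None
    words.reverse()
    # Three zero dwords follow 'DanS'; after them the (comp_id, count) pairs.
    if len(words) < 3 or any(words[:3]) or len(words[3:]) % 2:
        return None
    entries = [(words[i] & 0xFFFF, words[i] >> 16, words[i + 1])
               for i in range(3, len(words), 2)]
    return {
        "dans_offset": pos,
        "key": key,
        "entries": entries,
        "checksum_ok": rich_checksum(image, pos, entries) == key,
    }


def build_rich_block(dos_stub, entries):
    """Constructed encoder used only to fabricate a test image: masks the
    DanS block with the computed checksum and appends 'Rich' + key."""
    key = rich_checksum(dos_stub, len(dos_stub), entries)
    words = [DANS, 0, 0, 0]
    for build, prod, count in entries:
        words += [(prod << 16) | build, count]
    masked = b"".join(struct.pack("<I", w ^ key) for w in words)
    return masked + b"Rich" + struct.pack("<I", key)


def sample_image():
    """Constructed MZ stub + Rich header + bare PE signature; the
    (build, product, count) triples are the first three from the macro above."""
    entries = [(30729, 131, 100), (30729, 147, 11), (0, 1, 108)]
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    stub[0x4E:0x4E + 38] = b"This program cannot be run in DOS mode"
    rich_len = (4 + 2 * len(entries)) * 4 + 8
    struct.pack_into("<I", stub, 0x3C, len(stub) + rich_len)  # e_lfanew
    return bytes(stub) + build_rich_block(stub, entries) + b"PE\0\0"


def tampered_image():
    """Same image with one DOS-stub byte changed: the key no longer checksums."""
    img = bytearray(sample_image())
    img[0x50] ^= 0x01
    return bytes(img)


if __name__ == "__main__":
    for img in (sample_image(), tampered_image()):
        print(parse_rich_header(img))
```

The backwards walk from 'Rich' is what makes the header recoverable without knowing its length, and the checksum recomputation is the part a tool like richprint or PE-bear reports as valid/invalid: the entries of the tampered image decode identically, but `checksum_ok` turns false because the stub bytes feeding the key have changed.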
Copyright © 1999-2025, Tomasz Grysztar.