flat assembler
Message board for the users of flat assembler.

Index > Windows > PE Rich header

FlierMate7 23 Sep 2023, 14:15
Not long ago, I came to know about the rich header (if that's the correct term) in PE files, which is a section in the DOS stub (between 0x3c and the offset to the PE header), used to indicate the type of compiler.

Just now I browsed the CFF Explorer directory and accidentally found IMAGE_FILE_MACHINE_I386.xml and some others.

In that XML file, I found FASM entries:

Code:
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar [flat]</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>6A24</ENTRYPOINT>
    <ENTIREPE>
    </ENTIREPE>
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.3x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A??FF15????????A3</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.5x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00FF15????4000A3????4000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>


I wonder what the "entry point" is used for? And just joking, how do I "enroll" my experimental compiler in the standard list?

It is definitely an honor for every author to be recognized as a reputable compiler/assembler.
revolution 23 Sep 2023, 15:36
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15
Maybe it is just a short dump of bytes starting at the entry point?
FlierMate7 23 Sep 2023, 15:58
revolution wrote:
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15
Maybe it is just a short dump of bytes starting at the entry point?


You're right, I guess these are signatures used to detect the version of FASM used to assemble the program? But CFF Explorer is wrong.

My COLORDUMP.asm code coincidentally meets the code pattern 0x6A XX FF 15:
Code:
start:
        push    -11
        call    [GetStdHandle]


Code:
L_00402000:   push -0xb
L_00402002:   call [0x403060]


And it was reported as FASM 1.3.

Now if I assemble a dummy program:

Code:
format PE            ; PE output is required for the entry directive to be valid

entry $

     mov ax, 1
     ret


The File Info will say "No match found" even though it was assembled by FASM.

What an inaccurate way to read a signature.

But I understand that CFF Explorer has not been updated for a long time.... maybe I should try PE-bear.

Attachment: Screenshot 2023-09-23 235257.png (PE info of my program assembled with FASM 1.73.31)

FlierMate7 23 Sep 2023, 16:10
Another signature example used in CFF Explorer to detect Dev-C++ v5:

Code:
  <ENTRY>
    <NAME>Dev-C++ v5</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>
    </ENTRYPOINT>
    <ENTIREPE>5589E583EC146A??FF15??????00????????????????????????????00000000</ENTIREPE>
  </ENTRY>


...which is...
Code:
0:  55                      push   ebp
1:  89 e5                   mov    ebp,esp
3:  83 ec 14                sub    esp,0x14
6:  6a                      .byte 0x6a


Is this how the rich header in a PE file should behave?
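As an added example (not code from CFF Explorer or from anyone in this thread), here is a small Python matcher showing how the two kinds of pattern quoted above are applied: ENTRYPOINT patterns are compared against the bytes at AddressOfEntryPoint (the RVA is mapped to a file offset through the section table), ENTIREPE patterns are searched across the whole file, and "??" is taken as a wildcard byte. The wildcard semantics, the three-entry signature table (taken from the XML quoted in this thread, ordered most specific first) and the minimal PE builder are assumptions made for the demonstration.

```python
import struct

def parse_pattern(hexpat):
    """Two hex digits per byte; '??' is a wildcard (assumed CFF Explorer semantics)."""
    return [None if hexpat[i:i + 2] == '??' else int(hexpat[i:i + 2], 16)
            for i in range(0, len(hexpat), 2)]

def match_at(data, off, pat):
    if off + len(pat) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(pat))

def entry_point_offset(pe):
    """Follow e_lfanew to AddressOfEntryPoint, then map that RVA to a file offset."""
    e_lfanew, = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return None
    nsect, = struct.unpack_from('<H', pe, e_lfanew + 6)   # NumberOfSections
    optsz, = struct.unpack_from('<H', pe, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    rva, = struct.unpack_from('<I', pe, opt + 16)         # AddressOfEntryPoint
    for i in range(nsect):  # section headers follow the optional header, 40 bytes each
        va, rawsz, rawptr = struct.unpack_from('<III', pe, opt + optsz + 40 * i + 12)
        if va <= rva < va + rawsz:
            return rawptr + (rva - va)
    return None

# (name, ENTRYPOINT pattern, ENTIREPE pattern); subset of the entries quoted in this thread.
SIGNATURES = [
    ("FASM v1.3x", "6A??FF15????????A3", None),
    ("fasm -> Tomasz Grysztar", "6A00", None),
    ("Dev-C++ v5", None, "5589E583EC146A??FF15??????00????????????????????????????00000000"),
]

def identify(pe):
    """Return the first signature name that matches, or None ('No match found')."""
    ep = entry_point_offset(pe)
    for name, at_entry, anywhere in SIGNATURES:
        if at_entry and ep is not None and match_at(pe, ep, parse_pattern(at_entry)):
            return name
        if anywhere:
            pat = parse_pattern(anywhere)
            if any(match_at(pe, o, pat) for o in range(len(pe) - len(pat) + 1)):
                return name
    return None

def build_pe(code):
    """Constructed minimal PE32 (not real compiler output): one .text section at RVA 0x1000."""
    e_lfanew, optsz, raw_ptr = 0x40, 0xE0, 0x200
    dos = b'MZ'.ljust(0x3C, b'\0') + struct.pack('<I', e_lfanew)
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, optsz, 0x102)
    opt = bytearray(optsz)
    struct.pack_into('<H', opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)               # AddressOfEntryPoint = start of code
    sect = b'.text'.ljust(8, b'\0') + struct.pack('<IIII', len(code), 0x1000, len(code), raw_ptr)
    return (dos + coff + bytes(opt) + sect).ljust(raw_ptr, b'\0') + code
```

Feeding it the COLORDUMP.asm entry bytes (push -11 / call [GetStdHandle] / mov [..], eax) reproduces the "FASM 1.3" misidentification, while the mov ax,1 / ret dummy program yields no match, which is exactly why such entry-point heuristics are only a weak hint during triage.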
revolution 23 Sep 2023, 16:50
The Rich Header is an undocumented MS link.exe format. So it can be literally anything, and we wouldn't know whether that is how it "should behave" unless you can convince MS to say something about it.

The only "signature" fasm leaves in an MZ header is the DOS stub code. It isn't a real signature. It is just that fasm uses the same stub for all PE outputs. You can change the stub to anything of your liking.

Tools that try to guess the compiler with heuristics can't be 100% accurate. Anyone can create a unique file with no recognised patterns.
FlierMate7 23 Sep 2023, 17:13
Thanks for your useful info, revolution.

Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.