flat assembler
Message board for the users of flat assembler.

PE Rich header
FlierMate7



Joined: 06 Sep 2023
Posts: 12
FlierMate7 23 Sep 2023, 14:15
Not long ago, I came to know about the Rich header (if that's the correct term) in PE files, which is a section in the DOS stub (between 0x3c and the offset to the PE header), used to indicate the type of compiler.

Just now I browsed the CFF Explorer directory and accidentally found IMAGE_FILE_MACHINE_I386.xml and some others.

In that XML file, I found FASM entries:

Code:
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>fasm -&gt; Tomasz Grysztar [flat]</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>6A24</ENTRYPOINT>
    <ENTIREPE>
    </ENTIREPE>
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.3x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A??FF15????????A3</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>
  <ENTRY>
    <NAME>FASM v1.5x</NAME>
    <COMMENTS />
    <ENTRYPOINT>6A00FF15????4000A3????4000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????00</ENTRYPOINT>
    <ENTIREPE />
  </ENTRY>    


I wonder what the "entry point" is used for? And just joking, how do I "enroll" my experimental compiler as part of the standard list?

It is definitely an honor for every author to be recognized as a reputable compiler/assembler.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20132
Location: In your JS exploiting you and your system
revolution 23 Sep 2023, 15:36
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15    
Maybe it is just a short dump of bytes starting at the entry point?
FlierMate7



Joined: 06 Sep 2023
Posts: 12
FlierMate7 23 Sep 2023, 15:58
revolution wrote:
The hex bytes in the ENTRYPOINT tag look like code.
Code:
push 0 ; 6a00
call ... ; ff15    
Maybe it is just a short dump of bytes starting at the entry point?


You're right, I guess these are signatures used to detect the version of FASM used to assemble the program? But CFF Explorer is wrong.

My COLORDUMP.asm code coincidentally meets the code pattern 0x6A XX FF 15:
Code:
start:
        push    -11
        call    [GetStdHandle]         


Code:
L_00402000:   push -0xb
L_00402002:   call [0x403060]    


And it was reported as FASM 1.3.

Now if I assemble a dummy program:

Code:
entry $

     mov ax, 1
     ret               


The File Info will say "No match found" even though it was assembled by FASM.

What an inaccurate way to read a signature.

But I understand that CFF Explorer has not been updated for a long time... maybe I should try PE-bear.

[Attachment: Screenshot 2023-09-23 235257.png. Description: PE info of my program assembled with FASM 1.73.31]
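As an added illustration (not code from the post or from CFF Explorer), a small Python matcher that applies the quoted ENTRYPOINT patterns, with "??" as a wildcard byte, to constructed entry-point byte strings: the COLORDUMP prologue hits the FASM v1.3x pattern, a push 0 variant hits two patterns at once, and the two-instruction dummy matches nothing, which is what the File Info tab showed.

```python
from typing import List, Optional

# ENTRYPOINT signatures copied from the CFF Explorer XML quoted above; '??' is a wildcard byte.
SIGNATURES = {
    "fasm -> Tomasz Grysztar": "6A00",
    "fasm -> Tomasz Grysztar [flat]": "6A24",
    "FASM v1.3x": "6A??FF15????????A3",
}

# Constructed entry-point byte strings (assembled by hand, not dumped from real files):
# push -11 / call [0x403060] / mov [0x403064], eax, i.e. the COLORDUMP.asm prologue
COLORDUMP_ENTRY = bytes.fromhex("6AF5FF1560304000A364304000")
# push 0 / call [0x403060] / mov [0x403064], eax: the same shape, but pushing 0
PUSH0_ENTRY = bytes.fromhex("6A00FF1560304000A364304000")
# mov ax, 1 / ret: the dummy program from the post
DUMMY_ENTRY = bytes.fromhex("66B80100C3")

def parse_pattern(hexpat: str) -> List[Optional[int]]:
    """'6A??FF15' -> [0x6A, None, 0xFF, 0x15]; None matches any byte."""
    hexpat = hexpat.strip()
    if len(hexpat) % 2:
        raise ValueError("pattern needs an even number of hex digits")
    pairs = [hexpat[i:i + 2] for i in range(0, len(hexpat), 2)]
    return [None if p == "??" else int(p, 16) for p in pairs]

def matches_at_entry(code: bytes, hexpat: str) -> bool:
    """True when every fixed byte of the pattern equals the byte at the same offset."""
    pat = parse_pattern(hexpat)
    if len(code) < len(pat):
        return False                      # too short to decide: treat as no match
    return all(p is None or p == b for p, b in zip(pat, code))

def identify(code: bytes) -> List[str]:
    """All matching signature names, most specific (most fixed bytes) first."""
    hits = [name for name, pat in SIGNATURES.items() if matches_at_entry(code, pat)]
    return sorted(hits, key=lambda n: -sum(p is not None for p in parse_pattern(SIGNATURES[n])))

if __name__ == "__main__":
    for label, code in [("COLORDUMP", COLORDUMP_ENTRY), ("push 0", PUSH0_ENTRY), ("dummy", DUMMY_ENTRY)]:
        print(label, identify(code) or "No match found")
```

The push 0 case shows why such heuristics are only a hint: a two-byte pattern like "6A00" fires on any entry point that begins with push 0.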
FlierMate7



Joined: 06 Sep 2023
Posts: 12
FlierMate7 23 Sep 2023, 16:10
Another signature example used in CFF Explorer to detect Dev-C++ v5:

Code:
  <ENTRY>
    <NAME>Dev-C++ v5</NAME>
    <COMMENTS>
    </COMMENTS>
    <ENTRYPOINT>
    </ENTRYPOINT>
    <ENTIREPE>5589E583EC146A??FF15??????00????????????????????????????00000000</ENTIREPE>
  </ENTRY>    


...which is...
Code:
0:  55                      push   ebp
1:  89 e5                   mov    ebp,esp
3:  83 ec 14                sub    esp,0x14
6:  6a                      .byte 0x6a    


Is this how the Rich header in a PE file should behave?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20132
Location: In your JS exploiting you and your system
revolution 23 Sep 2023, 16:50
The Rich Header is an undocumented MS link.exe format. So it can be literally anything and we wouldn't know if that is how it "should behave" unless you can convince MS to say something about it.

The only "signature" fasm leaves in an MZ header is the DOS stub code. It isn't a real signature. It is just that fasm uses the same stub for all PE outputs. You can change the stub to anything of your liking.

Tools that try to guess the compiler with heuristics can't be 100% accurate. Anyone can create a unique file with no recognised patterns.
FlierMate7



Joined: 06 Sep 2023
Posts: 12
FlierMate7 23 Sep 2023, 17:13
Thanks for your useful info, revolution.
MatQuasar



Joined: 25 Oct 2023
Posts: 102
MatQuasar 10 Jan 2024, 13:55
Today I found the real Rich header (in a Rust-compiled binary), between the "This program cannot be run in DOS mode" string and the PE signature.

[Attachment: Screenshot 2024-01-10 215241.png]
macomics



Joined: 26 Jan 2021
Posts: 913
Location: Russia
macomics 10 Jan 2024, 16:44
The PE header should be searched for by the offset indicated at the end of the MZ header (bytes 0x3C-0x3F).

And it most likely specifies 0x00000100.

In any case, this yellow block of data will be skipped by the loader and there should be a reference to it from code. To find them, it is enough to feed the program to a disassembler or debugger.

[Attachment: RUST.png]
MatQuasar



Joined: 25 Oct 2023
Posts: 102
MatQuasar 10 Jan 2024, 17:16
Maybe you misunderstand it.

A description about Rich header:
Quote:
The Rich header is an undocumented header contained within PE files compiled and linked using the Microsoft toolchain. It contains information about the build environment that the PE file was created in. 


But what you said about locating PE header from offset 0x3C is correct.
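As an added example (not code from the thread), a Python script that follows e_lfanew at 0x3C to the PE signature and then decodes the Rich block sitting between the DOS stub text and that signature: the block starts with "DanS" and ends with "Rich" followed by the XOR key, each entry being a (product id, build number, count) pair XORed with that key; a fasm-style image with no such block parses to an empty entry list. The sample bytes are constructed, and the product ids and build numbers are placeholders, not real toolchain ids.

```python
import struct

DANS = 0x536E6144   # "DanS" as a little-endian DWORD: start of the Rich block
RICH = 0x68636952   # "Rich" as a little-endian DWORD: end marker, followed by the XOR key
DOS_STUB = b"This program cannot be run in DOS mode.\r\n$"

def build_sample(key: int, entries: list, with_rich: bool = True) -> bytes:
    """Constructed MZ prefix: DOS header, stub text, optional Rich block, PE signature at e_lfanew.
    entries are (prod_id, build, count) tuples; the values used here are placeholders."""
    rich = b""
    if with_rich:
        rich = struct.pack("<4I", DANS ^ key, key, key, key)   # DanS plus three zero pads, XORed
        for prod_id, build, count in entries:
            rich += struct.pack("<II", ((build << 16) | prod_id) ^ key, count ^ key)
        rich += struct.pack("<II", RICH, key)                   # 'Rich' and the key, stored in clear
    body = DOS_STUB + b"\0" * (-len(DOS_STUB) % 8) + rich
    body += b"\0" * (-(0x40 + len(body)) % 16)                  # pad so the PE signature is aligned
    head = bytearray(0x40)
    head[:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x40 + len(body))        # e_lfanew
    return bytes(head) + body + b"PE\0\0"

def parse_rich_header(data: bytes) -> dict:
    """Follow e_lfanew, then XOR-decode any Rich block between the DOS header and the PE signature."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    region = data[0x40:e_lfanew]
    rich_pos = region.rfind(b"Rich")
    if rich_pos < 0 or rich_pos + 8 > len(region):
        return {"e_lfanew": e_lfanew, "entries": []}            # e.g. fasm output: no Rich block
    key = struct.unpack_from("<I", region, rich_pos + 4)[0]
    words, pos = [], rich_pos - 4
    while pos >= 0:                                             # walk back, decoding, until DanS
        word = struct.unpack_from("<I", region, pos)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        pos -= 4
    else:
        raise ValueError("'Rich' marker found but no matching 'DanS'")
    words.reverse()                                             # pad, pad, pad, (compid, count)...
    entries = [{"prod_id": c & 0xFFFF, "build": c >> 16, "count": n}
               for c, n in zip(words[3::2], words[4::2])]
    return {"e_lfanew": e_lfanew, "key": key, "dans_offset": 0x40 + pos, "entries": entries}
```

Run parse_rich_header on a real MSVC-linked binary and on a fasm binary to see the difference the thread describes: the former yields a key and entry list, the latter only e_lfanew.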
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.