Peter Kankowski has released an improved template for EXE files to be used with SweetScape's 010 Editor. This template can also parse 64-bit binaries. For the first time, the template recognizes the "Rich" header inserted into binaries by Microsoft's linkers.
After the template has been applied to an EXE or DLL file, 010 Editor will show its structure. The template recognizes some special section names used by popular EXE packers like UPX and ASPack.
Regarding the Rich header as created by Microsoft's linkers, the template limits itself to showing just the plain DWORDs. According to an article by "lifewire", there is still some more information hidden in it.
The following screenshot shows the header of an EXE file. The string "Rich" is clearly visible at the end of the structure. It is followed by a DWORD named "checksum b" by lifewire; in this example its value is 0x9e0faae6.
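For examining many binaries without the editor, the same plain DWORDs can be pulled out with a short script. This is an added example, not code from the template or from lifewire's article. It assumes the publicly documented layout in which the structure begins with the string "DanS" XORed with the DWORD that follows "Rich"; the function names and the sample file are constructed for illustration.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]

def rich_header(data: bytes):
    """Locate the Rich header; return None when the file has none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if not 0x40 <= e_lfanew <= len(data) - 4 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    # The structure lies between the DOS header and the PE signature, DWORD-aligned.
    rich = next((o for o in range(0x40, e_lfanew - 7, 4) if data[o:o + 4] == b"Rich"), None)
    if rich is None:
        return None  # e.g. built with a non-Microsoft linker, or header stripped
    (trailing,) = struct.unpack_from("<I", data, rich + 4)
    # Assumption: the first DWORD of the structure is "DanS" XOR the trailing DWORD.
    start = next((o for o in range(rich - 4, 0x3C, -4)
                  if struct.unpack_from("<I", data, o)[0] ^ trailing == DANS), None)
    plain = []
    if start is not None:
        plain = list(struct.unpack_from("<%dI" % ((rich - start) // 4), data, start))
    return {"start": start, "rich_offset": rich,
            "trailing_dword": trailing, "plain_dwords": plain}

def build_sample(key=0x9E0FAAE6, with_rich=True):
    """Constructed test file: DOS header, empty stub, Rich structure, PE signature.
    The key is the value from the screenshot; the two entry DWORDs are made up."""
    blob = bytearray(0x80)
    blob[0:2] = b"MZ"
    if with_rich:
        body = [DANS ^ key, key, key, key, 0x00010002 ^ key, 3 ^ key]
        blob += struct.pack("<6I", *body) + b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", blob, 0x3C, len(blob))
    return bytes(blob + b"PE\0\0")

if __name__ == "__main__":
    info = rich_header(build_sample())
    print("Rich at 0x%x, trailing DWORD 0x%08x" % (info["rich_offset"], info["trailing_dword"]))
    print(" ".join("%08x" % d for d in info["plain_dwords"]))
```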
Unfortunately I couldn't get any independent confirmation for lifewire's thesis. I'd appreciate any information regarding that matter. Perhaps this could help someday in forensic examinations of program binaries?!
04/08/2007: Link to lifewire's article updated.