An EXE Template and the Rich Header

Peter Kankowski has released an improved template for EXE files to be used with Sweetscape's 010 Editor. The template can also parse 64-bit binaries, and for the first time it recognizes the "Rich" header that Microsoft's linkers insert into binaries.

After the template has been applied to an EXE or DLL file, 010 Editor will show its structure. The template recognizes some special section names used by popular EXE packers like UPX and aspack.

The template recognizes sections used by popular EXE packers.

For the Rich header created by Microsoft's linkers, the template limits itself to showing the plain DWORDs. According to an article by "lifewire", there is still more information hidden in it.

The following screenshot shows the header of an EXE file. The string "Rich" is clearly visible at the end of the structure. It is followed by a DWORD that lifewire calls "checksum b"; in this example its value is 0x9e0faae6.

What's the meaning of all that data in a linker signature?

Unfortunately I couldn't get any independent confirmation for lifewire's thesis. I'd appreciate any information regarding that matter. Perhaps this could help someday in forensic examinations of program binaries?!
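As an added example (not the template's code and not part of the original post), the following Python decodes the structure shown in the screenshots, using what has since become public knowledge about this header: the DWORD after "Rich" is the XOR key for the preceding DWORDs; decoded, the block starts with "DanS", three zero DWORDs, and then pairs of (compiler product id and build number, use count). The same DWORD also acts as a checksum over the DOS header/stub and the entries, so an edited Rich header no longer validates. The sample image is constructed inside the code (zeroed DOS header, no PE header), not taken from a real binary.

```python
import struct

def rol32(value: int, count: int) -> int:
    return ((value << (count % 32)) | (value >> (32 - count % 32))) & 0xFFFFFFFF

def parse_rich_header(data: bytes):
    """Decode the Rich header: returns (dans_offset, key, entries) with entries
    as (product id, build, use count) tuples, or None if none is found."""
    end = data.find(b"Rich", 0, 0x400)
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]  # lifewire's "checksum b"
    for start in range(end - 4, -1, -4):  # walk back DWORD-wise to XORed 'DanS'
        if struct.unpack_from("<I", data, start)[0] ^ key == 0x536E6144:
            break
    else:
        return None
    n = (end - start) // 4
    words = [w ^ key for w in struct.unpack_from("<%dI" % n, data, start)]
    if any(words[1:4]) or (n - 4) % 2:  # 'DanS', three zero DWORDs, then pairs
        return None
    entries = [(compid >> 16, compid & 0xFFFF, count)
               for compid, count in zip(words[4::2], words[5::2])]
    return start, key, entries

def rich_checksum(data: bytes, dans_offset: int, entries) -> int:
    """Recompute the key: DanS offset + each DOS header/stub byte rotated by its
    position (skipping e_lfanew at 0x3C) + each comp.id rotated by its use count."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum += rol32(data[i], i)
    for prodid, build, count in entries:
        cksum += rol32((prodid << 16) | build, count)
    return cksum & 0xFFFFFFFF

def build_sample(entries, dans_offset=0x80) -> bytes:
    """Constructed test data (not a real binary): a zeroed DOS header/stub
    followed by a Rich header encoded the way the linker does it."""
    dos = bytearray(dans_offset)
    dos[0:2] = b"MZ"
    key = rich_checksum(bytes(dos), dans_offset, entries)
    words = [0x536E6144, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    body = struct.pack("<%dI" % len(words), *[w ^ key for w in words])
    return bytes(dos) + body + b"Rich" + struct.pack("<I", key)
```

Running `parse_rich_header` on a real EXE and comparing `rich_checksum` with the returned key tells you whether the header is intact; the product id/build pairs identify the compiler and linker versions that produced the object files.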

04/08/2007: Link to lifewire's article updated.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.