More about the Rich Header

About two years ago I wrote about the Rich header which can be found in most executable files for the Microsoft Windows platform. Now Daniel Pistelli went on a thorough investigation into that matter.

If one views at an executable file (like EXE, DLL, SYS...) in a hex editor, the "Rich" signature is likely to catch one's eye. It is preceded by a series of very similar values. Their number and value differ from file to file.

The Rich header of an executable file

What program creates these values and what can they tell the forensic examiner? About two years ago I pointed to a first interpretation. Now Daniel Pistelli provides a detailed analysis of the Rich header.

He found that a function in the Microsoft Linker that is called CbBuildProdidBlock creates the header. In his article he disassembles and comments on the function. Then he traces the single values back to the compiler. In his opinion there's not much information hidden in those values, though:

However, it surely isn't sensitive data. It's more like a flag: in most cases from a symbol to another only one bit changes; and in many cases not even that. In fact, I seem to be unable to produce an object (or library) which has a different value than 0x006EC627, and so do my friends with their compilers.



This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.