Microsoft's Rich Signature

12-03-2012, 01:03 PM
There is a space between the end of the DOS stub and the start of the PE header in a PE executable file. It would look like garbage because it is undocumented (correct me if I am wrong), but actually Microsoft made it so for a specific purpose!! But the smart reverse engineers found out.

Let's see how...

It is a compiler specific thing. It is called Rich Signature. Strangely, it will only be generated by Microsoft's standard linkers.

The DWORD after "Rich" is a key generated by the linker which repeats several times in the garbage data. When we compile a program the compiler puts the string "@comp.id" followed by a DWORD-sized compiler ID number in our obj file. When we link our obj file the linker extracts the comp.id number, XORs it with the key and writes it in the "garbage" as the 2nd DWORD before "Rich".
Word was that Microsoft uses compiler IDs to prove that a virus is made on a particular machine with a particular compiler, proving that the person owning the computer is the virus writer!
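Here is an added example (my own code, not from the post or any of the linked articles) that decodes the structure described above: it locates "Rich", reads the key DWORD that follows it, and walks backwards XORing each DWORD with the key until it reaches the "DanS" start marker, which is how the block is conventionally delimited. It assumes the usual layout of DanS plus three zero DWORDs followed by (comp.id, count) pairs, and the common interpretation of comp.id as product ID in the high word and build number in the low word. The key is taken from the file as-is and not recomputed. The input buffer is a constructed sample, not a real binary.

```python
import struct

RICH_MARKER = b"Rich"
DANS_MARKER = 0x536E6144  # "DanS" read as a little-endian DWORD


def build_sample(key, entries):
    """Construct a fake DOS-stub region carrying a Rich header (constructed sample, not a real PE)."""
    # DanS marker followed by three zero DWORDs, every DWORD XORed with the key
    words = [DANS_MARKER ^ key, key, key, key]
    for comp_id, count in entries:
        words += [comp_id ^ key, count ^ key]
    blob = b"MZ" + b"\x00" * 62                       # minimal 64-byte DOS header stand-in
    blob += struct.pack("<%dI" % len(words), *words)  # the "garbage" region
    blob += RICH_MARKER + struct.pack("<I", key)      # "Rich" followed by the plain key
    blob += b"\x00" * 8 + b"PE\x00\x00"               # padding then the PE signature
    return blob


def parse_rich_header(data):
    """Return {'key', 'start', 'entries'} decoded from the Rich header, or None if absent/malformed."""
    rich_off = data.find(RICH_MARKER)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]

    # Walk backwards one DWORD at a time, undoing the XOR, until the DanS marker appears.
    off = rich_off - 4
    decoded = []
    while off >= 0:
        dw = struct.unpack_from("<I", data, off)[0] ^ key
        decoded.append(dw)
        if dw == DANS_MARKER:
            break
        off -= 4
    else:
        return None  # ran off the start of the buffer without finding DanS

    decoded.reverse()  # now ordered: DanS, 0, 0, 0, (comp_id, count) pairs
    if decoded[1:4] != [0, 0, 0] or len(decoded[4:]) % 2:
        return None

    entries = []
    for i in range(4, len(decoded), 2):
        comp_id, count = decoded[i], decoded[i + 1]
        entries.append({
            "prod_id": comp_id >> 16,      # high word: product/tool id (assumed layout)
            "build": comp_id & 0xFFFF,     # low word: build number (assumed layout)
            "count": count,                # how many objects came from that tool
        })
    return {"key": key, "start": off, "entries": entries}


if __name__ == "__main__":
    sample = build_sample(0x0A4B3C2D, [(0x005D0FC3, 0x12), (0x00830FC3, 0x01)])
    for e in parse_rich_header(sample)["entries"]:
        print("prod_id=0x%02X build=%d count=%d" % (e["prod_id"], e["build"], e["count"]))
```

The parser is deliberately strict: anything that does not decode to the DanS marker and the three zero padding DWORDs is reported as malformed rather than guessed at, which is what you want when triaging samples whose stub may have been patched or overwritten.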

References and reads:
http://www.garage4hackers.com/f24/goppit-pe-format-reverse-engineer-249.html#post592 (Worried people can read it to patch the linker so that this signature is not generated )
Microsoft's Rich Signature (undocumented) (http://ntcore.com/Files/richsign.htm)
Microsofts Rich Header - Peter Kleissner (http://web17.webbpro.de/index.php?page=microsofts-rich-header)
Microsoft's Rich Signature (undocumented) [Archive] - RCE Messageboard's Regroupment (http://www.woodmann.com/forum/archive/index.php/t-11367.html)