Daniel Pistelli (Ntoskrnl) <ntoskrnl gmail com> |
Wednesday, March 5 2008 05:43.30 CST |
In the last days I've been quite sick, so I decided that as long as I had to stay in bed I might at least use the time to do something useful (or quite so). What happened is that someone asked what the Rich Signature was. It might seem strange, but in all these years I didn't even notice it; I just overlooked it as part of the DOS stub (incredible but true). Unable to answer, I noticed together with this person that the subject was completely undocumented. It might not even be very important, but you might find it an interesting read after all.
http://ntcore.com/Files/richsign.htm
Since information about this topic is non-existent, the reader might not know what I'm talking about:
Code:
00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00000080 E7 B3 9D E7 A3 D2 F3 B4 A3 D2 F3 B4 A3 D2 F3 B4 糝�������
00000090 60 DD AC B4 A8 D2 F3 B4 60 DD AE B4 BE D2 F3 B4 `ݬ����`ݮ����
000000A0 A3 D2 F2 B4 F8 D0 F3 B4 84 14 8E B4 BA D2 F3 B4 ���������
000000B0 84 14 9E B4 3A D2 F3 B4 84 14 9D B4 3F D2 F3 B4 ���:��?��
000000C0 84 14 81 B4 B3 D2 F3 B4 84 14 8F B4 A2 D2 F3 B4 ���������
000000D0 84 14 8B B4 A2 D2 F3 B4 52 69 63 68 A3 D2 F3 B4 ������Rich���
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L.
The data between the DOS stub and the PE header. It ends with the word Rich. It is produced by Microsoft VC++ compilers only, and it is encrypted.
|
Very thorough analysis and good work. Thanks for sharing! |
|
I said in the article I wasn't sure about when it was introduced. I don't have my VC++ 6 to test any more. |
I had a look at where @comp.id is generated, and its value is basically the compiler's build number (low word) plus some compilation flags (high word).
I guess MS puts it into the executable to be able to determine which compiler version(s) were used to produce it. |
To produce the libraries with which the exe was linked, you mean. Uhm, yes, that sounds very likely to be true, since as I wrote in the article the data seems more like a flag and part of it seems almost never to change. Thanks for sharing; anyway, this info would likely go into an article about the object file format produced by MS linkers. It needs some further digging.
I fixed the article about the VC++ 6 thing you said. |
|
Novel or not, this is a good example of a professional-quality reverse engineering workproduct. Good job. |
Today I had a bit of time and updated the article:
http://ntcore.com/Files/richsign.htm
Actually the high word is divided in two parts: a high byte and a low byte. The low byte contains the major version of the compiler, whereas the minor version is contained in the low word.
Just wanted to let you know so that the topic can be closed once and for all. |
|
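As an added example (not part of the thread or of the ntcore article), here is a small Python decoder for the block shown in the first post's hex dump and for the comp.id split discussed in the later posts. The bytes are transcribed from the dump (offsets 0x80 to 0xDF); the key is the DWORD that follows "Rich", every DWORD of the block is XORed with it, and the block opens with "DanS" plus three zero padding DWORDs before the (comp.id, count) pairs. The function names are my own.

```python
import struct

# Rich block from the hex dump above (offsets 0x80-0xDF), transcribed as bytes.
RICH_BLOCK = bytes.fromhex(
    "E7B39DE7 A3D2F3B4 A3D2F3B4 A3D2F3B4"
    "60DDACB4 A8D2F3B4 60DDAEB4 BED2F3B4"
    "A3D2F2B4 F8D0F3B4 84148EB4 BAD2F3B4"
    "84149EB4 3AD2F3B4 84149DB4 3FD2F3B4"
    "841481B4 B3D2F3B4 84148FB4 A2D2F3B4"
    "84148BB4 A2D2F3B4 52696368 A3D2F3B4"
)

DANS = 0x536E6144  # "DanS" read as a little-endian DWORD


def parse_rich_header(data: bytes):
    """Decode a Rich header anywhere in `data` (the bytes before the PE header).

    Returns (key, [(comp_id, count), ...]) or None if no valid block is found.
    """
    end = data.find(b"Rich")
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]  # XOR key follows "Rich"
    # Walk backwards DWORD by DWORD until the decrypted value reads "DanS".
    start = None
    for off in range(end - 4, -1, -4):
        if struct.unpack_from("<I", data, off)[0] ^ key == DANS:
            start = off
            break
    if start is None:
        return None
    # Skip "DanS" and the three padding DWORDs, then read comp.id/count pairs.
    entries = []
    for off in range(start + 16, end, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return key, entries


def split_comp_id(comp_id: int):
    """Split a comp.id into (high word, low word): the thread reads the low
    word as the build number and the high word as version/flag information."""
    return comp_id >> 16, comp_id & 0xFFFF
```

Running it on the transcribed block yields key 0xB4F3D2A3 and nine entries, most of which share the low word 0xC627 (build 50727), which is what the thread's low-word/high-word reading predicts.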