VC生成的exe文件中, Dos头部分除了Dos Stub之外, 还多了一些东西

最新推荐文章于 2023-04-24 22:44:37 发布
最新推荐文章于 2023-04-24 22:44:37 发布
阅读量1.9k 收藏
点赞数
分类专栏: VC PE文件结构学习 文章标签: dos exe structure linker compiler microsoft
 

VC生成的exe文件中, Dos头部分除了Dos Stub之外, 还多了一些东西

gcc编译器编译出来的exe文件的dos头部stub部分只有This program cannot be run in DOS mode,但是VC除此之外还多出来几行,谁知道这几行这是干什么的,在纯dos模式下VC也不过就是显示This program cannot be run in DOS mode,没干其他事。
而且,这个dos stub不同的文件还不一样

不知这些东西是干嘛的
http://topic.csdn.net/u/20091030/05/2362D834-B848-4047-9D02-BA61D2C5DB1C.html
------------------------------------------------------------------------------------
那是Rich signature,网上众说纷纭,有人说是主机名,便于追踪病毒作者,
有人说是linker版本信息,有人说是vc的注册信息,但是未见过一个官方的解释
------------------------------------------------------------------------------------
程序越长这个东西也越大,而且每个程序都不同,貌似没这么简单
------------------------------------------------------------------------------------
这里说明比较详细
http://ntcore.com/files/richsign.htm

http://www.asmcommunity.net/board/index.php?topic=11182.0


http://thestarman.pcministry.com/asm/debug/DOSstub.htm#INTRO
http://thestarman.pcministry.com/asm/index.html
http://thestarman.pcministry.com/asm/debug/debug2.htm
http://www.asmcommunity.net/board/index.php?topic=11182.15
http://www.woodmann.com/forum/showthread.php?5925-question-about-some-stuff-in-exe-header
http://www.woodmann.com/forum/showthread.php?11367-Microsoft-s-Rich-Signature-(undocumented)
http://mirror.sweon.net/madchat/vxdevl/vxmags/29a-8/Articles/29A-8.009

 


: things they didn't tell you about ms link and the pe header : lw, 7 july 2004 :

 

* Introduction

The linkers from microsoft store information about used compiler versions
to create the object and library files in the EXE files they produces. This
information is stored right after the DOS stub, and before the start of the
actual PE header.

Apparently they wanted to hide it, since all this stuff is encrypted using
checksums and other weird ways. I must say that I don't understand much of
the way they built up the structure, it is inefficient and simply weird.

Also I don't see much use of it, unless in some strange lawsuit or something
where the question is: is this .exe file created by this compiler+linker?
Or: are these .lib's used to create this exe file? Still then there is no
good evidence, because only the used compiler versions are stored, compilers
which are used by thousands of other people too. And why does microsoft use
this strange encryption and such?

Well, as you might see, enough questions about the reason why it exists -I can't
tell you much about the use of it- but maybe I can tell you something in this
article about the structure of this stored data though.

* The Rich-Structure

The name "rich" is used because of one field  of the structure, which contains
the ASCII values that form "Rich". After the DOS stub the "rich" structure is
stored. This structure is created by the ms linker and consists mainly of compiler
id's which are gathered by the linker from the used .obj and .lib files. These
compiler id's are stored in the files by the ms compiler in the 'comp.id' fields,
and contain the version number of the compiler. Newer linkers from ms also add
their linker id to the exe file.

The "rich" structure is in the following format:

a, b, b, b      -- identification block / header?

compid^b, r^b   -- from 0
..              --      :
compid^b, r^b   -- to   n

'Rich', b       -- terminator

padding

Where all variables are dwords. b is the checksum i'll describe later, and
a=b^0x536e6144. This value is a hardcoded value and appearantly always used.
compid is the compiler id and b is the number of times it was encountered
over all the lib/obj files (that is an assumption, i'm not 100% sure). And
n is number of stored compid's. compid's are dwords too, the lower word is
the minor version number (0-9999 decimal), the high word is the major
number. i don't know how the high word is encoded, but 13.10 appears is
encoded as 0x60, and 7.10 as 0x5a. and yes, i see that 0x60-0x5a is the same
as 13-7 decimal, but where did the 0x53 (0x60-13decimal) came from? and where
is the 10 from the verison number stored?

The size of the "rich" structure is ((b/32)%3 + n)*8 + 0x20 bytes. the unused
space is padded with zeroes.

b is calculated in these steps:

b=sizeof(dos_stub)              // (almost always 0x80)

then the checksum of the dos_stub, with the pointer to the PE zeroed out, is
calculated in the following way:

for(int i=0; i<sizeof(dos_stub); i++)
{
    b += dos_stub[i] ROL i;     // ROL is the x86 rotate over left operation.
}

when the default dos stub of 0x80 bytes is used, b contains now 0x884f3421

next, a checksum over the various compiler id's is calculated in this way:

for(int i=0; i<n; i++)
{
    b += compid[i] ROL r[i];
}

as stated above, r appears to be the number of times that compid is
encountered in the libs/objs.


* Conclusion

The linker doesn't store your the MAC address of your NIC nor your DNA profile,
but better remove it anyway ;). You can write a very simple tool that will
zero out the rich structure given an exe file, or patch your linker so that it
won't get written at all. For my investigation I used the Microsoft Visual C++
Toolkit 2003 with the "same compiler and linker that ship with Visual Studio
.NET 2003 Professional!" which you can download for free from microsoft.com,
google for "VCToolkitSetup.exe". You can locate the interesting parts of code
by searching link.exe for the string 'Rich' or in the function starting at
0x459090.

If you have anything to tell me, don't hesitate to contact me.

 

    :lifewire / ikx -          lifewire@mail.ru            -  ikx.cjb.net:


 

小大小丑
关注
专栏目录
使用模块定义文件(.def)文件生成dll
mazi的博客
06-25 5973
一、什么是.def文件 模块定义 (.def) 文件为链接器提供有关被链接程序的导出、属性及其他方面的信息。生成 DLL 时,.def 文件最有用。由于存在可代替模块定义语句使用的链接器选项,通常不需要 .def 文件。也可以将 __declspec(dllexport) 用作指定导出函数的手段。在链接器阶段可以使用 /DEF(指定模块定义文件)链接器选项调用 .def 文件。如果生成的 .ex
rich 结构,dos_stub
09-13
嘿嘿.......自己下载下来看吧,不码字了
dos stub
weixin_39057744的博客
10-17 607
ASSUME CS:CODE,DS:DATA,ES:STACK STACK SEGMENT ;DB 8 DUP (?) STACK ENDS CODE SEGMENT push cs pop ds mov dx,0eh mov ah,09h int 21h MOV ax,4C01H INT 21H CODE ENDS DATA SEGMENT D...
MS-DOS
十年磨一剑,霜刃未曾试!
06-10 2892
<br />每个PE文件都是以一个Dos程序开始的,有了它,一旦程序在Dos下执行,Dos就能识别出这是有效的执行体,然后运行紧随MZ header之后的Dos stub(Dos块). Dos stub实际上是一个有效的EXE,在不支持PE文件格式的操作系统,它将简单的显示一个错误提示,This program must be run under Win32。Dos stub一般都是由编译器自动生成的。Dos MZDos stub合称为Dos文件。<br /> <br />MS-DOS部占据了PE
手动修改PE文件:删除Dos Stub
当我在写代码的时候我在写什么
11-05 2557
自己动手丰衣足食。前面说到Dos Stub是可以删除的,现在要说的不止删除Dos Stub,顺便把DosHeader跟NtHeader合并了。写这篇的时候我是编一个只用了一个MessageBoxA函数的程序。做了一些优化,把程序结构和代码都搞得非常简单,因为现在是手动修改,结构太复杂的话手工改不过来。下面开始。 1、删除DosStub并且合并DosHeader、NtHeader
CodeBlocks编译没有反应的原因及解决办法
最新发布
2301_77821229的博客
04-24 3279
不少同学在安装CodeBlocks之后,点击编译或运行都没反应,包括下方的编译输出信息也没有,对于这种情况首先请大家确认安装没问题,如我站提供的16.01版本安装过程,此环节务必全部勾选,否则请卸载并重新安装。大家在到常用工具的链接里找到 VCToolkitSetup下载安装,地址依旧是 https://blog.dotcpp.com/a/67493。首先,没有下载地址的同学可以点击这里下载https://blog.dotcpp.com/a/67493。好,大家可以尝试,可以解决记得留言反馈哦!
基于VC++实现PE的修改编程
尹成的技术博客
05-11 4557
在Windows系统下的可执行文件的一种(还有NE、LE),是微软设计、TIS(Tool Interface Standard,工具接口标准)委员会批准的一种可执行文件格式。PE的意思是Portable Executable(可移植可执行)。所有Windows下的32位或64位可执行文件都是PE文件格式,其包括DLL、EXE、FON、OCX、LIB和部分SYS文件DOS-stub(DOS-
DOS的古董美(未完待續)
04-18 5153
DOS的古董美 MD DocUmEnT: 3/26/2016 10:26:57 AM by Jimbowhy 当计算机技术越来越先进,越来越快速更新,作为电子FANS,发现这样的现状不仅带给从事这个行业的人更多的便利,还有更多的迷失!而DOS就像是那个本应有活力的游乐园,收集资料的过程发现,国外确实把DOS当成了计算机世界的大游乐场!国内很多在玩开发板的的同学几乎都不懂得,其实个人电脑才是功能最
windows的exe、lib文件跟c运行时库怎么关联的
mofabang的专栏
11-02 1722
2015-11-2 09:22:02 Am Monday 嗨,周一。一个新的工作周的开始。在Windows操作系统下,可执行文件的存储格式是PE(Portable Executable)格式的;在Linux下,可执行文件的存储格式是WLF格式的。它们都是COFF格式文件的变种。在Windows下,目标文件(.obj)、静态库(.lib)使用COFF格式存储;可执行文件(.exe),动态链接库文件(
学习笔记:pe文件格式、pe部分信息解析程序代码(win32asm)
11-25 2758
 一:PE整体结构PE 的意思就是Portable Executable(可移植的执行体)。PE文件的整体大概结构描述:struct pe{DOS MZ header:所有PE文件(甚至32位的DLLs) 必须以一个简单的DOS MZ header 开始。有了它,一旦程序在DOS下执行,DOS就能识别出这是有效的执行体,然后运行紧随MZ header 之后的DOS stub
Microsoft Visual C++ Toolkit 2003 精简版
10-21
Microsoft Visual C++ Toolkit 2003提供了比VC++6对C++标准更好的支持,这是官方1.01版.用winrar解压
MICROSOFT VISUAL C++ TOOLKIT 2003
12-07
MICROSOFT VISUAL C++ TOOLKIT 2003 如果无法使用,尝试修改注册表 Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\7.1\VC] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\7.1\VC\VC_OBJECTS_PLATFORM_INFO] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\7.1\VC\VC_OBJECTS_PLATFORM_INFO\Win32] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\7.1\VC\VC_OBJECTS_PLATFORM_INFO\Win32\Directories] "Path Dirs"="C:\\Program Files\\Microsoft Visual C++ Toolkit 2003\\bin; C:\\Program Files\\Microsoft Platform SDK for Windows Server 2003 R2\\bin" "Library Dirs"="C:\\Program Files\\Microsoft Visual C++ Toolkit 2003\\lib; C:\\Program Files\\Microsoft Platform SDK for Windows Server 2003 R2\\Lib; C:\\Program Files\\Microsoft Visual Studio .NET 2003\\Vc7\\lib" "Include Dirs"="C:\\Program Files\\Microsoft Visual C++ Toolkit 2003\\include; C:\\Program Files\\Microsoft Platform SDK for Windows Server 2003 R2\\Include"
PE文件格式总结
m0_48995611的博客
06-11 440
PE文件格式总结基本介绍1.DOS Header 和 DOS stub2.NT headers2.1File header2.2 Optional header3.Section headers4.Sections其他 时间:202106 基本介绍 PE文件主要由 文件 和 区段(Section) 构成(如图所示),文件记录相关信息,而区段则存放相关数据。相连代表数据在文件存储紧接上一部分文件部分包括: (1) DOS Header (2) DOS Stub (3) NT Headers
PE文件学习--Dos
KOOKNUT的博客
03-23 524
PE(Portable Executeable File Format)可移植的执行文体格式,我们平时常见的exe\dll\sys等都是PE文件的一种。PE文件的组成可以被分为PE Head和PE Body,我们先从PE文件Dos部说起。 DOS部分为两部分:第一部分DOS MZ第二部分DOS Stub(指令字节码)。 以下为DOS MZ部微软给出的定义,其我学习用到的最关键两...
PE文件(一)PE
qq_63329753的博客
02-13 3760
PE文件结构(一)PE 12/100 发布文章 qq_63329753 未选择任何文件 new PE文件结构 PE(Portble Executable File Format,可移植的执行体文件格式) 文件是Windows操作系统下使用的可执行文件格式,使用该格式的目标是使链接生成EXE文件能在不同的CPU工作指令下工作。 PE文件种类:(种类:主拓展名) 可执行系列:EXE,SCR; 驱动程序系列:SYS,VXD; 库系列:DLL,OCX,CPL,DRV; 对象文件系列:OBJ; PE
PE文件格式详解:从DOS stub到NT Signature
文件之后是可选(Optional Header),它提供了更多关于PE文件的信息,如操作系统版本、图像基地址、代码和数据的大小、入口点地址、依赖的DLL列表等。可选分为标准字段和Windows特定字段,这些信息对于加载器...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值