Microsoft’s Rich Signature (undocumented)

In the last days I’ve been quite sick, so I decided that as long as I had to stay in bed I might at least use the time to do something useful (or quite so). What happened is that someone asked what the Rich Signature was. It might seems strange but in all these years I didn’t even notice it, I just overlooked it as part of the dos stub (incredible but true). Unable to answer, I noticed together with this person that the subject was completely undocumented. It might not even be much important, but you might find it an interesting reading after all.

http://ntcore.com/Files/richsign.htm

Since information about this topic is non-existent, the reader might not know what I’m talking about:

00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode….$…….
00000080 E7 B3 9D E7 A3 D2 F3 B4 A3 D2 F3 B4 A3 D2 F3 B4 糝ç£Òó´£Òó´£Òó´
00000090 60 DD AC B4 A8 D2 F3 B4 60 DD AE B4 BE D2 F3 B4 `ݬ´¨Òó´`Ý®´¾Òó´
000000A0 A3 D2 F2 B4 F8 D0 F3 B4 84 14 8E B4 BA D2 F3 B4 £Òò´øÐó´„Ž´ºÒó´
000000B0 84 14 9E B4 3A D2 F3 B4 84 14 9D B4 3F D2 F3 B4 „ž´:Ò󴄝´?Òó´
000000C0 84 14 81 B4 B3 D2 F3 B4 84 14 8F B4 A2 D2 F3 B4 „´³Ò󴄏´¢Òó´
000000D0 84 14 8B B4 A2 D2 F3 B4 52 69 63 68 A3 D2 F3 B4 „‹´¢Òó´Rich£Òó´
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….
000000F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ……..PE..L.

The data between the dos stub and the PE Header. It ends with the word Rich. It is produced by microsoft VC++ compilers only and it is encrypted.

This entry was posted in Internals, Reversing and tagged . Bookmark the permalink.

10 Responses to Microsoft’s Rich Signature (undocumented)

  1. Snaury says:

    Wow, thanks a lot for your article! =^_^= Back in the times I never found enough time or will to find what it actually stores there, I was just always patching link.exe to never do that, see http://snaury.livejournal.com/72193.html

    As for information being non-existent, I remember I’ve seen a mention of this topic on http://www.wasm.ru. Ah, right! Searching for “rich inurl:www.wasm.ru” got me this: http://www.wasm.ru/baixado.php?mode=tool&id=244 (there’s an RTF file inside the archive, the article dated January 2004). There’s nothing interesting in there, just a mention of a way to disable this and analysis left as a homework, but still I think people have been interested by this Rich thing for a long time. :)

    Anyway, great analysis from you. Respect!

  2. Snaury says:

    Ah! Further searching got me this: http://www.asmcommunity.net/board/index.php?topic=11182

    There’s the link to your article as well as to an older short article from 2004. :)

  3. Snaury says:

    But you already knew all that. My bad. %)

  4. Ntoskrnl says:

    Hello, thanks snaury. Yes, I’m now familiar with the article on asmcommunity, but it was totally unknown to me at the time I wrote the article. Otherwise I would have mentioned it. At the time I looked on google for Rich Signature and found only two topics in forums which talked in a very generic way about it. It’s difficult to look for past research about a topic if the information is relegated to closed forums: I can’t possibly check them all. Again, I’m glad you liked the article.

  5. Ntoskrnl says:

    Sorry, we posted together =)

    Yes I knew about it, but it’s good that you mention it.

    I would like to go back to these kind of topics. I don’t want to become the .NET guy.. =)

  6. spongman says:

    Wow, blast from the past. i worked in the VC team back then (not on the linker, though). ‘Rich’ is almost certainly short for ‘Richard Shupack’ from MS research who worked on linker/loader stuff in NT (among a whole bunch of other stuff), and ‘DanS’ is probably ‘Dan Spalding’ who, i think, ran the linker team back then. Their initials also show up in the MSF/PDB format.

  7. Interesting anecdote! Thanks for sharing! :)

    I will have to check PDB! :P

  8. AnotherVCGuy says:

    Yes, I also worked on the VC Team long back. Richard Shupak is spelt without the ‘c’, I think. Shupak worked in the MS Research team under Amitabh Srivastava then. But he used to do checkins in a lot of VC related code base – linkers, libraries etc.

  9. Thanks for confirming! Those were other times, lots of these Easter eggs everywhere. :)

  10. Guru Meditation says:

    Thank you for the article, I have come back to it a couple of times since it was written, most recently a couple of days ago and this time, noticing the link to the 2004 article was not working anymore, I decided to track down where it could be found… At long last, I found it hidden deep down in a website dedicated to virus programming, and so I will not post any link.
    Anyway, I always wanted to say thank you for writing the article, and only now being able to compare, so much more informative than the 2004 version.
    Since it is referenced, I hope you don’t mind me pasting the contents of 29A-8.009 here. If you do however, please moderate my comment.

    29A-8.009
    : things they didn’t tell you about ms link and the pe header : lw, 7 july 2004 :

    * Introduction

    The linkers from microsoft store information about used compiler versions
    to create the object and library files in the EXE files they produces. This
    information is stored right after the DOS stub, and before the start of the
    actual PE header.

    Appearantly they wanted to hide it, since all this stuff is encrypted using
    checksums and other weird ways. I must say that I don’t understand much of
    the way they built up the structure, it is inefficient and simply weird.

    Also I don’t see much use of it, unless in some strange lawsuit or something
    where the question is: is this .exe file created by this compiler+linker?
    Or: are these .lib’s used to create this exe file? Still then there is no
    good evidence, because only the used compiler versions are stored, compilers
    which are used by thousands of other people too. And why does microsoft use
    this strange encryption and such?

    Well, as you might see, enough questions about the reason why it exists -I can’t
    tell you much about the use of it- but maybe I can tell you something in this
    article about the structure of this stored data though.

    * The Rich-Structure

    The name “rich” is used because of one field of the structure, which contains
    the ASCII values that form “Rich”. After the DOS stub the “rich” structure is
    stored. This structure is created by the ms linker and consists mainly of compiler
    id’s which are gathered by the linker from the used .obj and .lib files. These
    compiler id’s are stored in the files by the ms compiler in the ‘comp.id’ fields,
    and contain the version number of the compiler. Newer linkers from ms also add
    their linker id to the exe file.

    The “rich” structure is in the following format:

    a, b, b, b — identification block / header?

    compid^b, r^b — from 0
    .. — :
    compid^b, r^b — to n

    ‘Rich’, b — terminator

    padding

    Where all variables are dwords. b is the checksum i’ll describe later, and
    a=b^0x536e6144. This value is a hardcoded value and appearantly always used.
    compid is the compiler id and b is the number of times it was encountered
    over all the lib/obj files (that is an assumption, i’m not 100% sure). And
    n is number of stored compid’s. compid’s are dwords too, the lower word is
    the minor version number (0-9999 decimal), the high word is the major
    number. i don’t know how the high word is encoded, but 13.10 appears is
    encoded as 0x60, and 7.10 as 0x5a. and yes, i see that 0x60-0x5a is the same
    as 13-7 decimal, but where did the 0x53 (0x60-13decimal) came from? and where
    is the 10 from the verison number stored?

    The size of the “rich” structure is ((b/32)%3 + n)*8 + 0x20 bytes. the unused
    space is padded with zeroes.

    b is calculated in these steps:

    b=sizeof(dos_stub) // (almost always 0x80)

    then the checksum of the dos_stub, with the pointer to the PE zeroed out, is
    calculated in the following way:

    for(int i=0; i<sizeof(dos_stub); i++)
    {
    b += dos_stub[i] ROL i; // ROL is the x86 rotate over left operation.
    }

    when the default dos stub of 0x80 bytes is used, b contains now 0x884f3421

    next, a checksum over the various compiler id's is calculated in this way:

    for(int i=0; i<n; i++)
    {
    b += compid[i] ROL r[i];
    }

    as stated above, r appears to be the number of times that compid is
    encountered in the libs/objs.

    * Conclusion

    The linker doesn't store your the MAC address of your NIC nor your DNA profile,
    but better remove it anyway ;). You can write a very simple tool that will
    zero out the rich structure given an exe file, or patch your linker so that it
    won't get written at all. For my investigation I used the Microsoft Visual C++
    Toolkit 2003 with the "same compiler and linker that ship with Visual Studio
    .NET 2003 Professional!" which you can download for free from microsoft.com,
    google for "VCToolkitSetup.exe". You can locate the interesting parts of code
    by searching link.exe for the string 'Rich' or in the function starting at
    0x459090.

    * Some additional last minute notes:

    Disavowed told me on the RCE board that the constant 0x536e6144 is equal to
    Dan^ in ASCII, and Silver had an some additional information about "Dan":
    Dan Ruder, Mechanics of Dynamic Linking, Microsoft, MSDN Library 1993, as
    referenced by patent 6253258 filed by Symantec for "Subclassing system for
    computer that operates with portable-executable (PE) modules". Well, that must
    be "our" magic Dan, shouldn't he?

Leave a Reply

Your email address will not be published. Required fields are marked *

*