I haven't been able to find much about this, does anyone know what it is/does?
I'm referring to a block of data in a PE header, between the DOS part and the NT header that has the word "Rich" in it (exactly like that, with the capital R, without the quotes of course)
Rich signature in exe's from VC++?
Moderator: MaxCoderz Staff
-
King Harold
- Calc King
- Posts: 1513
- Joined: Sat 05 Aug, 2006 7:22 am
-
benryves
- Maxcoderz Staff
- Posts: 3087
- Joined: Thu 16 Dec, 2004 10:06 pm
- Location: Croydon, England
- Contact:
It only appears in a handful of binaries here (some VB6 ones, for example).
As far as I can see it comes near the end of the DOS stub application that appears at the start of PE files (the one that tells you that "This program cannot be run in DOS mode."). It's just part of that, whether it's anything meaningful or not I'm not sure.
As far as I can see it comes near the end of the DOS stub application that appears at the start of PE files (the one that tells you that "This program cannot be run in DOS mode."). It's just part of that, whether it's anything meaningful or not I'm not sure.
-
King Harold
- Calc King
- Posts: 1513
- Joined: Sat 05 Aug, 2006 7:22 am
Well the place google found most on about these rich sigs is http://www.ntcore.com/Files/richsign.htm
It doesn't say what it's used for though, only what kind of data it is and that it can be safely removed (got to say that Daniel Pistelli did a nice job there, at the point just past the XOR-ing I would have given up)
It doesn't say what it's used for though, only what kind of data it is and that it can be safely removed (got to say that Daniel Pistelli did a nice job there, at the point just past the XOR-ing I would have given up)