Topic: rich header info

TimoVJL

rich header info
« on: January 08, 2019, 11:37:59 PM »
As comp_id.txt provides info about the M$ tools used to create a program,
hopefully we can collect comp_ids from new versions of those tools.

PETestRichHdr is for that purpose.

example output:
Code:
hello64m.exe
00000000 id:0   version:0       times:3
00010000 id:1   version:0       times:2
01036990 id:259 version:27024   times:1
01026990 id:258 version:27024   times:1
01036990 [ASM] VS2017 build 27024    14.16.27024.1
01026990 [LNK] VS2017 build 27024    14.16.27024.1
Code:
TestMessageBox1.exe
00937809 id:147 version:30729   times:5
00010000 id:1   version:0       times:2
01046990 id:260 version:27024   times:1
01026990 id:258 version:27024   times:1
01046990 [ C ] VS2017 build 27024    19.16.27024.1 for x86
01026990 [LNK] VS2017 build 27024    14.16.27024.1

  18 8444 001220fc [ASM] VS98 (6.0) build ????, ml.exe 6.14.8444
  42 8803 002a2263 [ASM] VS98 (6.0) SP5 PP build 9044, ml.exe 6.15.8803
« Last Edit: January 09, 2019, 06:18:52 AM by TimoVJL »
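The decoding PETestRichHdr performs, as an added Python example (not part of the original post and not Timo's tool): it locates the "Rich" marker before e_lfanew, reads the XOR key stored after it, walks back to the masked "DanS" marker and lists each comp_id as id/version/times in the same layout as the output above. The PE prefix it parses is constructed inline (the 16-byte stub mirrors the "WinNT stub" bytes posted later in the thread); a "Poor" image with no Rich header, as produced by peupdate -r or a patched link.exe, yields None.

```python
import struct

DANS = 0x536E6144          # "DanS" read as a little-endian dword
RICH = b"Rich"

def parse_rich_header(data: bytes):
    """Return (xor_key, [(comp_id, prod_id, build, times), ...]) or None if absent.

    Layout between the DOS stub and the PE header: "DanS" ^ key, three masked
    zero dwords, one masked (comp_id, count) pair per tool, then "Rich" and the
    key in the clear. comp_id packs the product id in the high 16 bits and the
    build number in the low 16 bits, which is what the tool output shows.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(RICH, 0x40, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    dans_off = rich_off - 4
    while dans_off >= 0x40:                      # walk back to the masked "DanS"
        if struct.unpack_from("<I", data, dans_off)[0] ^ key == DANS:
            break
        dans_off -= 4
    else:
        return None                              # "Rich" without "DanS": not a Rich header
    entries = []
    for off in range(dans_off + 16, rich_off, 8):   # skip "DanS" + 3 padding dwords
        comp_id, times = (v ^ key for v in struct.unpack_from("<II", data, off))
        entries.append((comp_id, comp_id >> 16, comp_id & 0xFFFF, times))
    return key, entries

def format_entries(entries):
    """Render entries in the '00e0797d id:224 version:31101   times:9' style of the thread."""
    return [f"{c:08x} id:{p:<3} version:{b:<7} times:{t}" for c, p, b, t in entries]

def build_sample(entries, key=0x5A3C9E17):
    """Constructed test input, not a real binary: DOS header, 16-byte stub, Rich header, 'PE\\0\\0'."""
    stub = b"\xB8\x01\x4C\xCD\x21WinNT stub\x00"   # mov ax,4c01h / int 21h + name
    rich = struct.pack("<4I", DANS ^ key, key, key, key)
    for comp_id, times in entries:
        rich += struct.pack("<II", comp_id ^ key, times ^ key)
    rich += RICH + struct.pack("<I", key)
    pe_off = 0x40 + len(stub) + len(rich)
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)   # e_lfanew
    return bytes(hdr) + stub + rich + b"PE\0\0"
```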

fearless

Re: rich header info
« Reply #1 on: January 09, 2019, 12:46:22 AM »
Code:
M:\radasm\Masm\projects\WinBif>PETestRichHdr64.exe winbif.exe
winbif.exe
00e0797d id:224 version:31101   times:9
00df797d id:223 version:31101   times:2
00131f8e id:19  version:8078    times:46
00937809 id:147 version:30729   times:2
00cbffdd id:203 version:65501   times:3
00010000 id:1   version:0       times:125
001220fc id:18  version:8444    times:65
00db520d id:219 version:21005   times:1
00de797d id:222 version:31101   times:1
Linker: Microsoft linker(12.00.31101)
Compiler: MASM(6.14.8444)
I used Nauz File Detector v0.01 for the linker/compiler info: https://github.com/horsicq/Nauz-File-Detector


TimoVJL

Re: rich header info
« Reply #2 on: January 09, 2019, 01:08:39 AM »
From comp_id:
Code:
winbif.exe
00e0797d id:224 version:31101   times:9    [ C ] VS2013 UPD4 build 31101
00df797d id:223 version:31101   times:2    [ASM] VS2013 UPD4 build 31101
00131f8e id:19  version:8078    times:46   
00937809 id:147 version:30729   times:2    [IMP] VS2008 SP1 build 30729
00cbffdd id:203 version:65501   times:3
00010000 id:1   version:0       times:125
001220fc id:18  version:8444    times:65   [ASM] ????, ml.exe 6.14.8444
00db520d id:219 version:21005   times:1    [RES] VS2013 build 21005
00de797d id:222 version:31101   times:1    [LNK] VS2013 UPD4 build 31101
« Last Edit: January 09, 2019, 06:33:11 AM by TimoVJL »

AW

Re: rich header info
« Reply #3 on: January 10, 2019, 03:33:05 AM »
Countermeasure: a Post-Build Event to turn a Rich PE into a Poor PE:
"pathTopeupdate\peupdate" -r "$(TargetPath)"


TimoVJL

Re: rich header info
« Reply #4 on: January 10, 2019, 04:49:20 AM »
It is also possible to 'fix' link.exe to avoid that header feature.
With a dummy stub it also saves 512 bytes.

linkx.exe 5.12 0004511B 03 C8 -> 90 90

EDIT: fixed
« Last Edit: January 13, 2019, 07:40:38 AM by TimoVJL »

AW

Re: rich header info
« Reply #5 on: January 13, 2019, 07:26:28 AM »
For the link.exe distributed with the masm32 SDK (5.12.8078), NOP here:
0004511B: 03 c8


AW

Re: rich header info
« Reply #6 on: January 13, 2019, 07:46:05 AM »
Custom MS-DOS stub built with UASM, which can be used by link.exe or polink.exe with the option /STUB:mystub.bin.

Code:
; to build: uasm64 -bin -Fo mystub.bin mystub.asm

    .386
    option casemap:none

IMAGE_DOS_HEADER struct
e_magic WORD ?
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup (?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup (?)
e_lfanew SDWORD ?
IMAGE_DOS_HEADER ends

IMAGEBASE equ 400000h

PEHDR segment dword FLAT

;--- define the DOS "MZ" header

    ORG IMAGEBASE

    IMAGE_DOS_HEADER <"ZM", 90h, 3, 0,4,0,0ffffh,0,0b8h,0,0,0,40h,0,<0>,0,0,<0>,IMAGEREL PEHdr>

    db 0Eh         ;push cs
    db 1Fh         ;pop ds
    db 0BAh,0Eh,0  ;mov dx,text
    db 0B4h,09h    ;mov ah,9
    db 0CDh,21h    ;int 21h
    db 0B8h,01h,4Ch;mov ax,4c01h
    db 0CDh,21h    ;int 21h
    db "My custom-made DOS stub",13,10,'$'
   

PEHdr label byte
ORG PEHdr

PEHDR ends


Note: the widespread variant of building for 16 bits and then using the undocumented 16-bit link.exe /KNOWEAS switch wastes a lot of space.

TimoVJL

Re: rich header info
« Reply #7 on: January 13, 2019, 07:51:02 AM »
An empty stub.bin.

EDIT: small stub
Code:
00000000 4D 5A 90 00 03 00 00 00  04 00 00 00 FF FF 00 00 MZ.........ÿÿ..
00000010 B8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00 ¸.......@.......
00000020 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00  00 00 00 00 50 00 00 00 ............P...
00000040 B8 01 4C CD 21 57 69 6E  4E 54 20 73 74 75 62 00 ¸.LÍ!WinNT stub.
« Last Edit: January 13, 2019, 11:37:39 PM by TimoVJL »

AW

Re: rich header info
« Reply #8 on: January 13, 2019, 07:11:50 PM »
Now using MASM to produce the custom MS-DOS stub, which can be used by link.exe or polink.exe with the option /STUB:mystub.bin.

Code:
;\masm32\bin\ml -c -omf Stub.asm
; Need the 16-bit Microsoft segmented linker
;\masm32\bin\link16 /TINY Stub.obj,Stub.bin

.model TINY
option casemap:none

IMAGE_DOS_HEADER struct
e_magic WORD ?
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup (?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup (?)
e_lfanew SDWORD ?
IMAGE_DOS_HEADER ends

PEHDR segment

ORG 0
start:
IMAGE_DOS_HEADER <"ZM", 90h, 3, 0,4,0,0ffffh,0,0b8h,0,0,0,40h,0,<0>,0,0,<0>,offset PEHdr>

    push cs
    pop ds
    mov     dx, offset string - sizeof IMAGE_DOS_HEADER
    mov     ah,9
    int     21h
    mov     ah,04Ch
    int     21h

string  db "My custom-made DOS stub",13,10,'$'
         

PEHdr label byte
PEHDR Ends

END start


You can test it in DOSBox after changing the extension from .bin to .com.

AW

Re: rich header info
« Reply #9 on: January 13, 2019, 07:33:16 PM »
This is the source code for Timo's empty stub. It will crash if you launch it in DOS, of course.  :(

Code:
.model TINY
option casemap:none

IMAGE_DOS_HEADER struct
e_magic WORD ?
e_cblp WORD ?
e_cp WORD ?
e_crlc WORD ?
e_cparhdr WORD ?
e_minalloc WORD ?
e_maxalloc WORD ?
e_ss WORD ?
e_sp WORD ?
e_csum WORD ?
e_ip WORD ?
e_cs WORD ?
e_lfarlc WORD ?
e_ovno WORD ?
e_res WORD 4 dup (?)
e_oemid WORD ?
e_oeminfo WORD ?
e_res2 WORD 10 dup (?)
e_lfanew SDWORD ?
IMAGE_DOS_HEADER ends

PEHDR segment

ORG 0
start:
IMAGE_DOS_HEADER <"ZM", 90h, 3, 0,4,0,0ffffh,0,0b8h,0,0,0,40h,0,<0>,0,0,<0>,offset PEHdr>


PEHdr label byte
PEHDR Ends

END start

Vortex

Re: rich header info
« Reply #10 on: January 13, 2019, 09:51:25 PM »
Building a custom DOS stub:

Code:
\masm32\bin\ml /c /coff Sample.asm
\masm32\bin\ml /c Mystub.asm
\masm32\bin\link16 /KNOWEAS Mystub.obj
\masm32\bin\link /SUBSYSTEM:WINDOWS /STUB:Mystub.exe Sample.obj

Mystub.asm:
Code:
.model small
.stack
.data

msg db 'Hello DOS!','$'

.code

start:

    mov     ax,@data
    mov     ds,ax
    mov     dx,OFFSET msg
    mov     ah,9
    int     21h
    mov     ah,04Ch
    int     21h

END start

The KNOWEAS option above is required to build the DOS stub:

Code:
\masm32\bin\link /SUBSYSTEM:WINDOWS /STUB:Mystub.exe Sample.obj
Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Mystub.exe : warning LNK4060: stub file missing full MS-DOS header; rebuild stub
 with /KNOWEAS 16-bit LINK option

AW

Re: rich header info
« Reply #11 on: January 13, 2019, 10:59:21 PM »
Hello Vortex,

Yes, I am aware of that procedure, but you end up with a stub of 539 bytes  :(

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  4D 5A 1B 00 02 00 01 00 20 00 41 00 FF FF 02 00  MZ...... .A.ÿÿ..
00000010  00 04 00 00 00 00 00 00 40 00 00 00 01 00 00 00  ........@.......
00000020  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 00  ............ ...
00000040  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000200  B8 01 00 8E D8 BA 00 00 B4 09 CD 21 B4 4C CD 21  ¸..ŽØº..´.Í!´LÍ!
00000210  48 65 6C 6C 6F 20 44 4F 53 21 24 00 00 00 00 00  Hello DOS!$.....