Looking at Ms-Dos Header

[HellOfMice]

Here is a small program to look at inside the MS-Dos Header
This program is a part of a bigger program
I found interesting so if you are curious as me...
The project has 2 7Zip files because of sqlite3.dll and a background images that very big
The build result I got is in the file "Build.txt"

[HellOfMice]

After this header you will find the stup program and the Rich header.
The rich Header will learn you which Microsoft tools have been used.
This header is not part of the PE file structure but it can exists on some tools
like Errlook.exe

You can learn more about in https://0xrick.github.io/win-internals/pe1/

[John Z]

Thanks HellOfMice!

I  think this is quite useful.

John Z

[HellOfMice]

It's a sort of cookie that Microsoft installs. This is still valid today.


Look at this image and the one in the previous post. The image in this comes from a program that you know well
There is no Rich Header

[TimoVJL]

You can see it this way too 

[HellOfMice]

Hi Timo,


Good,


I downloaded this program yesterday but when compiling it it said that an include file was missing.
Could you resend the whole project


When looking at in depth a file we can have surprise.
What interests me is to know what it means.
Here it is a kind of cookie.

[HellOfMice]

Here is a program, in C, that decrypt the GuidGen.exe Rich Header and the result.

Code: [Select]

536E6144 00000000 : 21358.24900.0
00000000 00000000 : 0.0.0
00CEFFDD 00000001 : 206.65501.1
00C7A09E 00000001 : 199.41118.1
00DF5146 00000001 : 223.20806.1
00E05146 00000013 : 224.20806.19
00E15146 00000009 : 225.20806.9
00DD5146 00000004 : 221.20806.4
00CBFFDD 0000000B : 203.65501.11
00010000 00000100 : 1.0.256
00E1797D 00000003 : 225.31101.3
00DB520D 00000001 : 219.21005.1
00970000 00000001 : 151.0.1
00DE797D 00000001 : 222.31101.1
3BF3635A 00000000 : 15347.25434.0


[HellOfMice]

I discovered that when POASM is in Debug mode it replaces the original MS-DOS header with its own one
Into my program I added a stub, written by TimoVJL. Into this file there is only the MS-DOS header, no stub program.
I needed to debug the program and tooke my program as a file to analyze.
What a surprise I did not recognize the header!

[Vortex]

Hi Philippe,

ıt's easy to build a DOS stub, you need to pass the KNOWEAS option to the 16-bit linker :

Code: [Select]

\masm32\bin\ml /c /coff Sample.asm
\masm32\bin\ml /c Mystub.asm
\masm32\bin\link16 /KNOWEAS Mystub.obj
\masm32\bin\link /SUBSYSTEM:WINDOWS /STUB:Mystub.exe Sample.obj