Looking at Ms-Dos Header

Started by HellOfMice, December 22, 2024, 08:02:43 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

HellOfMice

December 22, 2024, 08:02:43 PM
Here is a small program to look at inside the MS-Dos Header
This program is a part of a bigger program
I found interesting so if you are curious as me...
The project has 2 7Zip files because of sqlite3.dll and a background images that very big
The build result I got is in the file "Build.txt"

HellOfMice

#1
December 22, 2024, 08:23:10 PM Last Edit: December 22, 2024, 08:28:34 PM by HellOfMice
After this header you will find the stup program and the Rich header.
The rich Header will learn you which Microsoft tools have been used.
This header is not part of the PE file structure but it can exists on some tools
like Errlook.exe

You can learn more about in https://0xrick.github.io/win-internals/pe1/

John Z

#2
December 23, 2024, 12:22:40 AM
Thanks HellOfMice!

I  think this is quite useful.

John Z

HellOfMice

#3
December 23, 2024, 06:18:25 AM Last Edit: December 23, 2024, 06:21:49 AM by HellOfMice
It's a sort of cookie that Microsoft installs. This is still valid today.


Look at this image and the one in the previous post. The image in this comes from a program that you know well
There is no Rich Header

TimoVJL

#4
December 23, 2024, 03:35:03 PM
You can see it this way too  ;)
May the source be with you

HellOfMice

#5
December 23, 2024, 03:48:58 PM
Hi Timo,


Good,


I downloaded this program yesterday but when compiling it it said that an include file was missing. :o
Could you resend the whole project


When looking at in depth a file we can have surprise.
What interests me is to know what it means.
Here it is a kind of cookie.

HellOfMice

#6
December 24, 2024, 08:58:42 AM
Here is a program, in C, that decrypt the GuidGen.exe Rich Header and the result.
Code Select
536E6144 00000000 : 21358.24900.0
00000000 00000000 : 0.0.0
00CEFFDD 00000001 : 206.65501.1
00C7A09E 00000001 : 199.41118.1
00DF5146 00000001 : 223.20806.1
00E05146 00000013 : 224.20806.19
00E15146 00000009 : 225.20806.9
00DD5146 00000004 : 221.20806.4
00CBFFDD 0000000B : 203.65501.11
00010000 00000100 : 1.0.256
00E1797D 00000003 : 225.31101.3
00DB520D 00000001 : 219.21005.1
00970000 00000001 : 151.0.1
00DE797D 00000001 : 222.31101.1
3BF3635A 00000000 : 15347.25434.0


HellOfMice

#7
December 24, 2024, 04:57:30 PM
I discovered that when POASM is in Debug mode it replaces the original MS-DOS header with its own one
Into my program I added a stub, written by TimoVJL. Into this file there is only the MS-DOS header, no stub program.
I needed to debug the program and tooke my program as a file to analyze.
What a surprise I did not recognize the header!

Vortex

#8
December 24, 2024, 06:07:45 PM
Hi Philippe,

ıt's easy to build a DOS stub, you need to pass the KNOWEAS option to the 16-bit linker :

Code Select
\masm32\bin\ml /c /coff Sample.asm
\masm32\bin\ml /c Mystub.asm
\masm32\bin\link16 /KNOWEAS Mystub.obj
\masm32\bin\link /SUBSYSTEM:WINDOWS /STUB:Mystub.exe Sample.obj
Code it... That's all...
Print
Go Up Pages1
User actions