Microsoft’s Rich Signature (undocumented)

In the last days I’ve been quite sick, so I decided that as long as I had to stay in bed I might at least use the time to do something useful (or quite so). What happened is that someone asked what the Rich Signature was. It might seem strange, but in all these years I didn’t even notice it; I just overlooked it as part of the DOS stub (incredible but true). Unable to answer, I noticed together with this person that the subject was completely undocumented. It might not even be very important, but you might find it an interesting read after all.

http://ntcore.com/Files/richsign.htm

Since information about this topic is non-existent, the reader might not know what I’m talking about:

00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
00000080 E7 B3 9D E7 A3 D2 F3 B4 A3 D2 F3 B4 A3 D2 F3 B4 ................
00000090 60 DD AC B4 A8 D2 F3 B4 60 DD AE B4 BE D2 F3 B4 `.......`.......
000000A0 A3 D2 F2 B4 F8 D0 F3 B4 84 14 8E B4 BA D2 F3 B4 ................
000000B0 84 14 9E B4 3A D2 F3 B4 84 14 9D B4 3F D2 F3 B4 ....:.......?...
000000C0 84 14 81 B4 B3 D2 F3 B4 84 14 8F B4 A2 D2 F3 B4 ................
000000D0 84 14 8B B4 A2 D2 F3 B4 52 69 63 68 A3 D2 F3 B4 ........Rich....
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L...

It is the data between the DOS stub and the PE header, and it ends with the word Rich. It is produced only by Microsoft VC++ compilers, and it is encrypted.
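As an added example (not part of the original post), here is a small decoder for the bytes shown in the dump above, offsets 0x80 to 0xDF. It assumes the Rich header layout: the dword after "Rich" is the XOR key, the block starts with "DanS" XORed with that key, followed by three padding dwords and then (compid, count) pairs, where the compid's high word is the product id and its low word is the build number.

```python
import struct

# Bytes 0x80..0xDF copied from the hex dump above (between the DOS stub and "PE\0\0").
RICH_REGION = bytes.fromhex(
    "E7B39DE7A3D2F3B4A3D2F3B4A3D2F3B4"
    "60DDACB4A8D2F3B460DDAEB4BED2F3B4"
    "A3D2F2B4F8D0F3B484148EB4BAD2F3B4"
    "84149EB43AD2F3B484149DB43FD2F3B4"
    "841481B4B3D2F3B484148FB4A2D2F3B4"
    "84148BB4A2D2F3B452696368A3D2F3B4"
)


def parse_rich(head):
    """Decode the Rich header found in `head` (the bytes preceding the PE signature).

    Returns (xor_key, [(product_id, build, use_count), ...]) or None if absent.
    """
    end = head.rfind(b"Rich")
    if end < 0 or end + 8 > len(head):
        return None
    key = struct.unpack_from("<I", head, end + 4)[0]      # key stored right after "Rich"
    dans = struct.unpack("<I", b"DanS")[0]
    # Walk back one dword at a time until XOR-decoding yields the "DanS" start marker.
    start = next((p for p in range(end - 4, -1, -4)
                  if struct.unpack_from("<I", head, p)[0] ^ key == dans), None)
    if start is None:
        return None
    entries = []
    # "DanS" is followed by three padding dwords (0 ^ key), then (compid, count) pairs.
    for off in range(start + 16, end, 8):
        comp, count = (v ^ key for v in struct.unpack_from("<II", head, off))
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return key, entries


if __name__ == "__main__":
    key, entries = parse_rich(RICH_REGION)
    print(f"key=0x{key:08X}")
    for prod, build, count in entries:
        print(f"product={prod:3d} build={build:5d} count={count}")
```

The key doubles as a checksum over the DOS header and the entries, so an analyst can recompute it to spot a header that was copied or edited after linking.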

PE Validator Script

Checking the validity of a PE file is a very difficult task, but checking a .NET assembly is even more complicated, since you have to check the tables integrity, the code integrity, the stack integrity etc. Ok, there’s already a tool that does that, provided by the .NET framework. However, that tool isn’t perfect either and doesn’t check some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong one time or another in the format I produced, and the MS tools didn’t help. But let’s not go OT; I just wanted to say that a topic on the woodmann forum triggered my interest because it was a good opportunity to test the CFF Explorer’s scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it’s a script (thus open source) it can be expanded easily.

You can find it in the extensions repository:

http://www.woodmann.com/collaborative/tools/index.php/PE_Validator_Script

Here are the current checks:

— check CRC32 (useful for drivers)
— check number of rva and sizes
— check image size
— check sections
— check that EP is valid
— check that EP is in code
— check that the EP section is executable
— check data directories RVAs
— check whether the API IsDebuggerPresent is imported

Don’t be too serious about it, it’s just a thing I did for fun.
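To show what a few of the checks listed above amount to, here is an added Python example (not the CFF Explorer script itself): it parses the section table and applies the entry-point and image-size checks, and builds a constructed minimal PE32 header to run them against.

```python
import struct

# Section characteristic flags from the PE format.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def validate_pe(pe):
    """Run the EP and image-size checks; returns {check_name: passed}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header start
    ep = struct.unpack_from("<I", pe, opt + 16)[0]              # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]   # SizeOfImage
    sections = []
    for i in range(nsec):
        base = opt + opt_size + 40 * i                          # IMAGE_SECTION_HEADER
        vsize, va = struct.unpack_from("<II", pe, base + 8)
        flags = struct.unpack_from("<I", pe, base + 36)[0]
        sections.append((va, vsize, flags))
    ep_sec = next((s for s in sections if s[0] <= ep < s[0] + s[1]), None)
    return {
        "ep_valid": ep_sec is not None,
        "ep_in_code": ep_sec is not None and bool(ep_sec[2] & IMAGE_SCN_CNT_CODE),
        "ep_executable": ep_sec is not None and bool(ep_sec[2] & IMAGE_SCN_MEM_EXECUTE),
        "image_size": all(va + vs <= size_of_image for va, vs, _ in sections),
    }


def build_pe(ep, size_of_image):
    """Constructed headers-only PE32 image with a .text and a .data section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, ep)
    struct.pack_into("<I", opt, 56, size_of_image)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def section(name, va, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, 0x400, 0, 0, 0, 0, flags)

    text = section(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    data = section(b".data", 0x2000, 0x00000040 | 0x40000000 | 0x80000000)
    return bytes(dos + b"PE\0\0" + file_hdr + opt + text + data)
```

Running `validate_pe(build_pe(0x2000, 0x3000))` flags an entry point that lands in a non-executable data section, which is one of the conditions the script above is meant to catch.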

Explorer Suite III (CFF Explorer VII)

Scripting documentation:

http://ntcore.com/Files/cffscriptv1.htm

News:

– Fixed a lot of bugs
– Fixed a minor bug in the MetaData tables
– Fixed minor resizing bug on Vista
– General improvements
– Significantly improved the interface
– Improved Resource Editor
– Improved Rebuilder (added checksum update and strip debug directory)
– Improved Data Directories viewer
– Improved Hex Editor
– Improved Sections Dialog (added section’s hex view)
– Improved MetaData Tables
– Extended the SDK
– Added a very powerful scripting language
– Added documentation for the scripting language
– Added security features for the scripting language
– Added support for generic files
– Added Name Unmangler
– Added Debug Directory
– Added Dependency Walker
– Added Quick Disassembler (x86, x64)

Hope you like it.

After months of work I finally have a release.

Surprising

Only today I had 4000 unique visitors on NTCore!

It all began yesterday evening when I reached 3062 visitors. I really couldn’t believe my eyes when I saw the number on my visitors counter. What happened? Going through the referrals, I noticed that I had been linked by several major sites. One of them was del.icio.us.

In one and a half day I reached 7000 unique visitors.

Why? Because of Vista4Experts, which, after not even a week of being released, has been linked everywhere on the net. Really a big hit. If you type it into google, you’ll find more than 30,000 results. And, I repeat, that’s after not even a week since I uploaded this software on NTCore.

Webpages and blogs from all over the world are talking about it.

PC World asked me if they could host the program as well, because they are covering it in an article about Windows Vista.

All this tells me that I was right about my criticism about Vista and a lot of people, even not experts, feel like me.

Vista4Experts

Three days ago I got sick (not unusual for me) and had to stay in bed. Unfortunately, I easily get bored by just staying in bed. Ok, I watch some movies, I read, but then I feel the urge to do something. On the other hand, I wasn’t in the mood of working on the CFF Explorer or finishing my new article. So, I decided to work on something more relaxing (even though it turned out to be more stressful than I thought).

The result of these three days is Vista4Experts, which, in my opinion, is kind of a treat for people like us (meaning experts), who don’t want security center notifications, User Account Control dialogs, automatic Windows Defender scans, automatic update installations (which cause you to reboot your system if you don’t react quickly enough). People who want MSDN (or google) set as the default search engine in the Internet Explorer search bar, who want the start menu power button to shut down the system instead of hibernating it, etc. These and many more fixes are included in Vista4Experts. All of these changes can be discarded, enabled or reversed. Vista4Experts is the first expert utility of its kind and works on every platform.

I realize, of course, that many fixes in Vista4Experts lower Windows Vista’s default security, but that’s the difference between users who feel confident enough to decide what’s best for their system and users who don’t. Many of Windows Vista’s security features are extremely annoying to many developers and other IT experts.

I even think it’s bad that Microsoft didn’t provide a permanent way to disable the driver signature verification, making it possible only for signed drivers to run on x64 (that is, if the user isn’t in the mood to press F8 on every boot). A way of replying to my criticism is to say that many hardware manufacturers would force the user to disable the driver verification in order to use their drivers, but that’s nonsense! No serious manufacturer would do that. This is my system and I want to run any driver that I want to! I’m pretty sure I won’t involuntarily execute a rootkit, don’t worry about me Microsoft…

Let’s take for example TrueCrypt. It’s top quality free software and, of course, works through a file system driver. Why should the author/company pay 500$ (or less) for a 1-year certificate to sign their driver? Ok, it’s not a problem for TrueCrypt, since this product was famous a long time before Vista came along. Its community surely will cover all the expenses, I suppose. But what about a new project which may start now? Should the developer invest 500$ for something which might not even cover his expenses? Oh, sure, 500$ isn’t that much, and he can pay this amount without selling his computer, but the questions are: is it right? Will he?
And myself, the user, why shouldn’t I be able to run his driver if I absolutely want to? That, of course, without being bothered by the terrible F8 or by having to install a test certificate?

We keep going in the direction where the user has less and less control over his own system. It’s unfair and disappointing.