Reversing
20 February 2011

Rich Signature: the Meaning of the ‘Garbage Bytes’ After the DOS Stub in a .EXE file

When looking at the hexadecimal dump of a 32-bit Portable Executable file (files with the well-known .EXE extension) I ran into some questions. According to the specification every PE file starts with a DOS header. This element is followed by the DOS stub, the small real-mode program that usually prints “This program cannot be run in DOS mode”. Next we find the PE header, which contains many important fields of information about the executable file.

When viewing calc.exe (Windows Calculator) in a hex editor, I found some extra paragraphs (16-byte units) in the DOS stub region that I could not explain. The start of calc.exe is displayed below:

We can identify elements at these offsets:

  • 0x00 - 0x3F: 64 bytes of DOS header
  • 0x40 - 0x7F: 64 bytes of DOS stub
  • 0x80 - 0xD7: Unknown code
  • 0xD8: The characters ‘PE’ (pointed to by the 32-bit field at 0x3C in the DOS header, e_lfanew) denoting the start of the PE header.

How Do We Know the DOS Stub Code Is Only 64 Bytes?

According to the specification, the DOS stub field starts at 0x40 and ends right before the start of the PE header at 0xD8. However, if you disassemble the code you will see it does not reference anything beyond the ‘$’ character at 0x78 (the terminator of the message string). The remainder of the stub region is normally zero-padded, but not here. Something else is going on.

So What Do the Bytes at 0x80-0xD7 Mean?

The eight 0x0 bytes at 0xD0-0xD7, right before ‘PE’, are probably padding. The other five paragraphs (0x80-0xCF), as I figured out after much searching, are called the Rich Signature. It is a Microsoft-compiler-only section that is not well-documented. But there is one excellent resource by Daniel Pistelli at ntcore.com — and sharing it with you is the whole point of this post.
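To make the layout above concrete, here is an added Python example (my own code, not part of the original post or of Pistelli's write-up). It constructs a sample image with exactly the layout of the calc.exe dump: DOS header at 0x00, stub at 0x40, Rich Signature at 0x80-0xCF, eight zero bytes, and ‘PE\0\0’ at 0xD8. It then walks the file the way the post does: read e_lfanew at 0x3C, find the ‘Rich’ trailer between the stub and the PE header, recover the XOR key, and decode the entries. The signature layout (a ‘DanS’ marker XORed with the key, three key-valued padding dwords, pairs of (comp_id, count) XORed with the key, then ‘Rich’ and the key itself) and the checksum rule used to derive the key are taken from the publicly documented format and are not described in this post; the product IDs, build numbers and counts in the sample are made up.

```python
import struct

DOS_HEADER_SIZE = 0x40        # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at 0x3C
RICH_MARKER = b"Rich"         # trailer of the signature, followed by the 32-bit XOR key
DANS_MAGIC = 0x536E6144       # "DanS" as a little-endian dword, start of the signature

# Constructed sample entries: (product_id, build_number, count). Not real compiler IDs.
SAMPLE_PRODUCTS = [(0x5D, 8047, 3), (0x7C, 9782, 12), (0x7B, 9782, 1),
                   (0x83, 9782, 7), (0x7A, 9782, 5), (0x01, 0, 29), (0x82, 9782, 1)]


def rol32(value, n):
    """Rotate a 32-bit value left by n bits (n is taken modulo 32)."""
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, entries):
    """Compute the key that XORs a Rich signature starting at dans_off.

    Documented rule: start with the DanS offset, add every byte of the DOS
    header and stub before it rotated left by its index (skipping the
    e_lfanew field at 0x3C..0x3F), then add each comp_id rotated by its count.
    """
    csum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & 0xFFFFFFFF
    return csum


def build_sample_image(products):
    """Constructed image: DOS header, stub, Rich signature, 8 zero bytes, 'PE\\0\\0'."""
    entries = [((pid << 16) | build, count) for pid, build, count in products]
    sig_len = 16 + 8 * len(entries) + 8            # DanS + 3 pads, entries, Rich + key
    pe_off = 0x80 + sig_len + 8                    # eight zero bytes before 'PE'
    head = bytearray(DOS_HEADER_SIZE)
    head[0:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, pe_off)     # e_lfanew
    # Standard stub: 14 bytes of real-mode code, then the message ending in '$' at 0x78.
    stub = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + \
        b"This program cannot be run in DOS mode.\r\r\n$"
    head += stub.ljust(DOS_HEADER_SIZE, b"\0")     # stub region is 0x40..0x7F
    key = rich_checksum(head, len(head), entries)
    sig = struct.pack("<IIII", DANS_MAGIC ^ key, key, key, key)
    for comp_id, count in entries:
        sig += struct.pack("<II", comp_id ^ key, count ^ key)
    sig += RICH_MARKER + struct.pack("<I", key)
    return (bytes(head) + sig).ljust(pe_off, b"\0") + b"PE\0\0"


def parse_rich_signature(data):
    """Locate and decode the Rich signature between the DOS stub and the PE header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    rich_off = data.find(RICH_MARKER, DOS_HEADER_SIZE, e_lfanew)
    if rich_off < 0:
        return None                                # no signature: plain zero padding
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk backwards one dword at a time until a dword XOR key reads "DanS".
    dans_off = None
    off = rich_off - 4
    while off >= DOS_HEADER_SIZE:
        if struct.unpack_from("<I", data, off)[0] ^ key == DANS_MAGIC:
            dans_off = off
            break
        off -= 4
    if dans_off is None:
        return None
    entries = []
    for off in range(dans_off + 16, rich_off, 8): # skip DanS and 3 padding dwords
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    return {
        "e_lfanew": e_lfanew,
        "dans_offset": dans_off,
        "rich_end": rich_off + 8,
        "padding": e_lfanew - (rich_off + 8),      # zero bytes before 'PE'
        "key": key,
        # A mismatch means the header or stub was altered after linking.
        "checksum_ok": rich_checksum(data, dans_off, entries) == key,
        "entries": [(cid >> 16, cid & 0xFFFF, cnt) for cid, cnt in entries],
    }


if __name__ == "__main__":
    info = parse_rich_signature(build_sample_image(SAMPLE_PRODUCTS))
    for k, v in info.items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Run it on a real binary by replacing the constructed image with `open(path, "rb").read()`; the offsets it reports correspond to the list above, and a failing checksum is a useful signal that the DOS header or stub of a Microsoft-linked binary was edited after the link step.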

Tags: bytes, dos header, dos stub, garbage, garbage bytes, pe header, pistelli, rich signature