Microsoft's "Rich Signature"

[Ehtyar]

Hi all.
I recently stumbled across some rather disturbing information recently; it seems Microsoft has taken it upon themselves to insert personally identifiable information into every executable linked with their link.exe. This information is refered to as the "rich signature", and is located between the DOS stub and PE header (example below). Apparently thus far they've used it as evidence against several high-profile virus writers.
Thus far the only information i have found on this signature is information on how to prevent it being created by link.exe, and a passing reference to it on the archived SysInternals forums. Out of sheer morbid curiosity, I'd like to ask if anyone else has any further information on the rich signature. If your information is available from an objectionable location, please PM me about it, otherwise feel free to add it to this thread.

Thanks, Ehtyar.

[Lashiec]

Some more information about it in the Sysinternals forum (go the next page for more details about it), for those wondering.

Interesting, I wonder what it could be used for, but it seems like nothing new. Perhaps you could ask the guys around there if they have some information they're saving for themselves, or maybe to the same Mark Russinovich.

[Ehtyar]

That was indeed the link i had previously come across, I apologize for not linking to in my previous post. I had found information on another site that i cannot directly link to, but just in case someone comes across it and thinks it would be good to post, you will find this website as the first result in a google search on "disable rich signature".

Ehtyar.

[mouser]

Yeah i can't quite put my finger on why, but this definitely rubs me the wrong way. 

[f0dder]

The topic appeared several years ago at the ASM Community, dunno if it's possible to dig up the stuff (should be easier after we installed Wordzillas search mod ), one of the members iirc reverse-engineered link.exe enough to prevent generation of the information.

I started work on a little tool to nuke the information post-link time, but never really finished it (as in, it nuked a hardcoded amount of bytes at a hardcoded file offset, so it won't work for all EXEs).

[Lashiec]

Did someone there got some insight about what it's contained in the signature? Personal information about the owner of the computer in which the program was compiled, or what? And hidden underneath which scheme?

Mmmm, the page is not working at the moment

[mouser]

someone make a utility that lets us swap our info for that of bill gates.

[Ehtyar]

someone make a utility that lets us swap our info for that of bill gates.

-mouser (January 23, 2008, 02:20 PM)

Well the rich signature shown in the image in my first post is from cl.exe, so perhaps just substitute your rich signature for the one found there. Make their head spin a little if they ever wanted to know who made it.

Did someone there got some insight about what it's contained in the signature? Personal information about the owner of the computer in which the program was compiled, or what? And hidden underneath which scheme?

Mmmm, the page is not working at the moment

-Lashiec (January 23, 2008, 01:54 PM)

This was actually mostly what i was looking for. As much as i would like to say I'm an uber reverse engineer, my skills are nowhere near that level. I have picked up hints that the information is hardware-related, so things like MAC address, OS serial number, CPUID etc are likely candidates and the information is then encrypted with, of all things, xor. This information could be discerned by REing link.exe, but as I said, I'm just not that good.

The topic appeared several years ago at the ASM Community, dunno if it's possible to dig up the stuff (should be easier after we installed Wordzillas search mod ), one of the members iirc reverse-engineered link.exe enough to prevent generation of the information.

I started work on a little tool to nuke the information post-link time, but never really finished it (as in, it nuked a hardcoded amount of bytes at a hardcoded file offset, so it won't work for all EXEs).

-f0dder (January 23, 2008, 05:07 AM)

Indeed. I have already found instructions on preventing generation of the signature, at the location mentioned in my last post (google for "disable rich signature") but as i said earlier, my question is simply related more to knowing more about the signature itself, and what it contains and/or is used for.
Thanks for your posts guys, this is getting interesting

Ehtyar.

[f0dder]

Iirc the post at the asmcommunity did contain a bit of information on what's contained, but it's been quite some years ago

[Lashiec]

I've put some of my Google-fu to work, and unearthed various sites. First, a post in the EXETOOLS forum, with the tool used to strip the executables from the RICH information. It seems the original information about the signature was posted at wasm.ru, but of course, it's in Russian. The first post there includes some file, and the tool comes with a machine translated version (Russian -> English) of the original RTF file that came with the tool.

Second, in the documentation of a library used to play music in XM format, and co-authored by the same guy (at least with the same screen name) of the above tool, I found this:

There's another MS linker-specific known issue. link.exe attaches some unnecessary data between DOS stub and the beginning of PE header. It's easy to spot the dead weight in a Hex editor - it begins with a magic word 'Rich'. The encoded machine compid follows the magic word. If you don't want your executables being signed this way or just don't like to spend some extra bytes (actually, it's half a Kb!) on the signature, there's a couple of workarounds available. First, you can switch to another linker. Or you can search the web to find an article on patching link.exe. Psst! It's written in russian and available somewhere at wasm.ru.

Finally, in another forum, an attachment (do not worry, it's a pure text file), the most interesting document, and one that throws quite some light over what's the purpose of the RICH section. Still, it does not clarifies what's exactly stored there, only makes some suppositions.

[Ehtyar]

Wow, i seem to be neglecting to mention pieces of information I've already found. Asterix's removal tool no longer works as the bytes that require patching have changed (a different register is used in the targeted piece of code) as of vc 05, but thank you for the link. Naturally woodmann is being a b**ch to me, so i will have to wait to pass judgment on the attachment, but I'm salivating right now.

Ehtyar.

[Lashiec]

Interesting, I've seen that the English version of the second link does not include some information that is present in the Spanish one. Now which is the original version (English, Spanish or Russian?), which is correctly translated and which one is (maybe) omitting or adding original research? Hmmmm.... Anyway, the original Spanish text, for native speakers or advanced students :)

Hay otro asunto interesante relacionado con el linker de MS. link.exe introduce cierta información innecesaria entre el DOS stub y el inicio de la cabecera PE. Resulta sencillo localizar estos datos en un editor hexa, porque empiezan con la palabra 'Rich'. A continuación de esta palabra se encuentra el compid codificado de su PC. Si no desea que sus aplicaciones resulten firmadas de esta manera o simplemente prefiere no gastar unos cuantos bytes extra (en realidad, ¡medio Kb!) en la firma, existen 2 formas de evitarlo. En primer lugar, puede cambiar de linker. Como alternativa, puede buscar el la red un artículo sobre cómo modificar link.exe. Por cierto, el artículo en ruso se puede encontrar en wasm.ru.

And my English translation (I'll try my best):

There's another interesting issue related to Microsoft's linker. link.exe inserts certain useless information between the DOS stub and the beginning of the PE header. It's easy to locate this data using an hex editor, as it starts with the word 'Rich'. After this word, you can find the encoded compid of your PC. If you don't want your applications to be signed in such way or simply prefer not to waste a few bytes more (actually, half of a KB!) in the signature, there are 2 ways to avoid this. First, you can use another linker. As an alternative, you can search the Web for an article that explains how to modify link.exe. By the way, the article in Russian can be found at wasm.ru

[Ehtyar]

Well, after discovering that Verizon is the b**ch and not woodmann, i wget'd the attachment off my site shell and did some very interesting reading. Contrary to my assumptions "compid" is compiler ID, or version number. It would seem that the rich signature contains relatively benign information compared to what i first suspected. For those who wish to read further into it, I have attached the woodmann attachment to this post, and if I in future decide to pack my linkers (I have 6,7,8 and 9) I will be sure to post the details for everyone.

Ehtyar.

[f0dder]

This goes back to 2003/2004. Unfortunately "lingo" edited out the post where he described the whole thing >_<, and I don't know if anybody has that old backups of the forum. A shame, really.

http://www.asmcommun...ex.php?topic=11182.0
http://www.asmcommun...ex.php?topic=14699.0

[Ehtyar]

Well thank you for trying f0dder, I don't suppose spook keeps backups from that long ago eh? 

Ehtyar.

[f0dder]

Well thank you for trying f0dder, I don't suppose spook keeps backups from that long ago eh? 

Ehtyar.

-Ehtyar (January 24, 2008, 05:07 PM)

Dunno, really - Hiroshimator had backups of the old ASP forum database (the one Iczelion himself threw together), which has been integrated with the current forum. There's been various hacks and editing-out and whatnot, so a few things here and there have unfortunately been lost... I guess Lingo's edits went unnoticed long enough that there weren't any backups.

Yet a reason for keeping posts under revision control or similar!

[Rover]

This goes back to 2003/2004. Unfortunately "lingo" edited out the post where he described the whole thing >_<, and I don't know if anybody has that old backups of the forum. A shame, really.

http://www.asmcommun...ex.php?topic=11182.0
http://www.asmcommun...ex.php?topic=14699.0

-f0dder (January 24, 2008, 05:19 AM)

Did you try the Internet Archive?  If it was indexed, there should be a copy there...

[Ehtyar]

All the info we really needed was contained in RichSignature.txt attached above I think. Nothing more to know it, but thank you

Ehtyar.

[f0dder]

Did you try the Internet Archive?  If it was indexed, there should be a copy there...

-Rover (February 09, 2008, 09:54 PM)

In my experience, the internet archive is pretty bad at indexing forum topics... but I didn't try.

All the info we really needed was contained in RichSignature.txt attached above I think. Nothing more to know it, but thank you

-Ehtyar (February 10, 2008, 12:36 AM)

Still, it would have been nice to find the original asmcommunity posts about it. Oh well.

[Ehtyar]

Well, yay once again for disreputable websites. Here is a link containing a LOT more info from a very talented reverse engineer Daniel Pistelli. Much thanks to him for his work on this.

Ehtyar.

[f0dder]

Disreputable websites?

[Ehtyar]

Disreputable websites?

-f0dder (March 07, 2008, 06:00 PM)

Sorry, was a bit unclear there. I found the link to that page on the disreputable website. Just for clarification, ntcore.com is NOT a disreputable website.

Ehtyar.

[f0dder]

Disreputable websites?

-f0dder (March 07, 2008, 06:00 PM)

Sorry, was a bit unclear there. I found the link to that page on the disreputable website. Just for clarification, ntcore.com is NOT a disreputable website.

-Ehtyar (March 07, 2008, 06:08 PM)

woodmann's then?

[Ehtyar]

Well if i simply must throw subtlety out the window, the link is from the ARTeam Forum.

Ehtyar.