
Microsoft's "Rich Signature"


Hi all.
I recently stumbled across some rather disturbing information; it seems Microsoft has taken it upon themselves to insert personally identifiable information into every executable linked with their link.exe. This information is referred to as the "rich signature", and is located between the DOS stub and PE header (example below). Apparently thus far they've used it as evidence against several high-profile virus writers.
Thus far the only information I have found on this signature is information on how to prevent it being created by link.exe, and a passing reference to it on the archived SysInternals forums. Out of sheer morbid curiosity, I'd like to ask if anyone else has any further information on the rich signature. If your information is available from an objectionable location, please PM me about it, otherwise feel free to add it to this thread.

Thanks, Ehtyar.

Some more information about it in the Sysinternals forum (go the next page for more details about it), for those wondering.

Interesting, I wonder what it could be used for, but it seems like nothing new. Perhaps you could ask the guys around there if they have some information they're saving for themselves, or maybe ask Mark Russinovich himself.

That was indeed the link I had previously come across; I apologize for not linking to it in my previous post. I had found information on another site that I cannot directly link to, but just in case someone comes across it and thinks it would be good to post, you will find this website as the first result in a Google search on "disable rich signature".


Yeah, I can't quite put my finger on why, but this definitely rubs me the wrong way. :down:

The topic appeared several years ago at the ASM Community, dunno if it's possible to dig up the stuff (should be easier after we installed Wordzilla's search mod :)), one of the members iirc reverse-engineered link.exe enough to prevent generation of the information.

I started work on a little tool to nuke the information post-link time, but never really finished it (as in, it nuked a hardcoded amount of bytes at a hardcoded file offset, so it won't work for all EXEs).
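For anyone who wants to see where the signature actually sits rather than guessing at a hardcoded offset, here is an added example (written for this thread, not code from any of the posters) that locates the Rich header generically: it reads e_lfanew, finds the "Rich" marker in the gap between the DOS header and the PE signature, undoes the XOR back to the "DanS" start marker, and decodes the product/build/count entries. It also recomputes the XOR key with the documented checksum over the DOS header bytes plus the entries, which is how an analyst can tell whether a header has been altered after linking. The MZ/PE image bytes and the product ids in it are constructed here for the demonstration and do not come from any real linker.

```python
"""Locate and decode the Rich header link.exe places between the DOS stub and
the PE header.  Added example for this thread; the sample image built below is
constructed test data, not bytes from a real executable."""
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH = 0x68636952  # "Rich" read as a little-endian dword


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken modulo 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(data, dans_offset, entries):
    """Recompute the XOR key: a sum over the DOS header bytes (skipping
    e_lfanew at 0x3C..0x3F) plus the product entries, seeded with the offset."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(data):
    """Return a dict describing the Rich header, or None if the image has none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew > len(data) - 4 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The header lives in the gap between the DOS header and the PE signature;
    # "Rich" is stored in the clear and is followed by the plaintext key.
    rich_pos = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_pos < 0 or rich_pos + 8 > e_lfanew:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    # Walk backwards, undoing the XOR, until the "DanS" start marker appears.
    pos = rich_pos - 4
    dwords = []
    while pos >= 0x40:
        dw = struct.unpack_from("<I", data, pos)[0] ^ key
        if dw == DANS:
            break
        dwords.append(dw)
        pos -= 4
    else:
        return None
    dwords.reverse()  # file order: three zero padding dwords, then entries
    if len(dwords) < 3 or any(dwords[:3]) or len(dwords[3:]) % 2:
        return None
    body = dwords[3:]
    entries = list(zip(body[0::2], body[1::2]))
    return {
        "offset": pos,
        "key": key,
        "checksum_ok": rich_checksum(data, pos, entries) == key,
        "entries": [
            {"prod_id": c >> 16, "build": c & 0xFFFF, "count": n}
            for c, n in entries
        ],
    }


def build_sample_image(entries, stub_len=0x40):
    """Construct a minimal MZ/PE prefix carrying a Rich header (test data only)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    dos += b"\0" * stub_len  # stand-in for the DOS stub program
    dans_offset = len(dos)
    key = rich_checksum(dos, dans_offset, entries)
    rich = struct.pack("<4I", DANS ^ key, key, key, key)  # marker + 3 zero pads
    for comp_id, count in entries:
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    image = dos + rich
    image += b"\0" * (-len(image) % 16)  # pad to a 16-byte boundary for this sample
    struct.pack_into("<I", image, 0x3C, len(image))  # e_lfanew -> PE signature
    image += b"PE\0\0"
    return bytes(image)


if __name__ == "__main__":
    # Constructed product ids; real ones identify specific compiler/linker builds.
    sample = build_sample_image([(0x00011234, 3), (0x00021234, 7)])
    print(parse_rich_header(sample))
```

Running the script decodes the two constructed entries and reports `checksum_ok: True`; flipping any byte inside the header makes the recomputed key disagree with the stored one, which is the signal to look for when a binary's toolchain fingerprint has been tampered with.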

