Daniel Pistelli

  1. Microsoft's Rich Signature (undocumented)

    In the last few days I've been quite sick, so I decided that as long as I had to stay in bed I might at least use the time to do something useful (or quite so). What happened is that someone asked what the Rich Signature was. It might seem strange, but in all these years I didn't even notice it; I just overlooked it as part of the DOS stub (incredible but true). Unable to answer, I noticed together with this person that the subject was completely undocumented. It might not even be very important, but you might find it an interesting read after all.


    Since information about this topic is non-existent, the reader might not know what I'm talking about:

    00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
    00000080 E7 B3 9D E7 A3 D2 F3 B4 A3 D2 F3 B4 A3 D2 F3 B4 ................
    00000090 60 DD AC B4 A8 D2 F3 B4 60 DD AE B4 BE D2 F3 B4 `.......`.......
    000000A0 A3 D2 F2 B4 F8 D0 F3 B4 84 14 8E B4 BA D2 F3 B4 ................
    000000B0 84 14 9E B4 3A D2 F3 B4 84 14 9D B4 3F D2 F3 B4 ....:.......?...
    000000C0 84 14 81 B4 B3 D2 F3 B4 84 14 8F B4 A2 D2 F3 B4 ................
    000000D0 84 14 8B B4 A2 D2 F3 B4 52 69 63 68 A3 D2 F3 B4 ........Rich....
    000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000F0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L...

    This is the data between the DOS stub and the PE header. It ends with the word "Rich". It is produced only by Microsoft VC++ compilers, and it is encrypted.
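    As an added example (not part of the original post), the following Python decodes the very bytes shown in the dump above. The layout it assumes is not stated in the post and comes from later public analysis: every DWORD before "Rich" is XORed with the 32-bit key stored right after "Rich", the plaintext begins with a "DanS" marker and three zero DWORDs, and the rest is pairs of (build | product_id << 16, use count).

```python
import struct

# The 96 bytes at offsets 0x80..0xDF of the hex dump in the post,
# transcribed here as constructed sample input.
RICH_BLOCK = bytes.fromhex(
    "E7B39DE7A3D2F3B4A3D2F3B4A3D2F3B4"
    "60DDACB4A8D2F3B460DDAEB4BED2F3B4"
    "A3D2F2B4F8D0F3B484148EB4BAD2F3B4"
    "84149EB43AD2F3B484149DB43FD2F3B4"
    "841481B4B3D2F3B484148FB4A2D2F3B4"
    "84148BB4A2D2F3B452696368A3D2F3B4"
)

def parse_rich(data):
    """Decode a Rich block that ends with b'Rich' followed by a 32-bit key.

    Returns (key, entries); each entry is (product_id, build, use_count).
    Layout assumed (not from the post): all DWORDs before 'Rich' are XORed
    with the key, the plaintext starts with 'DanS' plus three zero DWORDs.
    """
    end = data.rfind(b"Rich")
    if end < 0 or end + 8 > len(data):
        raise ValueError("no Rich marker followed by a key")
    key = struct.unpack_from("<I", data, end + 4)[0]
    words = [w ^ key for w in struct.unpack_from("<%dI" % (end // 4), data, 0)]
    if words[0] != 0x536E6144 or words[1:4] != [0, 0, 0]:   # 'DanS' + padding
        raise ValueError("unexpected header after XOR; key or layout is wrong")
    entries = []
    for comp, count in zip(words[4::2], words[5::2]):
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return key, entries

if __name__ == "__main__":
    key, entries = parse_rich(RICH_BLOCK)
    print("key = 0x%08X" % key)
    for prod, build, count in entries:
        print("product 0x%04X  build %5d  used %3d times" % (prod, build, count))
```

    On the dump above the first decoded DWORD is indeed "DanS", which is a quick way to confirm that the key after "Rich" is the one that was applied.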

    To dELTA, who has been hunting me down for this article for more than a week: I hope you're satisfied now! Damn Swedish bloodhound! =)

    Updated March 4th, 2008 at 21:15 by Daniel Pistelli

  2. PE Validator Script

    Checking the validity of a PE file is a very difficult task, but checking a .NET assembly is even more complicated, since you have to check the tables' integrity, the code integrity, the stack integrity etc. Ok, the .NET framework already provides a tool that does that. However, that tool isn't perfect either and doesn't check for some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong, one time or another, in the format I produced, and the MS tools didn't help. But let's not go OT; I just wanted to say that a topic on the Woodmann forum triggered my interest because it was a good opportunity to test CFF Explorer's scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it's a script (thus open source) it can be expanded easily.

    You can find it in the extensions repository:


    Here are the current checks:

    -- check CRC32 (useful for drivers)
    -- check the number of RVAs and sizes
    -- check image size
    -- check sections
    -- check that the EP is valid
    -- check that the EP is in code
    -- check that the EP section is executable
    -- check data directory RVAs
    -- check whether the IsDebuggerPresent API is imported

    Don't be too serious about it, it's just a thing I did for fun.
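    The script itself is written in CFF Explorer's scripting language and isn't reproduced on this page. As an added example (not the author's script), here is a Python reimplementation of four of the checks listed above (NumberOfRvaAndSizes, image size, entry point inside a section, entry point section marked executable and code), run against a constructed headers-only PE32 image; the field offsets are those of the standard IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER layouts.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_image(entry_point, section_flags, size_of_image=0x2000):
    """Constructed headers-only PE32 with one section (.text at RVA 0x1000, 0x100 bytes)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, size_of_image)    # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    sec = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x400,
                      0, 0, 0, 0, section_flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec

def validate(data):
    """Run the checks; return a list of problem strings (empty means all passed)."""
    problems = []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing PE signature"]
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    ep, = struct.unpack_from("<I", data, opt + 16)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    nrva, = struct.unpack_from("<I", data, opt + 92)
    if nrva != 16:
        problems.append("NumberOfRvaAndSizes is %d, expected 16" % nrva)
    # Section tuple fields: 1 = VirtualSize, 2 = VirtualAddress, 9 = Characteristics
    secs = [struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
            for i in range(nsec)]
    # Necessary condition only: a valid SizeOfImage is also rounded up to SectionAlignment
    if secs and size_of_image < max(s[2] + s[1] for s in secs):
        problems.append("SizeOfImage does not cover the last section")
    home = [s for s in secs if s[2] <= ep < s[2] + s[1]]
    if not home:
        problems.append("entry point 0x%X is not inside any section" % ep)
    elif not home[0][9] & IMAGE_SCN_MEM_EXECUTE:
        problems.append("entry point section is not executable")
    elif not home[0][9] & IMAGE_SCN_CNT_CODE:
        problems.append("entry point section is not marked as code")
    return problems
```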

  3. Explorer Suite III (CFF Explorer VII)

    Scripting documentation:

    - Fixed a lot of bugs
    - Fixed a minor bug in the MetaData tables
    - Fixed minor resizing bug on Vista
    - General improvements
    - Significantly improved the interface
    - Improved Resource Editor
    - Improved Rebuilder (added checksum update and strip debug directory)
    - Improved Data Directories viewer
    - Improved Hex Editor
    - Improved Sections Dialog (added section's hex view)
    - Improved MetaData Tables
    - Extended the SDK
    - Added a very powerful scripting language
    - Added documentation for the scripting language
    - Added security features for the scripting language
    - Added support for generic files
    - Added Name Unmangler
    - Added Debug Directory
    - Added Dependency Walker
    - Added Quick Disassembler (x86, x64)

    Hope you like it.

  4. The Windows Vista Issue

    Windows XP brought a lot of enthusiasm to most programmers, and common users loved it too. XP officially introduced the NT kernel for everyone, not just for servers. It was a great step forward, and most people who had earlier disliked Windows now had trouble criticizing it from a technical point of view.

    Windows Vista, unfortunately, wasn't going to satisfy everybody. There's got to be a reason (even more than one) if PC World wrote that Vista is the biggest tech disappointment of the year 2007. Not that PC World's opinion is 100% reliable, and the article mostly criticizes Vista for the wrong reasons. However, one fact remains: many users decided not to upgrade to Vista, and some even downgraded to XP.

    Microsoft is a big company whose interest is making money, like all companies; that's pretty clear, but in the process Microsoft shouldn't leave behind all the people who made Windows what it is now. Windows is so important because of three factors:

    a) the quality of the operating system
    b) the number of people who use it
    c) the number of applications developed for it

    Factor c) is really important, because it's sort of the backbone of Microsoft's success. I don't want to imply that Microsoft is going to lose millions of dollars because the current Mark Russinovich will use another OS instead of Windows (that would be a little hard for him, since he's employed by Microsoft now), but maybe the next Pietrek / Russinovich won't be a Windows expert. If Microsoft leaves behind the developer community, it'll reflect directly upon the user community. In my opinion Microsoft is taking chances for no good reason.

    In my opinion it's better to make less money in the long term than to make a lot of money in just one year and lose a lot of customers in the process.

    I tried to make a list of all the things which would have made Vista the best product of 2007. Ok, let's not exaggerate, but surely it wouldn't have been the worst one. Keep in mind that the points in the list are not ordered by relevance but, where not random, by logical connection.

    What Microsoft should change:

    1) Let's start with the silliest thing: Windows Vista's Aero is not available in the Vista Home Basic edition. Aero is described as an "Elegant Windows Aero desktop experience" feature. But that's just silly; it can't be a feature for which the user pays extra money. Vista Home Basic retail edition costs 250 euros (367 USD)! For that price, I think, it's highly immoral to exclude such a silly feature as Aero. Microsoft can't make money from Aero; it's just unprofessional and the company loses credibility. And this brings us right to the next point.

    2) Only Vista Business and Vista Ultimate can be virtualized (run on VMware, Virtual PC etc.). Microsoft applied license restrictions to Vista Home (both Basic and Premium), making it impossible to virtualize these two editions, at least legally. Again, that's unprofessional and, from a technical point of view, horrible. This point is very important. Microsoft should just offer more tools/services (e.g. BitLocker) in its more expensive editions. It's just wrong to put usage restrictions in its less expensive editions.

    3) It should be possible to disable driver verification permanently at boot time (this means without forcing the user to press F8 on every boot). One way of replying to this point is to say that many hardware manufacturers would force the user to disable driver verification in order to use their drivers, but that's nonsense! No serious manufacturer would do that. Let's take TrueCrypt, for example. It's top-quality free software and, of course, works through a file system driver. Why should the author/company pay $500 (or less) for a 1-year certificate to sign their driver? Ok, it's not a problem for TrueCrypt, since this product was famous a long time before Vista came along. Its community surely will cover all the expenses, I suppose. But what about a new project which may start now? Should the developer invest $500 for something which might not even cover his expenses? Oh, sure, $500 isn't that much, and he can pay this amount without selling his computer, but the questions are: is it right? Will he? And the user himself: why shouldn't he be able to run his driver if he absolutely wants to? That, of course, without being bothered by the terrible F8 or by installing a test certificate. Again, this is a very serious credibility issue, which shouldn't easily be dismissed. I'm not even sure whether this policy was introduced only for security reasons or also because driver signatures are expensive and TrueSign (owned by Microsoft) is making good money out of this. Anyway, if Microsoft wants to make money out of driver developers, it should sell documentation or compilers. Libraries and header files should be given away for free (as they currently are). I can't emphasize this enough: trying to make money out of everything can be very counterproductive.

    4) Lower the prices! Microsoft can't be offering an operating system which can't be virtualized and doesn't have Aero for 250 euros (367 USD) (retail edition price). To have these luxuries you have to pay at least 300 euros (440 USD).

    5) .NET is a great thing, no doubt about it. But it will never totally replace native C/C++ programs. So, PLEASE, keep the MSDN up to date, fix the broken links and enrich the contents! I'm a huge fan of .NET technology, but it's just a fact that developers love C/C++ (not that managed C++ thing) and they'll never give up developing with it. And that's right, because .NET can't be a replacement for everything (and never will be). I'm sure the community would really appreciate this point.

    6) Microsoft's strength on the market is given by its kernel, by its libraries and, last but not least, by its hardware support. If there were a freeware (or sold at, let's say, ten bucks) open source system with an NT-like kernel (NTFS support included) and with the same hardware support, it could run a modified WINE (like ReactOS) to support Win32; and that would be part of the end of Microsoft's dominance, since most users would migrate to it (and even most of Microsoft's products would run on it). Thus, Microsoft shouldn't push too hard with Windows prices, because all the Aeros, UACs, Defenders and BitLockers can't compete with a free/cheap system.

    7) Microsoft is running too fast. Many directions are right, but developers won't follow blindly. What about Win32? It's old, ok, but does Microsoft really think that .NET and WinFX will completely replace it? If Microsoft thinks that the future is going to be something like "kernel in C/C++ and all GUI applications in .NET (WPF, Forms, WinFX etc.)", then it's betting wrong. Ok, the native C++ code could be contained in external DLLs, but even that won't happen. I learned C# pretty early in my life, but even I would never give up writing native code, so it's impossible to expect that from people who are much older than me. Maybe in 30 years, if Microsoft maintains its leadership...
    Also, why should a new Windows edition come out every X years? An edition should come out when it's ready, not when it's supposed to, and Vista wasn't ready to come out (let's think about all the things which were cut out of that version because of time issues). But I don't expect this to happen: marketing rules.

    8) Just abandon the DRM "technology". DRM is just wrong and lame. Windows is becoming more and more a closed box where nobody can look inside or change something. Degrading / preventing audio/video output on purpose is, again, unprofessional. I call this sort of thing "dirty programming". These kinds of checks in the code are just garbage which pollutes the beauty of the code itself. Every piece of software is, in my opinion, a work of art. Dirty programming is like writing the market price with a black marker over one of Monet's paintings.

    9) Offer a way to permanently disable PatchGuard. This isn't, of course, something for common users, but for experts who need total control of their systems. Again, this point is about Microsoft's credibility in the eyes of the developer community. Trying to prevent developers and reversers from messing with the system is not good, because experts lose interest in a closed box which cannot be played with. If Symantec is allowed to modify the kernel, then there's no excuse for preventing others from doing the same. It's just unfair and, in this case, lame (Symantec: bleah!).

    10) XP was a very good operating system. I'm still running XP SP2 on my laptop and it works perfectly. There's got to be a reason if XP support was extended to the year 2014, whereas Vista support ends in 2012. Ok, they might change their mind and extend Vista's support, but the fact remains. So, don't ruin XP through updates with Vista-like features.

    11) Ok, UAC is necessary, but limit the number of dialog boxes which annoy the user to important things only. Create a light version of UAC which allows modifying system objects which aren't critical for the system (at least not for the common user). Need an example? Changing the system time/date is not critical for most people! Make it possible to run some Microsoft applications like regedit or the administrative tools without a UAC confirmation dialog. How? There are plenty of ways, like signing those applications with a special Microsoft signature. I'm not saying to throw away the existing UAC, just create an alternative!

    I don't think Microsoft will ever follow any of these points, but who knows...

    As for me, it's not like I discovered Vista yesterday. In fact, I was one of the first users of Vista x64 and one ...