I'm experimenting with building my own exe-files and dll-files, and the only bytes in an exe-file that I cannot find any info about is the data that the MASM linker always seems to put between the DOS stub code and the PE-header. I know that this data is not part of the exe-format itself (in files produced by other linkers, e.g. Delphi, this area is zeroed) but it would still be really interesting to know what kind of data MASM stores here?

I have noticed that the data is practically identical between different exe-files produced with MASM (only one byte in it has been observed to change) and it also always seems to include the string "Rich".

MASM outputs different data (and even different size of this data) when producing a dll file and when producing an exe file though.


This is a normal MASM DOS-stub code:

Code:
push    cs
pop     ds
mov     dx, 0Eh
mov     ah, 9
int     21h             ; DOS - PRINT STRING
                        ; DS : DX -> string terminated by "$"
mov     ax, 4C01h
int     21h             ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)

000E_string:
    "This program cannot be run in DOS mode.", 2Eh, 0Dh, 0Dh, 0Ah, "$"
Directly after it comes this data I'm talking about, before the PE-header.



In my MASM exe-files it is the following:
Code:
00000070   <end of stub string here>   00 00 00 00 00 00 00            .......
00000080   5D 17 1D DB 19 76 73 88  19 76 73 88 19 76 73 88   ]..Û.vsˆ.vsˆ.vsˆ
00000090   19 76 73 88 0D 76 73 88  E5 56 61 88 18 76 73 88   .vsˆ.vsˆċVaˆ.vsˆ
000000A0   52 69 63 68 19 76 73 88  00 00 00 00 00 00 00 00   Rich.vsˆ........
000000B0   <PE-header begins here>
In my MASM dll-files it is the following:
Code:
00000070   <end of stub string here>   00 00 00 00 00 00 00            .......
00000080   71 D4 F7 DB 35 B5 99 88  35 B5 99 88 35 B5 99 88   qÔ÷Û5µ™ˆ5µ™ˆ5µ™ˆ
00000090   C9 95 8B 88 34 B5 99 88  BB AA 8A 88 34 B5 99 88   ɕ‹ˆ4µ™ˆğŞŠˆ4µ™ˆ
000000A0   52 69 63 68 35 B5 99 88  00 00 00 00 00 00 00 00   Rich5µ™ˆ........
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000C0   <PE-header begins here>
It would be really interesting to know what kind of info that MASM "hides" in this data. Does anyone have any idea whatsoever?

Thanks!