Clear all

MS-DOS stub program  

Community Legend


The other day, I started doing some research into PE headers and came across some information that led me to a question…

When a PE executable is created, the linker adds an MS-DOS stub program to the file, prior to the PE header. This is the part that says, "This program cannot be run in DOS mode", or something similiar (I've seen variations). With the MSVC++ environment, the default stub is "winstub.exe". In some cases, the remaining data between the DOS mode "notice" and the PE header includes the letters "Rich", along with other stuff.

My question is, has anyone used this information to tie a program to a suspect's development environment? For example, if you have a PE exectuable, and you have several suspects, let's say that based on the MS-DOS stub program, you can say with reasonable certainty that the application was created using Borland's environment, instead of MSVC++. A couple of the suspects use Cygwin/MingC, a couple use MSVC++ or MS Visual Studio, and one uses Borland.

To me, this is similar to EXIF data stored in JPEGs created on digital cameras.

Has anyone used this technique (ie, the MS-DOS stub program thing)?

H. Carvey
"Windows Forensics and Incident Recovery"

Posted : 09/06/2005 5:28 pm