executable, reverse-engineering, portable-executable

What are these extra bytes?


I'm studying the PE (Portable Executable) format, but I saw a difference between C++ programs compiled with MinGW and MSVC:

[image]

There are some extra bytes after 'This program cannot be run in DOS mode' and before the 'PE' magic signature. Does anyone know what this is and why the word 'Rich' is there?


Solution

  • This is the "Rich header". It was added by Microsoft's link.exe (notice the text "Rich" at the end of the block). It's a structure in PE files between the DOS Header and the NT Header (between the DOS stub and the PE Header). It contains version information for linked libraries and the linker versions.

    Further reading:
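Separately from the answer above, an added example (not part of the original post) that decodes the block it describes. It assumes the commonly reverse-engineered layout, which Microsoft does not document: a `DanS` marker, three padding dwords, then (comp.id, count) pairs, all XORed with the dword that follows the clear-text `Rich`. The sample image, key and entries are constructed.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]  # plaintext start marker

def parse_rich_header(data: bytes):
    """Return (xor_key, [(product_id, build, count), ...]), or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    region = data[0x40:e_lfanew]          # DOS stub up to the PE signature
    end = region.rfind(b"Rich")           # only this marker is stored in clear
    if end < 0 or end + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, end + 4)[0]
    # Everything before "Rich" is XORed with the key, including "DanS".
    start = region.rfind(struct.pack("<I", DANS ^ key), 0, end)
    if start < 0 or end - start < 16 or (end - start) % 8 != 0:
        return None
    # Skip "DanS" + three padding dwords, then decode (comp_id, count) pairs.
    words = [w ^ key for (w,) in struct.iter_unpack("<I", region[start + 16:end])]
    # comp_id packs the product id (high 16 bits) and build number (low 16 bits).
    return key, [(c >> 16, c & 0xFFFF, n) for c, n in zip(words[0::2], words[1::2])]

def build_sample(with_rich: bool = True) -> bytes:
    """Constructed minimal MZ image; key and entries are made-up values."""
    key = 0x1A2B3C4D
    entries = [(0x0105, 30729, 3), (0x0104, 30729, 12), (0x0102, 33140, 1)]
    plain = [DANS, 0, 0, 0]
    for prod, build, count in entries:
        plain += [(prod << 16) | build, count]
    rich = b"".join(struct.pack("<I", w ^ key) for w in plain)
    rich += b"Rich" + struct.pack("<I", key)
    stub = b"This program cannot be run in DOS mode.\r\r\n$".ljust(0x40, b"\0")
    body = stub + (rich if with_rich else b"") + b"\0" * 8
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40 + len(body))
    return dos + body + b"PE\0\0"

if __name__ == "__main__":
    key, entries = parse_rich_header(build_sample())
    print(f"XOR key: {key:#010x}")
    for prod, build, count in entries:
        print(f"product id {prod:#06x}  build {build}  used {count}x")
```

A binary linked without link.exe, like the MinGW build in the question, has no such block and the parser returns `None`; the example does not validate the key, which real linkers derive as a checksum.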