Case studies in Rich Header analysis and hunting
http://ropgadget.com/posts/richheader_hunting.html [ropgadget.com]
2018-08-13 18:33
I highly recommend reading it but the TL;DR is that at some point Microsoft introduced a function into their linker which embeds a “signature” in the DOS Stub, right after the DOS executable, but before the NT Header. You’ve probably seen it a thousand times when looking at files and never realized it existed. Back in the early 2000’s, when the existence of the header was known for a while, everyone originally assumed it included unique data to identify systems or people, such as with a GUID, and it spawned numerous conspiracy theories - they even nick named it “the Devil’s Mark”. Eventually someone got around to actually reverse engineering (RE) the linker and figured out how the structure of information was being generated and what it actually reflected. Turns out the tin-foils were half-right. The blog post linked above in the Tweet shows what is actually in them and, while not truly unique to a system or person, it can still serve for some identifying purposes to a certain degree. My interest was peaked!
source: grugq