Sometimes Windows and PE Version information don’t get along

As part of some research I’m doing into Amcache (more on that another time), I went about exploring Windows PE version information and how Windows sees it. This came about because I thought I found a bug in the Velocidex PE module when in fact, it’s more likely “Windows does funny things sometimes”.

What was the “bug”?

While checking out the version information of a PE on my Windows 11 machine I noticed that in some cases, the details Windows shows you and what is actually embedded in the file don’t match.

Here I had written a Velociraptor artifact that grabs details out of Amcache and then also parses the binary with the PE module (something that Velo excels at -> combining various artefacts together!). In the screenshot you can see the Properties of the binary versus the manual parsing.

For some reason, the file is a self-extracting cab file according to the PE version information, but not according to the Windows details. My theory is that in some cases, the API is doing some extra lifting – my guess is the details shown here represent the executable that gets extracted and installed.

So I wanted to do some digging.

What did you find?

Well, I don’t know how it works, or why it does it; but with the help of some Copilot prompts I made a couple of binaries and did some testing. The first one, hello.exe, just prints hello world and has no embedded metadata. Just a simple C program compiled with GCC. The second, hello2.exe, has a .rc file which embeds the metadata I gave it. Simple enough.

So here’s hello2, which should have embedded information, but for reasons I don’t yet understand the API fails to pull the information out to present it in the Details pane.

If I parse the file with pestudio, it’s definitely there (although, sidebar, pestudio didn’t work properly on that self-extracting cab from earlier). Interestingly Amcache mirrored what was in the file properties, so maybe it uses the same APIs?

Next I got Copilot to write me two other C programs – the first uses the Windows API to print the version information and the second manually extracts the data. Grain of salt here on how it’s working because I took a C class 20 years ago and also don’t exactly know what Windows is doing (it’s probably a combo of these), but Copilot seems to have done what I told it to with a bit of tweaking.
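To make the “manual extraction” half concrete, here is an added example (mine, not the author’s Copilot-generated C, and not Velociraptor or pestudio code) that does the same job in Python: it builds a VS_VERSIONINFO blob of the kind an .rc VERSIONINFO block (like the one behind hello2.exe) compiles into, then walks the block tree by hand the way a parser of the RT_VERSION resource would, without going through GetFileVersionInfo. The blob is constructed inline so the example runs offline; pulling a real one out of a PE’s .rsrc section is assumed to happen elsewhere, and the function names (build_version_info, parse_block, fixed_file_info, version_strings) are my own.

```python
import struct

# Added example: encode and hand-parse a VS_VERSIONINFO blob. The blob is constructed
# here to mimic rc.exe output; a real one is the RT_VERSION resource in a PE's .rsrc.
# Layout of every block: wLength, wValueLength, wType, szKey (UTF-16, null-terminated),
# padding to a DWORD boundary, Value, then DWORD-aligned child blocks.

FIXEDFILEINFO_SIGNATURE = 0xFEEF04BD


def _pad4(n):
    """Round n up to the next multiple of 4 (Value and child blocks are DWORD-aligned)."""
    return (n + 3) & ~3


def _block(key, wtype, value, value_len, children=()):
    """Encode one block; wValueLength is in WCHARs for text (wtype 1), bytes otherwise."""
    out = bytearray(struct.pack("<HHH", 0, value_len, wtype))
    out += (key + "\0").encode("utf-16-le")
    out += b"\0" * (_pad4(len(out)) - len(out))      # pad so Value is DWORD-aligned
    out += value
    for child in children:
        out += b"\0" * (_pad4(len(out)) - len(out))  # each child is DWORD-aligned
        out += child
    struct.pack_into("<H", out, 0, len(out))          # back-fill wLength
    return bytes(out)


def build_version_info(strings, file_version=(1, 0, 0, 0)):
    """Constructed VS_VERSIONINFO with one en-US/Unicode (040904B0) string table."""
    ms = (file_version[0] << 16) | file_version[1]
    ls = (file_version[2] << 16) | file_version[3]
    # VS_FIXEDFILEINFO: signature, struc version, file ver, product ver, flags mask,
    # flags, VOS_NT_WINDOWS32 (0x40004), VFT_APP (1), subtype, date MS/LS
    fixed = struct.pack("<13I", FIXEDFILEINFO_SIGNATURE, 0x00010000, ms, ls, ms, ls,
                        0x3F, 0, 0x40004, 1, 0, 0, 0)
    string_blocks = [_block(k, 1, (v + "\0").encode("utf-16-le"), len(v) + 1)
                     for k, v in strings.items()]
    table = _block("040904B0", 1, b"", 0, string_blocks)
    sfi = _block("StringFileInfo", 1, b"", 0, [table])
    var = _block("Translation", 0, struct.pack("<HH", 0x0409, 0x04B0), 4)
    vfi = _block("VarFileInfo", 1, b"", 0, [var])
    return _block("VS_VERSION_INFO", 0, fixed, len(fixed), [sfi, vfi])


def parse_block(buf, off=0):
    """Decode the block at off into (key, wtype, value_bytes, children); returns (node, end)."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    if wlen < 6 or off + wlen > len(buf):
        raise ValueError("bad block length at offset %d" % off)
    end = off + wlen
    p = q = off + 6
    while q + 1 < end and buf[q:q + 2] != b"\0\0":  # scan the UTF-16 key to its null
        q += 2
    key = buf[p:q].decode("utf-16-le")
    p = _pad4(q + 2)
    vbytes = vlen * 2 if wtype == 1 else vlen         # text values are counted in WCHARs
    value = buf[p:p + vbytes]
    p = _pad4(p + vbytes)
    children = []
    while p + 6 <= end:                                # whatever remains is child blocks
        child, p = parse_block(buf, p)
        children.append(child)
        p = _pad4(p)
    return (key, wtype, value, children), end


def fixed_file_info(buf):
    """Return (file_version, product_version) tuples, or None if the fixed block is absent/bad."""
    (key, _, value, _), _ = parse_block(buf)
    if key != "VS_VERSION_INFO" or len(value) < 52:
        return None
    f = struct.unpack_from("<13I", value)
    if f[0] != FIXEDFILEINFO_SIGNATURE:
        return None

    def ver(hi, lo):
        return (hi >> 16, hi & 0xFFFF, lo >> 16, lo & 0xFFFF)

    return ver(f[2], f[3]), ver(f[4], f[5])


def version_strings(buf):
    """Return {lang_codepage: {name: value}} for every StringTable under StringFileInfo."""
    (_, _, _, children), _ = parse_block(buf)
    tables = {}
    for key, _, _, kids in children:
        if key != "StringFileInfo":
            continue
        for lang, _, _, strings in kids:
            tables[lang] = {name: val.decode("utf-16-le").rstrip("\0")
                            for name, _, val, _ in strings}
    return tables


if __name__ == "__main__":
    blob = build_version_info({"FileDescription": "hello2", "CompanyName": "Example Co",
                               "FileVersion": "1.2.3.4"}, (1, 2, 3, 4))
    print(fixed_file_info(blob))
    print(version_strings(blob))
```

The useful habit for Amcache work is to run this kind of raw walk over the resource and diff the result against what the Properties dialog (or the artifact that copied it) reports; where the two disagree, the raw blob is what is actually in the file on disk. Note that rc.exe output has its own padding and wValueLength quirks, so a parser aimed at real binaries should tolerate slightly off lengths rather than reject the block.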

So what?

Basically, don’t assume the properties the Windows APIs return are complete, and be wary of what might get put into a forensic artifact that pulls data out of a PE header – i.e. Amcache. It may not always be complete, or correct (but that’s a story for another time).
