JIURL PE Format Learning Summary (4) - Resources in PE files

zhaozj2021-02-16  45

JIURL PE Format Learning Summary (4) - Resources in PE files
Author: JIURL  Home: http://jiurl.yeah.net/  Date: 2003-4-24

The resources a program uses, such as bitmaps, cursors, menus and dialogs, are all stored in the PE file. This article describes the structures that make up the resource data, uses an example to show how resources and their related structures are laid out in a PE file, and shows how to traverse all resources in a PE file. The goal is only to find the position and length of each resource in the file; the format of the resource data itself (the BMP format of a bitmap resource, for example) is not analyzed.

1. Finding the resource section in the file

Resources are placed in a section of the PE file, and the PointerToRawData field of that section's entry in the section table gives the position of the resource section in the file.

1.1 Get the position of the PE Header in the file. The member e_lfanew of the DOS HEADER structure gives the position of the PE Header in the file.

1.2 Get the number of sections. Once the position of the PE Header in the file is known, the positions of its members FileHeader and OptionalHeader are also known. The value of the member NumberOfSections in FileHeader is the number of sections in the file, that is, the number of elements in the section table array.

1.3 Get the position of the section table in the file. The section table starts at the position of the PE Header in the file plus the size of the PE Header structure. The size of the PE Header structure is the size of Signature plus the size of FileHeader plus the value of SizeOfOptionalHeader in FileHeader. In practice SizeOfOptionalHeader equals the size of the Optional Header and is fixed, so the size of the whole PE Header structure is also fixed; it is nonetheless safer to compute it as Signature plus FileHeader plus SizeOfOptionalHeader.

1.4 Get the position of the resource section in the file.
In step 1.2 we obtained the number of sections in the file, and in step 1.3 the position of the section table in the file. There are now two ways to determine the position of the resource section in the file.

The first method: using the number of sections, traverse the section table array, that is, every section entry from 0 to (number of sections - 1), and compare the Name field of each entry with ".rsrc". If they are equal, the section entry of the resource section has been found, and the value of PointerToRawData in that entry is the position of the resource section in the file.

The second method: take the third item of the DataDirectory array in the Optional Header of the PE Header, which is the resource item. Each element of the DataDirectory[] array is an IMAGE_DATA_DIRECTORY structure, defined as follows:

    typedef struct _IMAGE_DATA_DIRECTORY {
        DWORD VirtualAddress;
        DWORD Size;
    } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

Take the value of the member VirtualAddress of the third item of the DataDirectory array; this value is the RVA of the resource section in memory. Then, using the number of sections, traverse the section table array, that is, every section entry from 0 to (number of sections - 1). The RVA range that a section occupies in memory starts at the value of the entry's VirtualAddress field (inclusive) and ends at VirtualAddress + Misc.VirtualSize (exclusive). Walk the whole section table and check which section's RVA range contains the resource RVA obtained above; the section whose range contains it is the section table entry of the resource section.
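As an added example, not the article's own code, the following Python carries out steps 1.1 to 1.4 over a minimal PE32 header that the block constructs itself, and implements both methods of locating the resource section. Assumptions of the example: the data directories start at offset 96 of a PE32 Optional Header and at offset 112 of a PE32+ one, and the constructed section values (.rsrc at RVA 32000h, file offset 13600h, chosen to match the telnet.exe example used later) are test data, not bytes from a real binary.

```python
import struct

# Constants of the PE layout described above.
E_LFANEW_OFFSET = 0x3C          # IMAGE_DOS_HEADER.e_lfanew
SIGNATURE_SIZE = 4              # "PE\0\0"
FILE_HEADER_SIZE = 20           # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40        # sizeof(IMAGE_SECTION_HEADER)
RESOURCE_DIRECTORY_INDEX = 2    # the third item of DataDirectory[] is the resource item


def build_sample_pe():
    """Construct a minimal PE32 header with a .text and a .rsrc section (test data, not a real binary)."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_offset)
    size_of_optional = 224      # IMAGE_OPTIONAL_HEADER32 with all 16 data directories
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", optional, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 96 + RESOURCE_DIRECTORY_INDEX * 8, 0x32000, 0x4E70)

    def section(name, vsize, va, raw_size, raw_ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)

    sections = section(b".text", 0x1000, 0x1000, 0x1000, 0x400) + \
               section(b".rsrc", 0x4E70, 0x32000, 0x5000, 0x13600)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + sections


def _headers(data):
    """Steps 1.1-1.3: return (optional_header_offset, section_table_offset, number_of_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_offset = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]            # step 1.1
    if data[pe_offset:pe_offset + SIGNATURE_SIZE] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = pe_offset + SIGNATURE_SIZE
    number_of_sections = struct.unpack_from("<H", data, file_header + 2)[0]    # step 1.2
    size_of_optional = struct.unpack_from("<H", data, file_header + 16)[0]
    optional = file_header + FILE_HEADER_SIZE
    section_table = optional + size_of_optional                               # step 1.3
    if section_table + number_of_sections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past the end of the file")
    return optional, section_table, number_of_sections


def section_headers(data):
    """Yield (name, VirtualSize, VirtualAddress, PointerToRawData) for every section table entry."""
    _, table, count = _headers(data)
    for i in range(count):
        name, vsize, va, _raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        yield name.rstrip(b"\0"), vsize, va, raw_ptr


def rsrc_by_name(data):
    """Method 1: PointerToRawData of the section literally named '.rsrc', or None."""
    for name, _vsize, _va, raw_ptr in section_headers(data):
        if name == b".rsrc":
            return raw_ptr
    return None


def rsrc_by_data_directory(data):
    """Method 2: (resource RVA, file offset, section name) via DataDirectory[2]; None if no resources."""
    optional, _table, _count = _headers(data)
    magic = struct.unpack_from("<H", data, optional)[0]
    dd_base = optional + (96 if magic == 0x10B else 112)    # assumption: PE32 (0x10B) or PE32+ (0x20B)
    number_of_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    if number_of_dirs <= RESOURCE_DIRECTORY_INDEX:
        return None
    rsrc_rva = struct.unpack_from("<I", data, dd_base + RESOURCE_DIRECTORY_INDEX * 8)[0]
    if rsrc_rva == 0:                                         # a PE with no resources has 0 here
        return None
    for name, vsize, va, raw_ptr in section_headers(data):
        if va <= rsrc_rva < va + vsize:                       # [VirtualAddress, VirtualAddress + VirtualSize)
            return rsrc_rva, rsrc_rva - va + raw_ptr, name.decode()
    raise ValueError("resource RVA lies outside every section")


if __name__ == "__main__":
    pe = build_sample_pe()
    print("method 1:", hex(rsrc_by_name(pe)))
    print("method 2:", rsrc_by_data_directory(pe))
```

The second method is the one to rely on. A section name is free-form text, so a binary whose resource section is not called ".rsrc" (packers routinely rename sections) still resolves correctly through DataDirectory[2], while the name comparison simply finds nothing; a parser that only implements method 1 will report "no resources" for such files.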

The value of PointerToRawData in that section entry is the position of the resource section in the file. If the PE file has no resources, the third item of the DataDirectory array is 0. This is how the position at which the resources start in the file is obtained.

2. Resources in the PE file

We now have the position of the resource section in the file. The very beginning of the resource section is an IMAGE_RESOURCE_DIRECTORY structure, defined in Winnt.h as follows:

    typedef struct _IMAGE_RESOURCE_DIRECTORY {
        DWORD Characteristics;
        DWORD TimeDateStamp;
        WORD  MajorVersion;
        WORD  MinorVersion;
        WORD  NumberOfNamedEntries;
        WORD  NumberOfIdEntries;
        // IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
    } IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;

This structure is 16 bytes long and has six fields:
Characteristics: resource flags, reserved for future use, currently 0.
TimeDateStamp: the time at which the resource compiler generated the resources.
MajorVersion, MinorVersion: version numbers.
NumberOfNamedEntries: the number of IMAGE_RESOURCE_DIRECTORY_ENTRY elements, in the array that immediately follows this structure, that are identified by a string.
NumberOfIdEntries: the number of IMAGE_RESOURCE_DIRECTORY_ENTRY elements, in the array that immediately follows this structure, that are identified by an integer ID.

An IMAGE_RESOURCE_DIRECTORY is immediately followed by an array of IMAGE_RESOURCE_DIRECTORY_ENTRY structures. IMAGE_RESOURCE_DIRECTORY_ENTRY is defined as follows:

    typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
        union {
            struct {
                DWORD NameOffset:31;
                DWORD NameIsString:1;
            };
            DWORD Name;
            WORD  Id;
        };
        union {
            DWORD OffsetToData;
            struct {
                DWORD OffsetToDirectory:31;
                DWORD DataIsDirectory:1;
            };
        };
    } IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;

This structure is 8 bytes long and has two fields of 4 bytes each. The meaning of the two fields depends on the situation.
If the definition of this structure is not clear, the following explanation makes it clear at once. First field: when the highest bit of the first field is 1, the remaining 31 bits of the DWORD are an offset, relative to the start of the resource section, of an IMAGE_RESOURCE_DIR_STRING_U structure whose string identifies this IMAGE_RESOURCE_DIRECTORY_ENTRY. When the highest bit of the first field is 0, the value in the DWORD is an ID that identifies this IMAGE_RESOURCE_DIRECTORY_ENTRY. Second field: when the highest bit of the second field is 1, there is another layer of structures below this one.

The remaining 31 bits of the DWORD are then an offset, relative to the start of the resource section, of the next layer's IMAGE_RESOURCE_DIRECTORY structure (see the description of the example below). When the highest bit of the second field is 0, there is no further layer: the remaining 31 bits of the DWORD are an offset, relative to the start of the resource section, of an IMAGE_RESOURCE_DATA_ENTRY structure, which gives the location of the resource. An IMAGE_RESOURCE_DIRECTORY_ENTRY is usually identified by an ID, which is an integer, but a few are identified by an IMAGE_RESOURCE_DIR_STRING_U. IMAGE_RESOURCE_DIR_STRING_U is defined as follows:

    typedef struct _IMAGE_RESOURCE_DIR_STRING_U {
        WORD  Length;
        WCHAR NameString[1];
    } IMAGE_RESOURCE_DIR_STRING_U, *PIMAGE_RESOURCE_DIR_STRING_U;

The structure holds a Unicode string and is WORD aligned. Its length is variable: the first field, Length, gives the length of the Unicode string that follows it. After (generally) three layers of IMAGE_RESOURCE_DIRECTORY_ENTRY (there may be fewer), the first layer being the resource type (bitmap, menu, and so on), the second the resource name and the third the resource language, the position and size of one specific (type, name, language) resource is reached, and the resource is really found. IMAGE_RESOURCE_DATA_ENTRY is defined as follows:

    typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
        DWORD OffsetToData;
        DWORD Size;
        DWORD CodePage;
        DWORD Reserved;
    } IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;

This structure is 16 bytes long and has four fields.
OffsetToData: the RVA of the resource in memory.
To convert it into a position in the file, subtract from this value the starting RVA of the resource section; the starting RVA of the resource section is the VirtualAddress of the third item of the DataDirectory array in the Optional Header, or equivalently the VirtualAddress of the resource section's entry in the section table. The result is the offset of the resource relative to the start of the resource section. Adding the starting position of the resource section in the file, which is the PointerToRawData of the resource section's entry in the section table, gives the position of the resource in the file.
Size: the size of the resource in bytes.
CodePage: generally the Unicode code page.
Reserved: reserved, value 0.

The above describes the structures used for resources. Knowing the structures alone is not enough, so we now walk through finding resources with these structures in one example. The example is the executable telnet.exe from Win2K; to avoid version differences, this PE file is included with the article.

The resource structures of a PE file are arranged as a tree. The tree typically has three layers, as shown in Figure 4.1, which is the case for telnet.exe. In Figure 4.1 the long rectangles represent IMAGE_RESOURCE_DIRECTORY structures, 16 bytes long, called Directory for short; the short rectangles represent IMAGE_RESOURCE_DIRECTORY_ENTRY structures, 8 bytes long, called Directory_Entry for short; the circles represent IMAGE_RESOURCE_DATA_ENTRY structures, 16 bytes long, called Data_Entry for short. To make the description that follows easier, each node of the tree is numbered: the node of the first layer is 11, the nodes of the second layer are 21, 22, 23, 24, and the nodes of the third layer are 31, 32, 33, 34, 35, 36, 37, 38, 39, 310, 311, 312. At the very beginning of the resource section is a Directory structure, which gives the number of elements in the Directory_Entry array that immediately follows it. The Directory structure and the Directory_Entry array after it together form node 11, as shown in Figure 4.1. All the other nodes, 21, 22, ..., 31, 32, ..., 312, have the same form: each Directory structure is followed by an array of Directory_Entry structures. Each Directory_Entry in node 11 holds the offset of a node in the next layer, so 21, 22, 23, 24 can each be reached through one element of the Directory_Entry array of 11; the same holds for the other nodes. What the figure does not show is that all nodes are stored tightly together: 21 immediately follows 11, 22 immediately follows 21, 23 immediately follows 22, and so on. Besides the offset of the next layer (either the next layer's node or, once the bottom of the tree is reached, a Data_Entry), a Directory_Entry also has a Name or ID field (whether it is a Name or an ID is described in detail above), and the meaning of this value depends on the layer.
In the first layer this value of each Directory_Entry represents the type. For example, the first Directory_Entry of 11 has the value 3, and 3 represents icon, so everything reached from this Directory_Entry is an icon (the definitions of the different types are given in detail later). In the second layer this value represents the Name, and in the third layer it represents the Language. The three values on the path 11, 21, 31 to the Data_Entry are 3, 1 and 409 (all hexadecimal): type icon, name 1h, language 409h. Now let us look at the actual content of the resource section of telnet.exe. Using the method for finding the resource section in the file described above, the resource section is found at position 00013600h in the file.

For clarity, each line below is one structure, with the members of the structure separated by "/". For example, in the Directory structure 00 00 00 00/00 00 00 00/04 00/00 00/00 00/04 00 the members are: Characteristics 0, TimeDateStamp 0, MajorVersion 4 (if it is unclear why this is 0004 and not 0400, see the introduction to big-endian and little-endian in "JIURL PE Format Learning Summary (1)"), MinorVersion 0, NumberOfNamedEntries 0, NumberOfIdEntries 4. In the Directory_Entry structure 03 00 00 00/30 00 00 80 the members are: the highest byte of the first field is 00h, binary 00000000, so the highest bit is 0 and the value in the low two bytes is an ID; the ID is 3. The highest byte of the second field is 80h (if it is unclear why the highest byte is 80h rather than 30h, see the introduction to big-endian and little-endian in "JIURL PE Format Learning Summary (1)"), binary 10000000, so the highest bit is 1: there is a further layer, the leaf has not yet been reached, and the remaining bits of the second field are the offset of the next layer, OffsetToDirectory, with value 30h. In the Data_Entry structure E0 23 03 00/30 01 00 00/E4 04 00 00/00 00 00 00 the members are: OffsetToData 323E0h (this is an RVA in memory; to convert it into a position in the file, subtract the starting RVA of the resource section, which is the VirtualAddress of the third item of the DataDirectory array in the Optional Header, or equivalently the VirtualAddress of the resource section's entry in the section table, to get the offset relative to the start of the resource section, then add the PointerToRawData of the resource section's entry in the section table, the position of the resource section in the file, to get the position of the resource in the file), Size 130h, CodePage 4E4h, Reserved 0.

Below is the content of telnet.exe; open telnet.exe in a hex editor to check it.

00013600h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/04 00 (Directory structure, 16 bytes long; the Directory of node 11 in Figure 4.1. NumberOfNamedEntries is 0 and NumberOfIdEntries is 4, so four Directory_Entry structures follow.)
00013610h: 03 00 00 00/30 00 00 80 (Directory_Entry structure, 8 bytes long; the first element of the Directory_Entry array of node 11 in Figure 4.1. The highest bit of the first field is 0, so the first field is an ID, and since this is the first layer the ID is a type: type 3. The highest bit of the second field is 1, so there is a next layer; the low 31 bits of the second field are the offset of node 21 in Figure 4.1: 30h + 00013600h = 00013630h.)

00013618h: 06 00 00 00/50 00 00 80
00013620h: 0E 00 00 00/A0 00 00 80
00013628h: 10 00 00 00/B8 00 00 80
00013630h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 21)
00013640h: 01 00 00 00/D0 00 00 80 (D0h + 00013600h = 000136D0h)
00013648h: 02 00 00 00/F0 00 00 80
00013650h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/08 00 (Directory 22)
00013660h: 08 00 00 00/10 01 00 80
00013668h: 09 00 00 00/30 01 00 80
00013670h: 0C 00 00 00/50 01 00 80
00013678h: 0D 00 00 00/70 01 00 80
00013680h: 10 00 00 00/90 01 00 80
00013688h: 11 00 00 00/B0 01 00 80
00013690h: 12 00 00 00/D0 01 00 80
00013698h: 39 00 00 00/F0 01 00 80
000136A0h: 00 00 00 00/00 00 00 00/04 00/00 00/01 00/00 00 (Directory structure, 16 bytes long; Directory 23 in Figure 4.1. 1 NamedEntry, 0 IdEntries.)
000136B0h: D0 03 00 80/10 02 00 80 (The Directory structure has already shown that this is a NamedEntry. The highest bit of the first field is 1, so the value in the first field is an offset pointing to an IMAGE_RESOURCE_DIR_STRING_U structure: 3D0h + 00013600h = 000139D0h.)
000136B8h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/01 00 (Directory 24)
000136C8h: 01 00 00 00/30 02 00 80
000136D0h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 31)
000136E0h: 09 04 00 00/50 02 00 00 (Directory_Entry structure, 8 bytes long. The highest bit of the first field is 0, so the first field is an ID, and since this is the third layer the ID is a language: Language ID 409h. The highest bit of the second field is 0, so this is already a leaf; the low 31 bits of the second field are the offset of a Data_Entry structure: 250h + 00013600h = 00013850h.)

000136E8h: 04 08 00 00/60 02 00 00
000136F0h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 32)
00013700h: 09 04 00 00/70 02 00 00
00013708h: 04 08 00 00/80 02 00 00
00013710h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 33)
00013720h: 09 04 00 00/90 02 00 00
00013728h: 04 08 00 00/A0 02 00 00
00013730h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 34)
00013740h: 09 04 00 00/B0 02 00 00
00013748h: 04 08 00 00/C0 02 00 00
00013750h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 35)
00013760h: 09 04 00 00/D0 02 00 00
00013768h: 04 08 00 00/E0 02 00 00
00013770h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 36)
00013780h: 09 04 00 00/F0 02 00 00 (this entry and the next are not legible in this copy; reconstructed from the tight packing of the nodes and the Data_Entry positions below)
00013788h: 04 08 00 00/00 03 00 00
00013790h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 37)
000137A0h: 09 04 00 00/10 03 00 00
000137A8h: 04 08 00 00/20 03 00 00
000137B0h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 38)
000137C0h: 09 04 00 00/30 03 00 00
000137C8h: 04 08 00 00/40 03 00 00
000137D0h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 39)
000137E0h: 09 04 00 00/50 03 00 00
000137E8h: 04 08 00 00/60 03 00 00
000137F0h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 310)
00013800h: 09 04 00 00/70 03 00 00
00013808h: 04 08 00 00/80 03 00 00
00013810h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 311)

00013820h: 09 04 00 00/90 03 00 00
00013828h: 04 08 00 00/A0 03 00 00
00013830h: 00 00 00 00/00 00 00 00/04 00/00 00/00 00/02 00 (Directory 312)
00013840h: 09 04 00 00/B0 03 00 00
00013848h: 04 08 00 00/C0 03 00 00
00013850h: E0 23 03 00/30 01 00 00/E4 04 00 00/00 00 00 00 (Data_Entry structure, 16 bytes long, holding the RVA and size of a resource. The RVA at which the resource section starts is 32000h. The offset of the resource relative to the start of the resource section is 323E0h - 32000h = 3E0h. Adding the file offset at which the resource section starts, 13600h, gives the position of this resource in the file: 3E0h + 13600h = 139E0h.)

00013860h: 10 25 03 00/30 01 00 00/E4 04 00 00/00 00 00 00
00013870h: 40 26 03 00/E8 02 00 00/E4 04 00 00/00 00 00 00
00013880h: 28 29 03 00/E8 02 00 00/E4 04 00 00/00 00 00 00
00013890h: 10 2C 03 00/70 00 00 00/E4 04 00 00/00 00 00 00
000138A0h: 80 2C 03 00/70 00 00 00/E4 04 00 00/00 00 00 00
000138B0h: F0 2C 03 00/56 03 00 00/E4 04 00 00/00 00 00 00
000138C0h: 48 30 03 00/C0 01 00 00/E4 04 00 00/00 00 00 00
000138D0h: (not legible in this copy)
000138E0h: B0 33 03 00/F4 00 00 00/E4 04 00 00/00 00 00 00
000138F0h: A4 34 03 00/B6 00 00 00/E4 04 00 00/00 00 00 00
00013900h: 5C 35 03 00/94 00 00 00/E4 04 00 00/00 00 00 00
00013910h: (not legible in this copy)
00013920h: (not legible in this copy)
00013930h: 0C 3D 03 00/32 02 00 00/E4 04 00 00/00 00 00 00
00013940h: (not legible in this copy)
00013950h: (not legible in this copy)
00013960h: CC 45 03 00/C0 03 00 00/E4 04 00 00/00 00 00 00
00013970h: 8C 49 03 00/B6 00 00 00/E4 04 00 00/00 00 00 00
00013980h: 44 4A 03 00/84 00 00 00/E4 04 00 00/00 00 00 00
00013990h: C8 4A 03 00/22 00 00 00/E4 04 00 00/00 00 00 00
000139A0h: EC 4A 03 00/22 00 00 00/E4 04 00 00/00 00 00 00
000139B0h: 10 4B 03 00/60 03 00 00/E4 04 00 00/00 00 00 00
000139C0h: 70 4E 03 00/60 03 00 00/(remaining fields not legible in this copy)
000139D0h: 06 00/54 00 45 00 4C 00 4E 00 45 00 54 00 00 00 (IMAGE_RESOURCE_DIR_STRING_U structure, variable length. The first field is 2 bytes long and has the value 6.

This means the Unicode string that follows is 6 characters long. The second field is the Unicode string, not counting the terminating null; its length is 6 and its content is "TELNET\0".)
000139E0h: 28 00 00 00 ... (the first resource begins here; the remaining bytes are not legible in this copy)

It should be added that each Directory is followed by a Directory_Entry array, and each element of the Directory_Entry array has two fields whose highest bit determines what the field means. In particular, for the second field, OffsetToData, a highest bit of 1 means there is a next layer and the field points to another Directory, while a highest bit of 0 means it points to a Data_Entry. The first field of a Directory_Entry is usually an ID, held in the low WORD, that identifies this Directory_Entry; in a few cases (000136A0h in this example) the first field holds the offset of a Unicode string, and that string identifies the Directory_Entry. If neither of the last two fields of a Directory is 0, the Directory_Entry array after it contains both NamedEntries and IdEntries, and in that case the NamedEntries come first in the array, followed by the IdEntries.

Generally there are three layers. The ID of each element of the Directory_Entry array in the first layer represents a type; the values of the different types are defined in Wingdi.h as follows:

    #define RT_CURSOR         MAKEINTRESOURCE(1)
    #define RT_BITMAP         MAKEINTRESOURCE(2)
    #define RT_ICON           MAKEINTRESOURCE(3)
    #define RT_MENU           MAKEINTRESOURCE(4)
    #define RT_DIALOG         MAKEINTRESOURCE(5)
    #define RT_STRING         MAKEINTRESOURCE(6)
    #define RT_FONTDIR        MAKEINTRESOURCE(7)
    #define RT_FONT           MAKEINTRESOURCE(8)
    #define RT_ACCELERATOR    MAKEINTRESOURCE(9)
    #define RT_RCDATA         MAKEINTRESOURCE(10)
    #define RT_MESSAGETABLE   MAKEINTRESOURCE(11)
    #define DIFFERENCE        11
    #define RT_GROUP_CURSOR   MAKEINTRESOURCE((DWORD)RT_CURSOR + DIFFERENCE)
    #define RT_GROUP_ICON     MAKEINTRESOURCE((DWORD)RT_ICON + DIFFERENCE)
    #define RT_VERSION        MAKEINTRESOURCE(16)
    #define RT_DLGINCLUDE     MAKEINTRESOURCE(17)
    #if(WINVER >= 0x0400)
    #define RT_PLUGPLAY       MAKEINTRESOURCE(19)
    #define RT_VXD            MAKEINTRESOURCE(20)
    #define RT_ANICURSOR      MAKEINTRESOURCE(21)
    #define RT_ANIICON        MAKEINTRESOURCE(22)
    #endif /* WINVER >= 0x0400 */
    #define RT_HTML           MAKEINTRESOURCE(23)

There may be fewer than three layers, for example only type and name with no language layer. Let us look at a few Data_Entry structures:

00013860h: 10 25 03 00/30 01 00 00/E4 04 00 00/00 00 00 00
00013870h: 40 26 03 00/E8 02 00 00/E4 04 00 00/00 00 00 00
00013880h: 28 29 03 00/E8 02 00 00/E4 04 00 00/00 00 00 00

From the Data_Entry at 00013860h we can calculate that its resource is at file position 13B10h (32510h - 32000h + 13600h) with length 130h, so the resource ends at file position 13C40h. For the next Data_Entry (00013870h), the resource is at file position 13C40h (32640h - 32000h + 13600h) with length 2E8h. The two resources are thus stored head to tail: one resource directly follows the other with no gap between them. Applying the same calculation to the other resources leads to the same conclusion.
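Putting the structures of section 2 and the RT_* type table together, the following is an added Python example, not the article's own code, that builds a small three-layer resource section of its own and walks it the way described above: the high bit of the first field selects ID versus IMAGE_RESOURCE_DIR_STRING_U, the high bit of the second field selects a next-layer Directory versus a Data_Entry, and OffsetToData is converted to a file position as OffsetToData - resource RVA + PointerToRawData. The section layout, the payload bytes, the resource RVA 32000h and the file offset 13600h are constructed test data; a real resource section read from a file can be passed to walk_resources in their place. Going one step beyond the article, the walker bounds-checks every offset it reads and caps the depth, so a corrupt resource section (an offset past the end, or an entry pointing back at an ancestor) raises an error instead of crashing the parser or looping forever.

```python
import struct

HIGH_BIT = 0x80000000            # NameIsString / DataIsDirectory flag
LOW31 = 0x7FFFFFFF               # NameOffset / OffsetToDirectory mask

# Type IDs from the RT_* list above (group types are RT_CURSOR/RT_ICON + DIFFERENCE 11).
RT_NAMES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU", 5: "RT_DIALOG",
            6: "RT_STRING", 7: "RT_FONTDIR", 8: "RT_FONT", 9: "RT_ACCELERATOR", 10: "RT_RCDATA",
            11: "RT_MESSAGETABLE", 12: "RT_GROUP_CURSOR", 14: "RT_GROUP_ICON", 16: "RT_VERSION",
            17: "RT_DLGINCLUDE", 19: "RT_PLUGPLAY", 20: "RT_VXD", 21: "RT_ANICURSOR",
            22: "RT_ANIICON", 23: "RT_HTML"}


def _directory(named, ids):
    # Characteristics, TimeDateStamp, MajorVersion, MinorVersion, NumberOfNamedEntries, NumberOfIdEntries
    return struct.pack("<IIHHHH", 0, 0, 4, 0, named, ids)


def _entry(name_or_id, target, is_dir):
    return struct.pack("<II", name_or_id, target | (HIGH_BIT if is_dir else 0))


def build_sample_rsrc(rsrc_rva):
    """Construct a resource section (test data) holding an RT_ICON named "TELNET" and an RT_RCDATA
    with ID 1, both in language 409h.  Offsets are relative to the section start, as in the real format."""
    sec = bytearray()
    sec += _directory(0, 2)                                        # 0x00 root: resource types
    sec += _entry(3, 0x20, True) + _entry(10, 0x38, True)          # 0x10, 0x18
    sec += _directory(1, 0)                                        # 0x20 type 3: one named entry
    sec += _entry(HIGH_BIT | 0xA0, 0x50, True)                     # 0x30 name string at 0xA0 -> dir 0x50
    sec += _directory(0, 1)                                        # 0x38 type 10: one ID entry
    sec += _entry(1, 0x68, True)                                   # 0x48 name 1 -> dir 0x68
    sec += _directory(0, 1)                                        # 0x50 languages of the TELNET icon
    sec += _entry(0x409, 0x80, False)                              # 0x60 leaf -> data entry 0x80
    sec += _directory(0, 1)                                        # 0x68 languages of rcdata 1
    sec += _entry(0x409, 0x90, False)                              # 0x78 leaf -> data entry 0x90
    # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
    sec += struct.pack("<IIII", rsrc_rva + 0xC0, 0x10, 0x4E4, 0)   # 0x80
    sec += struct.pack("<IIII", rsrc_rva + 0xD0, 0x08, 0x4E4, 0)   # 0x90
    sec += struct.pack("<H", 6) + "TELNET".encode("utf-16-le") + b"\0\0"   # 0xA0 DIR_STRING_U (+pad)
    sec += bytes(0xC0 - len(sec))                                  # pad up to 0xC0
    sec += bytes(range(16))                                        # 0xC0 icon payload (constructed)
    sec += b"RCDATA!!"                                             # 0xD0 rcdata payload (constructed)
    return bytes(sec)


def walk_resources(sec, rsrc_rva, rsrc_raw, max_depth=3):
    """Return [(path, file_offset, size, payload)] for every leaf of the resource tree in `sec`.
    Raises ValueError on any offset outside the section or on a tree deeper than max_depth layers."""
    found = []

    def read_string(off):                       # IMAGE_RESOURCE_DIR_STRING_U
        if off + 2 > len(sec):
            raise ValueError("name string outside resource section")
        length = struct.unpack_from("<H", sec, off)[0]
        raw = sec[off + 2: off + 2 + 2 * length]
        if len(raw) != 2 * length:
            raise ValueError("name string truncated")
        return raw.decode("utf-16-le")

    def visit(dir_off, path):
        if len(path) > max_depth:
            raise ValueError("resource tree deeper than %d layers (corrupt or looping)" % max_depth)
        if dir_off + 16 > len(sec):
            raise ValueError("directory outside resource section")
        _, _, _, _, named, ids = struct.unpack_from("<IIHHHH", sec, dir_off)
        for i in range(named + ids):            # named entries come first, then ID entries
            eo = dir_off + 16 + i * 8
            if eo + 8 > len(sec):
                raise ValueError("directory entry outside resource section")
            name_field, data_field = struct.unpack_from("<II", sec, eo)
            if name_field & HIGH_BIT:
                label = read_string(name_field & LOW31)
            elif not path:                      # first layer: the ID is a resource type
                label = RT_NAMES.get(name_field, name_field)
            else:                               # second layer: name; third layer: language
                label = name_field
            if data_field & HIGH_BIT:           # DataIsDirectory: descend one layer
                visit(data_field & LOW31, path + [label])
                continue
            de = data_field & LOW31             # otherwise it is an IMAGE_RESOURCE_DATA_ENTRY
            if de + 16 > len(sec):
                raise ValueError("data entry outside resource section")
            offset_to_data, size, _codepage, _ = struct.unpack_from("<IIII", sec, de)
            rel = offset_to_data - rsrc_rva     # OffsetToData is an RVA; make it section-relative
            if rel < 0 or rel + size > len(sec):
                raise ValueError("resource data outside resource section")
            found.append((tuple(path + [label]), rsrc_raw + rel, size, sec[rel:rel + size]))

    visit(0, [])
    return found


if __name__ == "__main__":
    section = build_sample_rsrc(0x32000)
    for path, file_off, size, _payload in walk_resources(section, 0x32000, 0x13600):
        print(path, hex(file_off), hex(size))
```

The two leaves come out as ("RT_ICON", "TELNET", 1033) at file offset 136C0h and ("RT_RCDATA", 1, 1033) at 136D0h, mirroring the type / name / language layering of telnet.exe. The depth cap matters in practice: a Directory_Entry whose OffsetToDirectory points back at the root is a valid-looking 8 bytes, and a walker without the cap recurses until it runs out of stack.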

Please credit the original source when reprinting: https://www.9cbs.com/read-26153.html
