Research on PE resources

zhaozj  2021-02-08

Foreword: nothing much to say. All the material I found on this is in English, so I studied it, translated as I went, and wrote up my own notes.

Resources are stored as a tree, normally three levels deep; under NT the top level is the resource type, the second is the name (or ID), and the third is the language. Whether a PE file contains resources is usually determined by looking for a '.rsrc' section in the section table, but that test is unreliable: the section name is only a label, and a linker can merge the resource tree into a section with any name. The reliable check is the Resource entry of the optional header's DataDirectory (index 2, IMAGE_DIRECTORY_ENTRY_RESOURCE): a non-zero VirtualAddress and Size there point at the root directory wherever it lives.
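As an added example (not code from the original post), here is a Python check of both approaches on constructed, non-loadable PE headers: the section-name test passes on the first sample and misses the second, where the same resource tree sits in a section named '.data', while the DataDirectory lookup finds both. The header offsets are the standard PE32/PE32+ layouts; the builder, its section names and the RVA/size values are constructed for the demonstration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2      # index into the optional header's DataDirectory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_minimal_pe(section_name: bytes, rsrc_rva: int, rsrc_size: int) -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, PE32 optional header
    and one section header. Enough structure for the checks below, not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)       # exactly 0x40 bytes
    opt = bytearray(96 + 16 * 8)                                       # fixed part + 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, rsrc_rva, rsrc_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, one section
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"),
                          rsrc_size, rsrc_rva, rsrc_size, 0x400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + section


def parse_headers(data: bytes):
    """Return (offset of DataDirectory, NumberOfRvaAndSizes, [(name, rva, vsize, rawptr, rawsize)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd = opt + 96              # PE32: directories follow a 96-byte fixed part
    elif magic == PE32PLUS_MAGIC:
        dd = opt + 112             # PE32+: 112-byte fixed part
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes sits just before
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0"), rva, vsize, rawptr, rawsize))
    return dd, n_dirs, sections


def has_rsrc_section(data: bytes) -> bool:
    """The naive check from the text: is there a section literally named '.rsrc'?"""
    return any(name == b".rsrc" for name, *_ in parse_headers(data)[2])


def resource_directory(data: bytes):
    """The reliable check: DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
    Returns (rva, size, name of the section holding it) or None if there is no resource tree."""
    dd, n_dirs, sections = parse_headers(data)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_RESOURCE:
        return None
    rva, size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    if rva == 0 or size == 0:
        return None
    holder = next((name for name, va, vsize, *_ in sections if va <= rva < va + vsize), None)
    return rva, size, holder


if __name__ == "__main__":
    for sec in (b".rsrc", b".data"):
        pe = build_minimal_pe(sec, 0x3000, 0x200)
        print(sec, "section check:", has_rsrc_section(pe), "directory:", resource_directory(pe))
```

On a real file the same two functions can be applied to the bytes read from disk; the section holding the directory is reported so the RVA can be translated to a file offset through that section's PointerToRawData.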

The overall layout of the resource section is as follows:

    -------------------------
    |   Resource Directory  |
    -------------------------
    |     Resource Data     |
    -------------------------
    Table 1 (Resource File Layout)

The resource directory (IMAGE_RESOURCE_DIRECTORY) is laid out as follows:

    ---------------------------------
    |         Resource Flags        |
    ---------------------------------
    |        Time/Date Stamp        |
    ---------------------------------
    | Major Version | Minor Version |
    ---------------------------------
    | # Name Entries | # ID Entries |
    ---------------------------------
    |     Resource Dir Entries      |
    ---------------------------------
    Table 2 (Resource Directory)

Declared in Delphi:

    { Resources }
    PIMAGE_RESOURCE_DIRECTORY = ^IMAGE_RESOURCE_DIRECTORY;
    IMAGE_RESOURCE_DIRECTORY = packed record
      Characteristics: DWORD;        // Resource Flags
      TimeDateStamp: DWORD;
      MajorVersion: WORD;
      MinorVersion: WORD;
      NumberOfNamedEntries: WORD;
      NumberOfIdEntries: WORD;
    end;

Where:

Resource Flags (Characteristics) is normally 0.

Time/Date Stamp is the time at which the resource compiler created this resource; it may be 0.

Major/Minor Version are the version numbers of the resource data.

# Name Entries is the number of directory entries identified by a name; # ID Entries is the number identified by an integer ID. Immediately after this header comes the variable-length array of directory entries, NumberOfNamedEntries + NumberOfIdEntries of them in total: the named entries first, then the ID entries, each group sorted in ascending order.

Each entry in that variable-length array has the following layout:

     31                                 0
    ------------------------------------
    |       Name RVA / Integer ID       |
    ------------------------------------
    | E |  Data Entry RVA / Subdir RVA  |
    ------------------------------------
    Table 3 (Resource Directory Entry)

Declared in Delphi:

    PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^IMAGE_RESOURCE_DIRECTORY_ENTRY;
    IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
      Name: DWORD;           // or Id: WORD (a union in the C header)
      OffsetToData: DWORD;
    end;

Integer ID: an integer identifying the resource. In the root directory the ID is the resource type:

    1:  Cursor
    2:  Bitmap
    3:  Icon
    4:  Menu
    5:  Dialog
    6:  String Table
    7:  Font Directory
    8:  Font
    9:  Accelerators
    10: Unformatted Resource Data (RCDATA)
    11: Message Table
    12: Group Cursor
    14: Group Icon
    16: Version Information

Name RVA: when the high bit is set, the low 31 bits hold the offset of a Unicode name string (see Table 4). Despite the word "RVA", this offset, like the subdirectory and data-entry offsets below, is relative to the start of the resource section (the root directory), not to the image base; the only true RVA in the whole tree is OffsetToData inside the data entry (Table 5).

E: the flag bit (mask 80000000h). If E is 0, the low 31 bits (mask 7FFFFFFFh) are the offset of a Resource Data Entry, whose structure is shown in Table 5. If E is 1, they are the offset of another IMAGE_RESOURCE_DIRECTORY, i.e. a subdirectory. A parser should treat the three-level limit as a bound: a tree deeper than type/name/language, or an entry whose offset points back at an ancestor directory, is malformed and must not be followed.

The following Delphi helpers test and strip the high bit; the same bit marks a name string in the first DWORD and a subdirectory in the second:

    const
      IMAGE_RESOURCE_NAME_IS_STRING    = $80000000;
      IMAGE_RESOURCE_DATA_IS_DIRECTORY = $80000000;
      IMAGE_OFFSET_STRIP_HIGH          = $7FFFFFFF;

    { True if the high bit is set: the offset refers to a name string or a subdirectory }
    function HighBitSet(L: Longint): Boolean;
    begin
      Result := (L and IMAGE_RESOURCE_DATA_IS_DIRECTORY) <> 0;
    end;

    { Remove the E bit and return the remaining 31-bit offset }
    function StripHighBit(L: Longint): Longint;
    begin
      Result := L and IMAGE_OFFSET_STRIP_HIGH;
    end;

    { Same, returned as a pointer; the caller must still add the resource section base }
    function StripHighPtr(L: Longint): Pointer;
    begin
      Result := Pointer(L and IMAGE_OFFSET_STRIP_HIGH);
    end;

Each named directory entry points at a string in the following format:

    -----------------------------
    | Length | Unicode String   |
    -----------------------------
    | Length | Unicode String   |
    -----------------------------
    Table 4 (Resource Directory String Entry)

Declared in Delphi:

    PIMAGE_RESOURCE_DIR_STRING_U = ^IMAGE_RESOURCE_DIR_STRING_U;
    IMAGE_RESOURCE_DIR_STRING_U = packed record
      Length: WORD;
      NameString: array[0..0] of WCHAR;
    end;

Length is the length of the string in Unicode characters (WCHARs), not bytes; the string is not NUL-terminated. Unicode String is the string itself.

The resource data entry has the following structure:

    ---------------
    |  Data RVA   |
    ---------------
    |    Size     |
    ---------------
    |  CodePage   |
    ---------------
    |  Reserved   |
    ---------------
    Table 5 (Resource Data Entry)

Declared in Delphi:

    PIMAGE_RESOURCE_DATA_ENTRY = ^IMAGE_RESOURCE_DATA_ENTRY;
    IMAGE_RESOURCE_DATA_ENTRY = packed record
      OffsetToData: DWORD;
      Size: DWORD;
      CodePage: DWORD;
      Reserved: DWORD;
    end;

Data RVA (OffsetToData) is a 32-bit address of the resource data relative to the image base, a true RVA: to locate the data in the file it must be converted to a file offset through the section table, or rebased against the resource section's own RVA. Size is the size of the data in bytes. CodePage is the code page to use when decoding the data. Reserved must be 0.
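The directory, directory-entry, name-string and data-entry layouts described above, built and walked in Python, as an added example that is not part of the original post. serialize() lays out a resource section from a constructed nested dict (str keys become named entries, int keys ID entries), and walk() reads it back the way a loader would: directory and name offsets are section-relative, the data entry's OffsetToData is an RVA that has to be rebased against the section's own RVA (assumed here to be 0x3000, where a real file would take it from DataDirectory[2]), and the walk refuses trees deeper than type/name/language, which also stops an entry that points back at an ancestor. The type names are the ones from the table above; the sample tree and its payloads are constructed.

```python
import struct

HIGH_BIT = 0x80000000   # IMAGE_RESOURCE_NAME_IS_STRING == IMAGE_RESOURCE_DATA_IS_DIRECTORY
LOW31 = 0x7FFFFFFF      # IMAGE_OFFSET_STRIP_HIGH

# Root-level type IDs as listed in the text
RESOURCE_TYPES = {1: "Cursor", 2: "Bitmap", 3: "Icon", 4: "Menu", 5: "Dialog",
                  6: "String Table", 7: "Font Directory", 8: "Font", 9: "Accelerators",
                  10: "RCDATA", 11: "Message Table", 12: "Group Cursor",
                  14: "Group Icon", 16: "Version Information"}


def serialize(tree: dict, rsrc_rva: int) -> bytes:
    """Build a resource section from {key: subtree | bytes}. Directory and name
    offsets are section-relative; only the data entry's OffsetToData is an RVA."""
    blob = bytearray()

    def align4():
        blob.extend(b"\0" * (-len(blob) % 4))

    def emit_leaf(payload: bytes) -> int:
        data_off = len(blob)
        blob.extend(payload)
        align4()
        entry_off = len(blob)
        # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved
        blob.extend(struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0))
        return entry_off

    def emit_dir(node: dict) -> int:
        named = sorted(k for k in node if isinstance(k, str))   # named entries first,
        ids = sorted(k for k in node if isinstance(k, int))     # then IDs, each ascending
        dir_off = len(blob)
        # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, #named, #id
        blob.extend(struct.pack("<IIHHHH", 0, 0, 0, 0, len(named), len(ids)))
        entries_off = len(blob)
        blob.extend(b"\0" * (8 * (len(named) + len(ids))))     # entry array, patched below
        for i, key in enumerate(named + ids):
            if isinstance(key, str):
                name_off = len(blob)                            # IMAGE_RESOURCE_DIR_STRING_U
                blob.extend(struct.pack("<H", len(key)) + key.encode("utf-16-le"))
                align4()
                first = name_off | HIGH_BIT
            else:
                first = key
            child = node[key]
            second = (emit_dir(child) | HIGH_BIT) if isinstance(child, dict) else emit_leaf(child)
            struct.pack_into("<II", blob, entries_off + 8 * i, first, second)
        return dir_off

    emit_dir(tree)
    return bytes(blob)


def _read_name(blob: bytes, off: int) -> str:
    n = struct.unpack_from("<H", blob, off)[0]        # Length counts WCHARs, not bytes
    return blob[off + 2: off + 2 + 2 * n].decode("utf-16-le")


def walk(blob: bytes, rsrc_rva: int, dir_off: int = 0, depth: int = 0, path: tuple = ()):
    """Yield (path, data, codepage) per leaf. depth 0 = type, 1 = name, 2 = language."""
    if depth > 2:
        raise ValueError("resource tree deeper than 3 levels (malformed or cyclic)")
    if dir_off + 16 > len(blob):
        raise ValueError("directory header outside resource section")
    n_named, n_id = struct.unpack_from("<HH", blob, dir_off + 12)
    entries = dir_off + 16
    for i in range(n_named + n_id):
        first, second = struct.unpack_from("<II", blob, entries + 8 * i)
        if first & HIGH_BIT:                              # E set in DWORD 1: a name string
            key = _read_name(blob, first & LOW31)
        else:
            key = RESOURCE_TYPES.get(first, first) if depth == 0 else first
        if second & HIGH_BIT:                             # E set in DWORD 2: a subdirectory
            yield from walk(blob, rsrc_rva, second & LOW31, depth + 1, path + (key,))
        else:                                             # otherwise a data entry
            rva, size, codepage, reserved = struct.unpack_from("<IIII", blob, second)
            if reserved != 0:
                raise ValueError("Reserved field of data entry must be 0")
            start = rva - rsrc_rva                        # RVA -> section offset
            if start < 0 or start + size > len(blob):
                raise ValueError("resource data lies outside the resource section")
            yield path + (key,), bytes(blob[start:start + size]), codepage


def list_resources(blob: bytes, rsrc_rva: int) -> list:
    return list(walk(blob, rsrc_rva))


# Constructed sample: RCDATA with one named and one ID resource, plus a version resource
SAMPLE_TREE = {
    10: {"PAYLOAD": {0x409: b"hello"}, 101: {0x409: b"\x01\x02\x03"}},
    16: {1: {0x409: b"constructed version info"}},
}
RSRC_RVA = 0x3000   # assumed; a real file supplies this via DataDirectory[2].VirtualAddress

if __name__ == "__main__":
    for path, data, cp in list_resources(serialize(SAMPLE_TREE, RSRC_RVA), RSRC_RVA):
        print(path, len(data), "bytes, code page", cp)
```

Passing the wrong section RVA to list_resources() makes every data entry fall outside the section, which is exactly the failure one sees when OffsetToData is mistaken for a section-relative offset like the other fields.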

OK, that is roughly the analysis of this part; I am still studying the rest :)

Xi'an, 2001

When reposting, please credit the original URL: https://www.9cbs.com/read-2863.html
