I am interested in extracting resources from other PE files. I could not find much material on the net (I googled, etc.), so I was wondering if anyone has some source code for me to view and understand.

Thank you.
Posted on 2002-09-15 07:11:05 by roticv
Posted on 2002-09-15 07:22:06 by bazik

You can use GoBug my Win32 symbolic debugger to extract resources from a PE file.

This is available from www.GoDevTool.com

I'm afraid only the 95/98/ME version is available for on-line download. However I do have an early NT/2000/XP evaluation version which I'm still working on.
Posted on 2002-09-15 10:11:57 by jorgon

Is there any way to read directly from the .rsrc section to read through all the resources? I think Ewayne did it in his hex editor, but I do not really understand his code.
Posted on 2002-09-16 03:01:57 by roticv
It depends exactly what you want to do. If you want to view the resources in the PE file, view the icons, cursors and bitmaps, read the text of written resources within their coded envelopes, and extract any resource in a running exe and its loaded DLLs, then you can do this with GoBug.

You can also view the .rsrc section in the context of the PE file without actually running the exe or dll file using Wayne Radburn's PEView.

There are also dump programs available which will dump the contents of a PE file including listing the resources. Try for example TDUMP which comes with TASM.
Posted on 2002-09-16 07:35:13 by jorgon

jorgon, you got my idea wrong. I want to get the source code of files that do not load the PE into the kernel just to read the resources, and not programs. I do know plenty of programs that do it, except that they do not come with source code. So now I am interested in knowing the resource part of PE. The rest I understood.

Thanks anyway
Posted on 2002-09-16 08:59:27 by roticv
If you want to look at source code of resource files (.rc files) then there are hundreds of examples available in the Windows SDK (Software Development Kit).
You can download this from Microsoft (click on download the Platform SDK and make sure you ask for the "samples"). It takes a long time - make sure you are not paying by the minute for your internet connection.
Posted on 2002-09-16 12:33:18 by jorgon
What roticv means is that he wants to extract something from the resource directory of PE files, i.e. icons, bitmaps, dialogs etc. I have found this.
Posted on 2002-09-16 17:35:39 by LaptoniC

No I don't think that's what roticv wants to do.

You can extract icons, cursors, bitmaps etc. with GoBug but that's no use to him.

I believe he is learning about resources and wants to look at some RC files.

Maybe roticv could let us know how he is getting on.

Posted on 2002-09-17 02:14:35 by jorgon

Thanks, LaptoniC for your source code. I think you got my meaning correct. Sorry for my confusing posts though.
Posted on 2002-09-17 07:02:08 by roticv

I wrote some routines to explain how to dump useful resources from
a PE file.

To dump icons:


and bitmaps:


Necessarily, you have to know the PE header structure, especially
the .rsrc section. You also need info about the structure of each resource,
because the compiler splits the icons and cursors in two parts: the raw data
(hardware dependent: ICON) and data structure (hardware independent:
GROUP_ICON). For bitmaps, it deletes a part of the header.

For dialogs and menus, you need to parse the data. In this .zip I include
info about the resource format. I used it to write some PEs by hand :) with
NASM, without a linker: great exercise!




Your work is extraordinary. Go ahead. I'm waiting for the win2k GoBug version.


[ nmt ]
Posted on 2002-09-17 21:45:40 by n u M I T_o r
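
The direct read of the .rsrc section asked about in this thread, as an added example that is not part of any post or of the sources linked above: a Python walk of the type/name/language directory tree over the raw section bytes, with bounds checks because a PE file read from disk is untrusted input. It assumes the caller has already located the section's bytes and RVA from the section table; the sample section, the RVA 0x3000 and the name "LOGO" are constructed for the example.

```python
import struct

def _entry_name(rsrc, raw):
    """Return the integer ID, or the UTF-16 name when the high bit is set."""
    if not raw & 0x80000000:
        return raw
    off = raw & 0x7FFFFFFF                       # offset from start of .rsrc
    (n,) = struct.unpack_from("<H", rsrc, off)   # length in characters
    if off + 2 + 2 * n > len(rsrc):
        raise ValueError("name string outside .rsrc")
    return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")

def walk_rsrc(rsrc, rsrc_rva, off=0, path=(), seen=None):
    """Yield (path, data) per leaf; path is normally (type, name, language).
    A truncated table raises struct.error from unpack_from."""
    seen = set() if seen is None else seen
    if off in seen or len(path) >= 3:
        raise ValueError("directory revisited or tree deeper than 3 levels")
    seen.add(off)
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)  # entry counts
    for i in range(named + ids):
        raw_name, raw_off = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        here = path + (_entry_name(rsrc, raw_name),)
        if raw_off & 0x80000000:                 # high bit: subdirectory
            yield from walk_rsrc(rsrc, rsrc_rva, raw_off & 0x7FFFFFFF, here, seen)
        else:                                    # IMAGE_RESOURCE_DATA_ENTRY
            data_rva, size = struct.unpack_from("<II", rsrc, raw_off)
            start = data_rva - rsrc_rva          # RVA -> offset in section
            if start < 0 or start + size > len(rsrc):
                raise ValueError("resource data outside .rsrc")
            yield here, rsrc[start:start + size]

def _dir(named, ids, *entries):
    """Pack one 16-byte directory header followed by its 8-byte entries."""
    return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids) + b"".join(
        struct.pack("<II", n, o) for n, o in entries)

def sample_rsrc(rva=0x3000):
    """Constructed section: one BITMAP (type 2) named "LOGO", language 0x409."""
    dib = struct.pack("<I", 40) + bytes(36)      # BITMAPINFOHEADER, no "BM"
    blob = _dir(0, 1, (2, 0x80000018))           # root: type -> dir at 0x18
    blob += _dir(1, 0, (0x80000058, 0x80000030)) # name at 0x58 -> dir at 0x30
    blob += _dir(0, 1, (0x409, 0x48))            # language -> data entry
    blob += struct.pack("<IIII", rva + 0x64, len(dib), 0, 0)
    blob += struct.pack("<H", 4) + "LOGO".encode("utf-16-le") + bytes(2)
    return blob + dib                            # data lands at offset 0x64
```

The leaf returned for the sample starts with the 40-byte BITMAPINFOHEADER rather than "BM", which is the missing part of the bitmap header mentioned in the last post: a BITMAP resource is stored without the 14-byte BITMAPFILEHEADER that a .bmp file carries.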