Research on basic PE resources
Resources are generally stored in a tree, which usually contains three layers. In NT, the top layer is type, followed by name, and finally language. To determine whether a PE file contains resources, the system checks whether the section table contains ".rsrc", although this does not apply to some PE files.
1. The layout of a typical resource file is as follows:
--------------------------
| Resource Directory |
--------------------------
| Resource data |
--------------------------
(Resource file layout)
2. The resource directory structure is as follows:
--------------------------
| Resource flags |
--------------------------
| Time/date stamp |
--------------------------
| Major version | minor version |
--------------------------
| # Name entry | # ID Entry |
--------------------------
| Resource dir entries |
--------------------------
Resource table 2 (resource table entry)
[Figure: CFF Explorer view of the program]
We can see that the above resource table exists.
You can also check Resource Directory to determine whether a resource table exists.
[Figure: CFF Explorer view of the program]
The resource directory is usually declared in Delphi in the following form:
{Resources}
type
  PIMAGE_RESOURCE_DIRECTORY = ^IMAGE_RESOURCE_DIRECTORY;
  IMAGE_RESOURCE_DIRECTORY = packed record
    Characteristics: DWORD;        // resource flags
    TimeDateStamp: DWORD;          // time/date stamp
    MajorVersion: Word;
    MinorVersion: Word;
    NumberOfNamedEntries: Word;    // # name entry
    NumberOfIdEntries: Word;       // # ID entry
  end;
Where:
Resource flags
Usually set to 0
Time/date stamp
The time/date when the resource compiler creates the resource, which may be 0.
Major/minor version
Version Information
# Name entry
The number of resource entries that use a name; the directory contains an array of these named entries.
# ID Entry
The number of resource entries that use an ID number; each ID is a 32-bit integer.
The directory is followed by a variable-length array of directory entries. Whether names or IDs are used, the entries are sorted in ascending order.
The structure of each directory entry is as follows:
31 0
----------------------
| Name RVA/Integer ID |
----------------------
| E | data entry RVA/subdir RVA |
----------------------
(Resource directory entry)
Declaration in Delphi:
type
  PIMAGE_RESOURCE_DIRECTORY_ENTRY = ^IMAGE_RESOURCE_DIRECTORY_ENTRY;
  IMAGE_RESOURCE_DIRECTORY_ENTRY = packed record
    Name: DWORD;           // or ID: Word (union)
    OffsetToData: DWORD;   // data entry RVA or subdirectory RVA
  end;
Integer ID
Contains an integer ID that identifies a resource.
In the root directory, this ID has the following meanings:
Resource Type
1: cursor
2: bitmap
3: icon
4: Menu
5: Dialog
6: string table
7: font directory
8: font
9: Accelerators
10: unformatted resource data
11: Message table
12: group cursor
14: group icon
16: Version Information
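
The directory and entry layouts above can be walked with a short bounds-checked parser. This is an added example, not code from the original article. It assumes, per the PE format, that the high bit of each entry DWORD (the "E" bit in the diagram) marks a name string or subdirectory and that the remaining 31 bits are an offset from the start of the resource data. The SAMPLE and LOOP byte strings and the make_dir helper are constructed for illustration.

```python
import struct

# Root-level type IDs exactly as listed on this page.
RESOURCE_TYPES = {1: "cursor", 2: "bitmap", 3: "icon", 4: "menu", 5: "dialog",
                  6: "string table", 7: "font directory", 8: "font",
                  9: "accelerators", 10: "unformatted resource data",
                  11: "message table", 12: "group cursor", 14: "group icon",
                  16: "version information"}
HIGH_BIT = 0x80000000   # assumption from the PE format: set = name string / subdirectory
MAX_DEPTH = 3           # type -> name -> language

def walk(rsrc, offset=0, depth=0, path=()):
    """Return [(path, data_entry_offset)] for each leaf below the directory at offset."""
    if depth >= MAX_DEPTH:
        raise ValueError("nesting deeper than type/name/language (possible loop)")
    if offset + 16 > len(rsrc):
        raise ValueError("directory header lies outside the resource data")
    # Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
    # NumberOfNamedEntries, NumberOfIdEntries
    _, _, _, _, n_named, n_ids = struct.unpack_from("<IIHHHH", rsrc, offset)
    leaves = []
    for i in range(n_named + n_ids):
        pos = offset + 16 + 8 * i
        if pos + 8 > len(rsrc):
            raise ValueError("entry count runs past the resource data")
        name, target = struct.unpack_from("<II", rsrc, pos)
        if name & HIGH_BIT:                      # named entry: offset of the name string
            label = "name@0x%x" % (name & 0x7FFFFFFF)
        elif depth == 0:                         # root level: ID is the resource type
            label = RESOURCE_TYPES.get(name, "type %d" % name)
        else:                                    # name or language ID
            label = name
        if target & HIGH_BIT:                    # subdirectory below this entry
            leaves += walk(rsrc, target & 0x7FFFFFFF, depth + 1, path + (label,))
        else:                                    # leaf: offset of the data entry
            leaves.append((path + (label,), target))
    return leaves

def make_dir(*entries):
    """Constructed-sample helper: a directory holding only ID entries."""
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return head + b"".join(struct.pack("<II", n, t) for n, t in entries)

# Constructed sample: icon (3) -> ID 1 -> language 0x409 -> data entry at 0x48
SAMPLE = (make_dir((3, HIGH_BIT | 0x18)) + make_dir((1, HIGH_BIT | 0x30))
          + make_dir((0x409, 0x48)) + b"\0" * 16)
# Constructed malformed sample: the root entry points back at the root directory
LOOP = make_dir((3, HIGH_BIT | 0))
```

The depth limit and the two length checks are what keep a malformed tree (a self-referencing subdirectory, a truncated section, or an inflated entry count) from hanging or crashing an analysis tool.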