Task: add an enabled 'Open' menu item and a grayed-out 'Close' menu item in front of the existing 'Exit' menu item.
Tools: a hex editor (for example, Hiew) and your brain (the one you usually use).
OK, let's get to work.
Open hello.exe in a full-featured hex editor (such as hiew.exe) and go straight to the resource section (.rsrc). In Hiew, press F8 (PE header) and then F6 (section table) to get to .rsrc; the PointerToRawData field of the .rsrc section header is the file offset where the resource data starts. At that offset you will see an IMAGE_RESOURCE_DIRECTORY, whose structure is:
typedef struct _IMAGE_RESOURCE_DIRECTORY {
    ULONG  Characteristics;
    ULONG  TimeDateStamp;
    USHORT MajorVersion;
    USHORT MinorVersion;
    USHORT NumberOfNamedEntries;
    USHORT NumberOfIdEntries;
} IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY;
ULONG = 4 bytes, USHORT = 2 bytes, 16 bytes in total.
We do not use these fields (apart from the two entry counts, which tell you how many entries follow), but you need to know where the subsequent data begins: immediately after these 16 bytes come the IMAGE_RESOURCE_DIRECTORY_ENTRY structures (resource directory entries), one per entry, named entries first. Each has this structure:
typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
    ULONG Name;
    ULONG OffsetToData;
} IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
In the hex editor you will see something like this (for ease of analysis, NOTEPAD 5.2 from win2003 is used as the demo; byte positions 1-16 are shown above the first line):
            1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
00008000h: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 08 00 ; IMAGE_RESOURCE_DIRECTORY: MajorVersion 4, 0 named entries, 8 ID entries
00008010h: 03 00 00 00 50 00 00 80 04 00 00 00 A8 00 00 80 ; the first two IMAGE_RESOURCE_DIRECTORY_ENTRYs
...
The second line split into its two 8-byte entries:
03 00 00 00-50 00 00 80   (entry 1: Name 3, OffsetToData 80000050)
04 00 00 00-A8 00 00 80   (entry 2: Name 4, OffsetToData 800000A8)
Each IMAGE_RESOURCE_DIRECTORY_ENTRY is 8 bytes long. In the sample data the first entry (03 00 00 00 50 00 00 80) is of no interest to us: at this top level the Name field holds the resource type, and 3 is RT_ICON (4 is RT_MENU, 5 is RT_DIALOG, and so on). The entry we want is the second one, bytes 9 to 16 (04 00 00 00 A8 00 00 80).
Within those eight bytes, the first four are the Name (here 4 = RT_MENU, which is exactly why this is our entry) and the last four are OffsetToData. Its most significant bit is a flag: if it is 1, the remaining 31 bits are the offset of another IMAGE_RESOURCE_DIRECTORY (a subdirectory); if it is 0, they are the offset of an IMAGE_RESOURCE_DATA_ENTRY (the thing we are looking for). Both offsets are relative to the start of the .rsrc section, not to the start of the file.
In our example the value is 800000A8 (stored little-endian as A8 00 00 80). The top bit is set, so A8 is the offset from the start of .rsrc to another IMAGE_RESOURCE_DIRECTORY.
The resource section starts at file offset 8000 in this file, so the next IMAGE_RESOURCE_DIRECTORY is at 80A8 (8000 + A8). As said above, its 16 bytes are not important; skip them and you reach the next IMAGE_RESOURCE_DIRECTORY_ENTRY:
000080a0h: 09 00 00 00 48 02 00 80-00 00 00 00 00 00 00 00 ; last entry of the type directory (Name 9 = RT_ACCELERATOR), then the directory at 80A8 begins
000080b0h: 04 00 00 00 00 00 01 00-01 00 00 00 60 02 00 80 ; ... MajorVersion 4, one ID entry; then the entry: Name 1, OffsetToData 80000260
Skip the first four bytes of the entry, the Name (at this second level it is the menu's own resource ID, 1). The last four bytes are 80000260 (60 02 00 80); the flag is still 1, so go on to 8260 (8000 + 260). There is yet another IMAGE_RESOURCE_DIRECTORY (this third level is the language); skip its 16 bytes and you reach an IMAGE_RESOURCE_DIRECTORY_ENTRY. Skip its 4-byte Name (here 0804, the language ID) and you see that OffsetToData is 00000440:
00008260h: 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 ; IMAGE_RESOURCE_DIRECTORY: MajorVersion 4, one ID entry
00008270h: 04 08 00 00 40 04 00 00 00 00 00 00 00 00 00 00 ; entry: Name 0804 (language), OffsetToData 00000440 (top bit clear)
This time the flag is 0, so at 8440 (8000 + 440) we find our target, the IMAGE_RESOURCE_DATA_ENTRY (resource data entry). Its structure is:
typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
    ULONG OffsetToData;
    ULONG Size;
    ULONG CodePage;
    ULONG Reserved;
} IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
Only the first two fields matter to us: OffsetToData is 00011750 and Size is 330 (hex). We will use both later, so note that in our example the IMAGE_RESOURCE_DATA_ENTRY itself sits at 8440.
00008440h: 50 17 01 00 30 03 00 00 E4 04 00 00 00 00 00 00
           OffsetToData Size        CodePage (04E4 = 1252)
One thing the original text does not explain: OffsetToData is not a file offset but an RVA (relative virtual address). To turn it into a file offset, subtract the difference between the .rsrc section's VirtualAddress and its PointerToRawData, which you can read from the section table. In this notepad.exe that difference is 3000, so 11750 - 3000 = 0E750. The same conversion applies to any PE file; only in a file whose section delta happens to be 0 do the two numbers coincide.
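The walk just described, as a script. This is an added example and not code from the original article: it parses the IMAGE_RESOURCE_DIRECTORY tree type -> name -> language down to the IMAGE_RESOURCE_DATA_ENTRY, converts the RVA into a file offset with the section delta, and includes a minimal section-table reader so it can be pointed at a real hello.exe. The image built by build_sample_pe is constructed for the example and merely reuses the article's numbers (RT_MENU, menu ID 1, language 0804, RVA 11750, size 330, section delta 3000); it is not a dump of notepad.exe.

```python
import struct
import sys

RT_ICON, RT_MENU = 3, 4             # resource type IDs (winuser.h)
SUBDIR_FLAG = 0x80000000            # high bit of OffsetToData: points at another directory
DIR_FMT = "<IIHHHH"                 # IMAGE_RESOURCE_DIRECTORY (16 bytes)
ENTRY_FMT = "<II"                   # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name, OffsetToData
DATA_FMT = "<IIII"                  # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved


def read_directory(rsrc, off):
    """Yield (name, offset, is_subdir) for each entry of the directory at .rsrc-relative offset off."""
    _, _, _, _, n_named, n_id = struct.unpack_from(DIR_FMT, rsrc, off)
    pos = off + 16                                   # entries start right after the 16-byte header
    for _ in range(n_named + n_id):
        name, ptr = struct.unpack_from(ENTRY_FMT, rsrc, pos)
        yield name, ptr & ~SUBDIR_FLAG, bool(ptr & SUBDIR_FLAG)
        pos += 8


def find_resource(rsrc, type_id, name_id=None, lang_id=None):
    """Walk type -> name -> language; return (entry_off, rva, size, codepage).

    entry_off is the .rsrc-relative offset of the IMAGE_RESOURCE_DATA_ENTRY.  A None
    name_id/lang_id takes the first entry at that level, as the walkthrough does."""
    off = 0
    for level, wanted in enumerate((type_id, name_id, lang_id)):
        for name, ptr, is_subdir in read_directory(rsrc, off):
            if wanted is not None and name != wanted:
                continue
            if is_subdir != (level < 2):             # levels 0-1 need a subdirectory, level 2 a data entry
                raise ValueError("unexpected high bit at level %d" % level)
            off = ptr
            break
        else:
            raise KeyError("no matching entry at level %d" % level)
    rva, size, codepage, _ = struct.unpack_from(DATA_FMT, rsrc, off)
    return off, rva, size, codepage


def rva_to_file_offset(rva, section_va, section_raw):
    """OffsetToData is an RVA; subtract the section delta (VirtualAddress - PointerToRawData)."""
    return rva - section_va + section_raw


def find_rsrc_section(pe):
    """Minimal PE header walk: (VirtualAddress, PointerToRawData, SizeOfRawData) of .rsrc."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    for i in range(n_sections):
        hdr = table + 40 * i
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if pe[hdr:hdr + 8].rstrip(b"\0") == b".rsrc":
            return va, raw_ptr, raw_size
    raise KeyError(".rsrc section not found")


def locate_menu(pe):
    """(file offset of the data entry, file offset of the menu bytes, size) for the first RT_MENU."""
    va, raw_ptr, raw_size = find_rsrc_section(pe)
    entry_off, rva, size, _ = find_resource(pe[raw_ptr:raw_ptr + raw_size], RT_MENU)
    return raw_ptr + entry_off, rva_to_file_offset(rva, va, raw_ptr), size


def build_sample_pe(section_va=0xB000, raw_ptr=0x8000):
    """Constructed image (not a dump of notepad.exe): one .rsrc section holding a tree
    shaped like the walkthrough, with its numbers (menu ID 1, language 0804, RVA 11750)."""
    rsrc = bytearray()
    rsrc += struct.pack(DIR_FMT, 0, 0, 4, 0, 0, 2)               # 0x00 type directory, 2 ID entries
    rsrc += struct.pack(ENTRY_FMT, RT_ICON, 0x20 | SUBDIR_FLAG)
    rsrc += struct.pack(ENTRY_FMT, RT_MENU, 0x30 | SUBDIR_FLAG)
    rsrc += struct.pack(DIR_FMT, 0, 0, 4, 0, 0, 0)               # 0x20 icon directory (left empty)
    rsrc += struct.pack(DIR_FMT, 0, 0, 4, 0, 0, 1)               # 0x30 menu name directory
    rsrc += struct.pack(ENTRY_FMT, 1, 0x48 | SUBDIR_FLAG)        #      menu ID 1
    rsrc += struct.pack(DIR_FMT, 0, 0, 4, 0, 0, 1)               # 0x48 language directory
    rsrc += struct.pack(ENTRY_FMT, 0x0804, 0x60)                 #      language 0804, high bit clear
    rsrc += struct.pack(DATA_FMT, 0x11750, 0x330, 1252, 0)       # 0x60 IMAGE_RESOURCE_DATA_ENTRY
    pe = bytearray(0x40)                                         # DOS header with e_lfanew = 0x40
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)   # file header, no optional header
    pe += b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, section_va, len(rsrc), raw_ptr) + bytes(16)
    pe += bytes(raw_ptr - len(pe)) + rsrc
    return bytes(pe)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("data entry at %#x, menu at file offset %#x, size %#x" % locate_menu(image))
```

Run it with a path to get the two numbers you need for the patch later (where the data entry is, and where the menu bytes are); without arguments it runs on the constructed image and reports the same 8060 / E750 / 330 that the walkthrough arrives at by hand (8440 in the real file, because notepad's type directory has eight entries and more levels of padding than the constructed one).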
Now, at 0E750, you can see the menu resource:
0000e750h: 00 00 00 00 10 00 87 65 F6 4E 28 00 26 00 46 00 ; header; flags 0010 (Popup); "文件(&F"
0000e760h: 29 00 00 00 00 00 01 00 B0 65 FA 5E 28 00 26 00 ; ")", terminator; flags 0000, ID 0001; "新建(&"
0000e770h: 4E 00 29 00 09 00 43 00 74 00 72 00 6C 00 2B 00 ; "N)", tab, "Ctrl+"
0000e780h: 4E 00 00 00 00 00 02 00 53 62 00 5F 28 00 26 00 ; "N", terminator; flags 0000, ID 0002; "打开(&"
Structure of a menu item
00 00 00 00 | 10 00 | 87 65 F6 4E 28 00 26 00 46 00 29 00 | 00 00
header        flags   menu item name (UTF-16)                 terminator
The resource begins with a 4-byte header (two WORDs, version number and offset, both 0 here). After that each menu item consists of:
bytes 1-2 - flags (attributes, see below)
bytes 3-4 - menu item ID (absent for a pop-up item, whose name therefore starts at byte 3)
from byte 5 - the menu item name, a UTF-16 string terminated by two NUL bytes
The two NUL bytes that appear in front of every item except the first are thus not a field of their own: they are the terminator of the previous item's name. The byte groupings used in the rest of this text start from those two bytes (the original author took them for a separator of unknown purpose), so there the flags appear as bytes 3-4 and the ID as bytes 5-6; the bytes in the file are the same either way.
Flags - I list only the important ones; the complete list (the MF_* constants) can be found in winuser.h or on the web. They are 16-bit values stored little-endian, so 0800 appears in the file as 00 08 and 0010 as 10 00, and they can be combined by OR-ing them.
0800 - Separator (MF_SEPARATOR)
0000 - Enabled (MF_ENABLED)
0001 - Grayed (MF_GRAYED)
0002 - Disabled (MF_DISABLED)
0010 - Popup (MF_POPUP: the item opens a submenu)
0080 - End (MF_END: the last item at this menu level)
A separator item looks like this:
00 08 | 00 00 | 00 00
flags   ID      name (an empty string: only the two NUL bytes)
For example, here are two menu items:
00 00 00 00 | 90 00 | 26 00 46 00 69 00 6C 00 65 00
00 00 | 80 00 | 69 00 | 45 00 26 00 78 00 69 00 74 00
The first item's flags are 90 = 80 | 10, so it is a pop-up (note that it has no ID field) and the last item of its level; its name is "&File". The second item's flags are just 80 = End; it is not a pop-up, so it is an ordinary item inside the File submenu, with ID 0069 and the name "E&xit", and the End flag makes it the last (here the only) entry of that submenu.
Now, to add a menu item we first need to know what it looks like. An 'Open' item, for instance, looks like this:
00 00 | 00 00 | 70 00 | 26 00 4F 00 70 00 65 00 6E 00
(term.) flags   ID      & O p e n
The ID is 0070, but it can be any value not already used by the program. The '&' before the 'O' makes the 'O' underlined and lets you press O to activate the item.
Now a grayed 'Close' item:
00 00 | 01 00 | 71 00 | 26 00 43 00 6C 00 6F 00 73 00 65 00
(term.) flags   ID      & C l o s e
As you can see, the flags are 0001 (Grayed) and the ID is again a value of our choosing.
In my demo program (a simple Hello World written in MS VC++, whose menu has only two items) I found free space (an area filled with zeros) after my menu resource, at 6960. So there I wrote a new File menu with the 'Open' and 'Close' items inserted, followed by the 'Exit' item. It looks like this:
00 00 00 00-90 00 26 00-46 00 69 00-6C 00 65 00   ; header; flags 0090 (Popup | End); "&File"
00 00 00 00-70 00 26 00-4F 00 70 00-65 00 6E 00   ; terminator; flags 0000, ID 0070; "&Open"
00 00 01 00-71 00 26 00-43 00 6C 00-6F 00 73 00   ; terminator; flags 0001 (Grayed), ID 0071; "&Clos"
65 00 00 00-80 00 69 00-45 00 26 00-78 00 69 00   ; "e", terminator; flags 0080 (End), ID 0069; "E&xi"
74 00 00 00                                       ; "t", terminator
Note down 6960: it is the start of a block of 44 (hex) bytes.
Now go back to the IMAGE_RESOURCE_DATA_ENTRY you noted earlier (in the notepad demo it is the entry at 8440 that points to the menu at 0E750; in my Hello World it is at 61F0, with OffsetToData 000067C8 and Size 22). Change OffsetToData from 000067C8 to 00006960 and Size from 22 to 44. Remember that OffsetToData is an RVA: if your .rsrc section's VirtualAddress differs from its PointerToRawData, convert the file offset of the free area with the same delta as above before writing it. Also make sure the free area lies inside the .rsrc section's raw data and not in the slack after the last section, otherwise it will not be mapped at run time and LoadMenu will fail. Now save the program and run it again: my 'Open' and 'Close' menu items are there. Got it?
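The menu item layout described above and the final patch step, as a script. This is an added example and not code from the original article: encode_menu rebuilds the article's 44h-byte File menu from a list of items (and the original 22h-byte one), decode_menu reads such a blob back, and install_menu writes the new menu into a zero-filled gap and repoints the IMAGE_RESOURCE_DATA_ENTRY, refusing to overwrite bytes that are not zero. build_sample_image is a constructed buffer standing in for hello.exe (data entry at 10h, the old menu at 40h, free space from 80h, section delta assumed to be 0); its offsets exist only for the example.

```python
import struct

# MF_* flags from winuser.h; stored little-endian in the resource
MF_GRAYED, MF_DISABLED, MF_POPUP, MF_END, MF_SEPARATOR = 0x0001, 0x0002, 0x0010, 0x0080, 0x0800


def encode_items(items):
    """Encode a list of (flags, id, text, children); children is a list for a pop-up, else None.
    MF_END is set on the last item of each level and MF_POPUP on items that have children."""
    out = bytearray()
    for i, (flags, item_id, text, children) in enumerate(items):
        if i == len(items) - 1:
            flags |= MF_END
        if children is not None:                     # pop-up: flags, then the name (no ID field)
            out += struct.pack("<H", flags | MF_POPUP)
        else:                                        # normal item: flags, ID, name
            out += struct.pack("<HH", flags, item_id)
        out += text.encode("utf-16-le") + b"\0\0"    # UTF-16 name with its 2-byte terminator
        if children is not None:
            out += encode_items(children)
    return bytes(out)


def encode_menu(items):
    """Whole RT_MENU resource: 4-byte header (version 0, offset 0) followed by the items."""
    return struct.pack("<HH", 0, 0) + encode_items(items)


def decode_items(blob, pos):
    """Inverse of encode_items from offset pos; returns (items, offset after this level's End item)."""
    items = []
    while True:
        flags = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        item_id = 0
        if not flags & MF_POPUP:
            item_id = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
        end = pos
        while blob[end:end + 2] != b"\0\0":            # 2-byte steps keep us on UTF-16 boundaries
            if end + 2 > len(blob):
                raise ValueError("unterminated menu item name")
            end += 2
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        children = None
        if flags & MF_POPUP:
            children, pos = decode_items(blob, pos)
        items.append((flags & ~(MF_END | MF_POPUP), item_id, text, children))
        if flags & MF_END:
            return items, pos


def decode_menu(blob):
    version, offset = struct.unpack_from("<HH", blob, 0)
    if version != 0:
        raise ValueError("only the version-0 menu template format is handled here")
    return decode_items(blob, 4 + offset)[0]


def install_menu(image, entry_off, free_off, menu, section_va=0, section_raw=0):
    """Write menu into the zero-filled gap at file offset free_off and repoint the
    IMAGE_RESOURCE_DATA_ENTRY at entry_off (OffsetToData as an RVA, Size in bytes)."""
    image = bytearray(image)
    gap = image[free_off:free_off + len(menu)]
    if len(gap) != len(menu) or any(gap):
        raise ValueError("target area is not a zero-filled gap inside the file")
    image[free_off:free_off + len(menu)] = menu
    struct.pack_into("<II", image, entry_off, free_off - section_raw + section_va, len(menu))
    return bytes(image)


# The article's menus: the original two-item menu and the patched one
ORIGINAL_MENU = [(0, 0, "&File", [(0, 0x69, "E&xit", None)])]
NEW_MENU = [(0, 0, "&File", [(0, 0x70, "&Open", None),
                             (MF_GRAYED, 0x71, "&Close", None),
                             (0, 0x69, "E&xit", None)])]


def build_sample_image():
    """Constructed stand-in for hello.exe: data entry at 0x10 -> old menu at 0x40, zeros from 0x80."""
    image = bytearray(0x100)
    struct.pack_into("<IIII", image, 0x10, 0x40, 0x22, 0, 0)
    old = encode_menu(ORIGINAL_MENU)
    image[0x40:0x40 + len(old)] = old
    return bytes(image)


if __name__ == "__main__":
    patched = install_menu(build_sample_image(), 0x10, 0x80, encode_menu(NEW_MENU))
    print(encode_menu(NEW_MENU).hex())
    print(decode_menu(patched[0x80:0x80 + 0x44]))
```

To use it on a real file, read hello.exe into bytes, pass the file offset of its data entry and of the gap you found, and the section's VirtualAddress and PointerToRawData so the RVA is written correctly; decode_menu on the old menu bytes first is a quick way to confirm you have the right resource before patching.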