Analyze the icon information in the PE format file

Source: Internet
Author: User
Tags: ultraedit

Resource sections in the PE format are complex, and at present the few books on the PE format do not go deep enough on this part (I think the best treatment is in Hou Jie's translation of "Windows 95 System Programming Secrets"), so you have to pick up tools such as stud_pe and UltraEdit and analyze PE files yourself. The following records, step by step, the process of studying the ICON resources in a PE file:

1. Get the offset of the resource section. Open the PE file with stud_pe; on the "sections" page there is a row named ".rsrc" (if the program has resources). The "VirtualOffset" field of that row is the RVA of the resource section; in the file examined here it is also the offset of the section within the file (see the note on RVA versus raw offset below).
2. Open the PE file in a hex editor (UltraEdit will do) and go to the resource section.
3. The first thing there is an IMAGE_RESOURCE_DIRECTORY structure. Its NumberOfNamedEntries field gives the number of resources identified by a name, and NumberOfIdEntries the number identified by an integer ID.
4. It is followed by NumberOfNamedEntries + NumberOfIdEntries IMAGE_RESOURCE_DIRECTORY_ENTRY structures. Although the declaration looks large, each entry is only 8 bytes: the first four bytes give the resource type and the last four give the location. A type value of 3 (RT_ICON) means an icon; for other values see the documentation, for example 2 (RT_BITMAP) is a bitmap and 1 (RT_CURSOR) a cursor. In the last four bytes, if the high bit is set, the remaining 31 bits are the offset of a resource subdirectory. This offset is relative to the start of the resource section, not an RVA.
5. Go to the offset of the icon entry. There is another IMAGE_RESOURCE_DIRECTORY there, whose NumberOfIdEntries gives the number of icons, followed by that many IMAGE_RESOURCE_DIRECTORY_ENTRY structures; in each, the first four bytes are the icon ID and the last four its location.
6. Following the offset from the previous step leads to yet another IMAGE_RESOURCE_DIRECTORY, which carries no useful information, followed by an IMAGE_RESOURCE_DIRECTORY_ENTRY (annoying). Its offset finally leads to an IMAGE_RESOURCE_DATA_ENTRY. The useful fields of this structure are OffsetToData, the position of the icon data (this time an RVA, not a file offset), and Size, the size of the icon data block.
7. Finally, note that the icon data stored here contains less than an ordinary icon file. At a rough look, at least two parts are missing: the file header and the icon header; the data starts directly with the image, that is, with a BITMAPINFOHEADER (that is right).

In the walk above RVA = raw (offset in the executable file), but in most cases the two values are not equal. How to get from the RVA to the raw offset: after the IMAGE_OPTIONAL_HEADER come several IMAGE_SECTION_HEADER structures (the section table), one per section, their number given by IMAGE_NT_HEADERS.FileHeader.NumberOfSections. One field of the section header, PointerToRawData, is the offset of that section in the disk file. Take this raw value and compute its difference from the section's RVA; many of the addresses given later are RVAs, and with this difference the corresponding raw offset can be calculated.

The following code finds the offset and size, in the disk file, of the first icon's data in an EXE file (the code is messy):

```cpp
CFileDialog dlg(TRUE);
if (dlg.DoModal() != IDOK)
    return;

// Open the EXE read-only and map it; the original mapped it read/write with
// GetFileSize + 1, which grows the file on disk by one byte.
HANDLE hFile = ::CreateFile(dlg.GetPathName(), GENERIC_READ, FILE_SHARE_READ,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
    return;
HANDLE hMap = ::CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hMap)
{
    LPVOID buffer = ::MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
    if (buffer)
    {
        BYTE* base = (BYTE*)buffer;
        IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)base;
        IMAGE_NT_HEADERS* pNtHeader = (IMAGE_NT_HEADERS*)(base + pDosHeader->e_lfanew);
        DWORD dwNumberOfSections = pNtHeader->FileHeader.NumberOfSections;

        // The section table follows IMAGE_NT_HEADERS directly; look for ".rsrc".
        IMAGE_SECTION_HEADER* pSectionHeader = IMAGE_FIRST_SECTION(pNtHeader);
        DWORD i;
        for (i = 0; i < dwNumberOfSections; i++, pSectionHeader++)
        {
            if (strncmp((char*)pSectionHeader->Name, ".rsrc", IMAGE_SIZEOF_SHORT_NAME) == 0)
                break;
        }
        if (i < dwNumberOfSections)
        {
            // Difference between RVA and file offset for the resource section.
            DWORD dwResourceRva =
                pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress;
            DWORD dwOffsetRvaToRaw = dwResourceRva - pSectionHeader->PointerToRawData;
            BYTE* pRes = base + pSectionHeader->PointerToRawData;
            IMAGE_RESOURCE_DIRECTORY* pResourceDirect = (IMAGE_RESOURCE_DIRECTORY*)pRes;
            TRACE("res section rva: %x\n", dwResourceRva);
            TRACE("res raw: %x\n", pSectionHeader->PointerToRawData);

            // Level 1: resource types. Look for RT_ICON (3).
            IMAGE_RESOURCE_DIRECTORY_ENTRY* pEntry =
                (IMAGE_RESOURCE_DIRECTORY_ENTRY*)(pRes + sizeof(IMAGE_RESOURCE_DIRECTORY));
            int nRes = pResourceDirect->NumberOfIdEntries + pResourceDirect->NumberOfNamedEntries;
            int j;
            for (j = 0; j < nRes; j++, pEntry++)
            {
                if (!pEntry->NameIsString && pEntry->Id == 3 /* RT_ICON */)
                {
                    TRACE("icon entry is %x\n", pEntry->OffsetToData);
                    break;
                }
            }
            if (j < nRes)
            {
                // High bit set: the low 31 bits are a subdirectory offset relative
                // to the start of the resource section.
                DWORD offset = pEntry->OffsetToData & 0x7fffffff;
                TRACE("%x\n", offset);
                // Level 2: icon IDs; take the first entry.
                IMAGE_RESOURCE_DIRECTORY_ENTRY* pIconEntry =
                    (IMAGE_RESOURCE_DIRECTORY_ENTRY*)(pRes + offset + sizeof(IMAGE_RESOURCE_DIRECTORY));
                offset = pIconEntry->OffsetToData & 0x7fffffff;
                TRACE("%x\n", offset);
                // Level 3: languages; again take the first entry.
                pIconEntry =
                    (IMAGE_RESOURCE_DIRECTORY_ENTRY*)(pRes + offset + sizeof(IMAGE_RESOURCE_DIRECTORY));
                offset = pIconEntry->OffsetToData & 0x7fffffff;
                TRACE("%x\n", offset); // offset = 0x168 in the file examined
                // The leaf is an IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, Size the length.
                IMAGE_RESOURCE_DATA_ENTRY* pDataEntry = (IMAGE_RESOURCE_DATA_ENTRY*)(pRes + offset);
                DWORD icon_rva = pDataEntry->OffsetToData;
                DWORD icon_size = pDataEntry->Size;
                CString str;
                str.Format("icon's RVA = %x, raw = %x, size = %x\n",
                           icon_rva, icon_rva - dwOffsetRvaToRaw, icon_size);
                AfxMessageBox(str);
            }
        }
        ::UnmapViewOfFile(buffer);
    }
    ::CloseHandle(hMap);
}
::CloseHandle(hFile);
```
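The walk through the three directory levels described in steps 3 to 6, together with the RVA-to-raw conversion, as an added example in Python that is not part of the original article: it parses a constructed .rsrc section (built inline by build_sample_rsrc, with invented section addresses 0x3000/0x1200 and two fake icons) and returns every RT_ICON data block rather than only the first, with bounds checks so a truncated or malformed section raises instead of reading past the buffer. Structure layouts follow winnt.h; the names IconLocation, find_icons and icon_bitmap_header_size are my own.

```python
import struct
from dataclasses import dataclass

# Layouts mirror the winnt.h structures walked in the article (little-endian).
DIR_FMT = "<IIHHHH"   # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp,
                      # MajorVersion, MinorVersion, NumberOfNamedEntries, NumberOfIdEntries
ENTRY_FMT = "<II"     # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
DATA_FMT = "<IIII"    # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved
DIR_SIZE, ENTRY_SIZE, DATA_SIZE = (struct.calcsize(f) for f in (DIR_FMT, ENTRY_FMT, DATA_FMT))
HIGH_BIT = 0x80000000
RT_ICON = 3


@dataclass
class IconLocation:
    icon_id: int
    lang_id: int
    rva: int    # OffsetToData from the data entry
    raw: int    # file offset, derived from the section header
    size: int


def read_directory(rsrc, off):
    """Return the (Name, OffsetToData) pairs of the directory at section offset `off`."""
    if off + DIR_SIZE > len(rsrc):
        raise ValueError("directory offset 0x%x outside resource section" % off)
    _, _, _, _, n_named, n_id = struct.unpack_from(DIR_FMT, rsrc, off)
    pos = off + DIR_SIZE
    if pos + (n_named + n_id) * ENTRY_SIZE > len(rsrc):
        raise ValueError("directory at 0x%x claims more entries than fit" % off)
    return [struct.unpack_from(ENTRY_FMT, rsrc, pos + i * ENTRY_SIZE)
            for i in range(n_named + n_id)]


def find_icons(rsrc, section_va, section_raw):
    """Walk type -> icon ID -> language and return every RT_ICON data block.
    rsrc is the raw bytes of the .rsrc section; section_va / section_raw are its
    VirtualAddress and PointerToRawData from IMAGE_SECTION_HEADER."""
    found = []
    for type_id, type_off in read_directory(rsrc, 0):
        # Named types (high bit of Name set) cannot be RT_ICON; skip them.
        if type_id & HIGH_BIT or type_id != RT_ICON:
            continue
        if not type_off & HIGH_BIT:
            raise ValueError("RT_ICON entry must point to a subdirectory")
        for icon_id, lang_dir in read_directory(rsrc, type_off & 0x7FFFFFFF):
            if not lang_dir & HIGH_BIT:
                raise ValueError("icon ID entry must point to a language directory")
            for lang_id, data_off in read_directory(rsrc, lang_dir & 0x7FFFFFFF):
                if data_off & HIGH_BIT:
                    raise ValueError("resource tree deeper than three levels")
                if data_off + DATA_SIZE > len(rsrc):
                    raise ValueError("data entry outside resource section")
                rva, size, _cp, _rsv = struct.unpack_from(DATA_FMT, rsrc, data_off)
                # Leaf OffsetToData is an RVA: convert with the section's RVA/raw difference.
                found.append(IconLocation(icon_id & 0xFFFF, lang_id & 0xFFFF,
                                          rva, rva - section_va + section_raw, size))
    return found


def icon_bitmap_header_size(rsrc, loc, section_va):
    """biSize of the BITMAPINFOHEADER the in-EXE icon data starts with (no ICONDIR header)."""
    start = loc.rva - section_va
    if start < 0 or start + 4 > len(rsrc) or loc.size < 4:
        raise ValueError("icon data outside resource section")
    return struct.unpack_from("<I", rsrc, start)[0]


def build_sample_rsrc(section_va, icons):
    """Constructed sample section: one RT_ICON type, one language (0x409) per icon."""
    ids = sorted(icons)
    n = len(ids)
    type_off = DIR_SIZE + ENTRY_SIZE                    # root holds one entry
    lang_dirs = type_off + DIR_SIZE + n * ENTRY_SIZE    # type dir holds n entries
    data_entries = lang_dirs + n * (DIR_SIZE + ENTRY_SIZE)
    payload = data_entries + n * DATA_SIZE
    buf = bytearray()
    buf += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, 1)
    buf += struct.pack(ENTRY_FMT, RT_ICON, HIGH_BIT | type_off)
    buf += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, n)
    for i, icon_id in enumerate(ids):
        buf += struct.pack(ENTRY_FMT, icon_id, HIGH_BIT | (lang_dirs + i * (DIR_SIZE + ENTRY_SIZE)))
    for i in range(n):
        buf += struct.pack(DIR_FMT, 0, 0, 0, 0, 0, 1)
        buf += struct.pack(ENTRY_FMT, 0x409, data_entries + i * DATA_SIZE)
    pos = payload
    for icon_id in ids:
        buf += struct.pack(DATA_FMT, section_va + pos, len(icons[icon_id]), 0, 0)
        pos += len(icons[icon_id])
    for icon_id in ids:
        buf += icons[icon_id]
    return bytes(buf)


# Constructed section geometry: RVA and raw offset deliberately differ.
SECTION_VA = 0x3000
SECTION_RAW = 0x1200
# Each fake icon begins with a BITMAPINFOHEADER whose biSize is 40, then zero bytes.
SAMPLE_ICONS = {1: struct.pack("<I", 40) + bytes(44), 2: struct.pack("<I", 40) + bytes(28)}
SAMPLE_RSRC = build_sample_rsrc(SECTION_VA, SAMPLE_ICONS)

if __name__ == "__main__":
    for loc in find_icons(SAMPLE_RSRC, SECTION_VA, SECTION_RAW):
        print("icon %d lang %#x: RVA=%#x raw=%#x size=%#x biSize=%d" % (
            loc.icon_id, loc.lang_id, loc.rva, loc.raw, loc.size,
            icon_bitmap_header_size(SAMPLE_RSRC, loc, SECTION_VA)))
```

To run this against a real file, slice the .rsrc section out of the EXE using the section header's PointerToRawData and SizeOfRawData and pass its VirtualAddress and PointerToRawData as section_va and section_raw; the leaf OffsetToData values are RVAs, so icon data that lives in a different section than the directory tree (rare, but legal) would need the general section-table lookup rather than the single-section difference used here.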
