Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Not very clear talking about .rsrc section (https://forum.exetools.com/showthread.php?t=7748)

Nacho_dj 06-28-2005 18:23
Not very clear talking about .rsrc section
 
Hello:

Does anybody here know a good tute about the .rsrc section of PE header?

I have been taking a sigth to the following docs:

- pecoff.pdf

- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndebug/html/msdn_peeringpe.asp

But in both of them I cannot see very clear how the data are set in this section. It appears a kind of confused to me. Maybe a good practical example would help.


Thanks!


Nacho_dj :cool:

SLV 06-28-2005 21:09
1 Attachment(s)
> .rsrc section
hmm.. Firsly u mean not section but IMAGE_RESOURCE_DIRECTORY... secondary look at windows.inc (MASM package) and look at this nice source...

vodu 06-28-2005 23:03
Take a look at Morphine source...

hxxp://rootkit.host.sk


Then survey this ...
procedure PrepareResourceSectionData;

sKip 06-29-2005 00:50
Two very nice essays, which contain a lot informations about the topic


Tool Interface Standard (TIS): Formats Specification for Windows -> example

wxw.x86.org/intel.doc/tools.htm

pe file format by lord julius

hxtp://dl.njfiw.gov.cn/books/%BB%E3%B1%E0/Sorted_OEM/pe/The_pe_file.txt

Nacho_dj 06-29-2005 17:21
.rsrc not so misterious yet!
 
Ok, I think all is a little bit clear for me.

Slv, I haven't installed the masm, so couldn't found the windows.inc. I'll try to install it and see it.
Vodu, I have found the URL you wrote down, but I couldn't find the procedure PrepareResourceSectionData, any clue?
skip, the docs you have suggested are very clear! Specially the one of Julius. :rolleyes:

I am trying to fix some values of RVA pointing to data in the .rsrc after you have deleted some irrelevant sections of the
PE header inserted by an exe wrapper. Thus the .rsrc woulg go to a new raw position, and is getting necessary to fix the RVA values of the data.

I know you can find some tools that are doing this, but I would like insert this procedure in an unpacker/rebuilder I have developping to get "all in one".

Anyway...

Thanks for your answers!

Cheers from the sunny Spain!


Nacho_dj :cool:

Jay 06-29-2005 19:24
http://www.wotsit.org/download.asp?f=res

vodu 06-30-2005 02:03
1 Attachment(s)
Quote:
Originally Posted by Nacho_dj
Vodu, I have found the URL you wrote down, but I couldn't find the procedure PrepareResourceSectionData, any clue?
Just look at morphine source. I also attached it to this msg.

Nacho_dj 07-03-2005 06:23
Ok, Vodu, I see that the source is very complete (and complicated!!)

I guess with a little of patience reading the morphine's code, the .rsrc will be
totally clear.

I was doing tests with the information supplied by the people of the forum. But I think it is hard developping completely a .rsrc rebuilder.

It seems a lilttle bit more complicated I was suppossing :eek:

Thanks for the info


Nacho_dj :cool:


All times are GMT +8. The time now is 01:27.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX