Not very clear talking about .rsrc section

[Nacho_dj]

Hello:

Does anybody here know a good tute about the .rsrc section of PE header?

I have been taking a sigth to the following docs:

- pecoff.pdf

- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndebug/html/msdn_peeringpe.asp

But in both of them I cannot see very clear how the data are set in this section. It appears a kind of confused to me. Maybe a good practical example would help.


Thanks!


Nacho_dj

[SLV]

> .rsrc section
hmm.. Firsly u mean not section but IMAGE_RESOURCE_DIRECTORY... secondary look at windows.inc (MASM package) and look at this nice source...

Take a look at Morphine source...

hxxp://rootkit.host.sk


Then survey this ...
procedure PrepareResourceSectionData;

Two very nice essays, which contain a lot informations about the topic


Tool Interface Standard (TIS): Formats Specification for Windows -> example

wxw.x86.org/intel.doc/tools.htm

pe file format by lord julius

hxtp://dl.njfiw.gov.cn/books/%BB%E3%B1%E0/Sorted_OEM/pe/The_pe_file.txt

[Nacho_dj]

Ok, I think all is a little bit clear for me.

Slv, I haven't installed the masm, so couldn't found the windows.inc. I'll try to install it and see it.
Vodu, I have found the URL you wrote down, but I couldn't find the procedure PrepareResourceSectionData, any clue?
skip, the docs you have suggested are very clear! Specially the one of Julius.

I am trying to fix some values of RVA pointing to data in the .rsrc after you have deleted some irrelevant sections of the
PE header inserted by an exe wrapper. Thus the .rsrc woulg go to a new raw position, and is getting necessary to fix the RVA values of the data.

I know you can find some tools that are doing this, but I would like insert this procedure in an unpacker/rebuilder I have developping to get "all in one".

Anyway...

Thanks for your answers!

Cheers from the sunny Spain!


Nacho_dj

Quote:

Originally Posted by Nacho_dj

Vodu, I have found the URL you wrote down, but I couldn't find the procedure PrepareResourceSectionData, any clue?

Just look at morphine source. I also attached it to this msg.

[Jay]

http://www.wotsit.org/download.asp?f=res