📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









 Forums >>  IDA Pro  >>  IDA Resource Viewer plugin

Topic created on: April 28, 2012 02:52 CDT by DriEm.

Inspired by Angus Johnson's Resource Hacker and by Chris Eagle's "The IDA Pro Book", I developed a compact resource viewer to be used with IDA version 5.0 or higher.

The plugin is invoked by Alt+F5 hotkey or from Edit/Plugin sub-menu. It opens a subview and lists all resources contained in a Windows PE executable, provided that the executable has been loaded into IDA with the "Load resources" option checked. Double-click on a list record to display that resource.

Click below for a screenshot of the plugin listing the resources of NOTEPAD.EXE:



It is still rudimentary, and I plan to add more features in the future. Please leave your comments here.

--------------------------------

Name: IDA Resource Viewer plugin
Version: 0.6
Author: DriEm
Distribution: Binary only
Platform: IDA for Windows version 5.0 or higher
Price: Free for non-commercial use
Description: Resource viewer for IDA

Download: https://rapidshare.com/files/1648962871/idares.plw
MD5: f038506b867e06c017e69928f0aed0cb

Download version 0.3 for IDA Freeware Version 5.0: https://rapidshare.com/files/3819039869/idaresfr.plw
MD5: 9f6d7bff1e03356007e9a6e74fda06dd

  waleedassar     April 28, 2012 15:51.28 CDT
Nice plugin, but it is subject to "stack overflow" due to an infinite loop when processing a specially crafted resource directory.

http://ollytlscatch.googlecode.com/files/antiResHacker.exe

N.B. Resource Hacker is also subject to this bug.

  DriEm   April 29, 2012 16:39.01 CDT
> waleedassar: Nice plugin, but it is subject to "stack overflow" due to an infinite loop when processing a specially crafted resource directory.
>
> http://ollytlscatch.googlecode.com/files/antiResHacker.exe
>
> N.B. Resource Hacker is also subject to this bug.

Thanks for pointing this out. I've fixed it, click below for a screenshot of the plugin listing the resources of "antiResHacker.exe":



I'll integrate the fix into the next release.

  jduck     April 29, 2012 20:58.42 CDT
Are you planning to release the source??

  DriEm   May 1, 2012 12:20.50 CDT
> jduck: Are you planning to release the source??

Nope. I plan to release an updated version within a few days.

  DriEm   May 2, 2012 09:40.43 CDT
Version 0.2 released, head post updated accordingly.

Changes:
- "infinite loop" vulnerability (as pointed out by waleedassar) fixed
- if the selected resource is a bitmap, it is displayed in a dialog box

  waleedassar     May 2, 2012 11:38.04 CDT
Another infinite loop already exists. No stack overflow, just a typical infinite loop.

Two demos have been included in the archive below.

http://www.filefactory.com/file/5v4iva89en85/n/idares_loops_rar
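
Both loop reports above concern walking the PE resource directory tree. As an added example (not part of the thread, and not the plugin's code, which is distributed as a binary only), this Python walker rejects a malformed tree instead of recursing or looping without end. The thread does not say how the sample files are built: the looped input below is constructed and assumes a subdirectory entry that points back at an ancestor, and `walk_resources`, `MAX_DEPTH` and the other names are illustrative.

```python
import struct

SUBDIR = 0x80000000   # high bit of an entry's offset field: target is a subdirectory
MAX_DEPTH = 8         # assumed cap; ordinary PE files nest type/name/language (3 levels)

class ResourceError(ValueError):
    """Raised when the resource tree is malformed."""

def walk_resources(rsrc, offset=0, depth=0, visited=None, path=()):
    """Return [(id_path, data_entry_offset)] for each leaf below the directory at offset."""
    visited = set() if visited is None else visited
    if depth >= MAX_DEPTH:
        raise ResourceError(f"nesting exceeds {MAX_DEPTH} levels at {offset:#x}")
    if offset in visited:  # strict: any directory reached twice is rejected
        raise ResourceError(f"directory {offset:#x} already visited (loop)")
    visited.add(offset)
    if offset + 16 > len(rsrc):
        raise ResourceError(f"directory header at {offset:#x} is out of bounds")
    # NumberOfNamedEntries and NumberOfIdEntries sit at the end of the 16-byte header.
    named, ids = struct.unpack_from("<HH", rsrc, offset + 12)
    if offset + 16 + 8 * (named + ids) > len(rsrc):
        raise ResourceError(f"entry table at {offset:#x} runs past the section")
    leaves = []
    for i in range(named + ids):
        # name is the raw Name/ID field; target is section-relative.
        name, target = struct.unpack_from("<II", rsrc, offset + 16 + 8 * i)
        if target & SUBDIR:
            leaves += walk_resources(rsrc, target & 0x7FFFFFFF, depth + 1,
                                     visited, path + (name,))
        elif target + 16 > len(rsrc):
            raise ResourceError(f"data entry at {target:#x} is out of bounds")
        else:
            leaves.append((path + (name,), target))
    return leaves

def is_rejected(rsrc):
    """True if walk_resources refuses the section instead of looping."""
    try:
        walk_resources(rsrc)
    except ResourceError:
        return True
    return False

def directory(entries):
    """Constructed sample input: 16-byte header followed by 8-byte ID entries."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", i, t) for i, t in entries)

# Constructed samples: a normal 3-level tree, and one whose child points at the root.
GOOD = (directory([(3, SUBDIR | 24)]) + directory([(1, SUBDIR | 48)])
        + directory([(0x409, 72)]) + bytes(16))
LOOPED = directory([(3, SUBDIR | 24)]) + directory([(1, SUBDIR | 0)])
```

The visited set stops cycles, the depth cap bounds stack use, and the length checks keep the entry loop from running past the section on a bogus entry count.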

  DriEm   May 11, 2012 11:55.56 CDT
> waleedassar: Another infinite loop already exists. No stack overflow, just a typical infinite loop.
>
> Two demos have been included in the archive below.
>
> http://www.filefactory.com/file/5v4iva89en85/n/idares_loops_rar

What do your example EXEs do? Do they use resources?

  waleedassar     May 11, 2012 13:59.52 CDT
Yes, they embed resources.
http://uploadpic.org/v.php?img=Lg3hb8YWjk

http://uploadpic.org/v.php?img=b4R3yayQCI

  DriEm   May 13, 2012 13:59.08 CDT
Version 0.3 released, head post updated accordingly.

Changes:
- another "infinite loop" vulnerability fixed (thanks again to waleedassar)
- execution speed-up through minor changes
- plugin compiled for IDA Freeware Version 5.0 (this is the currently distributed free IDA version)

  DriEm   June 12, 2012 13:28.21 CDT
Version 0.6 released, head post updated accordingly.

Changes:
- displaying more resource types (bitmaps, icons, cursors, dialogs, strings, menus)
- for MFC executables, the event handler for a dialog button and for a menu item is printed out to IDA's Output window (may be redundant)
- for Delphi executables, all event handlers for a form's buttons are printed out to IDA's Output window (tested on Embarcadero Delphi 2010 executables)

  r2x64   May 12, 2013 09:27.10 CDT
Hey, any new downloading link for this? It seems that the old links don't work anymore.
