
What are PE Resource Tables Used for?

During the application development process, a large number of resource files are typically used, such as icons, cursors, bitmaps, custom dialog boxes, and so on. For this reason, Windows has designed a multi-level resource structure to store these resource files and their related information.

Structure of the Resource Table

The PE Resource Table is organized as a three-level tree structure, with the levels representing Type, Name or ID, and Language, respectively. Each node in the tree is an IMAGE_RESOURCE_DIRECTORY structure, which contains entries (IMAGE_RESOURCE_DIRECTORY_ENTRY) pointing either to other directories or to the actual resource data entries (IMAGE_RESOURCE_DATA_ENTRY).
  • Type Level: This level identifies the type of resource. Predefined types include RT_ICON, RT_CURSOR, RT_STRING, etc. Custom types defined by the application are also possible.
  • Name Level: This level identifies the name or ID of individual resources of the same type. The name is either a Unicode string or an integer ID.
  • Language Level: This level identifies the language for each resource. Resources can be localized to support multiple languages, and each language variant of a resource has its own entry at this level.
Each Language-level entry points to an IMAGE_RESOURCE_DATA_ENTRY structure. This structure provides more detailed information about the specific resource, including the offset and size of the actual resource data and the code page used for that data.

Interpreting the Entries

Entries in the directories are represented by the IMAGE_RESOURCE_DIRECTORY_ENTRY structure. Each entry can be identified by name or by ID. If the NameIsString field is set, the NameOffset field is an offset to an IMAGE_RESOURCE_DIR_STRING_U structure, which contains the length of the string and the Unicode string itself. If the NameIsString field is zero, the Id field is used directly.
Two important points to note here: firstly, the name string is always Unicode-encoded, which means you should use wide string types and methods for printing. Secondly, unlike many traditional strings, this name string does not include a null-terminator at the end.
The IMAGE_RESOURCE_DATA_ENTRY structure points to the actual data of a resource and contains information like the size of the resource, the code page used to create the resource, and an RVA (Relative Virtual Address) pointing to the actual resource data.
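The walk described above, as an added Python example that is not code from the original post: it follows the Type, Name and Language levels of a raw resource section, reads names by their Length field instead of a terminator, and rejects looping or over-deep trees. The sample bytes and the names read_name, walk, make_dir and SAMPLE are constructed for illustration; entry offsets are taken relative to the start of the resource section.

```python
import struct

HIGH = 0x80000000  # top bit: NameIsString (Name field) / DataIsDirectory (OffsetToData field)

def read_name(rsrc, field):
    """Return the integer Id, or the string an entry's NameOffset points to."""
    if not field & HIGH:                      # NameIsString == 0: Id is used directly
        return field & 0xFFFF
    off = field & 0x7FFFFFFF                  # offset from the start of the resource section
    (length,) = struct.unpack_from("<H", rsrc, off)   # Length counts UTF-16 code units
    raw = rsrc[off + 2 : off + 2 + 2 * length]
    if len(raw) != 2 * length:
        raise ValueError("name string runs past the end of the section")
    return raw.decode("utf-16-le")            # sliced by Length: there is no null terminator

def walk(rsrc, dir_off=0, path=(), seen=None):
    """Yield ((type, name, language), rva, size, code_page) for every data entry."""
    seen = set() if seen is None else seen
    if dir_off in seen or len(path) >= 3:     # loops and over-deep trees are malformed
        raise ValueError("malformed resource tree at offset %#x" % dir_off)
    seen.add(dir_off)
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(named + ids):              # entries follow the 16-byte directory header
        name, data = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        key = path + (read_name(rsrc, name),)
        if data & HIGH:                       # entry points to another directory
            yield from walk(rsrc, data & 0x7FFFFFFF, key, seen)
        else:                                 # entry points to IMAGE_RESOURCE_DATA_ENTRY
            rva, size, code_page, _ = struct.unpack_from("<IIII", rsrc, data)
            yield key, rva, size, code_page

def make_dir(named, ids, *entries):           # helper that builds the constructed sample
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    return head + b"".join(struct.pack("<II", n, d) for n, d in entries)

# Constructed section: type 10 -> name "CFG" -> language 0x409 -> one data entry
SAMPLE = (
    make_dir(0, 1, (10, HIGH | 24))           # type level, directory at offset 0
    + make_dir(1, 0, (HIGH | 88, HIGH | 48))  # name level at 24, string name at 88
    + make_dir(0, 1, (0x409, 72))             # language level at 48, data entry at 72
    + struct.pack("<IIII", 0x4100, 0x20, 1252, 0)
    + struct.pack("<H", 3) + "CFG".encode("utf-16-le")
)

if __name__ == "__main__":
    for leaf in walk(SAMPLE):
        print(leaf)
```

The RVA in each yielded tuple still has to be converted to a file offset through the section table before the resource bytes themselves can be read.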

Languages and Code Pages

The Language level of the Resource Table represents the language of the resources. Language identifiers consist of a primary language identifier and a sublanguage identifier, representing the language and the country/region, respectively.
Code pages are used to map character sets for non-Unicode applications. The code page for a resource is given in the IMAGE_RESOURCE_DATA_ENTRY structure. Information about a code page can be retrieved using the GetCPInfoEx function in the Windows API.
It is important to note that while language identifiers and code pages provide a way to support localization in Windows applications, they represent different aspects. Language identifiers are about linguistics while code pages are about character encoding.
Zack Yang