FindResource

From aldeid

Description

Used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malware's PE header.
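The .rsrc check described above can be scripted for triage. This is an added example, not code from the original page; the function names and the sample header bytes are constructed for illustration, and it goes slightly beyond the text by also reading the resource entry of the data directory, so a renamed resource section is still found.

```python
import struct

def find_resource_section(pe: bytes):
    """Return details of the section holding the PE resource directory, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt, = struct.unpack_from("<I", pe, 0x3C)              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24                                         # optional header start
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    n_dirs, = struct.unpack_from("<I", pe, dirs - 4)      # NumberOfRvaAndSizes
    rva = size = 0
    if n_dirs > 2:                                        # entry 2 = resource table
        rva, size = struct.unpack_from("<II", pe, dirs + 2 * 8)
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        in_dir = size and vaddr <= rva < vaddr + max(vsize, raw_size)
        if in_dir or name == ".rsrc":
            return {"section": name, "rva": vaddr, "raw_offset": raw_ptr,
                    "raw_size": raw_size, "directory_size": size}
    return None

def build_sample(with_resources=True):
    """Constructed minimal PE32 header blob (headers only, not a runnable program)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if with_resources:
        struct.pack_into("<II", opt, 96 + 2 * 8, 0x2000, 0x120)
    second = b".rsrc" if with_resources else b".data"
    sections = b"".join(
        struct.pack("<8sIIII16x", n, 0x1000, va, 0x200, off)
        for n, va, off in ((b".text", 0x1000, 0x400), (second, 0x2000, 0x600)))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    print(find_resource_section(build_sample(True)))
    print(find_resource_section(build_sample(False)))
```

The returned raw offset and size give the file range to carve and inspect for embedded strings, configuration, or payloads.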

Syntax

HRSRC WINAPI FindResource(
  _In_opt_  HMODULE hModule,
  _In_      LPCTSTR lpName,
  _In_      LPCTSTR lpType
);

Parameters

hModule [in, optional]
Type: HMODULE
A handle to the module whose portable executable file or an accompanying MUI file contains the resource. If this parameter is NULL, the function searches the module used to create the current process.
lpName [in]
Type: LPCTSTR
The name of the resource. Alternately, rather than a pointer, this parameter can be MAKEINTRESOURCE(ID), where ID is the integer identifier of the resource.
lpType [in]
Type: LPCTSTR
The resource type. Alternately, rather than a pointer, this parameter can be MAKEINTRESOURCE(ID), where ID is the integer identifier of the given resource type.

Return value

Type: HRSRC

If the function succeeds, the return value is a handle to the specified resource's information block. To obtain a handle to the resource, pass this handle to the LoadResource function.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Example

The following code targets the resource located in UNICODE > LOCALIZATION:

[Image: Resource in ResourceHacker]

Code:
.text:00401362
.text:00401362 loc_401362:             ; "UNICODE"
.text:00401362 push    offset Type
.text:00401367 push    offset Name     ; "LOCALIZATION"
.text:0040136C mov     eax, [ebp+hModule]
.text:0040136F push    eax             ; hModule
.text:00401370 call    ds:FindRes