LoadResource

From aldeid

Description

Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.

Malware sometimes uses resources to store strings, configuration information, or other malicious files.

Syntax

HGLOBAL WINAPI LoadResource(
  _In_opt_  HMODULE hModule,
  _In_      HRSRC hResInfo
);

Parameters

hModule [in, optional]
Type: HMODULE
A handle to the module whose executable file contains the resource. If hModule is NULL, the system loads the resource from the module that was used to create the current process.
hResInfo [in]
Type: HRSRC
A handle to the resource to be loaded. This handle is returned by the FindResource or FindResourceEx function.

Return value

Type: HGLOBAL

If the function succeeds, the return value is a handle to the data associated with the resource.

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Example

The extract below shows how the malware obtains a handle (hResInfo) to the resource of type "UNICODE" named "LOCALIZATION" with FindResourceA, and then passes that handle, together with hModule, to LoadResource. Both return values are compared against 0 (NULL) before they are used:

.text:00401362 loc_401362:                             ; CODE XREF: extractResource+2Dj
.text:00401362                 push    offset Type     ; "UNICODE"
.text:00401367                 push    offset Name     ; "LOCALIZATION"
.text:0040136C                 mov     eax, [ebp+hModule]
.text:0040136F                 push    eax             ; hModule
.text:00401370                 call    ds:FindResourceA
.text:00401376                 mov     [ebp+hResInfo], eax
.text:00401379                 cmp     [ebp+hResInfo], 0
.text:0040137D                 jnz     short loc_401386
.text:0040137F                 xor     eax, eax
.text:00401381                 jmp     loc_401447
.text:00401386 ; ---------------------------------------------------------------------------
.text:00401386
.text:00401386 loc_401386:                             ; CODE XREF: extractResource+51j
.text:00401386                 mov     ecx, [ebp+hResInfo]
.text:00401389                 push    ecx             ; hResInfo
.text:0040138A                 mov     edx, [ebp+hModule]
.text:0040138D                 push    edx             ; hModule
.text:0040138E                 call    ds:LoadResource
.text:00401394                 mov     [ebp+hResData], eax
.text:00401397                 cmp     [ebp+hResData], 0
.text:0040139B                 jnz     short loc_4013A2
.text:0040139D                 jmp     loc_40142D
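To see what FindResource and LoadResource actually walk, here is an added example (not code from aldeid or from the sample above) that parses the type > name > language tree of a .rsrc section image the way the loader does, and then triages the resources it finds. It assumes a resource section mapped at the constructed RVA 0x3000, builds an in-memory .rsrc image containing one resource of type "UNICODE" named "LOCALIZATION" (the names from the listing above) with a constructed high-entropy payload, and uses an entropy-plus-custom-type heuristic of my own to flag resources that look like embedded configuration or payloads. In a real module the pointer to the bytes comes from LockResource on the HGLOBAL that LoadResource returns; here the parser returns the bytes directly from the section image.

```python
import math
import struct

# Structure layouts from WinNT.h; these are what FindResource/LoadResource walk
# inside a mapped module's .rsrc section.
RES_DIR_FMT = "<IIHHHH"   # IMAGE_RESOURCE_DIRECTORY: ..., NumberOfNamedEntries, NumberOfIdEntries
RES_ENTRY_FMT = "<II"     # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name/Id, OffsetToData
RES_DATA_FMT = "<IIII"    # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (RVA), Size, CodePage, Reserved
HIGH_BIT = 0x80000000     # on Name: entry is a string name; on OffsetToData: entry is a subdirectory
RT_MAX_STANDARD = 24      # highest predefined RT_* type id (RT_MANIFEST)


def _read_name(rsrc, off):
    """Length-prefixed UTF-16LE string (IMAGE_RESOURCE_DIR_STRING_U)."""
    length = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def _walk(rsrc, dir_off, path, section_rva, out):
    """Depth-first walk of the type -> name -> language tree, collecting leaf blobs."""
    hdr = struct.unpack_from(RES_DIR_FMT, rsrc, dir_off)
    for i in range(hdr[4] + hdr[5]):
        name_or_id, off = struct.unpack_from(RES_ENTRY_FMT, rsrc, dir_off + 16 + 8 * i)
        key = _read_name(rsrc, name_or_id & ~HIGH_BIT) if name_or_id & HIGH_BIT else name_or_id
        if off & HIGH_BIT:
            _walk(rsrc, off & ~HIGH_BIT, path + (key,), section_rva, out)
        else:
            data_rva, size, _codepage, _reserved = struct.unpack_from(RES_DATA_FMT, rsrc, off)
            start = data_rva - section_rva  # RVA -> offset inside the section image
            out.append((path + (key,), rsrc[start:start + size]))


def parse_resources(rsrc, section_rva):
    """Return [((type, name, language), data_bytes), ...] for every leaf in the tree."""
    out = []
    _walk(rsrc, 0, (), section_rva, out)
    return out


def find_resource(entries, res_type, res_name):
    """Same lookup FindResource performs: match type, then name, any language."""
    for path, data in entries:
        if len(path) == 3 and path[0] == res_type and path[1] == res_name:
            return data
    return None


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum (uniform bytes, typical of encrypted/packed blobs)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_resources(entries, threshold=7.0):
    """Heuristic (mine, not Windows'): custom type + high entropy -> worth a closer look."""
    flagged = []
    for path, data in entries:
        custom_type = isinstance(path[0], str) or path[0] > RT_MAX_STANDARD
        ent = shannon_entropy(data)
        if custom_type and ent >= threshold:
            flagged.append((path, len(data), round(ent, 2)))
    return flagged


def build_sample_rsrc(section_rva, payload):
    """Constructed .rsrc image: root -> type "UNICODE" -> name "LOCALIZATION" -> lang 0x409 -> data."""
    def dir_hdr(named, ids):
        return struct.pack(RES_DIR_FMT, 0, 0, 0, 0, named, ids)

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    root_off, type_off, lang_off, data_off = 0x00, 0x18, 0x30, 0x48
    str1_off = 0x58                           # "UNICODE" (16 bytes)
    str2_off = str1_off + len(ustr("UNICODE"))  # "LOCALIZATION" (26 bytes)
    payload_off = 0x90
    buf = bytearray(payload_off + len(payload))
    buf[root_off:root_off + 24] = dir_hdr(1, 0) + struct.pack(
        RES_ENTRY_FMT, HIGH_BIT | str1_off, HIGH_BIT | type_off)
    buf[type_off:type_off + 24] = dir_hdr(1, 0) + struct.pack(
        RES_ENTRY_FMT, HIGH_BIT | str2_off, HIGH_BIT | lang_off)
    buf[lang_off:lang_off + 24] = dir_hdr(0, 1) + struct.pack(RES_ENTRY_FMT, 0x409, data_off)
    buf[data_off:data_off + 16] = struct.pack(RES_DATA_FMT, section_rva + payload_off, len(payload), 0, 0)
    buf[str1_off:str2_off] = ustr("UNICODE")
    name2 = ustr("LOCALIZATION")
    buf[str2_off:str2_off + len(name2)] = name2
    buf[payload_off:] = payload
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_rsrc(0x3000, bytes(range(256)) * 4)  # constructed, uniform bytes
    entries = parse_resources(sample, 0x3000)
    for path, data in entries:
        print(path, len(data), "bytes, entropy", round(shannon_entropy(data), 2))
    print("flagged:", suspicious_resources(entries))
```

Against a real file the same walk starts at the RVA in the second data directory (IMAGE_DIRECTORY_ENTRY_RESOURCE) of the optional header, and section_rva is the VirtualAddress of the section that contains it; the constructed section here keeps the example offline. The non-standard type string "UNICODE" is exactly the kind of detail the heuristic keys on, since legitimate resources almost always use the predefined RT_* ids.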