From aldeid


Loads a string resource from the executable file associated with a specified module, copies the string into a buffer, and appends a terminating null character.


int WINAPI LoadString(
  _In_opt_ HINSTANCE hInstance,
  _In_     UINT      uID,
  _Out_    LPTSTR    lpBuffer,
  _In_     int       nBufferMax
);


hInstance [in, optional]
A handle to an instance of the module whose executable file contains the string resource. To get the handle to the application itself, call the GetModuleHandle function with NULL.
uID [in]
Type: UINT
The identifier of the string to be loaded.
lpBuffer [out]
The buffer that receives the string. It must be of sufficient length to hold a pointer (8 bytes).
nBufferMax [in]
Type: int
The size of the buffer, in characters. The string is truncated and null-terminated if it is longer than the number of characters specified. If this parameter is 0, then lpBuffer receives a read-only pointer to the resource itself.

Return value

Type: int

If the function succeeds, the return value is the number of characters copied into the buffer, not including the terminating null character, or zero if the string resource does not exist. To get extended error information, call GetLastError.


Below is an example of malware retrieving its network beacon from a resource string with the LoadString function:

.text:004011D8 push    104h            ; cchBufferMax
.text:004011DD push    eax             ; lpBuffer
.text:004011DE push    1               ; uID
.text:004011E0 push    ecx             ; hInstance
.text:004011E1 call    ds:LoadStringA
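
When triaging a sample like the one above, the string that LoadString would return for a given uID can be recovered statically from the raw RT_STRING resource data, without running the binary. The Python code below is an added example, not part of the original page: it decodes the string-table block layout (16 length-prefixed UTF-16LE strings per block) and applies the nBufferMax truncation; the function names, the sample block and the example.com URL are constructed for illustration.

```python
import struct

def locate(uid):
    """Map a string ID to (RT_STRING block ID, slot): strings are stored in blocks of 16."""
    return (uid >> 4) + 1, uid & 0x0F

def parse_string_block(data):
    """Decode one block: 16 entries, each a WORD character count + UTF-16LE text, no NUL."""
    strings, off = [], 0
    for _ in range(16):
        if off + 2 > len(data):
            raise ValueError("truncated block: missing length word")
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        end = off + 2 * count
        if end > len(data):
            raise ValueError("truncated block: string runs past end of data")
        strings.append(data[off:end].decode("utf-16-le", errors="replace"))
        off = end
    return strings

def load_string(blocks, uid, n_buffer_max):
    """Return what LoadString would copy for uid, given {block ID: raw block bytes}."""
    block_id, slot = locate(uid)
    if block_id not in blocks:
        return ""                      # missing resource: LoadString returns 0
    text = parse_string_block(blocks[block_id])[slot]
    if n_buffer_max == 0:
        return text                    # caller gets a pointer to the whole resource
    return text[: n_buffer_max - 1]    # truncated, leaving room for the terminating null

def build_block(entries):
    """Build a constructed RT_STRING block from {slot: text} (sample data only)."""
    out = b""
    for slot in range(16):
        text = entries.get(slot, "")   # unused slots are stored as a zero length word
        out += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return out

# Constructed sample: string ID 1 (the uID pushed in the disassembly) is block 1, slot 1.
SAMPLE_BLOCKS = {1: build_block({1: "http://beacon.example.com/index.html"})}

if __name__ == "__main__":
    # 0x104 is the cchBufferMax value pushed before the call in the listing above.
    print(locate(1), repr(load_string(SAMPLE_BLOCKS, 1, 0x104)))
```

The raw block bytes can be taken from any PE resource viewer or parser; each RT_STRING entry in the resource directory is one block.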