Description

Loads a string resource from the executable file associated with a specified module, copies the string into a buffer, and appends a terminating null character.

Syntax

int WINAPI LoadString(
  _In_opt_ HINSTANCE hInstance,
  _In_     UINT      uID,
  _Out_    LPTSTR    lpBuffer,
  _In_     int       nBufferMax
);

Parameters

hInstance [in, optional]

Type: HINSTANCE

A handle to an instance of the module whose executable file contains the string resource. To get the handle to the application itself, call the GetModuleHandle function with NULL.

uID [in]

Type: UINT

The identifier of the string to be loaded.

lpBuffer [out]

Type: LPTSTR

The buffer is to receive the string. Must be of sufficient length to hold a pointer (8 bytes).

nBufferMax [in]

Type: int

The size of the buffer, in characters. The string is truncated and null-terminated if it is longer than the number of characters specified. If this parameter is 0, then lpBuffer receives a read-only pointer to the resource itself.

Return value

Type: int

If the function succeeds, the return value is the number of characters copied into the buffer, not including the terminating null character, or zero if the string resource does not exist. To get extended error information, call GetLastError.

Example

Below is the example of malware gathering it's networking becon via a resource string with the LoadString function:

.text:004011D8 push 104h ; cchBufferMax .text:004011DD push eax ; lpBuffer .text:004011DE push 1 ; uID .text:004011E0 push ecx ; hInstance .text:004011E1 call ds:LoadStringA