Windows Resource Dumper (resdump) from Clive Turvey

Clive Turvey has re-released the resource dumper for Windows that he and I first worked on back in the early 1990s. Yes, a utility first written in 1992 still works to display the internal representation of menus, dialogs, and other resources in Windows executable files:

RESDUMP v8.02c - Windows Resource Dumper - FREEWARE Edition
 Copyright (c) 1992-2017 Andrew Schulman undoc@sonic.net
 Copyright (c) 1995-2017 Clive Turvey cturvey@gmail.com
 All rights reserved. Non-Commercial use only

RESDUMP displays information about resources in a Windows .RES
 file or executable (EXE, DLL, DRV, etc.). Detailed information
 is provided for dialog boxes, controls, menus, string tables,
 accelerator tables, and version resources.

To display resources in a Windows .RES or executable:
 RESDUMP [options] res_or_exe_file
 example: resdump \windows\winfile.exe

To display resources only of a given type:
 RESDUMP -TYPE [type] res_or_exe_file
 example: resdump -type menu \windows\winfile.exe
 resdump -type menu -type dialog -hex \foo\bar.exe
 types: CURSOR BITMAP ICON MENU DIALOG STRINGTAB FONTDIR FONT
 ACCEL RCDATA ERRORTAB CURSDIR ICONDIR NAMETAB VERSION
To also display (x,y) locations for dialog items: -VERBOSE
 To also dump bytes (hex) for each resource: -HEX
 For Windows 1.0 programs: -WIN10
 To disable ANSI to OEM conversion (Japan): -DBCS
 To dump any readable text for unknown resource types: -STRINGS
Also works with Win32 (NT) portable executable (PE) files

Resources may be in MUI (multilingual user interface) files rather than in EXE or DLL files; resdump also works on MUI files.

For example, a small dialog from \windows\system32\en-US\ieframe.dll.mui:

DIALOG #00000154h
 Language 1033 (US English)
 Style: SETFONT MODALFRAME CENTER
 Menu: ""
 Class: ""
 Caption: "New Folder"
 Font: "MS Shell Dlg" (8 Pt.)
 4294967295 (FFFFFFFFh) STATIC 50020000 "Folder &Name:"
 337 (00000151h) EDIT 50810080 ""
 4294967295 (FFFFFFFFh) STATIC 50020000 "C&reate in:"
 338 (00000152h) "ComboBoxEx32" 50210003 ""
 1 (00000001h) BUTTON 50010001 "Cre&ate"
 2 (00000002h) BUTTON 50010000 "Cancel"

Similarly, a popup menu from \windows\system32\en-US\ieframe.dll.mui:

MENU #00000108h
 Language 1033 (US English)
 POPUP ""
 41511 (0000A227h) "&Menu bar"
 41478 (0000A206h) "&Favorites bar"
 41481 (0000A209h) "&Command bar"
 41474 (0000A202h) "&Status bar"
 41480 (0000A208h) "" SEPARATOR
 42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
 41484 (0000A20Ch) "&Lock the toolbars"
 END

The ID numbers can often be correlated with disassembly listings generated, for example, by Clive Turvey’s dumppe (see here) or by IDA Pro. For example:

dumppe -getsym -disasm \windows\system32\ieframe.dll > ieframe.a

resdump \windows\system32\en-US\ieframe.dll.mui > ieframe.dmp

Search the disassembly listing for “unusual” hex numbers appearing in the resource dump, such as 0A227h (“&Menu bar”) from the popup menu above:

10341161 6A01         push 1
10341163 6827A20000   push 0A227h
10341168 56           push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]

This can probably be relabeled:

10341161 6A01         push 1
10341163 6827A20000   push MENU_BAR ;; 0A227h
10341168 56           push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]

Similarly:

10341120 68D0A50000   push 0A5D0h
10341125 56           push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
1034112C EB24         jmp loc_10341152

can at least provisionally be relabeled (only “probably” and “provisionally” because of course these numbers, while “unusual,” may represent something else):

10341120 68D0A50000   push DISABLE_TOOLBARS_INPRIVATE ;; 0A5D0h
10341125 56           push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
1034112C EB24         jmp loc_10341152
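The correlation step above, searching the listing for the resource dump's "unusual" hex immediates and relabeling them while keeping the match provisional, as an added Python example that is not part of resdump or dumppe. It parses MENU and DIALOG item lines in the formats shown on this page, rewrites matching `push <hex>h` lines with a `;;` comment in the page's style, and flags an ID that appears with more than one label; the sample inputs are constructed from the fragments above, and the symbol names are generated mechanically rather than chosen by hand as MENU_BAR was.

```python
import re
# Constructed sample: resdump item lines in the MENU and DIALOG formats shown on this page.
RESDUMP_OUT = """MENU #00000108h
 41511 (0000A227h) "&Menu bar"
 41480 (0000A208h) "" SEPARATOR
 42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
DIALOG #00000154h
 338 (00000152h) "ComboBoxEx32" 50210003 ""
 1 (00000001h) BUTTON 50010001 "Cre&ate\""""
# Constructed sample: dumppe-style listing lines (addresses and bytes copied from the page).
DISASM = """10341161 6A01         push 1
10341163 6827A20000   push 0A227h
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]
10341120 68D0A50000   push 0A5D0h"""

HDR_RE = re.compile(r'^(MENU|DIALOG)\s+#([0-9A-Fa-f]+)h')
ITEM_RE = re.compile(r'^\s*\d+\s+\(([0-9A-Fa-f]{8})h\)\s+'
                     r'(?:"?\w+"?\s+[0-9A-Fa-f]{8}\s+)?"([^"]*)"')  # optional class+style (dialog items)
PUSH_RE = re.compile(r'^(\S+\s+\S+\s+push\s+)([0-9A-Fa-f]+)h\b')

def parse_resource_ids(text, min_id=256):
    """Map item ID -> [(label, owning resource)]; skip -1 placeholders, empty
    labels and small IDs (IDOK=1, IDCANCEL=2) that are too common to be 'unusual'."""
    ids, owner = {}, '?'
    for line in text.splitlines():
        h, m = HDR_RE.match(line), ITEM_RE.match(line)
        if h:
            owner = f'{h.group(1)} #{h.group(2)}h'
        elif m:
            ident, label = int(m.group(1), 16), m.group(2)
            if label and min_id <= ident < 0xFFFFFFFF:
                ids.setdefault(ident, []).append((label, owner))
    return ids

def make_symbol(label, max_words=4):
    """'&Menu bar' -> 'MENU_BAR': drop mnemonic ampersands, keep the first few words."""
    words = re.findall(r'[A-Za-z0-9]+', label.replace('&', ''))
    return '_'.join(w.upper() for w in words[:max_words])

def relabel(disasm, ids):
    """Rewrite 'push <hex>h' lines whose immediate is a known item ID; a collision is flagged, not resolved."""
    out = []
    for line in disasm.splitlines():
        m = PUSH_RE.match(line)
        hits = ids.get(int(m.group(2), 16)) if m else None
        if hits:
            label, owner = hits[0]
            flag = ' AMBIGUOUS' if len(hits) > 1 else ''
            line = f'{m.group(1)}{make_symbol(label)} ;; {m.group(2)}h = {owner} "{label}"{flag}'
        out.append(line)
    return out
```

On real input, feed it the two files produced by the dumppe and resdump commands above; a relabeled line is a lead to verify against the surrounding code, not a confirmed symbol.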

To dump resources for more than one file, use the for command. For example:

for %f in (\windows\system32\en-US\*.mui) do resdump "%f" >> mui_resdump.txt

The -strings option will display readable text for any resource type unknown to resdump. For example, WordPad uses a “ribbon”:

resdump -strings "C:\progra~1\Windows NT\Accessories\wordpad.exe"

"UIFILE" "WORDPAD_RIBBON"
 Language 1033 (US English)
 ...
 WordpadOleObjectPopUpMenuNItems
 WordpadPicturePopUpMenue}
 WordpadTextPopUpMenu
 cmdRedo
 cmdUndo
 cmdQAT
 cmdClosePreviewCommand
 cmdChunkPreviewClose
 cmdNextPageCommand
 cmdPrevPageCommand
 cmdChunkPreviewPage
 ...

Download link: resdump_for_windows
