Clive Turvey has re-released the resource dumper for Windows that he and I first worked on back in the early 1990s. Yes, a utility first written in 1992 still works to display the internal representation of menus, dialogs, and other resources in Windows executable files:
    RESDUMP v8.02c - Windows Resource Dumper - FREEWARE Edition
    Copyright (c) 1992-2017 Andrew Schulman undoc@sonic.net
    Copyright (c) 1995-2017 Clive Turvey cturvey@gmail.com
    All rights reserved. Non-Commercial use only

    RESDUMP displays information about resources in a Windows .RES file or
    executable (EXE, DLL, DRV, etc.). Detailed information is provided for
    dialog boxes, controls, menus, string tables, accelerator tables, and
    version resources.

    To display resources in a Windows .RES or executable:
        RESDUMP [options] res_or_exe_file
        example: resdump \windows\winfile.exe

    To display resources only of a given type:
        RESDUMP -TYPE [type] res_or_exe_file
        example: resdump -type menu \windows\winfile.exe
                 resdump -type menu -type dialog -hex \foo\bar.exe
        types: CURSOR BITMAP ICON MENU DIALOG STRINGTAB FONTDIR FONT ACCEL
               RCDATA ERRORTAB CURSDIR ICONDIR NAMETAB VERSION

    To also display (x,y) locations for dialog items: -VERBOSE
    To also dump bytes (hex) for each resource: -HEX
    For Windows 1.0 programs: -WIN10
    To disable ANSI to OEM conversion (Japan): -DBCS
    To dump any readable text for unknown resource types: -STRINGS

    Also works with Win32 (NT) portable executable (PE) files
Resources may be in MUI (multilingual user interface) files rather than in EXE or DLL files; resdump also works on MUI files.
For example, a small dialog from \windows\system32\en-US\ieframe.dll.mui:
    DIALOG #00000154h Language 1033 (US English)
    Style: SETFONT MODALFRAME CENTER
    Menu: ""
    Class: ""
    Caption: "New Folder"
    Font: "MS Shell Dlg" (8 Pt.)
    4294967295 (FFFFFFFFh) STATIC 50020000 "Folder &Name:"
    337 (00000151h) EDIT 50810080 ""
    4294967295 (FFFFFFFFh) STATIC 50020000 "C&reate in:"
    338 (00000152h) "ComboBoxEx32" 50210003 ""
    1 (00000001h) BUTTON 50010001 "Cre&ate"
    2 (00000002h) BUTTON 50010000 "Cancel"
Similarly, a popup menu from \windows\system32\en-US\ieframe.dll.mui:
    MENU #00000108h Language 1033 (US English)
    POPUP ""
    41511 (0000A227h) "&Menu bar"
    41478 (0000A206h) "&Favorites bar"
    41481 (0000A209h) "&Command bar"
    41474 (0000A202h) "&Status bar"
    41480 (0000A208h) ""
    SEPARATOR
    42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
    41484 (0000A20Ch) "&Lock the toolbars"
    END
The ID numbers can often be correlated with disassembly listings generated, for example, by Clive Turvey’s dumppe (see here) or by IDA Pro. For example:
    dumppe -getsym -disasm \windows\system32\ieframe.dll > ieframe.a
    resdump \windows\system32\en-US\ieframe.dll.mui > ieframe.dmp
Search the disassembly listing for “unusual” hex numbers appearing in the resource dump, such as 0A227h (“&Menu bar”) from the popup menu above:
    10341161 6A01 push 1
    10341163 6827A20000 push 0A227h
    10341168 56 push esi
    10341169 FF158CDC5810 call dword ptr [EnableMenuItem]
This can probably be relabeled:
    10341161 6A01 push 1
    10341163 6827A20000 push MENU_BAR ;; 0A227h
    10341168 56 push esi
    10341169 FF158CDC5810 call dword ptr [EnableMenuItem]
Similarly:
    10341120 68D0A50000 push 0A5D0h
    10341125 56 push esi
    10341126 FF152CDA5810 call dword ptr [DeleteMenu]
    1034112C EB24 jmp loc_10341152
can at least provisionally be relabeled (only “probably” and “provisionally” because of course these numbers, while “unusual,” may represent something else):
    10341120 68D0A50000 push DISABLE_TOOLBARS_INPRIVATE ;; 0A5D0h
    10341125 56 push esi
    10341126 FF152CDA5810 call dword ptr [DeleteMenu]
    1034112C EB24 jmp loc_10341152
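The manual search-and-relabel step above can be scripted. The following is an added example, not part of resdump or dumppe: it assumes the line layouts shown in the excerpts on this page, the function names are hypothetical, and the labels are derived mechanically from the captions, so they differ from the hand-chosen names above.

```python
import re

# Constructed sample input: excerpts of the resdump and dumppe output shown above.
RESDUMP = '''\
MENU #00000108h Language 1033 (US English)
POPUP ""
41511 (0000A227h) "&Menu bar"
41478 (0000A206h) "&Favorites bar"
42448 (0000A5D0h) "Disab&le toolbars and extensions when InPrivate Browsing starts"
END
'''
DISASM = '''\
10341120 68D0A50000 push 0A5D0h
10341125 56 push esi
10341126 FF152CDA5810 call dword ptr [DeleteMenu]
1034112C EB24 jmp loc_10341152
10341161 6A01 push 1
10341163 6827A20000 push 0A227h
10341168 56 push esi
10341169 FF158CDC5810 call dword ptr [EnableMenuItem]
'''

ITEM = re.compile(r'^\s*\d+ \(([0-9A-F]{8})h\)\s+"([^"]+)"', re.M)  # menu item with a caption
IMM = re.compile(r'^([0-9A-F]{8}) \S+ +\w+ .*?\b([0-9A-F]+)h\b')    # address ... hex immediate
CALL = re.compile(r'\bcall\b.*\[(\w+)\]')                           # imported API being called

def labels(resdump_text, min_id=0x100):
    """Map ID -> label built from the caption; small IDs are too common to be 'unusual'."""
    out = {}
    for hex_id, caption in ITEM.findall(resdump_text):
        value = int(hex_id, 16)
        if value >= min_id:
            out[value] = re.sub(r'\W+', '_', caption.replace('&', '')).strip('_').upper()
    return out

def correlate(resdump_text, disasm_text, lookahead=3):
    """Return (address, label, next_call) for each immediate that equals a resource ID."""
    ids, lines, hits = labels(resdump_text), disasm_text.splitlines(), []
    for i, line in enumerate(lines):
        m = IMM.match(line)
        if m and int(m.group(2), 16) in ids:
            calls = (CALL.search(nxt) for nxt in lines[i + 1:i + 1 + lookahead])
            api = next((c.group(1) for c in calls if c), None)
            hits.append((m.group(1), ids[int(m.group(2), 16)], api))
    return hits

if __name__ == "__main__":
    for addr, label, api in correlate(RESDUMP, DISASM):
        print(f"{addr}  {label}  (next call: {api})")
```

A hit that is followed within a few instructions by a menu API such as EnableMenuItem or DeleteMenu is stronger evidence than a bare numeric match, but the relabeling stays provisional for the reason given above.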
To dump resources for more than one file, use the for command. For example:
    for %f in (\windows\system32\en-US\*.mui) do resdump "%f" >> mui_resdump.txt
The -strings option will display readable text for any resource type unknown to resdump. For example, WordPad uses a “ribbon”:
    resdump -strings "C:\progra~1\Windows NT\Accessories\wordpad.exe"

    "UIFILE" "WORDPAD_RIBBON" Language 1033 (US English)
    ...
    WordpadOleObjectPopUpMenuNItems
    WordpadPicturePopUpMenue}
    WordpadTextPopUpMenu
    cmdRedo
    cmdUndo
    cmdQAT
    cmdClosePreviewCommand
    cmdChunkPreviewClose
    cmdNextPageCommand
    cmdPrevPageCommand
    cmdChunkPreviewPage
    ...
Download link: resdump_for_windows