rbmm · September 21, 2024 10:00
diff --git a/gistfile1.txt b/gistfile1.txt
 void saw(PBYTE Base, PIMAGE_RESOURCE_DIRECTORY pird, ULONG Level, PCSTR prefix)
 {
 	PIMAGE_RESOURCE_DIRECTORY_ENTRY Entry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pird + 1);

 	if (ULONG n = pird->NumberOfNamedEntries + pird->NumberOfIdEntries)
 	{
 		do 
 		{
 			WCHAR name[16];
 			UNICODE_STRING Name;
 			if (Entry->NameIsString)
 			{
 				PIMAGE_RESOURCE_DIR_STRING_U ps = (PIMAGE_RESOURCE_DIR_STRING_U)(Base + Entry->NameOffset);
 				Name.MaximumLength = Name.Length = ps->Length * sizeof(WCHAR);
 				Name.Buffer = ps->NameString;
 			}
 			else
 			{
 				if (2 == Level)
 				{
 					if (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_UK) == Entry->Id)
 					{
 						Entry->Id = MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US);
 					}
 				}
 				swprintf_s(name, _countof(name), L"#%x", Entry->Id);
 				RtlInitUnicodeString(&Name, name);
 			}

 			union {
 				PBYTE pv;
 				PIMAGE_RESOURCE_DIRECTORY p;
 				PIMAGE_RESOURCE_DATA_ENTRY pirde;
 			};

 			pv = Base + Entry->OffsetToDirectory;

 			DbgPrint("%s%wZ", prefix, &Name);
 			if (Entry->DataIsDirectory)
 			{
 				DbgPrint("\n");
 				saw(Base, p, Level + 1, prefix - 1);
 			}
 			else
 			{
 				DbgPrint(": [%x] (%x) %x\n", pirde->Size, pirde->CodePage, pirde->OffsetToData);
 			}
 			
 		} while (Entry++, --n);
 	}
 }

 NTSTATUS saw(PCWSTR psz)
 {
 	NTSTATUS status;
 	UNICODE_STRING ObjectName;
 	if (0 <= (status = RtlDosPathNameToNtPathName_U_WithStatus(psz, &ObjectName, 0, 0)))
 	{
 		OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE };
 		IO_STATUS_BLOCK iosb;
 		status = NtOpenFile(&oa.RootDirectory, FILE_ALL_ACCESS, &oa,  &iosb, 0, FILE_SYNCHRONOUS_IO_NONALERT);
 		RtlFreeUnicodeString(&ObjectName);

 		if (0 <= status)
 		{
 			HANDLE hSection;
 			status = NtCreateSection(&hSection, SECTION_MAP_WRITE|SECTION_MAP_READ, 0, 0, PAGE_READWRITE, SEC_COMMIT, oa.RootDirectory);
 			NtClose(oa.RootDirectory);
 			if (0 <= status)
 			{
 				PVOID BaseAddress = 0;
 				SIZE_T ViewSize = 0;
 				status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 
 					0, 0, 0, &ViewSize, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);//PAGE_READONLY // 
 				NtClose(hSection);
 				if (0 <= status)
 				{
 					ULONG s;
 					if (PIMAGE_RESOURCE_DIRECTORY pird = (PIMAGE_RESOURCE_DIRECTORY)RtlImageDirectoryEntryToData(
 						BaseAddress, FALSE, IMAGE_DIRECTORY_ENTRY_RESOURCE, &s))
 					{
 						char prefix[16];
 						memset(prefix, '\t', sizeof(prefix));
 						prefix[_countof(prefix) - 1] = 0;
 						saw((PBYTE)pird, pird, 0, prefix + _countof(prefix) - 1);
 					}
 					ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
 				}
 			}
 		}
 	}

 	return status;
 }
	void saw(PBYTE Base, PIMAGE_RESOURCE_DIRECTORY pird, ULONG Level, PCSTR prefix)
	{
	PIMAGE_RESOURCE_DIRECTORY_ENTRY Entry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pird + 1);

	if (ULONG n = pird->NumberOfNamedEntries + pird->NumberOfIdEntries)
	{
	do
	{
	WCHAR name[16];
	UNICODE_STRING Name;
	if (Entry->NameIsString)
	{
	PIMAGE_RESOURCE_DIR_STRING_U ps = (PIMAGE_RESOURCE_DIR_STRING_U)(Base + Entry->NameOffset);
	Name.MaximumLength = Name.Length = ps->Length * sizeof(WCHAR);
	Name.Buffer = ps->NameString;
	}
	else
	{
	if (2 == Level)
	{
	if (MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_UK) == Entry->Id)
	{
	Entry->Id = MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US);
	}
	}
	swprintf_s(name, _countof(name), L"#%x", Entry->Id);
	RtlInitUnicodeString(&Name, name);
	}

	union {
	PBYTE pv;
	PIMAGE_RESOURCE_DIRECTORY p;
	PIMAGE_RESOURCE_DATA_ENTRY pirde;
	};

	pv = Base + Entry->OffsetToDirectory;

	DbgPrint("%s%wZ", prefix, &Name);
	if (Entry->DataIsDirectory)
	{
	DbgPrint("\n");
	saw(Base, p, Level + 1, prefix - 1);
	}
	else
	{
	DbgPrint(": [%x] (%x) %x\n", pirde->Size, pirde->CodePage, pirde->OffsetToData);
	}

	} while (Entry++, --n);
	}
	}

	NTSTATUS saw(PCWSTR psz)
	{
	NTSTATUS status;
	UNICODE_STRING ObjectName;
	if (0 <= (status = RtlDosPathNameToNtPathName_U_WithStatus(psz, &ObjectName, 0, 0)))
	{
	OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName, OBJ_CASE_INSENSITIVE };
	IO_STATUS_BLOCK iosb;
	status = NtOpenFile(&oa.RootDirectory, FILE_ALL_ACCESS, &oa, &iosb, 0, FILE_SYNCHRONOUS_IO_NONALERT);
	RtlFreeUnicodeString(&ObjectName);

	if (0 <= status)
	{
	HANDLE hSection;
	status = NtCreateSection(&hSection, SECTION_MAP_WRITE\|SECTION_MAP_READ, 0, 0, PAGE_READWRITE, SEC_COMMIT, oa.RootDirectory);
	NtClose(oa.RootDirectory);
	if (0 <= status)
	{
	PVOID BaseAddress = 0;
	SIZE_T ViewSize = 0;
	status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress,
	0, 0, 0, &ViewSize, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);//PAGE_READONLY //
	NtClose(hSection);
	if (0 <= status)
	{
	ULONG s;
	if (PIMAGE_RESOURCE_DIRECTORY pird = (PIMAGE_RESOURCE_DIRECTORY)RtlImageDirectoryEntryToData(
	BaseAddress, FALSE, IMAGE_DIRECTORY_ENTRY_RESOURCE, &s))
	{
	char prefix[16];
	memset(prefix, '\t', sizeof(prefix));
	prefix[_countof(prefix) - 1] = 0;
	saw((PBYTE)pird, pird, 0, prefix + _countof(prefix) - 1);
	}
	ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
	}
	}
	}
	}

	return status;
	}