The following information was supplied by Michael Calkins in a member’s request to find a way to extract icons from EXE files. There is no warranty implied and users should use the information and code at their own risk! We are not responsible for any damages!
COFF Specifications
There are 3 layers to the resource tables, Type, Name, and Language, The Microsoft PE and COFF specifications can be found here:
http://msdn.microsoft.com/en-us/windows/hardware/gg463119
Image Extraction Procedure
DIM nam AS STRING * 8
DIM fil AS STRING
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM coff AS _UNSIGNED LONG
DIM SectionTable AS _UNSIGNED LONG
DIM ImageBase AS _UNSIGNED LONG
DIM rsrc AS _UNSIGNED LONG
DIM pe32plus AS LONG
DIM w AS _UNSIGNED INTEGER
DIM SizeOfOptionalHeader AS _UNSIGNED INTEGER
DIM SHARED NumberOfSections AS _UNSIGNED INTEGER
DIM NumberOfRvaAndSizes AS _UNSIGNED LONG
CLS
LINE INPUT "Name of the PE image to open? "; fil
IF _FILEEXISTS(fil) = 0 THEN PRINT "File not found.": END
OPEN fil FOR BINARY ACCESS READ AS 1
GET 1, 1 + 0, w
IF w <> &H5A4D THEN PRINT "No MZ signature.": END
GET 1, 1 + &H3C, dw
coff = dw + 4
GET 1, dw + 1, dw
IF dw <> &H4550& THEN PRINT "No PE signature.": END
GET 1, 1 + coff + 2, NumberOfSections
IF NumberOfSections = 0 THEN PRINT "No sections.": END
PRINT "NumberOfSections:"; NumberOfSections
DIM SHARED secsva(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
DIM SHARED secsfp(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
GET 1, 1 + coff + 16, SizeOfOptionalHeader
IF SizeOfOptionalHeader = 0 THEN PRINT "No optional header.": END
PRINT "SizeOfOptionalHeader:", SPACE$(4); word$(SizeOfOptionalHeader)
GET 1, 1 + coff + 20, w
SELECT CASE w
CASE &H10B: pe32plus = 0: PRINT "PE32"
CASE &H20B: pe32plus = -1: PRINT "PE32+"
CASE ELSE: PRINT "Unknown Magic.": END
END SELECT
GET 1, 1 + coff + 20 + 28 + (-4 AND pe32plus), ImageBase
PRINT "ImageBase:", "", dword$(ImageBase)
GET 1, 1 + coff + 20 + 92 + (16 AND pe32plus), NumberOfRvaAndSizes
IF NumberOfRvaAndSizes < 3 THEN PRINT "No resource table.": END
PRINT "NumberOfRvaAndSizes:"; NumberOfRvaAndSizes
GET 1, 1 + coff + 20 + 112 + (16 AND pe32plus), rsrc
PRINT "Rva of resource table:", dword$(rsrc)
GET 1, 1 + coff + 20 + 4 + 112 + (16 AND pe32plus), dw
PRINT "Size of resource table:", dword$(dw)
IF (rsrc = 0) OR (dw = 0) THEN PRINT "No resource table.": END
SectionTable = coff + 20 + SizeOfOptionalHeader
PRINT "section", "va", "file ptr"
FOR w = 0 TO NumberOfSections - 1
GET 1, 1 + SectionTable + (40 * w), nam
GET 1, 1 + SectionTable + 12 + (40 * w), ul
GET 1, 1 + SectionTable + 20 + (40 * w), dw
PRINT nam, dword$(ul), dword$(dw)
secsva(w) = ul
secsfp(w) = dw
NEXT
PRINT
PRINT "Proceed? ";
DO
k = LCASE$(INKEY$)
IF k = "n" THEN PRINT k: END
LOOP UNTIL k = "y"
PRINT k
processtable rva2fp(rsrc), rva2fp(rsrc), 0
SYSTEM
SUB processtable (bs AS _UNSIGNED LONG, addr AS _UNSIGNED LONG, level AS INTEGER)
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM numnamest8 AS _UNSIGNED LONG
DIM dat AS _UNSIGNED LONG
DIM siz AS _UNSIGNED LONG
DIM so AS LONG
DIM sc AS LONG
DIM numnames AS _UNSIGNED INTEGER
DIM numids AS _UNSIGNED INTEGER
DIM w AS _UNSIGNED INTEGER
DIM ln AS _UNSIGNED INTEGER
DIM x AS _UNSIGNED INTEGER
DIM y AS _UNSIGNED INTEGER
DIM b AS _UNSIGNED _BYTE
GET 1, 1 + addr + 12, numnames
GET 1, 1 + addr + 14, numids
DIM nams(0 TO numnames + (numnames > 0)) AS STRING
DIM namsrva(0 TO numnames + (numnames > 0)) AS _UNSIGNED LONG
DIM ids(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
DIM idsrva(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
'get named entries
FOR x = 0 TO numnames - 1
GET 1, 1 + addr + 16 + (x * 8), dw
dw = rva2fp(dw)
GET 1, 1 + dw, ln
FOR y = 0 TO ln - 1
GET 1, , w
SELECT CASE w
CASE &H20 TO &H7E: nams(x) = nams(x) + CHR$(w)
CASE ELSE: nams(x) = nams(x) + CHR$(&H1A)
END SELECT
IF y = 68 THEN EXIT FOR
NEXT
GET 1, 1 + addr + 16 + 4 + (x * 8), namsrva(x)
NEXT
'get numbered entries:
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET 1, 1 + addr + 16 + numnamest8 + (x * 8), ids(x)
GET 1, 1 + addr + 16 + 4 + numnamest8 + (x * 8), idsrva(x)
NEXT
'display:
VIEW PRINT
DO
CLS 0 'qb64 bug? not locating to 1,1?
LOCATE 1, 1
SELECT CASE level
CASE 0: PRINT "1st level - Type";
CASE 1: PRINT "2nd level - Name";
CASE 2: PRINT "3rd level - Language";
CASE ELSE: PRINT LTRIM$(STR$(level)) + "th level";
END SELECT
PRINT "", "file ptr: "; dword$(addr); ". Press 'D' to dump."
PRINT numnames; "names in this level, in this branch."
PRINT numids; "IDs in this level, in this branch."
IF (numnames OR numids) = 0 THEN
IF level THEN
PRINT "Press any key to go up one level."
SLEEP: DO: LOOP WHILE LEN(INKEY$)
EXIT SUB
ELSE
END
END IF
END IF
PRINT "names are unicode. For simplicity, non ASCII chars will be shown as " + CHR$(&H1A) + "."
IF level THEN
PRINT "BKSP or ESC to go up one level."
ELSE
PRINT "BKSP or ESC to exit."
END IF
PRINT "UP, DOWN, PGUP, PGDN, HOME, END to navigate list."
PRINT "ENTER to select."
PRINT STRING$(80, &HC4);
LOCATE 22, 1
PRINT STRING$(80, &HC4);
sc = 0
so = 0
DO
COLOR 7, 0
LOCATE 8, 1: PRINT dword$(sc)
FOR x = 0 TO 11
LOCATE 10 + x, 1
IF x + so = sc THEN COLOR 15, 1 ELSE COLOR 7, 0
IF (x + so) < numnames THEN
PRINT nams(x + so); SPACE$(70 - LEN(nams(x + so)));
PRINT dword$(bs + (namsrva(x + so) AND &H7FFFFFFF&));
COLOR 7, 0
LOCATE 7, 18
IF namsrva(x + so) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSEIF (x + so) < (numnames + numids) THEN
PRINT "ID: " + dword$(ids(x + so - numnames)); SPACE$(56);
PRINT dword$(bs + (idsrva(x + so - numnames)));
COLOR 7, 0
LOCATE 7, 18
IF idsrva(x + (so - numnames)) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSE
PRINT SPACE$(80);
END IF
NEXT
DO
k = INKEY$
LOOP UNTIL LEN(k)
SELECT CASE k
CASE "d", "D"
dump addr
EXIT DO
CASE MKI$(&H4800) 'up
IF sc > 0 THEN
sc = sc - 1
IF sc < so THEN so = sc
END IF
CASE MKI$(&H5000) 'down
IF sc < (numnames + numids - 1) THEN
sc = sc + 1
IF sc > (so + 11) THEN
so = sc - 11
IF so > sc THEN so = 0 'unsigned
END IF
END IF
CASE MKI$(&H4700) 'home
sc = 0
so = 0
CASE MKI$(&H4F00) 'end
sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE MKI$(&H4900) 'pgup
sc = sc - 12
so = so - 12
IF sc < 0 THEN sc = 0
IF so < 0 THEN so = 0
CASE MKI$(&H5100) 'pgdn
sc = sc + 12
IF sc > (numnames + numids - 1) THEN sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE CHR$(&H8), CHR$(&H1B) 'bksp, esc
EXIT SUB
CASE CHR$(&HD) 'enter
IF sc < numnames THEN
dw = namsrva(sc)
ELSE
dw = idsrva(sc - numnames)
END IF
IF dw AND &H80000000~& THEN
'the spec says its an rfa, but it seems to be an offset in the section/table
processtable bs, bs + (dw AND &H7FFFFFFF&), level + 1
EXIT DO
ELSE
'the spec says its an rfa, but it seems to be an offset in the section/table
dw = bs + dw
GET 1, 1 + dw, dat
GET 1, 1 + 4 + dw, siz
LOCATE 24, 1
PRINT dword$(siz) + " bytes.";
LOCATE 23, 1
LINE INPUT "(leave blank to cancel) Output file? "; k
IF LEN(k) THEN
IF _FILEEXISTS(k) THEN
PRINT
PRINT "File already exists.";
ELSE
OPEN k FOR BINARY AS 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
GET 1, , b
PUT 2, , b
NEXT
CLOSE 2
PRINT
PRINT "Done.";
END IF
SLEEP: DO: LOOP WHILE LEN(INKEY$)
END IF
EXIT DO
END IF
END SELECT
LOOP
LOOP
END SUB
FUNCTION word$ (w AS _UNSIGNED INTEGER)
DIM t AS STRING
t = LCASE$(HEX$(w))
word = "0x" + STRING$(4 - LEN(t), &H30) + t
END FUNCTION
FUNCTION dword$ (dw AS _UNSIGNED LONG)
DIM t AS STRING
t = LCASE$(HEX$(dw))
dword = "0x" + STRING$(8 - LEN(t), &H30) + t
END FUNCTION
FUNCTION rva2fp~& (rva AS _UNSIGNED LONG)
DIM w AS _UNSIGNED INTEGER
FOR w = 0 TO NumberOfSections - 1
IF rva < secsva(w) THEN EXIT FOR
NEXT
w = w - 1
IF w > NumberOfSections - 1 THEN PRINT dword$(rva), w: SLEEP
rva2fp = rva + (secsfp(w) - secsva(w))
END FUNCTION
SUB dump (addr AS _UNSIGNED LONG)
DIM t AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM b AS _UNSIGNED _BYTE
VIEW PRINT
ul = addr
DO
COLOR 7, 0
CLS 0
SEEK 1, 1 + ul
FOR dw = ul TO (ul AND &HFFFFFFF0) + &H15F
IF (1 + ul) > LOF(1) THEN EXIT FOR
GET 1, , b
IF (dw AND &HF) = 0 THEN
t = LCASE$(HEX$(dw))
COLOR 7
PRINT STRING$(8 - LEN(t), &H30) + t; SPACE$(2);
END IF
IF (dw AND &H4) THEN COLOR 3 ELSE COLOR 2
LOCATE , 14 + ((dw AND &HF) * 3)
t = LCASE$(HEX$(b))
IF b < &H10 THEN PRINT "0" + t; ELSE PRINT t;
LOCATE , 65 + (dw AND &HF)
SELECT CASE b
CASE 7, 9 TO &HD, &H1F: PRINT ".";
CASE ELSE: PRINT CHR$(b);
END SELECT
NEXT
PRINT
COLOR 7
LINE INPUT "(leave blank to cancel) Address: 0x"; t
IF LTRIM$(t) = "" THEN EXIT DO
ul = VAL("&h" + t + "&") AND &H7FFFFFFF
LOOP
END SUB
Public domain October 2011 by Michael Calkins based on the Microsoft PE and COFF spec, Revision 8.2 - September 21, 2010
If you open c:\windows\system32\shell32.dll, and save the first item (descend the first entry, then the first entry of the next level, etc), it’s an .AVI file of a flashlight searching a folder. If you go down the first entry of the first level, but the last entry of the second level, it’s an .AVI of a globe throwing a page at a folder. Save both files as AVI to view the video.
I wouldn’t consider the program finished. There’s some double checking, tweaking, and optimizing that could be done. For example, the dump sub could probably use an extra variable, and could probably use some increased functionality. I wrote it to help me debug the part that reads the resource tables. As I say in the comments, the part that gives the address of either the “leaf” or the next table lower seems to be relative to the start of the main table or section, not an actual RVA.
With things like:
GET 1, 1 + coff + 20 + 28 + (-4 AND pe32plus), ImageBase
That could obviously be optimized by combining the 1 + 20 + 28. By leaving it uncombined, though, it documents itself better in terms of helping the human reader match it up with the specification. 1 because QBASIC’s GET/PUT/SEEK idiotically starts at 1 instead of 0. Coff because we want an offset from the start of the coff header, 20 to skip the 20 byte coff main header, 28 because that’s the offset of ImageBase in the optional header, and (-4 AND pe32plus) because the offset is 24 if the Magic is PE32+. Either QB64 or GCC will probably optimize it anyway, I would think.
In the Section table, the name of the field is VirtualAddress, but the description seems to say that it is an RVA. My program assumes that it is an RVA. The rva2fp function finds which section a given RVA is in, and then uses the difference between the RVA and the file pointer for that section to turn the given RVA into a file pointer.
Regards, Michael Calkins
Revision 2
I’ve made a few minor changes to the program. It will show you the first 400 bytes when you choose to export the data. Also, by moving the initialization of sc and so outside the loop, you will now come back to the correct entry upon ascending a level. I experimented with code to PSET the data, but it is commented out.
'october 2011, michael calkins
'my code is public domain, but it's based on Microsoft's spec, so I'm not sure
'what kind of patents or copyrights apply.
'based on the Microsoft PE and COFF spec, Revision 8.2 - September 21, 2010
'http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
DIM nam AS STRING * 8
DIM fil AS STRING
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM coff AS _UNSIGNED LONG
DIM SectionTable AS _UNSIGNED LONG
DIM ImageBase AS _UNSIGNED LONG
DIM rsrc AS _UNSIGNED LONG
DIM pe32plus AS LONG
DIM w AS _UNSIGNED INTEGER
DIM SizeOfOptionalHeader AS _UNSIGNED INTEGER
DIM SHARED NumberOfSections AS _UNSIGNED INTEGER
DIM NumberOfRvaAndSizes AS _UNSIGNED LONG
CLS
LINE INPUT "Name of the PE image to open? "; fil
IF _FILEEXISTS(fil) = 0 THEN PRINT "File not found.": END
OPEN fil FOR BINARY ACCESS READ AS 1
GET 1, 1 + 0, w
IF w <> &H5A4D THEN PRINT "No MZ signature.": END
GET 1, 1 + &H3C, dw
coff = dw + 4
GET 1, dw + 1, dw
IF dw <> &H4550& THEN PRINT "No PE signature.": END
GET 1, 1 + coff + 2, NumberOfSections
IF NumberOfSections = 0 THEN PRINT "No sections.": END
PRINT "NumberOfSections:"; NumberOfSections
DIM SHARED secsva(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
DIM SHARED secsfp(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
GET 1, 1 + coff + 16, SizeOfOptionalHeader
IF SizeOfOptionalHeader = 0 THEN PRINT "No optional header.": END
PRINT "SizeOfOptionalHeader:", SPACE$(4); word$(SizeOfOptionalHeader)
GET 1, 1 + coff + 20, w
SELECT CASE w
CASE &H10B: pe32plus = 0: PRINT "PE32"
CASE &H20B: pe32plus = -1: PRINT "PE32+"
CASE ELSE: PRINT "Unknown Magic.": END
END SELECT
GET 1, 1 + coff + 20 + 28 + (-4 AND pe32plus), ImageBase
PRINT "ImageBase:", "", dword$(ImageBase)
GET 1, 1 + coff + 20 + 92 + (16 AND pe32plus), NumberOfRvaAndSizes
IF NumberOfRvaAndSizes < 3 THEN PRINT "No resource table.": END
PRINT "NumberOfRvaAndSizes:"; NumberOfRvaAndSizes
GET 1, 1 + coff + 20 + 112 + (16 AND pe32plus), rsrc
PRINT "Rva of resource table:", dword$(rsrc)
GET 1, 1 + coff + 20 + 4 + 112 + (16 AND pe32plus), dw
PRINT "Size of resource table:", dword$(dw)
IF (rsrc = 0) OR (dw = 0) THEN PRINT "No resource table.": END
SectionTable = coff + 20 + SizeOfOptionalHeader
PRINT "section", "va", "file ptr"
FOR w = 0 TO NumberOfSections - 1
GET 1, 1 + SectionTable + (40 * w), nam
GET 1, 1 + SectionTable + 12 + (40 * w), ul
GET 1, 1 + SectionTable + 20 + (40 * w), dw
PRINT nam, dword$(ul), dword$(dw)
secsva(w) = ul
secsfp(w) = dw
NEXT
PRINT
PRINT "Proceed? ";
DO
k = LCASE$(INKEY$)
IF k = "n" THEN PRINT k: END
LOOP UNTIL k = "y"
PRINT k
processtable rva2fp(rsrc), rva2fp(rsrc), 0
SYSTEM
SUB processtable (bs AS _UNSIGNED LONG, addr AS _UNSIGNED LONG, level AS INTEGER)
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM numnamest8 AS _UNSIGNED LONG
DIM dat AS _UNSIGNED LONG
DIM siz AS _UNSIGNED LONG
DIM so AS LONG
DIM sc AS LONG
DIM numnames AS _UNSIGNED INTEGER
DIM numids AS _UNSIGNED INTEGER
DIM w AS _UNSIGNED INTEGER
DIM ln AS _UNSIGNED INTEGER
DIM x AS _UNSIGNED INTEGER
DIM y AS _UNSIGNED INTEGER
DIM b AS _UNSIGNED _BYTE
GET 1, 1 + addr + 12, numnames
GET 1, 1 + addr + 14, numids
DIM nams(0 TO numnames + (numnames > 0)) AS STRING
DIM namsrva(0 TO numnames + (numnames > 0)) AS _UNSIGNED LONG
DIM ids(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
DIM idsrva(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
'get named entries
FOR x = 0 TO numnames - 1
GET 1, 1 + addr + 16 + (x * 8), dw
dw = rva2fp(dw)
GET 1, 1 + dw, ln
FOR y = 0 TO ln - 1
GET 1, , w
SELECT CASE w
CASE &H20 TO &H7E: nams(x) = nams(x) + CHR$(w)
CASE ELSE: nams(x) = nams(x) + CHR$(&H1A)
END SELECT
IF y = 68 THEN EXIT FOR
NEXT
GET 1, 1 + addr + 16 + 4 + (x * 8), namsrva(x)
NEXT
'get numbered entries:
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET 1, 1 + addr + 16 + numnamest8 + (x * 8), ids(x)
GET 1, 1 + addr + 16 + 4 + numnamest8 + (x * 8), idsrva(x)
NEXT
'display:
VIEW PRINT
sc = 0
so = 0
DO
CLS 0 'qb64 bug? not locating to 1,1?
LOCATE 1, 1
SELECT CASE level
CASE 0: PRINT "1st level - Type";
CASE 1: PRINT "2nd level - Name";
CASE 2: PRINT "3rd level - Language";
CASE ELSE: PRINT LTRIM$(STR$(level)) + "th level";
END SELECT
PRINT "", "file ptr: "; dword$(addr); ". Press 'D' to dump."
PRINT numnames; "names in this level, in this branch."
PRINT numids; "IDs in this level, in this branch."
IF (numnames OR numids) = 0 THEN
IF level THEN
PRINT "Press any key to go up one level."
SLEEP: DO: LOOP WHILE LEN(INKEY$)
EXIT SUB
ELSE
END
END IF
END IF
PRINT "names are unicode. For simplicity, non ASCII chars will be shown as " + CHR$(&H1A) + "."
IF level THEN
PRINT "BKSP or ESC to go up one level."
ELSE
PRINT "BKSP or ESC to exit."
END IF
PRINT "UP, DOWN, PGUP, PGDN, HOME, END to navigate list."
PRINT "ENTER to select."
PRINT STRING$(80, &HC4);
LOCATE 22, 1
PRINT STRING$(80, &HC4);
DO
COLOR 7, 0
LOCATE 8, 1: PRINT dword$(sc)
FOR x = 0 TO 11
LOCATE 10 + x, 1
IF x + so = sc THEN COLOR 15, 1 ELSE COLOR 7, 0
IF (x + so) < numnames THEN
PRINT nams(x + so); SPACE$(70 - LEN(nams(x + so)));
PRINT dword$(bs + (namsrva(x + so) AND &H7FFFFFFF&));
COLOR 7, 0
LOCATE 7, 18
IF namsrva(x + so) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSEIF (x + so) < (numnames + numids) THEN
PRINT "ID: " + dword$(ids(x + so - numnames)); SPACE$(56);
PRINT dword$(bs + (idsrva(x + so - numnames)));
COLOR 7, 0
LOCATE 7, 18
IF idsrva(x + (so - numnames)) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSE
PRINT SPACE$(80);
END IF
NEXT
DO
k = INKEY$
LOOP UNTIL LEN(k)
SELECT CASE k
CASE "d", "D"
dump addr
EXIT DO
CASE MKI$(&H4800) 'up
IF sc > 0 THEN
sc = sc - 1
IF sc < so THEN so = sc
END IF
CASE MKI$(&H5000) 'down
IF sc < (numnames + numids - 1) THEN
sc = sc + 1
IF sc > (so + 11) THEN
so = sc - 11
IF so > sc THEN so = 0 'unsigned
END IF
END IF
CASE MKI$(&H4700) 'home
sc = 0
so = 0
CASE MKI$(&H4F00) 'end
sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE MKI$(&H4900) 'pgup
sc = sc - 12
so = so - 12
IF sc < 0 THEN sc = 0
IF so < 0 THEN so = 0
CASE MKI$(&H5100) 'pgdn
sc = sc + 12
IF sc > (numnames + numids - 1) THEN sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE CHR$(&H8), CHR$(&H1B) 'bksp, esc
EXIT SUB
CASE CHR$(&HD) 'enter
IF sc < numnames THEN
dw = namsrva(sc)
ELSE
dw = idsrva(sc - numnames)
END IF
IF dw AND &H80000000~& THEN
'the spec says its an rva, but it seems to be an offset in the section/table
processtable bs, bs + (dw AND &H7FFFFFFF&), level + 1
EXIT DO
ELSE
'the spec says its an rva, but it seems to be an offset in the section/table
dw = bs + dw
GET 1, 1 + dw, dat
GET 1, 1 + 4 + dw, siz
CLS
LOCATE 1, 1 'qb64 seems to default to line 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
IF dw > 400 THEN EXIT FOR
GET 1, , b
SELECT CASE b
CASE 7, 9 TO &HD, &H1F: PRINT ".";
CASE ELSE: PRINT CHR$(b);
END SELECT
NEXT
LOCATE 24, 1
PRINT dword$(siz) + " bytes.";
LOCATE 23, 1
LINE INPUT "(leave blank to cancel) Output file? "; k
' IF k = "v" THEN
' INPUT "width in pixels"; w
' SCREEN 13
' SEEK 1, 1 + rva2fp(dat)
' FOR dw = 1 TO siz
' IF dw \ w >= 200 THEN EXIT FOR
' GET 1, , b
' PSET (dw MOD w, dw \ w), b
' NEXT
' SLEEP: DO: LOOP WHILE LEN(INKEY$)
' SCREEN 0
' WIDTH 80, 25
' VIEW PRINT
' CLS
' END IF
IF LEN(k) THEN
IF _FILEEXISTS(k) THEN
PRINT
PRINT "File already exists.";
ELSE
OPEN k FOR BINARY AS 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
GET 1, , b
PUT 2, , b
NEXT
CLOSE 2
PRINT
PRINT "Done.";
END IF
SLEEP: DO: LOOP WHILE LEN(INKEY$)
END IF
EXIT DO
END IF
END SELECT
LOOP
LOOP
END SUB
FUNCTION word$ (w AS _UNSIGNED INTEGER)
DIM t AS STRING
t = LCASE$(HEX$(w))
word = "0x" + STRING$(4 - LEN(t), &H30) + t
END FUNCTION
FUNCTION dword$ (dw AS _UNSIGNED LONG)
DIM t AS STRING
t = LCASE$(HEX$(dw))
dword = "0x" + STRING$(8 - LEN(t), &H30) + t
END FUNCTION
FUNCTION rva2fp~& (rva AS _UNSIGNED LONG)
DIM w AS _UNSIGNED INTEGER
FOR w = 0 TO NumberOfSections - 1
IF rva < secsva(w) THEN EXIT FOR
NEXT
w = w - 1
IF w > NumberOfSections - 1 THEN PRINT dword$(rva), w: SLEEP
rva2fp = rva + (secsfp(w) - secsva(w))
END FUNCTION
SUB dump (addr AS _UNSIGNED LONG)
DIM t AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM b AS _UNSIGNED _BYTE
VIEW PRINT
ul = addr
DO
COLOR 7, 0
CLS 0
SEEK 1, 1 + ul
FOR dw = ul TO (ul AND &HFFFFFFF0) + &H15F
IF (1 + ul) > LOF(1) THEN EXIT FOR
GET 1, , b
IF (dw AND &HF) = 0 THEN
t = LCASE$(HEX$(dw))
COLOR 7
PRINT STRING$(8 - LEN(t), &H30) + t; SPACE$(2);
END IF
IF (dw AND &H4) THEN COLOR 3 ELSE COLOR 2
LOCATE , 14 + ((dw AND &HF) * 3)
t = LCASE$(HEX$(b))
IF b < &H10 THEN PRINT "0" + t; ELSE PRINT t;
LOCATE , 65 + (dw AND &HF)
SELECT CASE b
CASE 7, 9 TO &HD, &H1F: PRINT ".";
CASE ELSE: PRINT CHR$(b);
END SELECT
NEXT
PRINT
COLOR 7
LINE INPUT "(leave blank to cancel) Address: 0x"; t
IF LTRIM$(t) = "" THEN EXIT DO
ul = VAL("&h" + t + "&") AND &H7FFFFFFF
LOOP
END SUB
The .ICO format:
- http://en.wikipedia.org/wiki/ICO_(file_format)
- http://www.iconolog.org/info/icoFormat.html
- http://en.wikipedia.org/wiki/BMP_file_format
Note that the BMP file header is excluded, but the DIB information header is included. My observations from using Resource Hacker on c:\windows\notepad.exe:
I’ve downloaded Resource Hacker. Note that if you export the first icon of \windows\notepad.exe as a binary file, it is identical to the file exported from my program (verifiable with fc /b). However, if you export it as an icon file, Resource Hacker adds 22 bytes to the beginning of it, a 6 byte ICONDIR structure, and a 16 byte ICONDIRENTRY structure. Resource Hacker is getting this information from the Icon Group resource.
If you export the Icon Group resource as a binary file, you will see that it starts with an ICONDIR structure specifying 9 images. It is followed by an array of 9 structures, 14 bytes each. The first 12 bytes are the same as an ICONDIRENTRY structure. (with a 2x Height difference). The last element, which would be a dword offset in a ICONDIRENTRY structure is instead a word index identifying the particular icon.
You can see what I mean: Use Resource Hacker to export the Icon Group as a binary file, named rhig.bin:
edit /78 rhig.bin
Delete the first 6 bytes, and save it as rhigmod.bin.
edit /14 rhigmod.bin
and you can clearly see the array.
Note that, according to:
http://www.iconolog.org/info/icoFormat.html
There is supposed to be a 2x Height difference between the ICONDIRENTRY structure in the icon file, and the DIB header within the icon file, with the DIB header having 2x the Height. However, when Resource Hacker exported the Icon file, it put 2x the Height in the ICONDIRENTRY structure also, doubling it from the Icon Group data. Icons seem to be Type ID 0x3, and Icon Groups seem to be Type ID 0xe. This seems consistent with:
http://msdn.microsoft.com/en-us/library/ms648009(v=VS.85).aspx
I’ll probably write some code in the next day or two to automate the process of extracting icons from a PE. My observations would need to be double checked before being relied upon. (as always)
Regards, Michael Calkins
Revision 3
The addresses of the strings were also offsets from the start of the main table. So now, it should correctly display the names of named entries. It now displays the names of known Type IDs. It can now accept the PE file name as a command line parameter, so that you can press up, enter, from the cmd prompt to restart it without having to type the name again.
I’ve moved the first horizontal line down 1 line. There is a minor optimization in that there is one less call to rva2fp.
'revision 20120316, michael calkins
'october 2011, michael calkins
'my code is public domain, but it's based on Microsoft's spec, so I'm not sure
'what kind of patents or copyrights apply.
'based on the Microsoft PE and COFF spec, Revision 8.2 - September 21, 2010
'http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
'bug fixes on 2012 03 16:
' changed NumberOfRvaAndSizes to an _unsigned long
' added _CONTROLCHR OFF to the dump sub, and replaced the select case
DIM nam AS STRING * 8
DIM fil AS STRING
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM coff AS _UNSIGNED LONG
DIM SectionTable AS _UNSIGNED LONG
DIM ImageBase AS _UNSIGNED LONG
DIM rsrc AS _UNSIGNED LONG
DIM pe32plus AS LONG
DIM w AS _UNSIGNED INTEGER
DIM SizeOfOptionalHeader AS _UNSIGNED INTEGER
DIM SHARED NumberOfSections AS _UNSIGNED INTEGER
DIM NumberOfRvaAndSizes AS _UNSIGNED LONG
CLS
fil = COMMAND$
IF LEN(fil) = 0 THEN LINE INPUT "Name of the PE image to open? "; fil
IF _FILEEXISTS(fil) = 0 THEN PRINT "File not found.": END
OPEN fil FOR BINARY ACCESS READ AS 1
GET 1, 1 + 0, w
IF w <> &H5A4D THEN PRINT "No MZ signature.": END
GET 1, 1 + &H3C, dw
coff = dw + 4
GET 1, dw + 1, dw
IF dw <> &H4550& THEN PRINT "No PE signature.": END
GET 1, 1 + coff + 2, NumberOfSections
IF NumberOfSections = 0 THEN PRINT "No sections.": END
PRINT "NumberOfSections:"; NumberOfSections
DIM SHARED secsva(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
DIM SHARED secsfp(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
GET 1, 1 + coff + 16, SizeOfOptionalHeader
IF SizeOfOptionalHeader = 0 THEN PRINT "No optional header.": END
PRINT "SizeOfOptionalHeader:", SPACE$(4); word$(SizeOfOptionalHeader)
GET 1, 1 + coff + 20, w
SELECT CASE w
CASE &H10B: pe32plus = 0: PRINT "PE32"
CASE &H20B: pe32plus = -1: PRINT "PE32+"
CASE ELSE: PRINT "Unknown Magic.": END
END SELECT
GET 1, 1 + coff + 20 + 28 + (-4 AND pe32plus), ImageBase
PRINT "ImageBase:", "", dword$(ImageBase)
GET 1, 1 + coff + 20 + 92 + (16 AND pe32plus), NumberOfRvaAndSizes
IF NumberOfRvaAndSizes < 3 THEN PRINT "No resource table.": END
PRINT "NumberOfRvaAndSizes:"; NumberOfRvaAndSizes
GET 1, 1 + coff + 20 + 112 + (16 AND pe32plus), rsrc
PRINT "Rva of resource table:", dword$(rsrc)
GET 1, 1 + coff + 20 + 4 + 112 + (16 AND pe32plus), dw
PRINT "Size of resource table:", dword$(dw)
IF (rsrc = 0) OR (dw = 0) THEN PRINT "No resource table.": END
SectionTable = coff + 20 + SizeOfOptionalHeader
PRINT "section", "va", "file ptr"
FOR w = 0 TO NumberOfSections - 1
GET 1, 1 + SectionTable + (40 * w), nam
GET 1, 1 + SectionTable + 12 + (40 * w), ul
GET 1, 1 + SectionTable + 20 + (40 * w), dw
PRINT nam, dword$(ul), dword$(dw)
secsva(w) = ul
secsfp(w) = dw
NEXT
PRINT
PRINT "Proceed? ";
DO
k = LCASE$(INKEY$)
IF k = "n" THEN PRINT k: END
LOOP UNTIL k = "y"
PRINT k
dw = rva2fp(rsrc)
processtable dw, dw, 0
SYSTEM
SUB processtable (bs AS _UNSIGNED LONG, addr AS _UNSIGNED LONG, level AS INTEGER)
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM numnamest8 AS _UNSIGNED LONG
DIM dat AS _UNSIGNED LONG
DIM siz AS _UNSIGNED LONG
DIM so AS LONG
DIM sc AS LONG
DIM numnames AS _UNSIGNED INTEGER
DIM numids AS _UNSIGNED INTEGER
DIM w AS _UNSIGNED INTEGER
DIM ln AS _UNSIGNED INTEGER
DIM x AS _UNSIGNED INTEGER
DIM y AS _UNSIGNED INTEGER
DIM b AS _UNSIGNED _BYTE
GET 1, 1 + addr + 12, numnames
GET 1, 1 + addr + 14, numids
DIM nams(0 TO numnames + (numnames > 0)) AS STRING
DIM namsrva(0 TO numnames + (numnames > 0)) AS _UNSIGNED LONG
DIM ids(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
DIM idsrva(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
'get named entries
FOR x = 0 TO numnames - 1
GET 1, 1 + addr + 16 + (x * 8), dw
'the spec says its an rva, but it seems to be an offset in the section/table
'low 31 bits are an offset from bs
GET 1, 1 + bs + (dw AND &H7FFFFFFF), ln
FOR y = 0 TO ln - 1
GET 1, , w
SELECT CASE w
CASE &H20 TO &H7E: nams(x) = nams(x) + CHR$(w)
CASE ELSE: nams(x) = nams(x) + CHR$(&H1A)
END SELECT
IF y = 68 THEN EXIT FOR
NEXT
GET 1, 1 + addr + 16 + 4 + (x * 8), namsrva(x)
NEXT
'get numbered entries:
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET 1, 1 + addr + 16 + numnamest8 + (x * 8), ids(x)
GET 1, 1 + addr + 16 + 4 + numnamest8 + (x * 8), idsrva(x)
NEXT
'display:
VIEW PRINT
sc = 0
so = 0
DO
CLS 0 'qb64 bug? not locating to 1,1?
LOCATE 1, 1
SELECT CASE level
CASE 0: PRINT "1st level - Type";
CASE 1: PRINT "2nd level - Name";
CASE 2: PRINT "3rd level - Language";
CASE ELSE: PRINT LTRIM$(STR$(level)) + "th level";
END SELECT
PRINT "", "file ptr: "; dword$(addr); ". Press 'D' to dump."
PRINT numnames; "names in this level, in this branch."
PRINT numids; "IDs in this level, in this branch."
IF (numnames OR numids) = 0 THEN
IF level THEN
PRINT "Press any key to go up one level."
SLEEP: DO: LOOP WHILE LEN(INKEY$)
EXIT SUB
ELSE
END
END IF
END IF
PRINT "names are unicode. For simplicity, non ASCII chars will be shown as " + CHR$(&H1A) + "."
IF level THEN
PRINT "BKSP or ESC to go up one level."
ELSE
PRINT "BKSP or ESC to exit."
END IF
PRINT "UP, DOWN, PGUP, PGDN, HOME, END to navigate list."
PRINT "ENTER to select."
LOCATE 9, 1
PRINT STRING$(80, &HC4);
LOCATE 22, 1
PRINT STRING$(80, &HC4);
DO
COLOR 7, 0
LOCATE 8, 1: PRINT dword$(sc)
FOR x = 0 TO 11
LOCATE 10 + x, 1
IF x + so = sc THEN COLOR 15, 1 ELSE COLOR 7, 0
IF (x + so) < numnames THEN
PRINT nams(x + so); SPACE$(70 - LEN(nams(x + so)));
PRINT dword$(bs + (namsrva(x + so) AND &H7FFFFFFF&));
COLOR 7, 0
LOCATE 7, 18
IF namsrva(x + so) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSEIF (x + so) < (numnames + numids) THEN
PRINT "ID: " + dword$(ids(x + so - numnames));
IF level = 0 THEN
PRINT " (RT_";
'derived from:
' http://msdn.microsoft.com/en-us/library/ms648009(v=VS.85).aspx
SELECT CASE ids(x + so - numnames)
CASE 9: PRINT "ACCELERATOR";
CASE 21: PRINT "ANICURSOR";
CASE 22: PRINT "ANIICON";
CASE 2: PRINT "BITMAP";
CASE 1: PRINT "CURSOR";
CASE 5: PRINT "DIALOG";
CASE 17: PRINT "DLGINCLUDE";
CASE 8: PRINT "FONT";
CASE 7: PRINT "FONTDIR";
CASE 12: PRINT "GROUP_CURSOR";
CASE 14: PRINT "GROUP_ICON";
CASE 23: PRINT "HTML";
CASE 3: PRINT "ICON";
CASE 24: PRINT "MANIFEST";
CASE 4: PRINT "MENU";
CASE 11: PRINT "MESSAGETABLE";
CASE 19: PRINT "PLUGPLAY";
CASE 10: PRINT "RCDATA";
CASE 6: PRINT "STRING";
CASE 16: PRINT "VERSION";
CASE 20: PRINT "VXD";
END SELECT
PRINT ")";
END IF
PRINT SPACE$(71 - POS(0));
PRINT dword$(bs + (idsrva(x + so - numnames)));
COLOR 7, 0
LOCATE 7, 18
IF idsrva(x + (so - numnames)) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSE
PRINT SPACE$(80);
END IF
NEXT
DO
k = INKEY$
LOOP UNTIL LEN(k)
SELECT CASE k
CASE "d", "D"
dump addr
EXIT DO
CASE MKI$(&H4800) 'up
IF sc > 0 THEN
sc = sc - 1
IF sc < so THEN so = sc
END IF
CASE MKI$(&H5000) 'down
IF sc < (numnames + numids - 1) THEN
sc = sc + 1
IF sc > (so + 11) THEN
so = sc - 11
IF so > sc THEN so = 0 'unsigned
END IF
END IF
CASE MKI$(&H4700) 'home
sc = 0
so = 0
CASE MKI$(&H4F00) 'end
sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE MKI$(&H4900) 'pgup
sc = sc - 12
so = so - 12
IF sc < 0 THEN sc = 0
IF so < 0 THEN so = 0
CASE MKI$(&H5100) 'pgdn
sc = sc + 12
IF sc > (numnames + numids - 1) THEN sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE CHR$(&H8), CHR$(&H1B) 'bksp, esc
EXIT SUB
CASE CHR$(&HD) 'enter
IF sc < numnames THEN
dw = namsrva(sc)
ELSE
dw = idsrva(sc - numnames)
END IF
IF dw AND &H80000000~& THEN
'the spec says its an rva, but it seems to be an offset in the section/table
processtable bs, bs + (dw AND &H7FFFFFFF&), level + 1
EXIT DO
ELSE
'the spec says its an rva, but it seems to be an offset in the section/table
dw = bs + dw
GET 1, 1 + dw, dat
GET 1, 1 + 4 + dw, siz
CLS
LOCATE 1, 1 'qb64 seems to default to line 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
IF dw > 400 THEN EXIT FOR
GET 1, , b
SELECT CASE b
CASE 7, 9 TO &HD, &H1F: PRINT ".";
CASE ELSE: PRINT CHR$(b);
END SELECT
NEXT
LOCATE 24, 1
PRINT dword$(siz) + " bytes.";
LOCATE 23, 1
LINE INPUT "(leave blank to cancel) Output file? "; k
IF LEN(k) THEN
IF _FILEEXISTS(k) THEN
PRINT
PRINT "File already exists.";
ELSE
OPEN k FOR BINARY AS 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
GET 1, , b
PUT 2, , b
NEXT
CLOSE 2
PRINT
PRINT "Done.";
END IF
SLEEP: DO: LOOP WHILE LEN(INKEY$)
END IF
EXIT DO
END IF
END SELECT
LOOP
LOOP
END SUB
FUNCTION word$ (w AS _UNSIGNED INTEGER)
DIM t AS STRING
t = LCASE$(HEX$(w))
word = "0x" + STRING$(4 - LEN(t), &H30) + t
END FUNCTION
FUNCTION dword$ (dw AS _UNSIGNED LONG)
DIM t AS STRING
t = LCASE$(HEX$(dw))
dword = "0x" + STRING$(8 - LEN(t), &H30) + t
END FUNCTION
FUNCTION rva2fp~& (rva AS _UNSIGNED LONG)
DIM w AS _UNSIGNED INTEGER
FOR w = 0 TO NumberOfSections - 1
IF rva < secsva(w) THEN EXIT FOR
NEXT
w = w - 1
IF w > NumberOfSections - 1 THEN PRINT dword$(rva), w: SLEEP
rva2fp = rva + (secsfp(w) - secsva(w))
END FUNCTION
SUB dump (addr AS _UNSIGNED LONG)
DIM t AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM b AS _UNSIGNED _BYTE
_CONTROLCHR OFF
VIEW PRINT
ul = addr
DO
COLOR 7, 0
CLS 0
SEEK 1, 1 + ul
FOR dw = ul TO (ul AND &HFFFFFFF0) + &H15F
IF (1 + ul) > LOF(1) THEN EXIT FOR
GET 1, , b
IF (dw AND &HF) = 0 THEN
t = LCASE$(HEX$(dw))
COLOR 7
PRINT STRING$(8 - LEN(t), &H30) + t; SPACE$(2);
END IF
IF (dw AND &H4) THEN COLOR 3 ELSE COLOR 2
LOCATE , 14 + ((dw AND &HF) * 3)
t = LCASE$(HEX$(b))
IF b < &H10 THEN PRINT "0" + t; ELSE PRINT t;
LOCATE , 65 + (dw AND &HF)
PRINT CHR$(b);
NEXT
PRINT
COLOR 7
LINE INPUT "(leave blank to cancel) Address: 0x"; t
IF LTRIM$(t) = "" THEN EXIT DO
ul = VAL("&h" + t + "&") AND &H7FFFFFFF
LOOP
END SUB
Extract Icon
Here is a program to extract an icon from a PE file. You specify the PE file, the index of the icon group (the first is 0), the maximum width and colors, and the output file. It will try to find the best matching icon, and extract the icon from the first language. I had earlier said that Resource Hacker gets the information for the ICO header from the icon group data. It could, but it could also get the data from the DIB header. Resource Hacker seems to use several fields that are reserved according to:
http://www.iconolog.org/info/icoFormat.html
I use some of those fields in the icon group data to select the best icon from the group.
Notepad.exe has 1 group of 9 icons: 48, 32, and 16 pixels; 32, 8, and 4 bpp each. The 4 bpp icons are the old fashioned ones. :-) I like both the old and new. C:\Windows\System32\shell32.dll and pifmgr.dll have numerous icons.
'revision date, last person to revise
'revision 20111101, michael calkins
'(derivitives may list sources of derivision)
'october 2011, michael calkins
'my code is public domain, but it's based on Microsoft's spec, so I'm not sure
'what kind of patents or copyrights apply.
'based on the Microsoft PE and COFF spec, Revision 8.2 - September 21, 2010
'http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
DIM fil AS STRING
DIM n AS LONG
DIM gi AS _UNSIGNED LONG
DIM wi AS LONG
DIM bpp AS LONG
fil = "\windows\notepad.exe"
IF LEN(fil) = 0 THEN LINE INPUT fil
gi = 0 'first icon group is normally 0 in most EXE or DLL files
wi = 32 '16 to 256 max width '<<<<<<<<<<< change settings for other sizes
bpp = 8 '4 to 32 bit max color '<<<<<<<<<<< 4 bit may use older style images
mode = 0 ' 0 = icon, 1 = bitmap
del$ = "delme.ico" 'change file extension to .BMP with mode 1 for bitmaps
IF _FILEEXISTS(del$) THEN KILL del$ 'this file will be erased.
n = geticon(fil, del$, gi, wi, bpp, mode)
IF n THEN
PRINT "error:"; n, geticonerror(n)
END
ELSE
SHELL _DONTWAIT "mspaint " + del$
END IF
SYSTEM
' ---------------------------------------------------
FUNCTION geticon& (fin AS STRING, fout AS STRING, gi AS _UNSIGNED LONG, wi AS _UNSIGNED LONG, co AS _UNSIGNED LONG, m AS _UNSIGNED LONG)
'function extracts the best matching icon from a specified icon group from
'a specified PE image, and saves it to a specified file in a specified format.
'extracts the first language.
'fil = input file name
'fout = output file name
'gi = the number of the Icon Group (0 is first)
'wi = the preferred width (width is given priority over color)
'co = the preferred bits per pixel
'm = mode (0 for .ico, nonzero for .bmp)
'returns 0 for success, nonzero for error.
DIM dw AS _UNSIGNED LONG
DIM coff AS _UNSIGNED LONG
DIM SectionTable AS _UNSIGNED LONG
DIM pe32plus AS LONG
DIM bs AS _UNSIGNED LONG
DIM addr AS _UNSIGNED LONG
DIM nfin AS _UNSIGNED LONG
DIM nfout AS _UNSIGNED LONG
DIM numnamest8 AS _UNSIGNED LONG
DIM dat AS _UNSIGNED LONG
DIM siz AS _UNSIGNED LONG
DIM rva AS _UNSIGNED LONG
DIM fp AS _UNSIGNED LONG
DIM bc AS _UNSIGNED LONG
DIM bw AS _UNSIGNED LONG
DIM w AS _UNSIGNED INTEGER
DIM SizeOfOptionalHeader AS _UNSIGNED INTEGER
DIM NumberOfSections AS _UNSIGNED INTEGER
DIM NumberOfRvaAndSizes AS _UNSIGNED LONG
DIM numnames AS _UNSIGNED INTEGER
DIM numids AS _UNSIGNED INTEGER
DIM x AS _UNSIGNED INTEGER
DIM y AS _UNSIGNED INTEGER
DIM z AS _UNSIGNED INTEGER
DIM b AS _UNSIGNED _BYTE
IF _FILEEXISTS(fin) = 0 THEN geticon = 1: EXIT FUNCTION
nfin = FREEFILE
OPEN fin FOR BINARY ACCESS READ AS nfin
GET nfin, 1 + 0, w
IF w <> &H5A4D THEN geticon = 2: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + &H3C, dw
coff = dw + 4
GET nfin, dw + 1, dw
IF dw <> &H4550& THEN geticon = 3: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + coff + 2, NumberOfSections
IF NumberOfSections = 0 THEN geticon = 4: CLOSE nfin: EXIT FUNCTION
DIM secsva(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
DIM secsfp(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
GET nfin, 1 + coff + 16, SizeOfOptionalHeader
IF SizeOfOptionalHeader = 0 THEN geticon = 5: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + coff + 20, w
SELECT CASE w
CASE &H10B: pe32plus = 0
CASE &H20B: pe32plus = -1
CASE ELSE: geticon = 6: CLOSE nfin: EXIT FUNCTION
END SELECT
GET nfin, 1 + coff + 20 + 92 + (16 AND pe32plus), NumberOfRvaAndSizes
IF NumberOfRvaAndSizes < 3 THEN geticon = 7: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + coff + 20 + 112 + (16 AND pe32plus), bs
GET nfin, 1 + coff + 20 + 4 + 112 + (16 AND pe32plus), dw
IF (bs = 0) OR (dw = 0) THEN geticon = 8: CLOSE nfin: EXIT FUNCTION
SectionTable = coff + 20 + SizeOfOptionalHeader
FOR w = 0 TO NumberOfSections - 1
GET nfin, 1 + SectionTable + 12 + (40 * w), secsva(w)
GET nfin, 1 + SectionTable + 20 + (40 * w), secsfp(w)
NEXT
rva = bs
GOSUB rva2fp
bs = fp
addr = bs
'group icon, first level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET nfin, 1 + addr + 16 + numnamest8 + (x * 8), dw
IF dw = &HE THEN
GET nfin, 1 + addr + 16 + 4 + numnamest8 + (x * 8), dw: EXIT FOR
END IF
NEXT
IF x = numids THEN geticon = 9: CLOSE nfin: EXIT FUNCTION
IF dw AND &H80000000~& = 0 THEN geticon = 10: CLOSE nfin: EXIT FUNCTION
addr = bs + (dw AND &H7FFFFFFF&)
'group icon, second level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
IF gi >= numnames + numids THEN geticon = 11: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + addr + 16 + 4 + (gi * 8), dw
IF dw AND &H80000000~& = 0 THEN geticon = 12: CLOSE nfin: EXIT FUNCTION
addr = bs + (dw AND &H7FFFFFFF&)
'group icon, third level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
IF 0 = (numnames + numids) THEN geticon = 13: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + addr + 16 + 4, dw
IF dw AND &H80000000~& THEN geticon = 14: CLOSE nfin: EXIT FUNCTION
'search for best icon within icon group
dw = bs + dw
GET nfin, 1 + dw, rva
GET nfin, 1 + 4 + dw, siz
GOSUB rva2fp
dat = fp
SEEK nfin, 1 + dat
IF siz < 6 THEN geticon = 15: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + dat, dw
IF dw <> &H10000 THEN geticon = 16: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + dat + 4, y
IF y = 0 THEN geticon = 17: CLOSE nfin: EXIT FUNCTION
IF siz < (6 + (y * 14)) THEN geticon = 18: CLOSE nfin: EXIT FUNCTION
bc = 0
bw = 0
FOR x = 0 TO y - 1
GET nfin, 1 + dat + 6 + (x * 14), b
IF b = 0 THEN b = 255
'best width, then best color
IF (b >= bw) AND (b <= wi) THEN
GET nfin, 1 + dat + 6 + (x * 14) + 6, w
IF ((w > bc) OR (b > bw)) AND (w <= co) THEN
bc = w
bw = b
GET nfin, 1 + dat + 6 + (x * 14) + 12, z
END IF
END IF
NEXT
IF bc = 0 THEN geticon = 19: CLOSE nfin: EXIT FUNCTION
addr = bs
'icon, first level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET nfin, 1 + addr + 16 + numnamest8 + (x * 8), dw
IF dw = &H3 THEN
GET nfin, 1 + addr + 16 + 4 + numnamest8 + (x * 8), dw: EXIT FOR
END IF
NEXT
IF x = numids THEN geticon = 20: CLOSE nfin: EXIT FUNCTION
IF dw AND &H80000000~& = 0 THEN geticon = 21: CLOSE nfin: EXIT FUNCTION
addr = bs + (dw AND &H7FFFFFFF&)
'icon, second level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET nfin, 1 + addr + 16 + numnamest8 + (x * 8), dw
IF dw = z THEN
GET nfin, 1 + addr + 16 + 4 + numnamest8 + (x * 8), dw: EXIT FOR
END IF
NEXT
IF x = numids THEN geticon = 22: CLOSE nfin: EXIT FUNCTION
IF dw AND &H80000000~& = 0 THEN geticon = 23: CLOSE nfin: EXIT FUNCTION
addr = bs + (dw AND &H7FFFFFFF&)
'icon, third level
GET nfin, 1 + addr + 12, numnames
GET nfin, 1 + addr + 14, numids
IF 0 = (numnames + numids) THEN geticon = 24: CLOSE nfin: EXIT FUNCTION
GET nfin, 1 + addr + 16 + 4, dw
IF dw AND &H80000000~& THEN geticon = 25: CLOSE nfin: EXIT FUNCTION
'extract icon
dw = bs + dw
GET nfin, 1 + dw, rva
GET nfin, 1 + 4 + dw, siz
GOSUB rva2fp
dat = fp
IF _FILEEXISTS(fout) THEN geticon = 26: CLOSE nfin: EXIT FUNCTION
nfout = FREEFILE
OPEN fout FOR BINARY AS nfout
GET nfin, 1 + dat + 4, dw 'width, start 4 bytes into BMP header
IF dw < &H100 THEN wide = dw ELSE wide = wi
GET nfin, , dw 'double height
IF dw < &H1FF THEN high = dw \ 2 ELSE high = wi
GET nfin, 1 + dat + 14, w 'bpp
IF w <= &H20 THEN bpp = w ELSE bpp = co
IF m THEN
'Create bitmap format pre-header info of 14 bytes
w = CVI("BM")
PUT nfout, 1, w 'magic
IF bpp <= 8 THEN pal = (2 ^ bpp) * 4: pb = bpp / 8 ELSE pal = 0: pb = 3
dw = 54 + (wide * high * pb) + pal 'file size
PUT nfout, , dw 'file size
dw = 0
PUT nfout, , dw '2 reserved
dw = 54 + pal 'bitmap header offset + palette if used
PUT nfout, , dw 'data offset
ELSE
'Create icon format Icon header and Entry header
w = 0
PUT nfout, 1, w 'reserved
w = 1 '1 = icon, 2 = cursor(this could be set by mode value)
PUT nfout, , w 'resource id
PUT nfout, , w 'icon count is always one in this procedure
b = wide
PUT nfout, , b 'width in Entry header
b = high
PUT nfout, , b 'height
IF bpp < 8 THEN b = 2 ^ bpp ELSE b = 0
PUT nfout, , b 'num of colors
b = 0: w = 0
PUT nfout, , b 'reserved
PUT nfout, , w 'column hot spot for cursor
PUT nfout, , w 'row hot spot for cursor
PUT nfout, , siz 'size of data
dw = 22 'offset of bmp header is 6 + 16 bytes
PUT nfout, , dw
END IF
SEEK nfin, 1 + dat 'seek start of bmp 40 byte header
IF m THEN
GET nfin, , dw
PUT nfout, , dw 'header size
GET nfin, , dw
dw = wide
PUT nfout, , dw 'width
dw = high
PUT nfout, , dw 'height
GET nfin, , dw 'ignore double height
siz = (wide * high * pb) + 28 + pal 'stop at AND mask
END IF
FOR dw = 1 TO siz 'GET remaining image data including
GET nfin, , b ' 'BMP header, palette and mask(s)
PUT nfout, , b
NEXT dw
CLOSE nfout
CLOSE nfin
geticon = 0
EXIT FUNCTION
rva2fp: 'call with rva returns fp modifies w
FOR w = 0 TO NumberOfSections - 1
IF rva < secsva(w) THEN EXIT FOR
NEXT
w = w - 1
IF w > NumberOfSections - 1 THEN geticon = 27: CLOSE nfin: EXIT FUNCTION
fp = rva + (secsfp(w) - secsva(w))
RETURN
END FUNCTION
FUNCTION geticonerror$ (n AS LONG)
'revision date, last person to revise revision 20111031, michael calkins
'(derivitives may list sources of derivision) october 2011, public domain, michael calkins
SELECT CASE n
CASE 0: geticonerror = "success"
CASE 1: geticonerror = "input file not found"
CASE 2: geticonerror = "MZ signature not found"
CASE 3: geticonerror = "PE signature not found"
CASE 4: geticonerror = "no sections found"
CASE 5: geticonerror = "optional header not found"
CASE 6: geticonerror = "unknown PE optional header"
CASE 7: geticonerror = "no resource table"
CASE 8: geticonerror = "no resource table"
CASE 9: geticonerror = "icon groups not found"
CASE 10: geticonerror = "icon group: 1st level entry is a leaf"
CASE 11: geticonerror = "specified icon group not found"
CASE 12: geticonerror = "icon group: 2nd level entry is a leaf"
CASE 13: geticonerror = "no language for specified icon group"
CASE 14: geticonerror = "icon group: 3rd level entry is not a leaf"
CASE 15: geticonerror = "icon group data is too small"
CASE 16: geticonerror = "icon group data is not as expected"
CASE 17: geticonerror = "no icons in group"
CASE 18: geticonerror = "icon array is too small"
CASE 19: geticonerror = "could not find an icon matching the specifications"
CASE 20: geticonerror = "icons not found"
CASE 21: geticonerror = "icon: 1st level entry is a leaf"
CASE 22: geticonerror = "target icon not found"
CASE 23: geticonerror = "icon: 2nd level entry is a leaf"
CASE 24: geticonerror = "no language for target icon"
CASE 25: geticonerror = "icon: 3rd level is not a leaf"
CASE 26: geticonerror = "output file already exists"
CASE 27: geticonerror = "could not convert rva to fp"
CASE ELSE: geticonerror = "unknown error"
END SELECT
END FUNCTION
Note: Change the file name to .BMP and mode to 1 to extract the icon as a bitmap for QB64 to use. QB64 cannot load icons!
Have fun, and don’t forget to double check it before relying on it. I appreciate bug reports, but I’m not responsible for errors.
Regards, Michael Calkins
Extract Resources
'revision 20120316, michael calkins
'october 2011, michael calkins
'my code is public domain, but it's based on Microsoft's spec, so I'm not sure
'what kind of patents or copyrights apply.
'based on the Microsoft PE and COFF spec, Revision 8.2 - September 21, 2010
'http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx
'bug fixes on 2012 03 16:
' changed NumberOfRvaAndSizes to an _unsigned long
' added _CONTROLCHR OFF to the dump sub, and replaced the select case
DIM nam AS STRING * 8
DIM fil AS STRING
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM coff AS _UNSIGNED LONG
DIM SectionTable AS _UNSIGNED LONG
DIM ImageBase AS _UNSIGNED LONG
DIM rsrc AS _UNSIGNED LONG
DIM pe32plus AS LONG
DIM w AS _UNSIGNED INTEGER
DIM SizeOfOptionalHeader AS _UNSIGNED INTEGER
DIM SHARED NumberOfSections AS _UNSIGNED INTEGER
DIM NumberOfRvaAndSizes AS _UNSIGNED LONG
CLS
fil = COMMAND$
IF LEN(fil) = 0 THEN LINE INPUT "Name of the PE image to open? "; fil
IF _FILEEXISTS(fil) = 0 THEN PRINT "File not found.": END
OPEN fil FOR BINARY ACCESS READ AS 1
GET 1, 1 + 0, w
IF w <> &H5A4D THEN PRINT "No MZ signature.": END
GET 1, 1 + &H3C, dw
coff = dw + 4
GET 1, dw + 1, dw
IF dw <> &H4550& THEN PRINT "No PE signature.": END
GET 1, 1 + coff + 2, NumberOfSections
IF NumberOfSections = 0 THEN PRINT "No sections.": END
PRINT "NumberOfSections:"; NumberOfSections
DIM SHARED secsva(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
DIM SHARED secsfp(0 TO NumberOfSections - 1) AS _UNSIGNED LONG
GET 1, 1 + coff + 16, SizeOfOptionalHeader
IF SizeOfOptionalHeader = 0 THEN PRINT "No optional header.": END
PRINT "SizeOfOptionalHeader:", SPACE$(4); word$(SizeOfOptionalHeader)
GET 1, 1 + coff + 20, w
SELECT CASE w
CASE &H10B: pe32plus = 0: PRINT "PE32"
CASE &H20B: pe32plus = -1: PRINT "PE32+"
CASE ELSE: PRINT "Unknown Magic.": END
END SELECT
GET 1, 1 + coff + 20 + 28 + (-4 AND pe32plus), ImageBase
PRINT "ImageBase:", "", dword$(ImageBase)
GET 1, 1 + coff + 20 + 92 + (16 AND pe32plus), NumberOfRvaAndSizes
IF NumberOfRvaAndSizes < 3 THEN PRINT "No resource table.": END
PRINT "NumberOfRvaAndSizes:"; NumberOfRvaAndSizes
GET 1, 1 + coff + 20 + 112 + (16 AND pe32plus), rsrc
PRINT "Rva of resource table:", dword$(rsrc)
GET 1, 1 + coff + 20 + 4 + 112 + (16 AND pe32plus), dw
PRINT "Size of resource table:", dword$(dw)
IF (rsrc = 0) OR (dw = 0) THEN PRINT "No resource table.": END
SectionTable = coff + 20 + SizeOfOptionalHeader
PRINT "section", "va", "file ptr"
FOR w = 0 TO NumberOfSections - 1
GET 1, 1 + SectionTable + (40 * w), nam
GET 1, 1 + SectionTable + 12 + (40 * w), ul
GET 1, 1 + SectionTable + 20 + (40 * w), dw
PRINT nam, dword$(ul), dword$(dw)
secsva(w) = ul
secsfp(w) = dw
NEXT
PRINT
PRINT "Proceed? ";
DO
k = LCASE$(INKEY$)
IF k = "n" THEN PRINT k: END
LOOP UNTIL k = "y"
PRINT k
dw = rva2fp(rsrc)
processtable dw, dw, 0
SYSTEM
SUB processtable (bs AS _UNSIGNED LONG, addr AS _UNSIGNED LONG, level AS INTEGER)
DIM k AS STRING
DIM dw AS _UNSIGNED LONG
DIM numnamest8 AS _UNSIGNED LONG
DIM dat AS _UNSIGNED LONG
DIM siz AS _UNSIGNED LONG
DIM so AS LONG
DIM sc AS LONG
DIM numnames AS _UNSIGNED INTEGER
DIM numids AS _UNSIGNED INTEGER
DIM w AS _UNSIGNED INTEGER
DIM ln AS _UNSIGNED INTEGER
DIM x AS _UNSIGNED INTEGER
DIM y AS _UNSIGNED INTEGER
DIM b AS _UNSIGNED _BYTE
GET 1, 1 + addr + 12, numnames
GET 1, 1 + addr + 14, numids
DIM nams(0 TO numnames + (numnames > 0)) AS STRING
DIM namsrva(0 TO numnames + (numnames > 0)) AS _UNSIGNED LONG
DIM ids(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
DIM idsrva(0 TO numids + (numids > 0)) AS _UNSIGNED LONG
'get named entries
FOR x = 0 TO numnames - 1
GET 1, 1 + addr + 16 + (x * 8), dw
'the spec says its an rva, but it seems to be an offset in the section/table
'low 31 bits are an offset from bs
GET 1, 1 + bs + (dw AND &H7FFFFFFF), ln
FOR y = 0 TO ln - 1
GET 1, , w
SELECT CASE w
CASE &H20 TO &H7E: nams(x) = nams(x) + CHR$(w)
CASE ELSE: nams(x) = nams(x) + CHR$(&H1A)
END SELECT
IF y = 68 THEN EXIT FOR
NEXT
GET 1, 1 + addr + 16 + 4 + (x * 8), namsrva(x)
NEXT
'get numbered entries:
numnamest8 = numnames * 8
FOR x = 0 TO numids - 1
GET 1, 1 + addr + 16 + numnamest8 + (x * 8), ids(x)
GET 1, 1 + addr + 16 + 4 + numnamest8 + (x * 8), idsrva(x)
NEXT
'display:
VIEW PRINT
sc = 0
so = 0
DO
CLS 0 'qb64 bug? not locating to 1,1?
LOCATE 1, 1
SELECT CASE level
CASE 0: PRINT "1st level - Type";
CASE 1: PRINT "2nd level - Name";
CASE 2: PRINT "3rd level - Language";
CASE ELSE: PRINT LTRIM$(STR$(level)) + "th level";
END SELECT
PRINT "", "file ptr: "; dword$(addr); ". Press 'D' to dump."
PRINT numnames; "names in this level, in this branch."
PRINT numids; "IDs in this level, in this branch."
IF (numnames OR numids) = 0 THEN
IF level THEN
PRINT "Press any key to go up one level."
SLEEP: DO: LOOP WHILE LEN(INKEY$)
EXIT SUB
ELSE
END
END IF
END IF
PRINT "names are unicode. For simplicity, non ASCII chars will be shown as " + CHR$(&H1A) + "."
IF level THEN
PRINT "BKSP or ESC to go up one level."
ELSE
PRINT "BKSP or ESC to exit."
END IF
PRINT "UP, DOWN, PGUP, PGDN, HOME, END to navigate list."
PRINT "ENTER to select."
LOCATE 9, 1
PRINT STRING$(80, &HC4);
LOCATE 22, 1
PRINT STRING$(80, &HC4);
DO
COLOR 7, 0
LOCATE 8, 1: PRINT dword$(sc)
FOR x = 0 TO 11
LOCATE 10 + x, 1
IF x + so = sc THEN COLOR 15, 1 ELSE COLOR 7, 0
IF (x + so) < numnames THEN
PRINT nams(x + so); SPACE$(70 - LEN(nams(x + so)));
PRINT dword$(bs + (namsrva(x + so) AND &H7FFFFFFF&));
COLOR 7, 0
LOCATE 7, 18
IF namsrva(x + so) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSEIF (x + so) < (numnames + numids) THEN
PRINT "ID: " + dword$(ids(x + so - numnames));
IF level = 0 THEN
PRINT " (RT_";
'derived from:
' http://msdn.microsoft.com/en-us/library/ms648009(v=VS.85).aspx
SELECT CASE ids(x + so - numnames)
CASE 9: PRINT "ACCELERATOR";
CASE 21: PRINT "ANICURSOR";
CASE 22: PRINT "ANIICON";
CASE 2: PRINT "BITMAP";
CASE 1: PRINT "CURSOR";
CASE 5: PRINT "DIALOG";
CASE 17: PRINT "DLGINCLUDE";
CASE 8: PRINT "FONT";
CASE 7: PRINT "FONTDIR";
CASE 12: PRINT "GROUP_CURSOR";
CASE 14: PRINT "GROUP_ICON";
CASE 23: PRINT "HTML";
CASE 3: PRINT "ICON";
CASE 24: PRINT "MANIFEST";
CASE 4: PRINT "MENU";
CASE 11: PRINT "MESSAGETABLE";
CASE 19: PRINT "PLUGPLAY";
CASE 10: PRINT "RCDATA";
CASE 6: PRINT "STRING";
CASE 16: PRINT "VERSION";
CASE 20: PRINT "VXD";
END SELECT
PRINT ")";
END IF
PRINT SPACE$(71 - POS(0));
PRINT dword$(bs + (idsrva(x + so - numnames)));
COLOR 7, 0
LOCATE 7, 18
IF idsrva(x + (so - numnames)) AND &H80000000~& THEN
PRINT "(descend)";
ELSE
PRINT "(extract)";
END IF
ELSE
PRINT SPACE$(80);
END IF
NEXT
DO
k = INKEY$
LOOP UNTIL LEN(k)
SELECT CASE k
CASE "d", "D"
dump addr
EXIT DO
CASE MKI$(&H4800) 'up
IF sc > 0 THEN
sc = sc - 1
IF sc < so THEN so = sc
END IF
CASE MKI$(&H5000) 'down
IF sc < (numnames + numids - 1) THEN
sc = sc + 1
IF sc > (so + 11) THEN
so = sc - 11
IF so > sc THEN so = 0 'unsigned
END IF
END IF
CASE MKI$(&H4700) 'home
sc = 0
so = 0
CASE MKI$(&H4F00) 'end
sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE MKI$(&H4900) 'pgup
sc = sc - 12
so = so - 12
IF sc < 0 THEN sc = 0
IF so < 0 THEN so = 0
CASE MKI$(&H5100) 'pgdn
sc = sc + 12
IF sc > (numnames + numids - 1) THEN sc = numnames + numids - 1
so = sc - 11
IF so < 0 THEN so = 0
CASE CHR$(&H8), CHR$(&H1B) 'bksp, esc
EXIT SUB
CASE CHR$(&HD) 'enter
IF sc < numnames THEN
dw = namsrva(sc)
ELSE
dw = idsrva(sc - numnames)
END IF
IF dw AND &H80000000~& THEN
'the spec says its an rva, but it seems to be an offset in the section/table
processtable bs, bs + (dw AND &H7FFFFFFF&), level + 1
EXIT DO
ELSE
'the spec says its an rva, but it seems to be an offset in the section/table
dw = bs + dw
GET 1, 1 + dw, dat
GET 1, 1 + 4 + dw, siz
CLS
LOCATE 1, 1 'qb64 seems to default to line 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
IF dw > 400 THEN EXIT FOR
GET 1, , b
SELECT CASE b
CASE 7, 9 TO &HD, &H1F: PRINT ".";
CASE ELSE: PRINT CHR$(b);
END SELECT
NEXT
LOCATE 24, 1
PRINT dword$(siz) + " bytes.";
LOCATE 23, 1
LINE INPUT "(leave blank to cancel) Output file? "; k
IF LEN(k) THEN
IF _FILEEXISTS(k) THEN
PRINT
PRINT "File already exists.";
ELSE
OPEN k FOR BINARY AS 2
SEEK 1, 1 + rva2fp(dat)
FOR dw = 1 TO siz
GET 1, , b
PUT 2, , b
NEXT
CLOSE 2
PRINT
PRINT "Done.";
END IF
SLEEP: DO: LOOP WHILE LEN(INKEY$)
END IF
EXIT DO
END IF
END SELECT
LOOP
LOOP
END SUB
FUNCTION word$ (w AS _UNSIGNED INTEGER)
DIM t AS STRING
t = LCASE$(HEX$(w))
word = "0x" + STRING$(4 - LEN(t), &H30) + t
END FUNCTION
FUNCTION dword$ (dw AS _UNSIGNED LONG)
DIM t AS STRING
t = LCASE$(HEX$(dw))
dword = "0x" + STRING$(8 - LEN(t), &H30) + t
END FUNCTION
FUNCTION rva2fp~& (rva AS _UNSIGNED LONG)
DIM w AS _UNSIGNED INTEGER
FOR w = 0 TO NumberOfSections - 1
IF rva < secsva(w) THEN EXIT FOR
NEXT
w = w - 1
IF w > NumberOfSections - 1 THEN PRINT dword$(rva), w: SLEEP
rva2fp = rva + (secsfp(w) - secsva(w))
END FUNCTION
SUB dump (addr AS _UNSIGNED LONG)
DIM t AS STRING
DIM dw AS _UNSIGNED LONG
DIM ul AS _UNSIGNED LONG
DIM b AS _UNSIGNED _BYTE
_CONTROLCHR OFF
VIEW PRINT
ul = addr
DO
COLOR 7, 0
CLS 0
SEEK 1, 1 + ul
FOR dw = ul TO (ul AND &HFFFFFFF0) + &H15F
IF (1 + ul) > LOF(1) THEN EXIT FOR
GET 1, , b
IF (dw AND &HF) = 0 THEN
t = LCASE$(HEX$(dw))
COLOR 7
PRINT STRING$(8 - LEN(t), &H30) + t; SPACE$(2);
END IF
IF (dw AND &H4) THEN COLOR 3 ELSE COLOR 2
LOCATE , 14 + ((dw AND &HF) * 3)
t = LCASE$(HEX$(b))
IF b < &H10 THEN PRINT "0" + t; ELSE PRINT t;
LOCATE , 65 + (dw AND &HF)
PRINT CHR$(b);
NEXT
PRINT
COLOR 7
LINE INPUT "(leave blank to cancel) Address: 0x"; t
IF LTRIM$(t) = "" THEN EXIT DO
ul = VAL("&h" + t + "&") AND &H7FFFFFFF
LOOP
END SUB
Code courtesy of Michael Calkins
See Also
- Icons and Cursors
- Bitmaps, _ICON, $EXEICON
- SaveIcon32 (create icons from any image)