PE editing and disassembling (win32 icons)

Started by sydetys, January 08, 2009, 01:42:02 PM


sydetys

Hi

I hope there are some gurus here.

Tell me: is it possible to extract an icon from an .exe file using only a hex editor (=Neo hex editor) and PEditor (=PE Editor 1.7 from Mod and Yoda)?

Is it already stored as an .ico file in the .exe?

Or do I need to create a blank .ico file and add the data from the .exe resource area in the optional header to that blank .ico file?

I want to do this manually, without APIs or other programs, so that I can learn more about PE executable images.

BTW, that PE editor automatically shows the icon's "RVA to data" and "Size". Do I need those when calculating where the icon data starts and where it ends?

ToutEnMasm

Hello,
I am not a guru but I will try to answer.
To extract an icon you need an "icon extractor", not a PE editor.
Put these terms in Google and you will find plenty of them.
Have a look at the menu of PEditor to see if there is an entry to extract an icon (it is not made for that).
What is an icon?
An icon is an image with a limited size and a special format (.ico).
Studying the PE format allows you to extract an icon by writing some code.
You can find some example source code here:
        http://asmedit.massmind.org/

Vortex

It's probably easier to use an API function for this purpose :

ExtractIcon Function :

http://msdn.microsoft.com/en-us/library/ms648068(VS.85).aspx

sydetys

Quote from: Vortex on January 08, 2009, 07:29:28 PM
It's probably easier to use an API function for this purpose :

ExtractIcon Function :

http://msdn.microsoft.com/en-us/library/ms648068(VS.85).aspx

I agree to that.

I KNOW I took just the icon data out, but it won't show as an icon bitmap picture even if a bitmap header is added.

Win API it will be then...

sydetys

Sorry....I HAD to come by and tell.......I DID IT  :U

Hex editing using a few good and different PE editors. I managed to learn about the BMP header, the info in it and its constants, and based on those I got the icon out of the .exe file.

No APIs needed. Great.

There are blanks in my knowledge though:

What are those two bytes after the first two bytes which mark the header as a bitmap (BM) file? I mean after the first bytes "42 4D" <-- constants

Anyone know? ALL the other info in the header is obvious: dimensions etc.

rags

God made Man, but the monkey applied the glue -DEVO

ragdog

Hi

If you need it, here is an icon extractor (masm32)


greets

[attachment deleted by admin]

sydetys

Doing things on my own is more rewarding.

BTW, that link was informative, thanks.

So those bytes were about size:  3     4     bfSize     ??     specifies the size of the file in bytes.

I NULLed those... the ico file still works fine.

According to that link: the ICO (bmp) file in a resource in an executable is without a Bitmapheader; it starts straight from the bitmapinfoheader. Surely that main bitmap header must be somewhere (in the .rsrc area maybe), but last time I just made a blank bmp file and copy-pasted that main bitmap header.
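
An added example, not part of any post in this thread: it wraps one raw RT_ICON resource body, already copied out of the .exe using the "RVA to data" and "Size" values the PE editor shows, into a standalone .ico file. An .ico file starts with a 6-byte ICONDIR followed by one 16-byte ICONDIRENTRY per image, not with a "BM" file header. The names `wrap_rt_icon` and `sample_rt_icon` are hypothetical, and the sample bytes are constructed.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def wrap_rt_icon(image: bytes) -> bytes:
    """Wrap one raw RT_ICON resource body into a single-image .ico file."""
    if image.startswith(PNG_MAGIC):
        if len(image) < 24:
            raise ValueError("truncated PNG header")
        # PNG-compressed icon: width/height sit in the IHDR chunk at offset 16.
        width, height = struct.unpack_from(">II", image, 16)
        planes, bpp, colors = 1, 32, 0   # assumption: PNG icons stored as 32 bpp
    else:
        if len(image) < 40:
            raise ValueError("too short for a BITMAPINFOHEADER")
        (bi_size, width, bi_height, planes, bpp, _comp, _img_size,
         _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from("<IiiHHIIiiII", image)
        if bi_size != 40:
            raise ValueError(f"unexpected biSize {bi_size}")
        # biHeight covers the XOR image plus the AND mask: twice the visible height.
        height = bi_height // 2
        # bColorCount is 0 when the image has 8 or more bits per pixel.
        colors = clr_used or (1 << bpp if bpp < 8 else 0)
    if not (0 < width <= 256 and 0 < height <= 256):
        raise ValueError(f"implausible icon size {width}x{height}")
    icondir = struct.pack("<HHH", 0, 1, 1)   # reserved, type 1 = icon, image count
    entry = struct.pack("<BBBBHHII",
                        width & 0xFF, height & 0xFF,  # 256 is stored as 0
                        colors & 0xFF, 0, planes, bpp,
                        len(image),                   # dwBytesInRes
                        len(icondir) + 16)            # dwImageOffset
    return icondir + entry + image

def sample_rt_icon() -> bytes:
    """Constructed 2x2, 32 bpp resource body (not taken from any real file)."""
    header = struct.pack("<IiiHHIIiiII", 40, 2, 4, 1, 32, 0, 0, 0, 0, 0, 0)
    xor_pixels = bytes([0x00, 0x00, 0xFF, 0xFF]) * 4   # four opaque red BGRA pixels
    and_mask = bytes(8)                                # 2 rows, each padded to 4 bytes
    return header + xor_pixels + and_mask

if __name__ == "__main__":
    with open("extracted.ico", "wb") as f:
        f.write(wrap_rt_icon(sample_rt_icon()))
```

For a multi-image icon, the per-image values normally come from the matching RT_GROUP_ICON resource; this block derives them from the image header instead so it works on a single copied-out image.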