Re-sauce, Part 2

November 18, 2020 in Archaeology, Clustering, File Formats ZOO, Forensic Analysis

In part 1 I covered the most frequently used resource names. Today I will cover an obscure type of resource instead. Some developers name their resources with strings rather than numerical IDs. Many of these string names are prefixed with ‘IDD_’, so they make for an easy target.

Grepping through a large collection of exported resources one can find the following ‘custom-named’ resource names (see file).

Browsing through the content one can find a number of IDDs that are clearly very old e.g.

  • IDD_WIZ97SHEET
  • IDD_DISKETTE
  • IDD_INSERT_DISK

but also lots of very boring names e.g.

  • IDD_DIALOG1
  • IDD_DIALOG2
  • IDD_DIALOG3
  • IDD_DIALOG4
  • IDD_ABOUTBOX
  • IDD_DIALOG_FONT
  • IDD_FONT
  • IDD_UNUSED1
  • etc.

— most likely names auto-created by RAD resource editors. There are some funny typos, e.g. IDD_SPLAHSCREEN. Finally, there are also some more enigmatic and interesting names like

  • IDD_DEBUG*
  • IDD_NTOPEN
  • IDD_NTCLOSE
  • IDD_CREDITCARD

but these are not really research-worthy.

How can you use this list?

Apart from being an archaeological curiosity, it may actually be quite helpful to know which IDD_ resource names are at least known to occur in a ‘good sample set’. With that you could create yara rules, and perhaps more advanced ‘good file’ detections. And if you write a PE viewer/editor/parser, you could always highlight these as ‘known good resources’.
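As an added example (not code from this post), here is a minimal walker for the string-named entries of a PE resource directory tree, run over a constructed .rsrc blob and checked against an assumed, small subset of the known-good IDD_ names; a real list would come from the file linked above.

```python
import struct

# Assumed subset of IDD_ names seen in a clean sample set; the post's full list
# is in the linked file. IDD_SPLAHSCREEN is left out so the classifier flags it.
KNOWN_GOOD_IDD = {"IDD_ABOUTBOX", "IDD_DIALOG1", "IDD_WIZ97SHEET", "IDD_INSERT_DISK"}

def _read_dir_string(rsrc: bytes, off: int) -> str:
    # IMAGE_RESOURCE_DIR_STRING_U: u16 Length, then Length UTF-16LE chars (no NUL)
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le", errors="replace")

def walk_named_entries(rsrc, dir_off=0, depth=0, max_depth=3):
    """Yield (depth, name) for every string-named entry in a resource tree.
    rsrc is the raw .rsrc section; tree offsets are relative to its start.
    max_depth bounds recursion so a malformed tree with a cycle cannot hang us."""
    if depth > max_depth or dir_off + 16 > len(rsrc):
        return
    # IMAGE_RESOURCE_DIRECTORY: 12 bytes of header, then u16 NumberOfNamedEntries,
    # u16 NumberOfIdEntries, followed by 8-byte IMAGE_RESOURCE_DIRECTORY_ENTRY records
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    entry_off = dir_off + 16
    for _ in range(n_named + n_id):
        if entry_off + 8 > len(rsrc):
            return
        name_field, data_field = struct.unpack_from("<II", rsrc, entry_off)
        entry_off += 8
        if name_field & 0x80000000:  # high bit set: offset to a name string
            yield depth, _read_dir_string(rsrc, name_field & 0x7FFFFFFF)
        if data_field & 0x80000000:  # high bit set: offset to a subdirectory
            yield from walk_named_entries(rsrc, data_field & 0x7FFFFFFF, depth + 1, max_depth)

def classify(names):
    """Map each resource name to 'known-good' or 'unknown' for a viewer to highlight."""
    return {n: ("known-good" if n in KNOWN_GOOD_IDD else "unknown") for n in names}

def build_sample_rsrc():
    """Constructed .rsrc blob: root dir with one ID entry (RT_DIALOG = 5) pointing
    to a subdirectory whose two entries are string-named dialog resources."""
    names = ["IDD_ABOUTBOX", "IDD_SPLAHSCREEN"]
    sub_off = 16 + 8                        # root header + one entry
    str_off = sub_off + 16 + 8 * len(names)  # name strings follow the subdirectory
    blob = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)          # root: 0 named, 1 id entry
    blob += struct.pack("<II", 5, 0x80000000 | sub_off)      # RT_DIALOG -> subdirectory
    blob += struct.pack("<IIHHHH", 0, 0, 0, 0, len(names), 0)
    strings = b""
    for n in names:
        blob += struct.pack("<II", 0x80000000 | (str_off + len(strings)), 0)  # 0 = data entry
        strings += struct.pack("<H", len(n)) + n.encode("utf-16-le")
    return blob + strings
```

Calling `classify(n for _, n in walk_named_entries(build_sample_rsrc()))` marks IDD_ABOUTBOX as known-good and the typo IDD_SPLAHSCREEN as unknown.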

Overall, curiosity more than anything useful, but that’s one of the reasons why we are digging it… out.
