1

What is the header and data structure of a .NET resource? I would like to find an equivalent type of documentation to the following, but for .NET resources:

https://learn.microsoft.com/en-us/windows/win32/menurc/resourceheader

As an example, here is a screenshot of four .NET resources in a sample of AgentTesla:

Dotnet Resources

Focusing on one of them as an example and saving it to a file, in a hex editor, you can see the header and where the PNG data begins. Where is documentation about the specific structure of this header and data?

One Dotnet Resource

For reference, here is the hash of the file in the screenshots above: 40cd96e25835eeba956645398ed73a0f0e14563375530fa5f2db3bcf44dd88d7

Utkonos
  • 136
  • 8
  • 1
    I just googled the magic 0xbeefcace and first hit is https://learn.microsoft.com/en-us/dotnet/api/system.resources.resourcemanager.magicnumber?view=net-7.0. Look around here – blabb Aug 11 '23 at 18:07
  • 1
    Typically when looking up constants, search engines are okay...but for details it's better to use code search (like github or similar) as search engines tend to be biased towards normies. As dotnet's runtime is open-source (dotnet/corert) you can use the constant you provided to find the details within its repository. This constant resides in RuntimeResourceSet.cs and is linked at https://github.com/dotnet/corert/blob/master/src/System.Private.CoreLib/shared/System/Resources/RuntimeResourceSet.cs#L98. – Ali Rizvi-Santiago Aug 12 '23 at 16:44

1 Answers1

0

As stated in the comment googling for the magic const 0xbeefcace i stumbled upon the link

Browsing around the description seem to match your res screen shot

4 bytes magic
4 bytes version = 0x1
4 bytes skip count = 0x91
Png header is at 0x24c 0x91x4 + 8 = 244+8 == 24c

blabb
  • 16,376
  • 1
  • 15
  • 30