GS incorrectly reported on resource only dlls #1045

Open
pmisik opened this issue Aug 10, 2022 · 4 comments
Labels: hacktoberfest, help wanted (Extra attention is needed)


pmisik commented Aug 10, 2022

A resource-only DLL does not contain any code:

  • OptionalHeader.entryPoint==0
  • Export Directory is 0
  • Import Directory is 0
  • Load Configuration Directory is 0

When analyzing such dlls it reports
Warn: No load config in the PE
And reports
GS : "NotPresent"

It would be better to report
GS : "NotApplicable"

@woodruffw
Member

Thanks for the report.

Is there a flag or field we can test that confirms that a particular DLL only contains resources?

If there is, then I agree that we should change this to NotApplicable. Otherwise, NotPresent is still reasonable IMO.

@woodruffw
Member

Also, could you clarify what you mean by "resource DLL"? I assumed that it meant a DLL containing only static program resources (like icons, fonts, etc.) but it looks like Microsoft also uses "resource DLL" to refer to a kind of cluster-management DLL: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/mscs/resource-dlls

woodruffw added the question (Further information is requested) label Aug 10, 2022
Author

pmisik commented Aug 10, 2022

Hi,
As far as I know, there is no flag indicating that a PE file is a resource-only DLL.
By resource-only DLL, I mean PE files that do not contain any code (no .text section).
Basically, *.dll.mui files containing only resources (like string tables, images, branding data, …) – no code.
Trivial vcxproj files including only .rc files, linked with no entry point and no c/cpp file.

  <ItemDefinitionGroup>
    <Link>
      <EntryPointSymbol />
      <NoEntryPoint>true</NoEntryPoint>
    </Link>
  </ItemDefinitionGroup>

Please let me know if you need a sample project of such a DLL.
The dumpbin /headers output of such a DLL looks like this.

Microsoft (R) COFF/PE Dumper Version 14.29.30146.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file xxxx.dll

PE signature found

File Type: DLL

FILE HEADER VALUES
             14C machine (x86)
               2 number of sections
        62B16F5C time date stamp Tue Jun 21 09:12:28 2022
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
            2102 characteristics
                   Executable
                   32 bit word machine
                   DLL

OPTIONAL HEADER VALUES
             10B magic # (PE32)
           14.29 linker version
               0 size of code
          45C000 size of initialized data
               0 size of uninitialized data
               0 entry point
            1000 base of code
            1000 base of data
        10000000 image base (10000000 to 1045DFFF)
            1000 section alignment
             200 file alignment
            6.00 operating system version
            0.00 image version
            6.00 subsystem version
               0 Win32 version
          45E000 size of image
             200 size of headers
          46B6A4 checksum
               2 subsystem (Windows GUI)
             540 DLL characteristics
                   Dynamic base
                   NX compatible
                   No structured exception handler
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
               0 [       0] RVA [size] of Import Directory
            2000 [  45BCB8] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
          45C200 [    4AA0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
            1000 [      54] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
  .rdata name
     114 virtual size
    1000 virtual address (10001000 to 10001113)
     200 size of raw data
     200 file pointer to raw data (00000200 to 000003FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Debug Directories

        Time Type        Size      RVA  Pointer
    -------- ------- -------- -------- --------
    62B16F5C cv            25 0000106C      26C    Format: RSDS, {XXXXXXxX-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, 1, xxxx.pdb
    62B16F5C feat          14 00001094      294    Counts: Pre-VC++ 11.00=0, C/C++=0, /GS=0, /sdl=0, guardN=0
    62B16F5C coffgrp       6C 000010A8      2A8

SECTION HEADER #2
   .rsrc name
  45BCB8 virtual size
    2000 virtual address (10002000 to 1045DCB7)
  45BE00 size of raw data
     400 file pointer to raw data (00000400 to 0045C1FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Summary

        1000 .rdata
      45C000 .rsrc

We internally use a more advanced tool that needs PDBs, Microsoft.binskim, for artefact analysis. It does not report such an issue. You can probably have a look at how they detect resourceOnlyDll.
Please have a look at https://github.com/microsoft/binskim
As it is a Microsoft project, we believe they have the best information about PE files.
I am reporting this issue in order to improve your open-source project.

Best regards (live long and prosper)

@woodruffw
Member

This is very helpful, thanks!

As a first pass, checking for a .text section might be a reasonable solution here. But that's probably not general enough, since a PE could conceivably have executable segment mappings that don't belong to .text.

I'll see what BinSkim does.

woodruffw added the help wanted (Extra attention is needed) and hacktoberfest labels and removed the question (Further information is requested) label Oct 11, 2022
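
Added example, not part of the original thread and not the project's or BinSkim's code: a header-only check in Python that follows the discussion above, treating an image as code-free when the entry point and size of code are 0 and no section carries the code or execute flag, so a code section with a name other than .text is not mistaken for resource-only. The names `pe_summary`, `gs_status`, `build_pe` and the `NeedsLoadConfigCheck` string are hypothetical, and the sample images are constructed.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
LOAD_CONFIG = 10  # index of the Load Configuration data directory

def u(fmt, data, off):
    return struct.unpack_from("<" + fmt, data, off)

def pe_summary(data):
    """Read only the header fields discussed in the thread."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = u("I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = u("HHIIIHH", data, pe + 4)  # COFF file header
    opt = pe + 24
    magic, _, _, size_of_code, _, _, entry = u("HBBIIII", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)                  # PE32 vs PE32+
    ndirs = u("I", data, dirs - 4)[0]
    load_cfg = u("II", data, dirs + 8 * LOAD_CONFIG) if ndirs > LOAD_CONFIG else (0, 0)
    exec_sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        flags = u("I", data, off + 36)[0]
        if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):  # by flag, not by name
            exec_sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"entry": entry, "size_of_code": size_of_code,
            "load_config": load_cfg, "exec_sections": exec_sections}

def gs_status(data):
    """Hypothetical classifier; 'NeedsLoadConfigCheck' is a made-up placeholder."""
    s = pe_summary(data)
    if s["entry"] == 0 and s["size_of_code"] == 0 and not s["exec_sections"]:
        return "NotApplicable"       # no code in the image at all
    if s["load_config"] == (0, 0):
        return "NotPresent"          # code, but no load config
    return "NeedsLoadConfigCheck"    # a real tool would inspect the load config here

def build_pe(sections, entry=0, size_of_code=0, load_cfg=(0, 0)):
    """Constructed sample: minimal PE32 headers only, no section data."""
    dirs = [(0, 0)] * LOAD_CONFIG + [load_cfg] + [(0, 0)] * 5
    opt = struct.pack("<HBBIIII", 0x10B, 14, 29, size_of_code, 0, 0, entry).ljust(92, b"\0")
    opt += struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    sects = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sects

RESOURCE_ONLY = build_pe([(b".rdata", 0x40000040), (b".rsrc", 0x40000040)])  # mirrors the dump
RENAMED_CODE = build_pe([(b".code", 0x60000020)], entry=0x1000, size_of_code=0x200)
```

`gs_status(RESOURCE_ONLY)` yields `NotApplicable`, while `RENAMED_CODE`, which has no .text section but does contain code, still yields `NotPresent`.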