16bit system extracting icons

So I’m having to extract the 16bit icons from the 16bit apps like C6EE.exe because Vista onwards no longer gets the 16bit icons so shortcuts look lousy amongst other changes.

This is what Raymond Chen has to say on the matter:

Before you get all worked up, bear in mind that 16-bit code can access icons stored in 16-bit modules just fine; that all happens inside the 16-bit emulation layer. What is gone is the ability to access those icons from 32-bit code, or more specifically the ability for 32-bit icon extraction functions like the ExtractIcon function to load those icons from your 16-bit DLL.

The 32-bit code that extracts icons from 16-bit modules doesn’t have the luxury of using kernel functions such as FindResource to locate the icon in the file. Instead, the code must implement its own mini-loader that parses the 16-bit module header, seeks to the resource table, and then parses the resource table looking for the desired icon resource. Only after doing all that can the 32-bit code finally convert the pixels into an icon.

It’s an interesting comment, especially the bold bit, because MS are saying the 16bit system has less security so you could do more; it’s not that locked down.

I’m using the Borland Workshop 4.5 to extract the 16bit icons and noticed in the C6.3 Report Writer exe a number of other resources.
We have DabsDump, RWMAIN which looks like this

DABDUMP RWMAIN_RSC 0 F  RW$rwmain V Clarion Report Writer RWMAIN$APPWIN RWRITER.ICO >  ÿÿÿÿÿÿMS Sans Serif ÿÿ  ~RW01     € € € €   4         (     P     "  d “ R  L                É  € € € €                &File ?FILE_MENU ´   Äÿ¾   ¸  € € € €                      &New... ?ID_FILENEW O    óÿ   ø  € € € €                      &Open... ?ID_FILEOPEN ’    òÿB  9 € € € €                      Pic&k... ?ID_FILEPICK ¿    ñÿ…  | € € € €                      
            € € € €                      &Printer Setup... ?ID_PRINTSETUP :   íÿþ  ì € € € €                      v            € € € €                      E&xit ?ID_EXIT      âÿm  g € € € €                      &Help ?HELP_MENU      Àÿ©  £ € € € €                      þ&Contents ?ID_HELPCONTENTS Q    ìÿí  ã € € € €                     &Search for Help On... ?ID_HELPSEARCH ¡    ëÿB  + € € € €                a     &How to Use Help ?ID_HELPUSINGHELP

It’s remarkably like a Clarion resource file from the compiling stage, I think?

Now considering it’s possible to stuff pretty much anything into a file and include it as a resource file inside an exe or DLL, like stuffing a dll inside a dll, an example of recursion, [edit] and steganography (Steganography - Wikipedia) [/edit], I’m left wondering why did MS do this removal of 16bit functionality. Was it really because of security reasons?

There is another file in the resource section called dirselec. Its contents look like this

DIRSELECT DIALOG LOADONCALL MOVEABLE DISCARDABLE 10, 34, 164, 134
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "Select Directory"
FONT 8, "Helv"
{
 LTEXT "&Directory:", -1, 10, 6, 92, 9
 EDITTEXT 100, 10, 16, 92, 12, ES_AUTOHSCROLL | ES_OEMCONVERT | WS_BORDER | WS_TABSTOP
 LTEXT "", 1088, 10, 16, 92, 9, SS_NOPREFIX | WS_GROUP
 LISTBOX 1121, 10, 32, 92, 68, LBS_STANDARD | LBS_OWNERDRAWFIXED | LBS_HASSTRINGS | WS_TABSTOP
 LTEXT "Dri&ve:", 1091, 10, 102, 92, 9
 COMBOBOX 1137, 10, 112, 92, 68, CBS_DROPDOWNLIST | CBS_OWNERDRAWFIXED | CBS_AUTOHSCROLL | CBS_SORT | CBS_HASSTRINGS | WS_BORDER | WS_VSCROLL | WS_TABSTOP
 DEFPUSHBUTTON "OK", 1, 108, 6, 50, 14, BS_DEFPUSHBUTTON | WS_GROUP | WS_TABSTOP
 PUSHBUTTON "Cancel", 2, 108, 24, 50, 14, WS_GROUP | WS_TABSTOP
 PUSHBUTTON "&Help", 1038, 108, 46, 50, 14, WS_GROUP | WS_TABSTOP
 CHECKBOX "&Read Only", 1040, 108, 68, 50, 12, BS_AUTOCHECKBOX | WS_GROUP | WS_TABSTOP
 LTEXT "File &Name:", 1090, 200, 6, 76, 10
 EDITTEXT 1152, 200, 16, 90, 12, ES_AUTOHSCROLL | ES_OEMCONVERT | NOT WS_TABSTOP | WS_DISABLED | WS_BORDER
 LISTBOX 1120, 200, 32, 90, 68, LBS_STANDARD | LBS_OWNERDRAWFIXED | LBS_HASSTRINGS | LBS_EXTENDEDSEL | WS_DISABLED
 LTEXT "List Files of &Type:", 1089, 200, 102, 90, 9, WS_DISABLED | WS_GROUP
 COMBOBOX 1136, 200, 128, 90, 72, CBS_DROPDOWNLIST | CBS_AUTOHSCROLL | WS_DISABLED | WS_BORDER | WS_VSCROLL
}

So MS are playing this change in icon functionality as

All that you’re losing on Windows Vista is the ability to do an ExtractIcon from your 32-bit program and obtain an icon from a 16-bit DLL. If you have a shortcut to a 16-bit program on your Start menu, the icon for that shortcut will now come up as a generic program icon since Windows Explorer can no longer extract the 16-bit program’s icon from its main EXE. No big loss. But if this really bothers you, you can edit the shortcut’s properties and give it an icon from a 32-bit module.

But I wonder if there is more to this than meets the eye, mainly the 16bit system being a security risk to the 32bit system?

Report Writer shows you what can be stuffed as a file inside the resource section of an exe or dll.

I haven’t tried any of these tricks inside a 32bit Clarion app yet, but I also wonder what I could hide from the AV scanners? For example, could I create a library define, using the name and order of some resource files?

In the reportwriter, there are a number of cursor files starting with the filename 100 that increment by one up to the last filename of 118. Could I use these cursor resource files to define something without having to define it in code the normal way, I wonder?

I think it’s quite clever if you could do that, because even if an app is decompiled, who would suspect some of the files in a resource section, the order they are included and their names to be anything more?

Which then takes me back to what have MS locked down, if anything, in the resource section of a file on 32 or 64bit Windows?

Would anti virus pick this up?

So there is the EICAR AV test file (Download Anti Malware Testfile – Eicar).

It’s a string which all AV companies try to detect. I wonder if I could spell out across file names in the resource section, the eicar string and would it get picked up?

Plus could I stuff a pup/pua or virus into some files in the resource section to test if any AV picks it up, at what point would it get picked up, right after compilation or maybe when the file is moved to a new folder, or after it’s been run?

I think I might be having an interesting test coming up.

Or you could use Axialis IconWorkshop and be done with it.

I used to have that before my systems got hacked and everything destroyed. I saw they do a lifetime thing, but I don’t have the domains I used, if I can remember what domain I did use.

Thing is, what MS did with the icons not showing in the 32bit short cuts wasn’t nice either. It’s an icon, they make a big deal on making windows backwards compatible and with one foul swoop, they make using 16bit apps hard to do.

I don’t see the quality in many of today’s programs which is why if I can I still use things like notepad, paint and in this case C6. I haven’t had a chance to get C11 installed yet in order to write my disaster recovery plan for that app.

Don’t you just hate it when all the files, all the icons I managed to extract last night, the disaster recovery notes that anyone can follow to get the system back up and running have mysteriously been wiped from the 4-month-old Windows 10 Pro 20H2 pc, and two USB sticks acting as a simultaneous backup/mirror. I think I’ve got less than 5 external programs installed on here so far, VMware, Notepad++, RaspberryPi writer, nVidia configureMosaic and Ultramon, not that this implies how the malicious software was delivered.

Someone really doesn’t want me using C6, I hope the consequences are worth it.
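
The mini-loader steps in the Raymond Chen quote near the top of this thread (parse the 16-bit module header, seek to the resource table, walk its entries), as an added example that is not part of any post and is not Microsoft's code. It goes beyond icons and lists every resource type, which is also how entries such as the DIRSELECT dialog can be inventoried. `list_ne_resources` and `build_sample` are hypothetical names, the sample image is constructed, and offsets and lengths are assumed to be stored in alignment-shift units.

```python
import struct

RT_NAMES = {1: "CURSOR", 2: "BITMAP", 3: "ICON", 5: "DIALOG", 14: "GROUP_ICON"}

def _ident(buf, table, value):
    """High bit set: integer ID; else offset from table start to a length-prefixed name."""
    if value & 0x8000:
        return value & 0x7FFF
    pos = table + value
    return buf[pos + 1:pos + 1 + buf[pos]].decode("latin-1")

def list_ne_resources(buf):
    """Return (type, id, file_offset, byte_length) per resource; ValueError if malformed."""
    try:
        if buf[:2] != b"MZ":
            raise ValueError("no MZ header")
        ne = struct.unpack_from("<I", buf, 0x3C)[0]        # offset of the NE header
        if buf[ne:ne + 2] != b"NE":
            raise ValueError("not a 16-bit NE module")
        rsrc, resident = struct.unpack_from("<HH", buf, ne + 0x24)
        if rsrc == resident:                               # module has no resources
            return []
        table = ne + rsrc
        shift = struct.unpack_from("<H", buf, table)[0]    # alignment shift count
        pos, found = table + 2, []
        while (type_id := struct.unpack_from("<H", buf, pos)[0]) != 0:
            count = struct.unpack_from("<H", buf, pos + 2)[0]
            rtype = _ident(buf, table, type_id)
            pos += 8                                       # past the TYPEINFO header
            for _ in range(count):
                off, size, _flags, rid = struct.unpack_from("<4H", buf, pos)
                if (off + size) << shift > len(buf):
                    raise ValueError("resource data lies outside the file")
                found.append((RT_NAMES.get(rtype, rtype), _ident(buf, table, rid),
                              off << shift, size << shift))
                pos += 12                                  # next NAMEINFO entry
        return found
    except (struct.error, IndexError) as exc:
        raise ValueError(f"truncated module: {exc}") from None

def build_sample():
    """Constructed minimal NE image: icon ID 1 and a dialog named DIRSELECT."""
    table = (struct.pack("<H", 4)
             + struct.pack("<HHI6H", 0x8003, 1, 0, 0x10, 2, 0, 0x8001, 0, 0)
             + struct.pack("<HHI6H", 0x8005, 1, 0, 0x12, 1, 0, 44, 0, 0)
             + struct.pack("<H", 0) + b"\x09DIRSELECT\x00")
    ne = bytearray(b"NE" + bytes(0x3E))
    struct.pack_into("<HH", ne, 0x24, 0x40, 0x40 + len(table))
    return (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + bytes(ne) + table).ljust(0x130, b"\0")
```

Calling `list_ne_resources(open(path, "rb").read())` on a real 16-bit module gives the same kind of listing; a truncated or non-NE file raises `ValueError` instead of reading past the buffer.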