
Can any third-party load embedded resources from my project?

Please refer to one of my previous questions. I'm asking about loading a compiled resource from a DLL. Then refer to the answer by David Heffernan. His suggestion is to use a built-in mechanism to load a resource directly from the DLL's instance, without even using my own exported function. This pointed out a security loophole to me.

If this is really the case, if this type of solution is possible, then can any outside third-party load resources from any Delphi Application/DLL? How secure are embedded resources? Suppose I compile a DLL with an embedded resource. Can someone take this DLL and extract the resource? How easy is it, considering they must know the resource name? Are they able to detect what resources are compiled and get a listing of named resources? If this is so, then I will have to implement my own level of security and encrypt every embedded resource and decrypt it with login.

Jerry Dodge asked Dec 26 '22 09:12


1 Answer

The resource section of a Windows Portable Executable is accessible and enumerable to any process/user with read privileges over the executable file.

The Windows API provides a series of functions to work with resources, including functions to:

  • Adding, Deleting, and Replacing Resources
  • Enumerating Resources
  • Finding and Loading Resources
  • Resource File Formats
  • Using Resources

In fact, there are plenty of ready-made tools to perform these operations. Your own Delphi installation has a demo project called Resource Explorer, usually installed in the folder Samples\Delphi\VCL\resXplor.

As you can see, anyone with the knowledge and/or tools can not only read, but delete and replace the resources found in your Windows executable, regardless of the compiler that produced it.

You can find more information about the PE file format in the article An In-Depth Look into the Win32 Portable Executable File Format.

jachguate answered Jan 27 '23 04:01
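The point made in the answer above, as an added example that is not part of the original answer: a short Python routine reading raw bytes can list every resource's type, name, language and size, with no Windows API and no knowledge of the names in advance. It takes the bytes of the `.rsrc` section as input (locating that section through the PE headers is left out); `list_resources`, `SAMPLE_RSRC`, the resource name `CONFIG` and the RVA base `0x1000` are constructed for illustration.

```python
import struct
HI = 0x80000000  # high bit: "offset to string" in Name, "subdirectory" in OffsetToData
RT_NAMES = {3: "RT_ICON", 6: "RT_STRING", 10: "RT_RCDATA", 16: "RT_VERSION", 24: "RT_MANIFEST"}

def _entry_name(rsrc, raw):
    """Resolve an entry's Name field: a numeric ID or a length-prefixed UTF-16 string."""
    if raw & HI:
        off = raw & ~HI
        (n,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le", errors="replace")
    return raw

def _walk(rsrc, off, path, out):
    """Walk IMAGE_RESOURCE_DIRECTORY nodes: level 0 type, 1 name, 2 language."""
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(named + ids):              # named entries come first, then ID entries
        raw_name, target = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        key = path + (_entry_name(rsrc, raw_name),)
        if target & HI and len(key) < 3:      # descend, bounded to three levels
            _walk(rsrc, target & ~HI, key, out)
        elif not target & HI and len(key) == 3:
            _rva, size = struct.unpack_from("<II", rsrc, target)  # IMAGE_RESOURCE_DATA_ENTRY
            out.append(key + (size,))

def list_resources(rsrc):
    """Return (type, name, language, size) for each resource in raw .rsrc section bytes."""
    out = []
    try:
        _walk(rsrc, 0, (), out)
    except struct.error:                      # truncated or malformed: keep what was parsed
        pass
    return [(RT_NAMES.get(t, t), n, lang, size) for t, n, lang, size in out]

def _dir(named, ids, *entries):  # builds one directory node (constructed test data only)
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    return head + b"".join(struct.pack("<II", *e) for e in entries)

# Constructed sample: one RT_RCDATA resource named "CONFIG", language 1033.
NAME, PAYLOAD = "CONFIG", b"constructed sample data"
SAMPLE_RSRC = (
    _dir(0, 1, (10, HI | 24))           # offset 0: type 10 -> name directory at 24
    + _dir(1, 0, (HI | 88, HI | 48))    # offset 24: name string at 88 -> language dir at 48
    + _dir(0, 1, (1033, 72))            # offset 48: language 1033 -> data entry at 72
    + struct.pack("<IIII", 0x1000 + 102, len(PAYLOAD), 0, 0)   # offset 72: RVA, size
    + struct.pack("<H", len(NAME)) + NAME.encode("utf-16-le")  # offset 88: name string
    + PAYLOAD                           # offset 102: the resource bytes themselves
)

print(list_resources(SAMPLE_RSRC))
```

Since the directory stores names, types and sizes in the clear, anything embedded as a resource is readable by whoever can read the file.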