Thursday, October 6, 2016

A disadvantage of UPX

UPX (Ultimate Packer for Executables) is a free and open source executable packer (https://en.wikipedia.org/wiki/UPX). It makes your executable smaller, which speeds up loading and transferring it. I have been using it for many years and had no problem at all until a few days ago, when I discovered a serious issue with it.

When UPX compresses your executable, it compresses not only the code but also most of the resource data in the .rsrc section, message tables included. The resource directory of the packed file no longer lists those resources; they are only reconstructed in memory when the packed program itself runs its decompression stub. As a result, the resources are no longer readable by other applications that open the file purely to read resources (LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE followed by FindResource or FormatMessage), which is exactly how the Windows Event Log components read message files. One scenario: you compile a message table into your executable and register that executable as the resource file for your own Event Log source, i.e. as the value of "EventMessageFile" under the source's key in the Windows registry. If you then pack that executable with UPX, firstly, Event Viewer will not find the descriptions for your event IDs and categories; secondly, it might crash the Windows Event Log service, and, even worse, the service might not recover even though its Recovery settings have been configured.

You can reproduce what I have described with the following steps:

  1. Download UPX from https://github.com/upx/upx/releases/tag/v3.91 (the latest release at the time of writing)
  2. Find an Event Log source under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application" whose EventMessageFile points to an EXE and which has some events you can see in Event Viewer
  3. Make a backup copy of the EXE found in step 2, then compress the original with UPX
  4. Restart Event Viewer if it is open
  5. Open one of that source's events; the description now starts with something like "The description for Event ID xxx from source yyy cannot be found"
  6. Try to filter the current log to show only events from the chosen source; Event Viewer might crash, because in some cases the Windows Event Log service has crashed by now
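The following PowerShell script is an added example, not part of the original post. It performs the check a practitioner would want before and after step 3: it enumerates the sources of a log (default: Application), loads every EXE named in an EventMessageFile value as a data file, the same way the Event Log components do, and counts the MESSAGETABLE resources (resource type id 11, RT_MESSAGETABLE) it can find. A source whose file reports 0 message tables is one whose events Event Viewer cannot describe. The function and variable names are my own; the Win32 APIs and the type id are the real ones.

```powershell
# Added example (not from the original post): report which Event Log sources have an
# EXE message file that no longer exposes any MESSAGETABLE resource, e.g. after UPX packing.

Add-Type -Namespace Win32 -Name Res -MemberDefinition @'
public delegate bool EnumResNameProc(IntPtr hModule, IntPtr lpType, IntPtr lpName, IntPtr lParam);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool FreeLibrary(IntPtr hModule);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool EnumResourceNamesW(IntPtr hModule, IntPtr lpType, EnumResNameProc lpEnumFunc, IntPtr lParam);
'@

$LOAD_LIBRARY_AS_DATAFILE       = [uint32]0x00000002
$LOAD_LIBRARY_AS_IMAGE_RESOURCE = [uint32]0x00000020
$RT_MESSAGETABLE                = [IntPtr]11   # resource type id of MESSAGETABLE

function Get-MessageTableNames {
    # Returns the names/IDs of all MESSAGETABLE resources in a PE file.
    # The file is mapped as a data file only, so no code from it is executed.
    param([Parameter(Mandatory)][string]$Path)

    $hMod = [Win32.Res]::LoadLibraryExW($Path, [IntPtr]::Zero,
                ($LOAD_LIBRARY_AS_DATAFILE -bor $LOAD_LIBRARY_AS_IMAGE_RESOURCE))
    if ($hMod -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryEx failed for '$Path' (Win32 error $err)"
    }
    try {
        $found = New-Object System.Collections.Generic.List[string]
        $sb = {
            param([IntPtr]$h, [IntPtr]$type, [IntPtr]$name, [IntPtr]$lparam)
            # lpName is an integer ID when its high word is zero, otherwise a string pointer.
            if (($name.ToInt64() -shr 16) -eq 0) { $found.Add("#$($name.ToInt64())") }
            else { $found.Add([Runtime.InteropServices.Marshal]::PtrToStringUni($name)) }
            return $true   # keep enumerating
        }.GetNewClosure()
        $cb = [Win32.Res+EnumResNameProc]$sb
        # EnumResourceNames returns $false when the type is absent; that is precisely the
        # "no message table" case being probed, so the return value is deliberately ignored.
        [void][Win32.Res]::EnumResourceNamesW($hMod, $RT_MESSAGETABLE, $cb, [IntPtr]::Zero)
        return ,$found.ToArray()
    } finally {
        [void][Win32.Res]::FreeLibrary($hMod)
    }
}

function Test-EventSourceMessageFiles {
    # One row per EXE-backed EventMessageFile of the given log. MessageTables = 0 means
    # Event Viewer will show "The description for Event ID ... cannot be found" for that source.
    param([string]$Log = 'Application')

    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Log"
    foreach ($key in Get-ChildItem -Path $base) {
        $value = Get-ItemProperty -Path $key.PSPath -Name EventMessageFile -ErrorAction SilentlyContinue
        if (-not $value) { continue }
        # EventMessageFile is REG_EXPAND_SZ and may list several files separated by ';'.
        foreach ($entry in ($value.EventMessageFile -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if ($path -notmatch '\.exe$') { continue }   # the post's case: message table inside an EXE
            $status = 'ok'; $tables = @()
            if (-not (Test-Path -LiteralPath $path)) {
                $status = 'file missing'
            } else {
                try   { $tables = Get-MessageTableNames -Path $path }
                catch { $status = $_.Exception.Message }
                if ($status -eq 'ok' -and $tables.Count -eq 0) { $status = 'no MESSAGETABLE (packed?)' }
            }
            [pscustomobject]@{
                Source        = $key.PSChildName
                File          = $path
                MessageTables = $tables.Count
                Status        = $status
            }
        }
    }
}

Test-EventSourceMessageFiles -Log Application | Sort-Object MessageTables | Format-Table -AutoSize
```

Run it once before step 3 and once after: the packed EXE drops from one or more message tables to zero, while every other source is unchanged, which isolates the breakage to UPX rather than to the registry entry. If the executable must stay packed, UPX's own options avoid the problem: `--keep-resource=11` leaves resources of type 11 (MESSAGETABLE) uncompressed, and `--compress-resources=0` leaves all resources alone (see `upx --help`).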

1 comment:

  1. You can use the keep-resource flag so that UPX will preserve certain resource types
