Tags: windows, dll, registry, firewall, offset

Understanding a negative offset of a registry data reference to a dll file


I almost have an answer to my last question, but I need help.

The Windows Firewall Rules (Vista and up) are stored in the Registry HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Example rule:

v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=5722|App=%SystemRoot%\system32\dfsr.exe|Svc=Dfsr|Name=@FirewallAPI.dll,-32257|Desc=@FirewallAPI.dll,-32260|EmbedCtxt=@FirewallAPI.dll,-32252|Edge=FALSE|

The field I need to decode is EmbedCtxt=@FirewallAPI.dll,-32252

I think it references C:\WINDOWS\System32\FirewallAPI.dll, but I can't figure out how the number works. The file is ~400KB depending.

I tried a few variations like pretending it was an unsigned short, pretending it was not negative, pretending it was offset from the end, but they did not look right when I arrived at the location with my hex editor.

Could somebody give me their ideas on what this number might mean? I hardly know anything about DLL files. It could even be a section number for all I know.

I also tried searching the text for the expected output, but it seems it is neither byte per character, nor is it UTF-16, either that or I am doing something wrong.


Solution

  • Raymond covers it here. Positive numbers are resource indices. Negative numbers (once you've removed the minus sign) are resource identifiers.
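The decoding the answer describes, as an added example that is not part of the question or answer: the rule string from the question (with the key names Name, Desc and EmbedCtxt that Windows uses for the three @FirewallAPI.dll references) is split into its fields, and each @dll,-id reference is resolved through the shell's SHLoadIndirectString API, which handles the negative-number resource-ID form. It assumes a Windows host with FirewallAPI.dll in System32; the function names are mine.

```powershell
# Added example (not from the question or answer): decode a FirewallRules value and
# resolve its "@dll,-id" indirect strings. Function names are my own; run on Windows.

# SHLoadIndirectString (shlwapi.dll) turns "@filename,-resourceID" into display text,
# including the lookup in the language-specific .mui satellite file of the DLL.
Add-Type -Namespace Win32 -Name Shlwapi -MemberDefinition @'
[DllImport("shlwapi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
public static extern int SHLoadIndirectString(string pszSource,
    System.Text.StringBuilder pszOutBuf, int cchOutBuf, IntPtr ppvReserved);
'@

function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory)][string]$Rule)
    # Fields are '|'-separated "Key=Value" pairs; the first token is the format version.
    $fields = $Rule.TrimEnd('|').Split('|')
    $result = [ordered]@{ Version = $fields[0] }
    foreach ($field in ($fields | Select-Object -Skip 1)) {
        $key, $value = $field.Split('=', 2)
        $result[$key] = $value
    }
    [pscustomobject]$result
}

function Resolve-IndirectString {
    param([Parameter(Mandatory)][string]$Reference)
    # A negative number after the comma is a string-table resource identifier
    # (the form the answer describes and the one SHLoadIndirectString documents).
    $buffer = New-Object System.Text.StringBuilder 1024
    $hr = [Win32.Shlwapi]::SHLoadIndirectString($Reference, $buffer, $buffer.Capacity, [IntPtr]::Zero)
    if ($hr -ne 0) { throw ('SHLoadIndirectString({0}) failed: 0x{1:X8}' -f $Reference, $hr) }
    $buffer.ToString()
}

# The rule string from the question, as stored under ...\FirewallPolicy\FirewallRules.
$rule = 'v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=5722|App=%SystemRoot%\system32\dfsr.exe|Svc=Dfsr|Name=@FirewallAPI.dll,-32257|Desc=@FirewallAPI.dll,-32260|EmbedCtxt=@FirewallAPI.dll,-32252|Edge=FALSE|'
$parsed = ConvertFrom-FirewallRuleString $rule
foreach ($prop in $parsed.PSObject.Properties) {
    if ($prop.Value -like '@*,-*') {
        # Show the raw reference next to the text it resolves to.
        '{0,-10} {1,-26} -> {2}' -f $prop.Name, $prop.Value, (Resolve-IndirectString $prop.Value)
    } else {
        '{0,-10} {1}' -f $prop.Name, $prop.Value
    }
}
```

To decode every rule on a host, read the FirewallRules key with Get-ItemProperty and pass each value (skipping the PS* metadata properties) through ConvertFrom-FirewallRuleString the same way.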