
c# - Is BinaryFormatter used to deserialize images embedded in an application via .resx files? - Stack Overflow


In a C# .Net application, is BinaryFormatter used to deserialize resource image data embedded in the application via .resx files and Resource Explorer?

I've been handed a .Net application and the task of eliminating the use of BinaryFormatter due to the security concerns inherent to BinaryFormatter. The original author used Visual Studio Resource Explorer to create .resx files and to embed bitmap image data (images for the GUI, etc.) into a library (dll), and that dll gets linked into the final application, a stand-alone exe.

Inside the .resx file, the images are embedded like this:

  <data name="MyImage" type="System.Resources.ResXFileRef, System.Windows.Forms">
    <value>..\images\MyImage.png;System.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=1234567890ABCEF0</value>
  </data>

Inside the auto-generated ResourcesDesigner.cs file, the images are extracted like this:

public static System.Drawing.Bitmap Captured {
    get {
        object obj = ResourceManager.GetObject("MyImage", resourceCulture);
        return ((System.Drawing.Bitmap)(obj));
    }
}

Looking at the compiler output, this .resx file gets converted to a .resources file by CoreResGen, then that .resources file is embedded in the dll, which must be embedded in the exe because the exe is all by itself. My understanding is BinaryFormatter is not used when extracting this embedded resources data from the exe at runtime. Can anyone confirm that this is correct or not?

asked Feb 11 at 0:34 by Matt
  • 2 Can anyone confirm that this is correct or not?: Yes. You can. View the source code to find the information you're interested in. Reference Source and dotnet source code. – It all makes cents Commented Feb 11 at 4:24
  • If you are talking about a WinForms application, see learn.microsoft/en-us/dotnet/standard/serialization/… – Matthew Watson Commented Feb 11 at 9:13
  • If a type has a TypeConverter that is able to convert the corresponding type to string or byte[], then ResourceManager (well, in fact ResXDataNode under the hood) uses the type converter rather than a formatter. For Bitmap instances the parent Image class specifies the ImageConverter class that can convert to and from byte[]. – György Kőszeg Commented Feb 11 at 13:15
  • It looks like @MatthewWatson's comment is the answer you are looking for. He should consider writing it up as an answer (fleshed out a bit, so it's not just a link-only answer). – Flydog57 Commented Feb 11 at 22:47
  • Thanks all for the comments. From what I can tell, in .Net 8+, BinaryFormatter is not used when extracting resources that are embedded in the binary. But with .Net Framework 4.8.1, BinaryFormatter may still be used. I have to build for both .Net 8 and .Net Framework 4.8.1, so I'm now trying to figure out how to detect when BinaryFormatter is used, and if it's possible to throw an exception if/when it's used in the .Net Framework build. Or better yet, how to exclude it entirely. – Matt Commented Feb 13 at 22:15

1 Answer

After much research, this is my understanding.

In the case of .Net 9, BinaryFormatter is completely removed by default. Trying to use it will cause an error.

In the case of .Net 8 and .Net Framework 4.8.1: the compiler uses the info in the .resx file to create a binary .resources file. Those binary .resources files are embedded in the executable at compile time. When using the attribute System.Resources.ResXFileRef for the image files in the .resx files, a TypeConverter is used to create the binary .resources file. And since the image data embedded in the executable is already in binary format, BinaryFormatter is not used to extract it at runtime.

In summary, in my case above BinaryFormatter is not used for .Net Framework or .Net 8+. (I'm compiling the same code for both, to meet customer demands)
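
One way to approach the detection question raised in the comments, as an added example that is not part of the original question or answer: a C# console check that classifies each <data> entry of a .resx by how its value is stored and flags entries whose mimetype marks a BinaryFormatter or SoapFormatter payload. The class name, the sample entries InlineIcon and LegacyState, and the exit-code convention are assumptions; the check inspects only the .resx source, not how the compiled .resources file is read at runtime on a given framework.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;

static class ResxFormatterAudit
{
    // Mimetype values that ResXResourceWriter puts on serialized <data> entries.
    const string BinaryMime = "application/x-microsoft.net.object.binary.base64";    // BinaryFormatter
    const string SoapMime   = "application/x-microsoft.net.object.soap.base64";      // SoapFormatter
    const string BytesMime  = "application/x-microsoft.net.object.bytearray.base64"; // TypeConverter to byte[]
    // Constructed sample: the page's MyImage entry (shortened) plus two made-up entries.
    const string Sample = @"<root>
  <data name='MyImage' type='System.Resources.ResXFileRef, System.Windows.Forms'>
    <value>..\images\MyImage.png;System.Drawing.Bitmap, System.Drawing</value></data>
  <data name='InlineIcon' type='System.Drawing.Bitmap, System.Drawing'
        mimetype='application/x-microsoft.net.object.bytearray.base64'><value>constructed</value></data>
  <data name='LegacyState' mimetype='application/x-microsoft.net.object.binary.base64'>
    <value>constructed</value></data>
</root>";
    public static string Classify(XElement data)
    {
        string mime = (string)data.Attribute("mimetype");
        string type = (string)data.Attribute("type") ?? "";
        if (mime == BinaryMime) return "BinaryFormatter";
        if (mime == SoapMime) return "SoapFormatter";
        if (mime == BytesMime) return "TypeConverter (byte[])";
        if (type.StartsWith("System.Resources.ResXFileRef", StringComparison.Ordinal)) return "ResXFileRef (external file)";
        return type.Length == 0 ? "plain string" : "TypeConverter (string)";
    }
    // Prints one line per entry and returns how many entries need a formatter.
    static int Report(string source, XDocument doc)
    {
        int flagged = 0;
        foreach (XElement data in doc.Root.Elements("data"))
        {
            string kind = Classify(data);
            bool risky = kind.EndsWith("Formatter", StringComparison.Ordinal);
            if (risky) flagged++;
            Console.WriteLine("{0} {1}: {2} -> {3}", risky ? "FAIL" : "ok", source, (string)data.Attribute("name"), kind);
        }
        return flagged;
    }
    static int Main(string[] args)
    {
        // No argument: audit the constructed sample. Otherwise: every .resx under the given directory.
        if (args.Length == 0) return Report("(constructed sample)", XDocument.Parse(Sample)) > 0 ? 1 : 0;
        return Directory.EnumerateFiles(args[0], "*.resx", SearchOption.AllDirectories)
                        .Sum(p => Report(p, XDocument.Load(p))) > 0 ? 1 : 0; // non-zero exit fails a CI step
    }
}
```

Run against the sample, only LegacyState is reported as FAIL; the MyImage file reference and the byte-array entry are listed as ok.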
