Show / Hide Table of Contents

Class PeFile

This class represents a Portable Executable (PE) file and makes the different header and properties accessible.

Inheritance
System.Object
PeFile
Namespace: PeNet
Assembly: PeNet.dll
Syntax
public class PeFile : object

Constructors

| Improve this Doc View Source

PeFile(IRawFile)

Declaration
public PeFile(IRawFile peFile)
Parameters
Type Name Description
IRawFile peFile
| Improve this Doc View Source

PeFile(Stream)

Create a new PeFile object.

Declaration
public PeFile(Stream peFile)
Parameters
Type Name Description
Stream peFile

Stream containing a PE file.

| Improve this Doc View Source

PeFile(Byte[])

Create a new PeFile object.

Declaration
public PeFile(byte[] buff)
Parameters
Type Name Description
System.Byte[] buff

A PE file a byte array.

| Improve this Doc View Source

PeFile(String)

Create a new PeFile object.

Declaration
public PeFile(string peFile)
Parameters
Type Name Description
System.String peFile

Path to a PE file.

Properties

| Improve this Doc View Source

AuthenticodeInfo

Information about a possible Authenticode binary signature.

Declaration
public AuthenticodeInfo AuthenticodeInfo { get; }
Property Value
Type Description
AuthenticodeInfo
| Improve this Doc View Source

ClrComTypeLibId

The COM TypeLib ID of the assembly, if specified, and if the PE is a CLR assembly.

Declaration
public Guid? ClrComTypeLibId { get; }
Property Value
Type Description
System.Nullable<Guid>
| Improve this Doc View Source

ClrModuleVersionIds

The Version ID of each module if the PE is a CLR assembly.

Declaration
public List<Guid>? ClrModuleVersionIds { get; }
Property Value
Type Description
System.Nullable<List<Guid>>
| Improve this Doc View Source

DelayImportedFunctions

Access the delay imported functions as an array of parsed objects.

Declaration
public ImportFunction[] DelayImportedFunctions { get; }
Property Value
Type Description
ImportFunction[]
| Improve this Doc View Source

ExceptionDirectory

Access the array of RuntimeFunction from the Exception header.

Declaration
public RuntimeFunction[] ExceptionDirectory { get; }
Property Value
Type Description
RuntimeFunction[]
| Improve this Doc View Source

ExportedFunctions

Access the exported functions as an array of parsed objects.

Declaration
public ExportFunction[] ExportedFunctions { get; }
Property Value
Type Description
ExportFunction[]
| Improve this Doc View Source

FileSize

Returns the file size in bytes.

Declaration
public long FileSize { get; }
Property Value
Type Description
System.Int64
| Improve this Doc View Source

HasValidAuthenticodeSignature

Returns true if the PE file signature is valid. It does not check if the signature is trusted based on the installed certificates on the system.

Declaration
public bool HasValidAuthenticodeSignature { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

ImageBoundImportDescriptor

Access the IMAGE_BOUND_IMPORT_DESCRIPTOR form the data directory.

Declaration
public ImageBoundImportDescriptor ImageBoundImportDescriptor { get; }
Property Value
Type Description
ImageBoundImportDescriptor
| Improve this Doc View Source

ImageComDescriptor

Access the ImageCor20Header (COM Descriptor/CLI) from the data directory.

Declaration
public ImageCor20Header ImageComDescriptor { get; }
Property Value
Type Description
ImageCor20Header
| Improve this Doc View Source

ImageDebugDirectory

Access the ImageDebugDirectory of the PE file.

Declaration
public ImageDebugDirectory[] ImageDebugDirectory { get; }
Property Value
Type Description
ImageDebugDirectory[]
| Improve this Doc View Source

ImageDelayImportDescriptors

Access the ImageDelayImportDirectory from the data directory.

Declaration
public ImageDelayImportDescriptor[] ImageDelayImportDescriptors { get; }
Property Value
Type Description
ImageDelayImportDescriptor[]
| Improve this Doc View Source

ImageDosHeader

Access the ImageDosHeader of the PE file.

Declaration
public ImageDosHeader ImageDosHeader { get; }
Property Value
Type Description
ImageDosHeader
| Improve this Doc View Source

ImageExportDirectory

Access the ImageExportDirectory of the PE file.

Declaration
public ImageExportDirectory ImageExportDirectory { get; }
Property Value
Type Description
ImageExportDirectory
| Improve this Doc View Source

ImageImportDescriptors

Access the ImageImportDescriptor array of the PE file.

Declaration
public ImageImportDescriptor[] ImageImportDescriptors { get; }
Property Value
Type Description
ImageImportDescriptor[]
| Improve this Doc View Source

ImageLoadConfigDirectory

Access the ImageLoadConfigDirectory from the data directory.

Declaration
public ImageLoadConfigDirectory ImageLoadConfigDirectory { get; }
Property Value
Type Description
ImageLoadConfigDirectory
| Improve this Doc View Source

ImageNtHeaders

Access the ImageNtHeaders of the PE file.

Declaration
public ImageNtHeaders ImageNtHeaders { get; }
Property Value
Type Description
ImageNtHeaders
| Improve this Doc View Source

ImageRelocationDirectory

Access the ImageBaseRelocation array of the PE file.

Declaration
public ImageBaseRelocation[] ImageRelocationDirectory { get; }
Property Value
Type Description
ImageBaseRelocation[]
| Improve this Doc View Source

ImageResourceDirectory

Access the ImageResourceDirectory of the PE file.

Declaration
public ImageResourceDirectory ImageResourceDirectory { get; }
Property Value
Type Description
ImageResourceDirectory
| Improve this Doc View Source

ImageSectionHeaders

Access the ImageSectionHeader of the PE file.

Declaration
public ImageSectionHeader[] ImageSectionHeaders { get; }
Property Value
Type Description
ImageSectionHeader[]
| Improve this Doc View Source

ImageTlsDirectory

Access the IMAGE_TLS_DIRECTORY from the data directory.

Declaration
public ImageTlsDirectory ImageTlsDirectory { get; }
Property Value
Type Description
ImageTlsDirectory
| Improve this Doc View Source

ImpHash

The Import Hash of the binary if any imports are given else null;

Declaration
public string? ImpHash { get; }
Property Value
Type Description
System.Nullable<System.String>
| Improve this Doc View Source

ImportedFunctions

Access the imported functions as an array of parsed objects.

Declaration
public ImportFunction[] ImportedFunctions { get; }
Property Value
Type Description
ImportFunction[]
| Improve this Doc View Source

Is32Bit

Returns true if the PE file is x32.

Declaration
public bool Is32Bit { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

Is64Bit

Returns true if the PE file is x64.

Declaration
public bool Is64Bit { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsAuthenticodeSigned

Returns true if the PE file is signed. It does not check if the signature is valid!

Declaration
public bool IsAuthenticodeSigned { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsDll

Returns true if the DLL flag in the File Header is set.

Declaration
public bool IsDll { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsDotNet

Returns true if the file is a .NET executable.

Declaration
public bool IsDotNet { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsDriver

Returns true if the PE file is a system driver based on the Subsytem = 0x1 value in the Optional Header.

Declaration
public bool IsDriver { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsExe

Returns true if the Executable flag in the File Header is set.

Declaration
public bool IsExe { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

IsTrustedAuthenticodeSignature

Returns true of the PE file signature is trusted based on the installed certificates on the system.

Declaration
public bool IsTrustedAuthenticodeSignature { get; }
Property Value
Type Description
System.Boolean
| Improve this Doc View Source

Md5

The MD5 of hash sum of the binary.

Declaration
public string? Md5 { get; }
Property Value
Type Description
System.Nullable<System.String>
| Improve this Doc View Source

MetaDataHdr

Access the MetaDataHdr from the COM/CLI header.

Declaration
public MetaDataHdr MetaDataHdr { get; }
Property Value
Type Description
MetaDataHdr
| Improve this Doc View Source

MetaDataStreamBlob

Meta Data Stream #Blob as an byte array.

Declaration
public byte[] MetaDataStreamBlob { get; }
Property Value
Type Description
System.Byte[]
| Improve this Doc View Source

MetaDataStreamGuid

Meta Data Stream #GUID.

Declaration
public MetaDataStreamGuid MetaDataStreamGuid { get; }
Property Value
Type Description
MetaDataStreamGuid
| Improve this Doc View Source

MetaDataStreamString

Meta Data Stream #String.

Declaration
public MetaDataStreamString MetaDataStreamString { get; }
Property Value
Type Description
MetaDataStreamString
| Improve this Doc View Source

MetaDataStreamTablesHeader

Access the Meta Data Stream Tables Header from the list of Meta Data Streams of the .Net header.

Declaration
public MetaDataTablesHdr MetaDataStreamTablesHeader { get; }
Property Value
Type Description
MetaDataTablesHdr
| Improve this Doc View Source

MetaDataStreamUs

Meta Data Stream #US (User strings).

Declaration
public MetaDataStreamUs MetaDataStreamUs { get; }
Property Value
Type Description
MetaDataStreamUs
| Improve this Doc View Source

RawFile

The PE binary.

Declaration
public IRawFile RawFile { get; }
Property Value
Type Description
IRawFile
| Improve this Doc View Source

Resources

Access resources of the PE file.

Declaration
public Resources Resources { get; }
Property Value
Type Description
Resources
| Improve this Doc View Source

Sha1

The SHA-1 hash sum of the binary.

Declaration
public string? Sha1 { get; }
Property Value
Type Description
System.Nullable<System.String>
| Improve this Doc View Source

Sha256

The SHA-256 hash sum of the binary.

Declaration
public string? Sha256 { get; }
Property Value
Type Description
System.Nullable<System.String>
| Improve this Doc View Source

SigningAuthenticodeCertificate

Signing X509 Authenticode certificate the binary was signed with

Declaration
public X509Certificate2? SigningAuthenticodeCertificate { get; }
Property Value
Type Description
System.Nullable<X509Certificate2>
| Improve this Doc View Source

TypeRefHash

Compute the TypeRefHash for .NET PE files. If not available, return null.

Declaration
public string? TypeRefHash { get; }
Property Value
Type Description
System.Nullable<System.String>
| Improve this Doc View Source

WinCertificate

Access the WinCertificate from the Security header.

Declaration
public WinCertificate WinCertificate { get; }
Property Value
Type Description
WinCertificate

Methods

| Improve this Doc View Source

AddImport(String, String)

Add a new import to the PE file. If you intend to add multiple imports, use "AddImports" instead.

Declaration
public void AddImport(string module, string function)
Parameters
Type Name Description
System.String module
System.String function
| Improve this Doc View Source

AddImports(List<AdditionalImport>)

Add imports to the PE file.

Declaration
public void AddImports(List<AdditionalImport> additionalImports)
Parameters
Type Name Description
List<AdditionalImport> additionalImports

List with additional imports.

| Improve this Doc View Source

AddSection(String, Byte[], ScnCharacteristicsType)

Add a new section to the PE file.

Declaration
public void AddSection(string name, byte[] unalignedSize, ScnCharacteristicsType characteristics)
Parameters
Type Name Description
System.String name

Name of the section to add. At max. 8 characters.

System.Byte[] unalignedSize

Size in bytes of the new section.

ScnCharacteristicsType characteristics

Section characteristics.

| Improve this Doc View Source

AddSection(String, Int32, ScnCharacteristicsType)

Declaration
public void AddSection(string name, int unalignedSize, ScnCharacteristicsType characteristics)
Parameters
Type Name Description
System.String name
System.Int32 unalignedSize
ScnCharacteristicsType characteristics
| Improve this Doc View Source

GetCrlUrlList()

Get an object which holds information about the Certificate Revocation Lists of the signing certificate if any is present.

Declaration
public CrlUrlList GetCrlUrlList()
Returns
Type Description
CrlUrlList

Certificate Revocation List information or null if binary is not signed.

| Improve this Doc View Source

GroupIcons()

Reads the corresponding IDs from GroupIconDirectoryEntry. Collects the Icons corresponding to the IDs as byte array.

Declaration
public IEnumerable<IEnumerable<byte[]>> GroupIcons()
Returns
Type Description
IEnumerable<IEnumerable<System.Byte[]>>

An enumerable of enumerable of byte arrays with icons corresponding to the individual GroupIcons, an empty enumerable if no GroupIcons or only empty GroupIcons are included.

| Improve this Doc View Source

HasValidAuthenticodeCertChain(Boolean)

Checks if cert is from a trusted CA with a valid certificate chain.

Declaration
public bool HasValidAuthenticodeCertChain(bool useOnlineCrl)
Parameters
Type Name Description
System.Boolean useOnlineCrl

Check certificate chain online or offline.

Returns
Type Description
System.Boolean

True if cert chain is valid and from a trusted CA.

| Improve this Doc View Source

HasValidAuthenticodeCertChain(Nullable<X509Certificate2>, TimeSpan, Boolean, Boolean)

Checks if cert is from a trusted CA with a valid certificate chain.

Declaration
public static bool HasValidAuthenticodeCertChain(X509Certificate2? cert, TimeSpan urlRetrievalTimeout, bool useOnlineCRL = true, bool excludeRoot = true)
Parameters
Type Name Description
System.Nullable<X509Certificate2> cert

X509 Certificate

TimeSpan urlRetrievalTimeout

Timeout to validate the certificate online.

System.Boolean useOnlineCRL

If true, uses online certificate revocation lists, else on the local CRL.

System.Boolean excludeRoot

True if the root certificate should not be validated. False if the whole chain should be validated.

Returns
Type Description
System.Boolean

True if cert chain is valid and from a trusted CA.

| Improve this Doc View Source

Icons()

Reads the location of the Icons from the ResourceDirectory in PeFile, collects the corresponding bytes in an enumerable and adds an ICO-Header to the bytes of each icon. This does not depend on the icon having a group icon directory entry.

Declaration
public IEnumerable<byte[]> Icons()
Returns
Type Description
IEnumerable<System.Byte[]>

An enumerable of icon byte arrays with an ICO-Header, an empty enumerable if no Icons are included.

| Improve this Doc View Source

IsPeFile(MMFile)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(MMFile file)
Parameters
Type Name Description
MMFile file

MMFile of a possible PE file.

Returns
Type Description
System.Boolean

True if the MZ header is set.

| Improve this Doc View Source

IsPeFile(Span<Byte>)

Tests is a buffer is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(Span<byte> buf)
Parameters
Type Name Description
Span<System.Byte> buf

Byte array containing a possible PE file.

Returns
Type Description
System.Boolean

True if the MZ header is set.

| Improve this Doc View Source

IsPeFile(Stream)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(Stream file)
Parameters
Type Name Description
Stream file

Stream of a possible PE file.

Returns
Type Description
System.Boolean

True if the MZ header is set.

| Improve this Doc View Source

IsPeFile(String)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(string file)
Parameters
Type Name Description
System.String file

Path to a possible PE file.

Returns
Type Description
System.Boolean

True if the MZ header is set.

| Improve this Doc View Source

RemoveSection(String, Boolean)

Remove a section from the PE file.

Declaration
public void RemoveSection(string name, bool removeContent = true)
Parameters
Type Name Description
System.String name

Name of the section to remove.

System.Boolean removeContent

Flag if the content should be removed or only the section header entry.

| Improve this Doc View Source

TryParse(MMFile, out PeFile)

Try to parse the PE file. Best option for large files, as a memory mapped file is used.

Declaration
public static bool TryParse(MMFile file, out PeFile peFile)
Parameters
Type Name Description
MMFile file

Memory mapped file containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
System.Boolean

True if parable PE file and false if not.

| Improve this Doc View Source

TryParse(Stream, out PeFile)

Try to parse the PE file.

Declaration
public static bool TryParse(Stream file, out PeFile peFile)
Parameters
Type Name Description
Stream file

Stream containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
System.Boolean

True if parable PE file and false if not.

| Improve this Doc View Source

TryParse(Byte[], out PeFile)

Try to parse the PE file.

Declaration
public static bool TryParse(byte[] buff, out PeFile peFile)
Parameters
Type Name Description
System.Byte[] buff

Buffer containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
System.Boolean

True if parable PE file and false if not.

| Improve this Doc View Source

TryParse(String, out PeFile)

Try to parse the PE file. Reads the whole file content into memory.

Declaration
public static bool TryParse(string file, out PeFile peFile)
Parameters
Type Name Description
System.String file

Path to a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
System.Boolean

True if parable PE file and false if not.

  • Improve this Doc
  • View Source
In This Article
Back to top Generated by DocFX