
Class PeFile

This class represents a Portable Executable (PE) file and makes its headers and properties accessible.

Inheritance
object
PeFile
Inherited Members
object.Equals(object)
object.Equals(object, object)
object.GetHashCode()
object.GetType()
object.MemberwiseClone()
object.ReferenceEquals(object, object)
object.ToString()
Namespace: PeNet
Assembly: PeNet.dll
Syntax
public class PeFile

Constructors


PeFile(IRawFile)

Declaration
public PeFile(IRawFile peFile)
Parameters
Type Name Description
IRawFile peFile

PeFile(byte[])

Create a new PeFile object.

Declaration
public PeFile(byte[] buff)
Parameters
Type Name Description
byte[] buff

A PE file as a byte array.


PeFile(Stream)

Create a new PeFile object.

Declaration
public PeFile(Stream peFile)
Parameters
Type Name Description
Stream peFile

Stream containing a PE file.


PeFile(string)

Create a new PeFile object.

Declaration
public PeFile(string peFile)
Parameters
Type Name Description
string peFile

Path to a PE file.

Properties


AuthenticodeInfo

Information about a possible Authenticode binary signature.

Declaration
public AuthenticodeInfo? AuthenticodeInfo { get; }
Property Value
Type Description
AuthenticodeInfo

ClrComTypeLibId

The COM TypeLib ID of the assembly, if specified, and if the PE is a CLR assembly.

Declaration
public Guid? ClrComTypeLibId { get; }
Property Value
Type Description
Guid?

ClrModuleVersionIds

The Version ID of each module if the PE is a CLR assembly.

Declaration
public List<Guid>? ClrModuleVersionIds { get; }
Property Value
Type Description
List<Guid>

DelayImportedFunctions

Access the delay imported functions as an array of parsed objects.

Declaration
public ImportFunction[]? DelayImportedFunctions { get; }
Property Value
Type Description
ImportFunction[]

ExceptionDirectory

Access the array of RuntimeFunction from the Exception header.

Declaration
public RuntimeFunction[]? ExceptionDirectory { get; }
Property Value
Type Description
RuntimeFunction[]

ExportedFunctions

Access the exported functions as an array of parsed objects.

Declaration
public ExportFunction[]? ExportedFunctions { get; }
Property Value
Type Description
ExportFunction[]

FileSize

Returns the file size in bytes.

Declaration
public long FileSize { get; }
Property Value
Type Description
long

HasValidAuthenticodeSignature

Returns true if the PE file signature is valid. It does not check if the signature is trusted based on the installed certificates on the system.

Declaration
public bool HasValidAuthenticodeSignature { get; }
Property Value
Type Description
bool

ImageBoundImportDescriptor

Access the IMAGE_BOUND_IMPORT_DESCRIPTOR from the data directory.

Declaration
public ImageBoundImportDescriptor? ImageBoundImportDescriptor { get; }
Property Value
Type Description
ImageBoundImportDescriptor

ImageComDescriptor

Access the ImageCor20Header (COM Descriptor/CLI) from the data directory.

Declaration
public ImageCor20Header? ImageComDescriptor { get; }
Property Value
Type Description
ImageCor20Header

ImageDebugDirectory

Access the ImageDebugDirectory of the PE file.

Declaration
public ImageDebugDirectory[]? ImageDebugDirectory { get; }
Property Value
Type Description
ImageDebugDirectory[]

ImageDelayImportDescriptors

Access the ImageDelayImportDirectory from the data directory.

Declaration
public ImageDelayImportDescriptor[]? ImageDelayImportDescriptors { get; }
Property Value
Type Description
ImageDelayImportDescriptor[]

ImageDosHeader

Access the ImageDosHeader of the PE file.

Declaration
public ImageDosHeader? ImageDosHeader { get; }
Property Value
Type Description
ImageDosHeader

ImageExportDirectory

Access the ImageExportDirectory of the PE file.

Declaration
public ImageExportDirectory? ImageExportDirectory { get; }
Property Value
Type Description
ImageExportDirectory

ImageImportDescriptors

Access the ImageImportDescriptor array of the PE file.

Declaration
public ImageImportDescriptor[]? ImageImportDescriptors { get; }
Property Value
Type Description
ImageImportDescriptor[]

ImageLoadConfigDirectory

Access the ImageLoadConfigDirectory from the data directory.

Declaration
public ImageLoadConfigDirectory? ImageLoadConfigDirectory { get; }
Property Value
Type Description
ImageLoadConfigDirectory

ImageNtHeaders

Access the ImageNtHeaders of the PE file.

Declaration
public ImageNtHeaders? ImageNtHeaders { get; }
Property Value
Type Description
ImageNtHeaders

ImageRelocationDirectory

Access the ImageBaseRelocation array of the PE file.

Declaration
public ImageBaseRelocation[]? ImageRelocationDirectory { get; }
Property Value
Type Description
ImageBaseRelocation[]

ImageResourceDirectory

Access the ImageResourceDirectory of the PE file.

Declaration
public ImageResourceDirectory? ImageResourceDirectory { get; }
Property Value
Type Description
ImageResourceDirectory

ImageSectionHeaders

Access the ImageSectionHeader of the PE file.

Declaration
public ImageSectionHeader[]? ImageSectionHeaders { get; }
Property Value
Type Description
ImageSectionHeader[]

ImageTlsDirectory

Access the IMAGE_TLS_DIRECTORY from the data directory.

Declaration
public ImageTlsDirectory? ImageTlsDirectory { get; }
Property Value
Type Description
ImageTlsDirectory

ImpHash

The Import Hash of the binary if any imports are given, else null.

Declaration
public string? ImpHash { get; }
Property Value
Type Description
string

ImportedFunctions

Access the imported functions as an array of parsed objects.

Declaration
public ImportFunction[]? ImportedFunctions { get; }
Property Value
Type Description
ImportFunction[]

Is32Bit

Returns true if the PE file is x32.

Declaration
public bool Is32Bit { get; }
Property Value
Type Description
bool

Is64Bit

Returns true if the PE file is x64.

Declaration
public bool Is64Bit { get; }
Property Value
Type Description
bool

IsAuthenticodeSigned

Returns true if the PE file is signed. It does not check if the signature is valid!

Declaration
public bool IsAuthenticodeSigned { get; }
Property Value
Type Description
bool

IsDll

Returns true if the DLL flag in the File Header is set.

Declaration
public bool IsDll { get; }
Property Value
Type Description
bool

IsDotNet

Returns true if the file is a .NET executable.

Declaration
public bool IsDotNet { get; }
Property Value
Type Description
bool

IsDriver

Returns true if the PE file is a system driver based on the Subsystem = 0x1 value in the Optional Header.

Declaration
public bool IsDriver { get; }
Property Value
Type Description
bool

IsExe

Returns true if the Executable flag in the File Header is set.

Declaration
public bool IsExe { get; }
Property Value
Type Description
bool

IsTrustedAuthenticodeSignature

Returns true if the PE file signature is trusted based on the installed certificates on the system.

Declaration
public bool IsTrustedAuthenticodeSignature { get; }
Property Value
Type Description
bool

Md5

The MD5 hash sum of the binary.

Declaration
public string? Md5 { get; }
Property Value
Type Description
string

MetaDataHdr

Access the MetaDataHdr from the COM/CLI header.

Declaration
public MetaDataHdr? MetaDataHdr { get; }
Property Value
Type Description
MetaDataHdr

MetaDataStreamBlob

Meta Data Stream #Blob as a byte array.

Declaration
public byte[]? MetaDataStreamBlob { get; }
Property Value
Type Description
byte[]

MetaDataStreamGuid

Meta Data Stream #GUID.

Declaration
public MetaDataStreamGuid? MetaDataStreamGuid { get; }
Property Value
Type Description
MetaDataStreamGuid

MetaDataStreamString

Meta Data Stream #String.

Declaration
public MetaDataStreamString? MetaDataStreamString { get; }
Property Value
Type Description
MetaDataStreamString

MetaDataStreamTablesHeader

Access the Meta Data Stream Tables Header from the list of Meta Data Streams of the .NET header.

Declaration
public MetaDataTablesHdr? MetaDataStreamTablesHeader { get; }
Property Value
Type Description
MetaDataTablesHdr

MetaDataStreamUs

Meta Data Stream #US (User strings).

Declaration
public MetaDataStreamUs? MetaDataStreamUs { get; }
Property Value
Type Description
MetaDataStreamUs

RawFile

The PE binary.

Declaration
public IRawFile RawFile { get; }
Property Value
Type Description
IRawFile

Resources

Access resources of the PE file.

Declaration
public Resources? Resources { get; }
Property Value
Type Description
Resources

Sha1

The SHA-1 hash sum of the binary.

Declaration
public string? Sha1 { get; }
Property Value
Type Description
string

Sha256

The SHA-256 hash sum of the binary.

Declaration
public string? Sha256 { get; }
Property Value
Type Description
string

SigningAuthenticodeCertificate

The X509 Authenticode certificate the binary was signed with.

Declaration
public X509Certificate2? SigningAuthenticodeCertificate { get; }
Property Value
Type Description
X509Certificate2

TypeRefHash

Compute the TypeRefHash for .NET PE files. If not available, return null.

Declaration
public string? TypeRefHash { get; }
Property Value
Type Description
string

WinCertificate

Access the WinCertificate from the Security header.

Declaration
public WinCertificate? WinCertificate { get; }
Property Value
Type Description
WinCertificate

Methods


AddImport(string, string)

Add a new import to the PE file. If you intend to add multiple imports, use "AddImports" instead.

Declaration
public void AddImport(string module, string function)
Parameters
Type Name Description
string module
string function

AddImports(List<AdditionalImport>)

Add imports to the PE file.

Declaration
public void AddImports(List<AdditionalImport> additionalImports)
Parameters
Type Name Description
List<AdditionalImport> additionalImports

List with additional imports.


AddSection(string, byte[], ScnCharacteristicsType)

Add a new section to the PE file.

Declaration
public void AddSection(string name, byte[] unalignedSize, ScnCharacteristicsType characteristics)
Parameters
Type Name Description
string name

Name of the section to add. At most 8 characters.

byte[] unalignedSize

Size in bytes of the new section.

ScnCharacteristicsType characteristics

Section characteristics.


AddSection(string, int, ScnCharacteristicsType)

Declaration
public void AddSection(string name, int unalignedSize, ScnCharacteristicsType characteristics)
Parameters
Type Name Description
string name
int unalignedSize
ScnCharacteristicsType characteristics

GetCrlUrlList()

Get an object which holds information about the Certificate Revocation Lists of the signing certificate if any is present.

Declaration
public CrlUrlList? GetCrlUrlList()
Returns
Type Description
CrlUrlList

Certificate Revocation List information or null if binary is not signed.


GroupIcons()

Reads the corresponding IDs from GroupIconDirectoryEntry. Collects the Icons corresponding to the IDs as byte array.

Declaration
public IEnumerable<IEnumerable<byte[]>> GroupIcons()
Returns
Type Description
IEnumerable<IEnumerable<byte[]>>

An enumerable of enumerable of byte arrays with icons corresponding to the individual GroupIcons, an empty enumerable if no GroupIcons or only empty GroupIcons are included.


HasValidAuthenticodeCertChain(bool)

Checks if cert is from a trusted CA with a valid certificate chain.

Declaration
public bool HasValidAuthenticodeCertChain(bool useOnlineCrl)
Parameters
Type Name Description
bool useOnlineCrl

Check certificate chain online or offline.

Returns
Type Description
bool

True if cert chain is valid and from a trusted CA.


HasValidAuthenticodeCertChain(X509Certificate2?, TimeSpan, bool, bool)

Checks if cert is from a trusted CA with a valid certificate chain.

Declaration
public static bool HasValidAuthenticodeCertChain(X509Certificate2? cert, TimeSpan urlRetrievalTimeout, bool useOnlineCRL = true, bool excludeRoot = true)
Parameters
Type Name Description
X509Certificate2 cert

X509 Certificate

TimeSpan urlRetrievalTimeout

Timeout to validate the certificate online.

bool useOnlineCRL

If true, uses online certificate revocation lists, else the local CRL.

bool excludeRoot

True if the root certificate should not be validated. False if the whole chain should be validated.

Returns
Type Description
bool

True if cert chain is valid and from a trusted CA.


Icons()

Reads the location of the Icons from the ResourceDirectory in PeFile, collects the corresponding bytes in an enumerable and adds an ICO-Header to the bytes of each icon. This does not depend on the icon having a group icon directory entry.

Declaration
public IEnumerable<byte[]> Icons()
Returns
Type Description
IEnumerable<byte[]>

An enumerable of icon byte arrays with an ICO-Header, an empty enumerable if no Icons are included.


IsPeFile(MMFile)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(MMFile file)
Parameters
Type Name Description
MMFile file

MMFile of a possible PE file.

Returns
Type Description
bool

True if the MZ header is set.


IsPeFile(Stream)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(Stream file)
Parameters
Type Name Description
Stream file

Stream of a possible PE file.

Returns
Type Description
bool

True if the MZ header is set.


IsPeFile(Span<byte>)

Tests if a buffer is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(Span<byte> buf)
Parameters
Type Name Description
Span<byte> buf

Byte array containing a possible PE file.

Returns
Type Description
bool

True if the MZ header is set.


IsPeFile(string)

Tests if a file is a PE file based on the MZ header. It is not checked if the PE file is correct in all other parts.

Declaration
public static bool IsPeFile(string file)
Parameters
Type Name Description
string file

Path to a possible PE file.

Returns
Type Description
bool

True if the MZ header is set.


RemoveSection(string, bool)

Remove a section from the PE file.

Declaration
public void RemoveSection(string name, bool removeContent = true)
Parameters
Type Name Description
string name

Name of the section to remove.

bool removeContent

Flag if the content should be removed or only the section header entry.


TryParse(MMFile, out PeFile?)

Try to parse the PE file. Best option for large files, as a memory mapped file is used.

Declaration
public static bool TryParse(MMFile file, out PeFile? peFile)
Parameters
Type Name Description
MMFile file

Memory mapped file containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
bool

True if parsable PE file and false if not.


TryParse(byte[], out PeFile?)

Try to parse the PE file.

Declaration
public static bool TryParse(byte[] buff, out PeFile? peFile)
Parameters
Type Name Description
byte[] buff

Buffer containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
bool

True if parsable PE file and false if not.


TryParse(Stream, out PeFile?)

Try to parse the PE file.

Declaration
public static bool TryParse(Stream file, out PeFile? peFile)
Parameters
Type Name Description
Stream file

Stream containing a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
bool

True if parsable PE file and false if not.


TryParse(string, out PeFile?)

Try to parse the PE file. Reads the whole file content into memory.

Declaration
public static bool TryParse(string file, out PeFile? peFile)
Parameters
Type Name Description
string file

Path to a possible PE file.

PeFile peFile

Parsed PE file or Null.

Returns
Type Description
bool

True if parsable PE file and false if not.
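
Added example (not part of the PeNet documentation or code base): triaging an untrusted file with TryParse while keeping the three Authenticode properties distinct, since "signed", "valid" and "trusted" are separate claims. It uses only members listed on this page; the names PeTriage and SignatureState are hypothetical.

```csharp
using System;
using PeNet;

// Hypothetical enum: signature states ordered from weakest to strongest claim.
public enum SignatureState { Unsigned, SignedButInvalid, ValidButUntrusted, ValidAndTrusted }

public static class PeTriage
{
    // Fold the three boolean properties into one ordered state so a caller
    // cannot mistake "signed" for "valid", or "valid" for "trusted".
    public static SignatureState Classify(PeFile pe)
    {
        if (!pe.IsAuthenticodeSigned) return SignatureState.Unsigned;
        if (!pe.HasValidAuthenticodeSignature) return SignatureState.SignedButInvalid;
        return pe.IsTrustedAuthenticodeSignature
            ? SignatureState.ValidAndTrusted
            : SignatureState.ValidButUntrusted;
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: petriage <path-to-file>");
            return 2;
        }

        // TryParse(string) reads the whole file into memory and reports
        // failure through its return value; the MMFile overload is the
        // documented choice for large files.
        if (!PeFile.TryParse(args[0], out PeFile? pe) || pe is null)
        {
            Console.WriteLine("not a parsable PE file");
            return 1;
        }

        string impHash = pe.ImpHash ?? "(no imports)";
        Console.WriteLine($"sha256    : {pe.Sha256}");
        Console.WriteLine($"imphash   : {impHash}");
        Console.WriteLine($"dll/exe   : {pe.IsDll}/{pe.IsExe}  driver: {pe.IsDriver}  .NET: {pe.IsDotNet}");

        SignatureState state = Classify(pe);
        Console.WriteLine($"signature : {state}");

        if (state != SignatureState.Unsigned)
        {
            // Signer identity is only meaningful together with the state above.
            Console.WriteLine($"signer    : {pe.SigningAuthenticodeCertificate?.Subject}");
            // Offline chain check: no CRL download from a URL the file controls.
            bool chainOk = pe.HasValidAuthenticodeCertChain(useOnlineCrl: false);
            Console.WriteLine($"chain ok  : {chainOk} (offline CRL)");
        }
        return 0;
    }
}
```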
