PeNet is a library to parse and analyse Windows Portable Executables (PE) files. It is completely written in C# and compiles to a cross-platform conform .Net Standard library.
Besides access to all typical PE structures (native and .Net header), some utility function like the Import Hash used in malware-analysis are provided.
This paragraph gives a short introduction on how to use PeNet with a few examples. For a full API documentation, see the link in the header. For more example check the Article link in the header.
Install the library
You can install PeNet into your project directly from Nuget.
Open a PE file
You can open a file on disk or parse a byte array of a PE file.
var peHeader1 = new PeNet.PeFile(@"C:\Windows\System32\kernel32.dll");
var bin = File.ReadAllBytes(@"C:\Windows\System32\kernel32.dll"); var peHeader2 = new PeNet.PeFile(bin);
For more information on the different methods to open a parse a PE file see: Parser options
Work with the PE header
The parsed PE header is split into multiple modules and sub-modules. To see how the parser structures the PE header and which information can be found where see the API documentation page (link in header). Here are a few examples on how to access different parts of the PE header. For more examples, check the Article link in the header.
Get the file alignment of the PE file:
var fileAlignment = peHeader.WindowsSpecificFields.FileAlignment;
Get the import descriptors of the PE file:
var if = peHeader.DataDirectories.ImageImportDescriptors;
Get the imported and exported functions of the PE file in a parsed form:
var if = peHeader.ImportedFunctions; var ef = peHeader.ExportedFunctions;