tags:

views:

452

answers:

4
+1  Q: 

Parsing plain Win32 PE File (Exe/DLL) in .NET

I need to parse plain Win32 DLL/Exe and need to get all imports and exports from it and to show it on console or GUI(say Win Forms). Is it possible to parse Win32 DLL/Exe in C#.NET, read its export table,import table and get managed types from it. As its unmanaged PE(.NET doesn't allows you to convert unmanaged PE files to managed .NET assemblies, only it generates COM managed assemblies).

So how to parse export and import tables of PE files and take all methods(signatures from it) in managed form.(e.g if char* as argument, it should display as IntPtr)

A: 

There is an open source project on codeplex called "PInvoke Interop Assistant" which allows extraction of method signatures from native dlls i.e for exported functions:

http://clrinterop.codeplex.com/releases/view/14120

If your intentions comply with the licensing agreement, perhaps you could look at the source code for that.

Update

Oops jumped the gun there. The tool I mentioned above does not work with native dlls, it only works with header files...

chibacity  2010-05-23 14:39:07
This is only for COM. You have to first convert unmanaged COM binary to managed assembly using tlbimp.exe and then this will show up all signatures. For case of plain Win32(Exe/Dll), first we cannot convert it to manage assemblies(i.e Interop not possible for getting types) As tlbimp always looks for tlbs which are part of COM binaries. So Win32 DLL failed to be work for InterOp Assistant
Usman  2010-05-23 14:44:44
It is not for COM, it is for generating PInvoke signatures but does not actually work with native dlls - only header files. I will edit my answer.
chibacity  2010-05-23 14:49:49
+2  A: 

As regards the second part of your question, getting the method signatures, this is, as a general rule, impossible. That information is not usually stored in the PE itself. For C++ functions it can be possible, because the mangled name will encode that information, but many DLLs do not expose C++ interfaces. For COM interfaces, this information is stored in a type library, often embedded as a resource in the PE. To see if this is possible for the specific dlls you have in mind you can use dumpbin and undec to see if the functions are C++ mangled names. If not, you will need some other source of information like header files to create proper P/Invoke signatures (in which case you probably don't need to parse the PE file).

Logan Capaldo  2010-05-23 15:10:33
+1  A: 

Parsing PE files is possible using the Microsoft Portable Executable Specification Document. However, as Logan noted, the signatures are not included in the PE file; only the names of the exported functions are included.

UPDATE: If your dll is a C++ dll created by a recent version of Microsoft's C++ compiler, then you can undecorate the mangled name to get most of the signature by calling this function: UnDecorateSymbolName from Debugging Tools for Windows. However, the return value is not included in the mangled name.

Stephen Cleary  2010-05-24 02:38:47
names are decorated. When you undecorate them you get exact signatures(apart from parameter names, just types). SO by this way you got almost 90% of the signature.
Usman  2010-05-24 06:31:10
The vast majority of Windows's DLLs have C style interfaces and unmangled names with no parameter information. If you have some specific dlls in mind, then like I said you can check those with dumpbin.
Logan Capaldo  2010-05-24 12:17:08
See updated answer re undecorating mangled C++ names.
Stephen Cleary  2010-05-24 18:02:43
yes this is what actual answer is..We can undecorate the mangled C++ name and can get actual signature most of but return type if not included then problems and worries here..:-(
Usman  2010-05-25 08:15:58
A: 

There is a parser known as PeParser - available at www.wintor.net/en/pestudio.html. Using PInvoke, you can consume it from .NET and get details shown by PeStudio.

marc ochsenmeier  2010-08-31 19:56:14

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?