10

I need to parse plain Win32 DLL/Exe and get all imports and exports from it to show on console or GUI (i.e. Win Forms). Is it possible to parse Win32 DLL/Exe in C#.NET by reading its export/import tables and get managed types from it? As it's unmanaged PE, .NET doesn't allows you to convert unmanaged PE files to managed .NET assemblies, it only generates COM managed assemblies.

How can I parse these tables and take all of its methods (signatures) in managed form. (e.g. if char* as argument, it should display as IntPtr).

Christopher Markieta
  • 5,674
  • 10
  • 43
  • 60
Usman
  • 2,742
  • 4
  • 44
  • 82
  • Usman, there's no such think as "C#.NET". – John Saunders May 24 '10 at 02:49
  • @John : C# belongs to .NET..? I've said something strange..? – Usman May 25 '10 at 08:17
  • 1
    no, C# is a programming language, which is largely independent of the .NET Framework. There are several other programming languages which can use the .NET Framework just as well as C# can. – John Saunders May 25 '10 at 08:52
  • 2
    I think C#.NET is an appropriate specification to make considering C# could also be running on Mono. C# is a language that got its start on .NET, the statement is completely appropriate. – thegravian Oct 19 '11 at 16:48

3 Answers3

4

Have a look at the PeNet library for .Net. It can parse and list you all Exports/Imports of a DLL. You can get it from github or directly as a NuGet package. https://github.com/secana/PeNet https://www.nuget.org/packages/PeNet/

(disclaimer: I'm the author of the project)

secana
  • 671
  • 6
  • 15
2

As regards the second part of your question, getting the method signatures, this is, as a general rule, impossible. That information is not usually stored in the PE itself. For C++ functions it can be possible, because the mangled name will encode that information, but many DLLs do not expose C++ interfaces. For COM interfaces, this information is stored in a type library, often embedded as a resource in the PE. To see if this is possible for the specific dlls you have in mind you can use dumpbin and undec to see if the functions are C++ mangled names. If not, you will need some other source of information like header files to create proper P/Invoke signatures (in which case you probably don't need to parse the PE file).

Logan Capaldo
  • 39,555
  • 5
  • 63
  • 78
2

Parsing PE files is possible using the Microsoft Portable Executable Specification Document. However, as Logan noted, the signatures are not included in the PE file; only the names of the exported functions are included.

UPDATE: If your dll is a C++ dll created by a recent version of Microsoft's C++ compiler, then you can undecorate the mangled name to get most of the signature by calling this function: UnDecorateSymbolName from Debugging Tools for Windows. However, the return value is not included in the mangled name.

Stephen Cleary
  • 437,863
  • 77
  • 675
  • 810
  • names are decorated. When you undecorate them you get exact signatures(apart from parameter names, just types). SO by this way you got almost 90% of the signature. – Usman May 24 '10 at 06:31
  • The vast majority of Windows's DLLs have C style interfaces and unmangled names with no parameter information. If you have some specific dlls in mind, then like I said you can check those with dumpbin. – Logan Capaldo May 24 '10 at 12:17
  • yes this is what actual answer is.. We can undecorate the mangled C++ name and can get actual signature most of but return type if not included then problems and worries here..:-( – Usman May 25 '10 at 08:15