Parsing plain Win32 PE File (Exe/DLL) in .NET

Question

I need to parse plain Win32 DLL/Exe and get all imports and exports from it to show on console or GUI (i.e. Win Forms). Is it possible to parse Win32 DLL/Exe in C#.NET by reading its export/import tables and get managed types from it? As it's unmanaged PE, .NET doesn't allows you to convert unmanaged PE files to managed .NET assemblies, it only generates COM managed assemblies.

How can I parse these tables and take all of its methods (signatures) in managed form. (e.g. if char* as argument, it should display as IntPtr).

Answer 1

Parsing PE files is possible using the Microsoft Portable Executable Specification Document. However, as Logan noted, the signatures are not included in the PE file; only the names of the exported functions are included.

UPDATE: If your dll is a C++ dll created by a recent version of Microsoft's C++ compiler, then you can undecorate the mangled name to get most of the signature by calling this function: UnDecorateSymbolName from Debugging Tools for Windows. However, the return value is not included in the mangled name.

Answer 2

Have a look at the PeNet library for .Net. It can parse and list you all Exports/Imports of a DLL. You can get it from github or directly as a NuGet package. https://github.com/secana/PeNet https://www.nuget.org/packages/PeNet/

(disclaimer: I'm the author of the project)

Answer 3

As regards the second part of your question, getting the method signatures, this is, as a general rule, impossible. That information is not usually stored in the PE itself. For C++ functions it can be possible, because the mangled name will encode that information, but many DLLs do not expose C++ interfaces. For COM interfaces, this information is stored in a type library, often embedded as a resource in the PE. To see if this is possible for the specific dlls you have in mind you can use dumpbin and undec to see if the functions are C++ mangled names. If not, you will need some other source of information like header files to create proper P/Invoke signatures (in which case you probably don't need to parse the PE file).