C# Class PeNet.Utility

This class provides useful functions to work with PE files.
Datei anzeigen Open project: secana/PeNet

Public Methods

Method Description
BytesToUInt16 ( this buff, ulong i ) : ushort

Convert a two bytes in a byte array to an 16 bit unsigned integer.

BytesToUInt32 ( this buff, uint i ) : uint

Convert 4 consecutive bytes out of a buffer to an 32 bit unsigned integer.

BytesToUInt64 ( this buff, ulong i ) : ulong

Convert 8 consecutive byte in a buffer to an 64 bit unsigned integer.

GetName ( ulong name, byte buff ) : string

Get a name (C string) at a specific position in a buffer.

GetNameLength ( ulong name, byte buff ) : ulong

For a given offset in an byte array, find the next null value which terminates a C string.

IsSignatureValid ( string filePath ) : bool

Checks if the digital signature of a PE file is valid. Since .Net has not function for it, PInvoke is used to query the native API like here http://geekswithblogs.net/robp/archive/2007/05/04/112250.aspx

IsSigned ( string filePath ) : bool

Checks is a PE file is digitally signed. It does not verify the signature!

IsValidCertChain ( X509Certificate2 cert, bool online ) : bool

Checks if cert is from a trusted CA with a valid certificate chain.

IsValidCertChain ( string filePath, bool online ) : bool

Checks if cert is from a trusted CA with a valid certificate chain.

MD5 ( byte buff ) : string

Compute the MD5 from a byte array.

MD5 ( string file ) : string

Compute the MD5 from a file.

RVAtoFileMapping ( this RVA, ICollection sh ) : uint

Map an relative virtual address to the raw file address.

RVAtoFileMapping ( this RVA, ICollection sh ) : ulong

Map an relative virtual address to the raw file address.

ResolveFileCharacteristics ( ushort characteristics ) : FileCharacteristics

Resolves the characteristics attribute from the COFF header to an object which holds all the characteristics a boolean properties.

ResolveResourceId ( uint id ) : string

Resolve the resource identifier of resource entries to a human readable string with a meaning.

ResolveSectionFlags ( uint sectionFlags ) : List

Resolves the section flags to human readable strings.

ResolveSectionName ( byte name ) : string

Converts the section name (UTF-8 byte array) to a string.

ResolveSubsystem ( ushort subsystem ) : string

Resolve the subsystem attribute to a human readable string.

ResolveTargetMachine ( ushort targetMachine ) : string

Resolves the target machine number to a string containing the name of the target machine.

SetUInt16 ( this buff, ulong offset, ushort value ) : void

Set an UInt16 value at an offset in an byte array.

SetUInt32 ( this buff, uint offset, uint value ) : void

Sets an UInt32 value at an offset in a buffer.

SetUInt64 ( this buff, ulong offset, ulong value ) : void

Sets an UInt64 value at an offset in a buffer.

Sha1 ( byte buff ) : string

Compute the SHA-1 from a byte array.

Sha1 ( string file ) : string

Compute the SHA-1 from a file.

Sha256 ( byte buff ) : string

Compute the SHA-256 from a byte array.

Sha256 ( string file ) : string

Compute the SHA-256 from a file.

ToHexString ( this input, ulong from, ulong length ) : List

Convert a sub array of an byte array to an hex string where every byte is separated by an whitespace.

ToHexString ( this value ) : string

Convert ushort into a hexadecimal string.

ToHexString ( this bytes ) : string

Convert a sequence of bytes into a hexadecimal string.

ToHexString ( this values ) : string

Convert a sequence of ushorts into a hexadecimal string.

ToIntFromHexString ( this hexString ) : long

Converts a hex string of the form 0x435A4DE3 to a long value.

VAtoFileMapping ( this VA, ICollection sh ) : uint

Map an virtual address to the raw file address.

VAtoFileMapping ( this VA, ICollection sh ) : ulong

Map an virtual address to the raw file address.

Private Methods

Method Description
BytesToUInt16 ( byte b1, byte b2 ) : ushort

Convert to bytes to an 16 bit unsigned integer.

BytesToUInt32 ( byte b1, byte b2, byte b3, byte b4 ) : uint

Convert 4 bytes to an 32 bit unsigned integer.

BytesToUInt64 ( byte b1, byte b2, byte b3, byte b4, byte b5, byte b6, byte b7, byte b8 ) : ulong

Converts 8 bytes to an 64 bit unsigned integer.

GetOrdinal ( uint ordinal, byte buff ) : ushort
PropertiesToString ( object obj, string format ) : string
UInt16ToBytes ( ushort value ) : byte[]

Convert an UIn16 to an byte array.

UInt32ToBytes ( uint value ) : byte[]

Convert an UInt32 value into an byte array.

UInt64ToBytes ( ulong value ) : byte[]

Convert an UIn64 value into an byte array.

Method Details

BytesToUInt16() public static method

Convert a two bytes in a byte array to an 16 bit unsigned integer.
public static BytesToUInt16 ( this buff, ulong i ) : ushort
buff this Byte buffer.
i ulong Position of the high byte. Low byte is i+1.
return ushort

BytesToUInt32() public static method

Convert 4 consecutive bytes out of a buffer to an 32 bit unsigned integer.
public static BytesToUInt32 ( this buff, uint i ) : uint
buff this Byte buffer.
i uint Offset of the highest byte.
return uint

BytesToUInt64() public static method

Convert 8 consecutive byte in a buffer to an 64 bit unsigned integer.
public static BytesToUInt64 ( this buff, ulong i ) : ulong
buff this Byte buffer.
i ulong Offset of the highest byte.
return ulong

GetName() public static method

Get a name (C string) at a specific position in a buffer.
public static GetName ( ulong name, byte buff ) : string
name ulong Offset of the string.
buff byte Containing buffer.
return string

GetNameLength() public static method

For a given offset in an byte array, find the next null value which terminates a C string.
public static GetNameLength ( ulong name, byte buff ) : ulong
name ulong Offset of the string.
buff byte Buffer which contains the string.
return ulong

IsSignatureValid() public static method

Checks if the digital signature of a PE file is valid. Since .Net has not function for it, PInvoke is used to query the native API like here http://geekswithblogs.net/robp/archive/2007/05/04/112250.aspx
public static IsSignatureValid ( string filePath ) : bool
filePath string Path to a PE file.
return bool

IsSigned() public static method

Checks is a PE file is digitally signed. It does not verify the signature!
public static IsSigned ( string filePath ) : bool
filePath string Path to a PE file.
return bool

IsValidCertChain() public static method

Checks if cert is from a trusted CA with a valid certificate chain.
public static IsValidCertChain ( X509Certificate2 cert, bool online ) : bool
cert System.Security.Cryptography.X509Certificates.X509Certificate2 X509 Certificate
online bool Check certificate chain online or offline.
return bool

IsValidCertChain() public static method

Checks if cert is from a trusted CA with a valid certificate chain.
public static IsValidCertChain ( string filePath, bool online ) : bool
filePath string Path to a PE file.
online bool Check certificate chain online or offline.
return bool

MD5() public static method

Compute the MD5 from a byte array.
public static MD5 ( byte buff ) : string
buff byte Binary as a byte buffer.
return string

MD5() public static method

Compute the MD5 from a file.
public static MD5 ( string file ) : string
file string Path to the file
return string

RVAtoFileMapping() public static method

Map an relative virtual address to the raw file address.
public static RVAtoFileMapping ( this RVA, ICollection sh ) : uint
RVA this Relative Virtual Address
sh ICollection Section Headers
return uint

RVAtoFileMapping() public static method

Map an relative virtual address to the raw file address.
public static RVAtoFileMapping ( this RVA, ICollection sh ) : ulong
RVA this Relative Virtual Address
sh ICollection Section Headers
return ulong

ResolveFileCharacteristics() public static method

Resolves the characteristics attribute from the COFF header to an object which holds all the characteristics a boolean properties.
public static ResolveFileCharacteristics ( ushort characteristics ) : FileCharacteristics
characteristics ushort File header characteristics.
return FileCharacteristics

ResolveResourceId() public static method

Resolve the resource identifier of resource entries to a human readable string with a meaning.
public static ResolveResourceId ( uint id ) : string
id uint Resource identifier.
return string

ResolveSectionFlags() public static method

Resolves the section flags to human readable strings.
public static ResolveSectionFlags ( uint sectionFlags ) : List
sectionFlags uint Sections flags from the SectionHeader object.
return List

ResolveSectionName() public static method

Converts the section name (UTF-8 byte array) to a string.
public static ResolveSectionName ( byte name ) : string
name byte Section name byte array.
return string

ResolveSubsystem() public static method

Resolve the subsystem attribute to a human readable string.
public static ResolveSubsystem ( ushort subsystem ) : string
subsystem ushort Subsystem attribute.
return string

ResolveTargetMachine() public static method

Resolves the target machine number to a string containing the name of the target machine.
public static ResolveTargetMachine ( ushort targetMachine ) : string
targetMachine ushort Target machine value from the COFF header.
return string

SetUInt16() public static method

Set an UInt16 value at an offset in an byte array.
public static SetUInt16 ( this buff, ulong offset, ushort value ) : void
buff this Buffer in which the value is set.
offset ulong Offset where the value is set.
value ushort The value to set.
return void

SetUInt32() public static method

Sets an UInt32 value at an offset in a buffer.
public static SetUInt32 ( this buff, uint offset, uint value ) : void
buff this Buffer to set the value in.
offset uint Offset in the array for the value.
value uint Value to set.
return void

SetUInt64() public static method

Sets an UInt64 value at an offset in a buffer.
public static SetUInt64 ( this buff, ulong offset, ulong value ) : void
buff this Buffer to set the value in.
offset ulong Offset in the array for the value.
value ulong Value to set.
return void

Sha1() public static method

Compute the SHA-1 from a byte array.
public static Sha1 ( byte buff ) : string
buff byte Binary as a byte buffer.
return string

Sha1() public static method

Compute the SHA-1 from a file.
public static Sha1 ( string file ) : string
file string Path to the file
return string

Sha256() public static method

Compute the SHA-256 from a byte array.
public static Sha256 ( byte buff ) : string
buff byte Binary as a byte buffer.
return string

Sha256() public static method

Compute the SHA-256 from a file.
public static Sha256 ( string file ) : string
file string Path to the file
return string

ToHexString() public static method

Convert a sub array of an byte array to an hex string where every byte is separated by an whitespace.
public static ToHexString ( this input, ulong from, ulong length ) : List
input this Byte array.
from ulong Index in the byte array where the hex string starts.
length ulong Length of the hex string in the byte array.
return List

ToHexString() public static method

Convert ushort into a hexadecimal string.
public static ToHexString ( this value ) : string
value this Value
return string

ToHexString() public static method

Convert a sequence of bytes into a hexadecimal string.
public static ToHexString ( this bytes ) : string
bytes this Byte sequence.
return string

ToHexString() public static method

Convert a sequence of ushorts into a hexadecimal string.
public static ToHexString ( this values ) : string
values this Value sequence.
return string

ToIntFromHexString() public static method

Converts a hex string of the form 0x435A4DE3 to a long value.
public static ToIntFromHexString ( this hexString ) : long
hexString this
return long

VAtoFileMapping() public static method

Map an virtual address to the raw file address.
public static VAtoFileMapping ( this VA, ICollection sh ) : uint
VA this Virtual Address
sh ICollection Section Headers
return uint

VAtoFileMapping() public static method

Map an virtual address to the raw file address.
public static VAtoFileMapping ( this VA, ICollection sh ) : ulong
VA this Virtual Address
sh ICollection Section Headers
return ulong