Yesterday I wanted to make a small API hook detector in C#. It has to parse a PE file, find the exported functions, read the bytes from the beginning of each function and then compare them with the bytes in process memory. Sounds simple, right?
Well, good luck finding a PE parser that actually works!
Looking for a PE parser
Most PE parsers stop at parsing the DOS header, NT headers and section headers. But I needed something that would also parse the export table for me. After a couple of Google searches I ended up with PEReader by DKorablin. At first glance it's decent and even has a demo application. What else could you want?
Hmmm, how about working correctly on really simple files? 😉
Sorry, nope.
It sure finds exported functions, but it mismatches function names & RVAs. So, if you wanted to examine, say, CreateFileW, you would end up examining DeleteFileA. Or some other random API. Great job!
But it's opensource. Just fix it and submit a patch!
Umm, no. I was looking for a PE parser that I can take, load it in VS and use it. I don't want to spend days hunting down bugs and fixing them - this stops me from doing what I really want to do.
So, dear opensourcer, if you are publishing your code, make sure it actually works. If it doesn't work, please don't publish it at all - it's not helping anyone. Don't waste other people's time.
P.S. I ended up using DNLib and writing my own PE export parsing. At least I know it works properly.
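What the export walk described above has to get right, shown as an added example in Python rather than the post's C# (this is not the post's code, nor dnlib's, PEReader's or B@S's): locate the NT headers via e_lfanew, pick data directory 0 from the optional header, translate RVAs to file offsets through the section table, and pair names with function RVAs through AddressOfNameOrdinals rather than by position. Everything it runs on is constructed inline and made up for the example: the sample PE32 with three stub exports (CreateFileW, DeleteFileA, CloseHandle at invented RVAs), its section layout, and the fake process memory with a `jmp rel32` planted over CreateFileW. The `use_ordinal_table=False` switch skips the ordinal table on purpose and reproduces the symptom described above, where asking for CreateFileW hands back DeleteFileA's address.

```python
import struct

def _cstr(data, off):  # NUL-terminated ASCII string at file offset `off`
    return data[off:data.index(b"\0", off)].decode("ascii")

def _e_lfanew(data):
    """Validate the MZ/PE signatures and return the file offset of IMAGE_NT_HEADERS."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 and data[:2] == b"MZ" else 0
    if not e_lfanew or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad MZ/PE signature")
    return e_lfanew

def _sections(data, e_lfanew):
    """[(VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)] per IMAGE_SECTION_HEADER."""
    num_sections, size_opt = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + size_opt  # the section table follows the optional header
    out = []
    for i in range(num_sections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        out.append((va, vsize, raw_ptr, raw_size))
    return out

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (export tables hold RVAs, not file offsets)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_exports(data, use_ordinal_table=True):
    """Return {name: rva}; forwarders map to their 'DLL.Symbol' string. use_ordinal_table=False
    pairs names[i] with functions[i]: the bug that answers a CreateFileW lookup with DeleteFileA's RVA."""
    e_lfanew = _e_lfanew(data)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: opt + 0x60, 0x20B: opt + 0x70}.get(magic)  # DataDirectory start: PE32 / PE32+
    if dd is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    export_rva, export_size = struct.unpack_from("<II", data, dd)  # entry 0 = IMAGE_DIRECTORY_ENTRY_EXPORT
    if export_rva == 0:
        return {}
    secs = _sections(data, e_lfanew)
    exp = rva_to_offset(secs, export_rva)
    # IMAGE_EXPORT_DIRECTORY from the Name field on (skip Characteristics, TimeDateStamp, Major/MinorVersion)
    _name, _base, n_funcs, n_names, aof, aon, aono = struct.unpack_from("<7I", data, exp + 12)
    funcs_off, names_off, ords_off = (rva_to_offset(secs, r) for r in (aof, aon, aono))
    exports = {}
    for i in range(n_names):
        name = _cstr(data, rva_to_offset(secs, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0] if use_ordinal_table else i  # Base-biased
        if idx >= n_funcs:
            raise ValueError(f"{name}: ordinal index {idx} out of range")
        func_rva = struct.unpack_from("<I", data, funcs_off + 4 * idx)[0]
        forwarded = export_rva <= func_rva < export_rva + export_size  # RVA inside the export directory
        exports[name] = _cstr(data, rva_to_offset(secs, func_rva)) if forwarded else func_rva
    return exports

def find_hooked_exports(data, read_mem, n=8):
    """Compare the first n bytes of every export on disk with read_mem(rva, n) from the mapped image."""
    secs = _sections(data, _e_lfanew(data))
    hooked = []
    for name, target in parse_exports(data).items():
        if isinstance(target, str):
            continue  # forwarder: the code lives in another module
        on_disk = data[rva_to_offset(secs, target):][:n]
        in_mem = read_mem(target, n)
        if on_disk != in_mem:
            hooked.append((name, target, on_disk, in_mem))
    return hooked

def build_sample_dll():
    """Constructed PE32: one .text section (RVA 0x1000 / file 0x200) exporting three stubs. Names are stored
    sorted (CloseHandle, CreateFileW, DeleteFileA) but the functions sit in another order."""
    sec = bytearray(0x200)
    sec[0x000:0x005] = b"\x8b\xff\x55\x8b\xec"  # CreateFileW stub @ RVA 0x1000 (ordinal 1)
    sec[0x010:0x015] = b"\x55\x8b\xec\x83\xec"  # DeleteFileA stub @ RVA 0x1010 (ordinal 2)
    sec[0x020:0x025] = b"\x53\x56\x57\x8b\xf1"  # CloseHandle stub @ RVA 0x1020 (ordinal 3)
    # IMAGE_EXPORT_DIRECTORY @ RVA 0x1040: Name RVA, Base=1, 3 functions, 3 names, the three table RVAs
    struct.pack_into("<IIHH7I", sec, 0x40, 0, 0, 0, 0, 0x10A0, 1, 3, 3, 0x1070, 0x1080, 0x1090)
    struct.pack_into("<3I", sec, 0x70, 0x1000, 0x1010, 0x1020)  # AddressOfFunctions, ordinal order
    struct.pack_into("<3I", sec, 0x80, 0x10B0, 0x10C0, 0x10D0)  # AddressOfNames, sorted by name
    struct.pack_into("<3H", sec, 0x90, 2, 0, 1)                 # AddressOfNameOrdinals (Base-biased)
    for off, s in ((0xA0, b"demo.dll"), (0xB0, b"CloseHandle"), (0xC0, b"CreateFileW"), (0xD0, b"DeleteFileA")):
        sec[off:off + len(s) + 1] = s + b"\0"
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)       # i386, 1 section, DLL
    opt = (struct.pack("<H", 0x10B).ljust(0x60, b"\0") + struct.pack("<II", 0x1040, 0x1C0)).ljust(0xE0, b"\0")
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(headers + bytes(0x200 - len(headers)) + sec)

def fake_process_memory(data, plant_hook=True):
    """Constructed stand-in for ReadProcessMemory: the sample DLL mapped at its RVAs, optionally
    with an inline `jmp rel32` (E9 ...) planted over CreateFileW's prologue."""
    image = bytearray(0x2000)
    for va, _vsize, raw_ptr, raw_size in _sections(data, _e_lfanew(data)):
        image[va:va + raw_size] = data[raw_ptr:raw_ptr + raw_size]
    if plant_hook:
        image[0x1000:0x1005] = b"\xe9\x00\x10\x00\x00"
    return lambda rva, n: bytes(image[rva:rva + n])
```

Things that bite a real detector and that the example does not handle: if the module is not mapped at its preferred ImageBase, any absolute address inside the first bytes differs from disk because of relocations, so apply the .reloc entries (or skip those bytes) before comparing; compare against the exact file the process mapped, not whatever copy happens to be on the path; and forwarders have no code in the module at all, which is why they are skipped. On Windows the `read_mem` callback would wrap ReadProcessMemory and read at module_base + rva.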
mind passing me the project? sounds interesting 🙂
Sure, after it's done. 😉
If you're looking for generic hook detector, HookShark is my current favorite. Too bad it's not being updated anymore, and the source was never published.
you should have tried "B@S.Reversing.dll" framework 😉
Thank you Kurapica, it looks great! I generally try to use the same libraries for all my tools and until now I had never seen the B@S framework. You should try to get it on the Google search results for "PE Parser C#", "PE Reader C#", or even "IMAGE_DIRECTORY_ENTRY_EXPORT C#" 😉
Right now it can be downloaded from http://board.b-at-s.info/index.php?showtopic=9695 Maybe upload it to bitbucket/github?
Please upload it there if you find it useful.
Hi! Yeah, this post is really old...
But I'm the author of the PEReader assembly on GitHub.
If you wouldn't mind sharing your sample code (expected/got) with me, I'll try to fix it.
Thanks in advance.