Hash Checking On Startup

Give your assembly a Strong Name (read the docs) and the .NET framework will
perform the integrity validation for you when the assembly is loaded.

--

Carlos J. Quintero (Visual Developer - .NET MVP)

The MZ-Tools all-in-one add-in, now for .NET: http://www.mztools.com
"Henry C. Wu" <he***********@gmail.com> escribió en el mensaje
news:44**************************@posting.google.c om...

Hi, I'm trying to implement a way to security check the Hash of the
Application.ExecutablePath. I placed the following ran the ff
procedure at Sub Main

Private Sub CheckHash()
Dim fs As New System.IO.FileStream(Application.ExecutablePath,
System.IO.FileMode.Open, System.IO.FileAccess.Read)
Dim shaM As New System.Security.Cryptography.SHA512Managed
Dim bt As Byte() = shaM.ComputeHash(fs)
Console.WriteLine(BitConverter.ToString(bt))

Dim test As String =
"68-B4-A8-E1-FB-A7-5A-76-A9-26-4E-71-F1-7F-1F-93-9F-74-AF-6F-80-A4-A1-AC-34-
89-11-8E-43-E7-34-77-BD-B4-6F-1C-B9-C3-F7-29-63-DD-EA-1C-FF-93-6E-18-49-1C-D
2-9C-42-10-FD-0D-C3-AC-E5-42-D5-44-9E-E4" If BitConverter.ToString(bt) = test Then
MsgBox("Same")
Else
MsgBox("Not The same")
End If
fs.Close()
End Sub
My problem is that whenever I generate the Hash value for
MyApplication.exe and store it at Dim test As String ="....." the
value of BitConverter.ToString(bt) changes, thus it would not match no
matter what I do.

Any insights on how to check the MyApplication.exe executable on
StartUp?

Thanks,
Henry

Hi, thanks for the tip.

I'm following the article on how to give your .NET assembly a Strong
Name.
http://www.codeguru.com/columns/Expe...cle.php/c4643/
Specifically the procedure to use when obfuscating your assembly.

'Begin Snippet------------------------------

Practically, this means that you end up using the delay-signing
process when obfuscating an assembly with a strong name. The typical
usage pattern for a developer using obfuscation is:

a) Build the assembly with delay signing enabled.
b) Enable strong name verification skipping for the assembly (sn.exe
-Vr).
c) Debug and test the assembly.
d) Obfuscate the assembly.
e) Debug and test the obfuscated version.
f) Delay sign the assembly (sn.exe -R).

'End Snippet------------------------------

My Question is
1) How do you "embed" the PublicPrivateKeyFile.snk to the VB Solution?
What I mean is for example you will distribute your application, will
you distribute it with the PublicPrivateKeyFile.snk on the same
directory with your EXE application?

2) After creating the PublicPrivateKeyFile.snk using SN.exe, I copy &
pasted it to my Project's Solution directory & BIN directory,...

doing the follwoing would result to an error:
<Assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")>

but doing this corrected the error:
<Assembly: AssemblyKeyFile("E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\PublicPrivateKey File.snk")>

I've been reading the Visual Studio .NET help, & it says there that
VB's IDE will automatically check for it under your project's Solution
directory. I wonder why it still renedered that error.

3)Step B on the Snippet above,..is the following correct to apply
verification skipping for my assembly?

sn.exe -Vr E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\vbMyProject.exe

Is this the correct way? I'm in doubt a bit because the example was:
sn.exe -Vr YourAssembly.dll

But my assembly doesnt have a DLL.

4)Lastly, when accomplishing everything above. How can I check if I
have done the correct procedure? I mean is there a way to "test" & see
if the assembly is manipulated,...then the application *must not*
start.

Thanks, I appreciate if someone will help me out here in detail
because this is new to me.

Thanks,
Henry

Hi, thanks for the tip.

I'm following the article on how to give your .NET assembly a Strong
Name.
http://www.codeguru.com/columns/Expe...cle.php/c4643/
Specifically the procedure to use when obfuscating your assembly.

'Begin Snippet------------------------------

Practically, this means that you end up using the delay-signing
process when obfuscating an assembly with a strong name. The typical
usage pattern for a developer using obfuscation is:

a) Build the assembly with delay signing enabled.
b) Enable strong name verification skipping for the assembly (sn.exe
-Vr).
c) Debug and test the assembly.
d) Obfuscate the assembly.
e) Debug and test the obfuscated version.
f) Delay sign the assembly (sn.exe -R).

'End Snippet------------------------------

My Question is
1) How do you "embed" the PublicPrivateKeyFile.snk to the VB Solution?
What I mean is for example you will distribute your application, will
you distribute it with the PublicPrivateKeyFile.snk on the same
directory with your EXE application?

2) After creating the PublicPrivateKeyFile.snk using SN.exe, I copy &
pasted it to my Project's Solution directory & BIN directory,...

doing the follwoing would result to an error:
<Assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")>

but doing this corrected the error:
<Assembly: AssemblyKeyFile("E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\PublicPrivateKey File.snk")>

I've been reading the Visual Studio .NET help, & it says there that
VB's IDE will automatically check for it under your project's Solution
directory. I wonder why it still renedered that error.

3)Step B on the Snippet above,..is the following correct to apply
verification skipping for my assembly?

sn.exe -Vr E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\vbMyProject.exe

Is this the correct way? I'm in doubt a bit because the example was:
sn.exe -Vr YourAssembly.dll

But my assembly doesnt have a DLL.

4)Lastly, when accomplishing everything above. How can I check if I
have done the correct procedure? I mean is there a way to "test" & see
if the assembly is manipulated,...then the application *must not*
start.

Thanks, I appreciate if someone will help me out here in detail
because this is new to me.

Thanks,
Henry

Hi,

1) How do you "embed" the PublicPrivateKeyFile.snk to the VB Solution?
What I mean is for example you will distribute your application, will
you distribute it with the PublicPrivateKeyFile.snk on the same
directory with your EXE application?
You don´t need to add it. You just set the <Assembly: AssemblyKeyFile>
attribute in the AssemblyInfo.vb file pointing to that file. The .snk is
only needed by the VS.NET when building the assembly, but it is not needed
by the executable once built (so you don´t copy it to the Bin folder).
2) After creating the PublicPrivateKeyFile.snk using SN.exe, I copy &
pasted it to my Project's Solution directory & BIN directory,...
See previous paragraph about the bin folder
doing the follwoing would result to an error:
<Assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")>

but doing this corrected the error:
<Assembly: AssemblyKeyFile("E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\PublicPrivateKey File.snk")>

I've been reading the Visual Studio .NET help, & it says there that
VB's IDE will automatically check for it under your project's Solution
directory. I wonder why it still renedered that error.
There is a bug in the docs. Try adding \.. until it works:

<Assembly: AssemblyKeyFile("PublicPrivateKeyFile.snk")>
<Assembly: AssemblyKeyFile("..\PublicPrivateKeyFile.snk")>
<Assembly: AssemblyKeyFile("..\..\PublicPrivateKeyFile.snk")>
3)Step B on the Snippet above,..is the following correct to apply
verification skipping for my assembly?

sn.exe -Vr E:\My Projects\Visual
Basic\vbVideoPatternGenerator\bin\vbMyProject.exe

Is this the correct way? I'm in doubt a bit because the example was:
sn.exe -Vr YourAssembly.dll

But my assembly doesnt have a DLL.
Yes, it sn.exe -Vr <assembly> is correct.
4)Lastly, when accomplishing everything above. How can I check if I
have done the correct procedure? I mean is there a way to "test" & see
if the assembly is manipulated,...then the application *must not*
start.

Yes.

sn.exe -v or sn.exe -vf verify the strong name of the assembly. Type sn.exe
/? to see the command line options usage.

The ultimate proof is to use an hex editor and change a character of a
string of your assembly, for example changing the case. The exe should give
an error when launched.

--

Carlos J. Quintero (Visual Developer - .NET MVP)

The MZ-Tools all-in-one add-in, now for .NET: http://www.mztools.com

Thanks so much for info!!! I appreciate it! My assembly is now
obfuscated & strong named.

Thanks again,
Henry