API to access loaded assembly hash

nntp://news.microsoft.com/microsoft.public.dotnet.security/<3211D764-E2EC-454A-A067-D46F6451E***@microsoft.com>

Hi,

I'm not able to find any API to retrieve at runtime the hash of an assembly.

1/ is there any existing API (I might not have looked in the correct namespaces/classes)?
2/ if not, why isn't there any? any security implication? is it planned to have one in .Net 2.0?

Note: I know that I can compute the hash manually (using interop or not).

[microsoft.public.dotnet.security]

You can iterate through the evidence collection of a loaded assembly which gives you the hash. See the code attached.

---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

    // Needs: using System; using System.Collections; using System.Reflection;
    try
    {
        // Load the assembly named on the command line and print every evidence object.
        Assembly a = Assembly.LoadFrom(args[0]);
        IEnumerator it = a.Evidence.GetEnumerator();
        while (it.MoveNext())
        {
            Console.WriteLine(it.Current);
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }

Thanks Dominick. Based from that, here is how to get the sha1 hash.

    // Needs: using System; using System.Reflection; using System.Security.Policy;
    Assembly a = Assembly.GetExecutingAssembly();
    foreach (object o in a.Evidence)
    {
        // Only the Hash evidence object carries the assembly hash.
        Hash aHash = o as Hash;
        if (aHash == null)
            continue;
        byte[] sha1Hash = aHash.SHA1;
        string base64 = Convert.ToBase64String(sha1Hash);
        Console.WriteLine("SHA1 Hash:{0}", base64);
    }

I have one question. Is this doing a sha1 hash over the assembly bytes as they exist or some other metadata stored in the Evidence?

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:#L1zzqnFFHA.1348@TK2MSFTNGP14.phx.gbl...
> You can iterate through the evidence collection of a loaded assembly which
> gives you the hash. See the code attached.

It's stored separately in runtime evidence and is subject to spoofing in the same way as the strong name public key used in evidence. If you're trying to use it to verify code identity, it would be at least somewhat safer to read it directly out of the PE file. However, if it's possible to fake the assembly load path, that won't be particularly reliable either since you could end up reading the data from the wrong (or, actually, the right <g>) file.

"William Stacey [MVP]" <staceywREM***@mvps.org> wrote in message news:uvrDLJtFFHA.3728@TK2MSFTNGP14.phx.gbl...
> Thanks Dominick. Based from that, here is how to get the sha1 hash.
>
>     Assembly a = Assembly.GetExecutingAssembly();
>     foreach (object o in a.Evidence)
>     {
>         Hash aHash = o as Hash;
>         if (aHash == null)
>             continue;
>         byte[] sha1Hash = aHash.SHA1;
>         string base64 = Convert.ToBase64String(sha1Hash);
>         Console.WriteLine("SHA1 Hash:{0}", base64);
>     }
>
> I have one question. Is this doing a sha1 hash over the assembly bytes as
> they exist or some other metadata stored in the Evidence?
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com

Based on some tests, it would seem the GetRawData() internal method returns the data from the assembly that is used to sign the assem. So it seems it reads directly from the file so changing the file will change the rawdata and hence a md5 or sha1 hash. Are you seeing something different?

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:uj7qaxzFFHA.3608@TK2MSFTNGP14.phx.gbl...
> It's stored separately in runtime evidence and is subject to spoofing in the
> same way as the strong name public key used in evidence. If you're trying
> to use it to verify code identity, it would be at least somewhat safer to
> read it directly out of the PE file. However, if it's possible to fake the
> assembly load path, that won't be particularly reliable either since you
> could end up reading the data from the wrong (or, actually, the right <g>)
> file.

Yes, but only when I deliberately spoof the hash. <g>

The path that uses GetRawData is only taken when the m_rawData field has not been otherwise populated. There are, however, other ways that the field's value can be set, and one of these paths is used when the hash is populated from evidence. If the evidence provides a hash different from the actual assembly's, the evidence hash will be retrieved with no indication that it is incorrect.

That said, it would appear that initializing the hash from the assembly (e.g.: new Hash(targetAssembly)), as opposed to reading the hash from evidence, isn't subject to the same trivial evidence spoofing. However, it may be subject to other spoofing techniques that I haven't tried.

"William Stacey [MVP]" <staceywREM***@mvps.org> wrote in message news:emGLCRKGFHA.4088@TK2MSFTNGP09.phx.gbl...
> Based on some tests, it would seem the GetRawData() internal method returns
> the data from the assembly that is used to sign the assem. So it seems it
> reads directly from the file so changing the file will change the rawdata and
> hence a md5 or sha1 hash. Are you seeing something different?
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com

> Yes, but only when I deliberately spoof the hash. <g>

How would you spoof data in my Hash object (other than debugger). You could load an assem in your appdomain and update private vars in your Hash object, but wouldn't you need to ref my Hash object to spoof anything? tia

By setting evidence (e.g.: via AppDomain.Load overload that takes evidence argument), one assembly can cause another assembly's hash to appear different than it actually is. No debugging or reflection into low accessibility members is required.

Spoofing of the non-evidence approach would depend on how the private GetRawData method is implemented. For example, if it reads the data from the assembly file on disk, it may be possible to spoof the hash by either faking the assembly path or swapping out the source file after the assembly has already been loaded. Either way, the lower level API would not be reading the hash data from the file that was the actual source of the loaded assembly. This is the same sort of thing I was suggesting might be possible wrt your public key comparison a couple of weeks ago.

"William Stacey [MVP]" <staceywREM***@mvps.org> wrote in message news:%23n3E1sOGFHA.2032@tk2msftngp13.phx.gbl...
>> Yes, but only when I deliberately spoof the hash. <g>
>
> How would you spoof data in my Hash object (other than debugger). You could
> load an assem in your appdomain and update private vars in your Hash object,
> but wouldn't you need to ref my Hash object to spoof anything? tia
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com

> Spoofing of the non-evidence approach would depend on how the private
> GetRawData method is implemented. For example, if it reads the data from

Yeh, I guess we need to see how GetRawData is implemented. Cheers.

I've got this planned for another blog entry down the line, but you'll find that hashing all of the bytes of an assembly isn't going to get you the same hash that is in the signature. There are various parts of the PE file that we skip over when creating that hash, so you'll need to do the same when calculating yours.

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Note:
For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
> From: "William Stacey [MVP]" <staceywREM***@mvps.org>
> Subject: Re: API to access loaded assembly hash
> Date: Tue, 22 Feb 2005 11:07:21 -0500
>
> > Spoofing of the non-evidence approach would depend on how the private
> > GetRawData method is implemented. For example, if it reads the data from
>
> Yeh, I guess we need to see how GetRawData is implemented. Cheers.
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com

Thanks Shawn. Using Hash.SHA1() should get you the same hash each time however - correct? Then the problem becomes storing the const byte[] of the hash you produce as a verifier. You would have to figure out how to skip those bytes in the raw data (or zero them) before calculating the hash. Sound right?

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Shawn Farkas [MS]" <shaw***@online.microsoft.com> wrote in message news:hWvH6Q6GFHA.400@TK2MSFTNGXA02.phx.gbl...
> I've got this planned for another blog entry down the line, but you'll find
> that hashing all of the bytes of an assembly isn't going to get you the
> same hash that is in the signature. There are various parts of the PE file
> that we skip over when creating that hash, so you'll need to do the same
> when calculating yours.
>
> -Shawn
> http://blogs.msdn.com/shawnfa

Right, Hash.SHA1() should do it for you. If you were to do it over the raw assembly, the algorithm actually involves skipping over the bytes not hashed instead of zeroing them out.

-Shawn
http://blogs.msdn.com/shawnfa
--------------------
> From: "William Stacey [MVP]" <staceywREM***@mvps.org>
> Subject: Re: API to access loaded assembly hash
> Date: Sat, 26 Feb 2005 10:59:45 -0500
>
> Thanks Shawn. Using Hash.SHA1() should get you the same hash each time
> however - correct? Then the problem becomes storing the const byte[] of the
> hash you produce as a verifier. You would have to figure out how to skip
> those bytes in the raw data (or zero them) before calculating the hash.
> Sound right?
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com

Sorry -- brain fart there .... Hash.SHA1() is going to hash over the entire assembly. It's not the same thing as a strong name hash.

-Shawn
http://blogs.msdn.com/shawnfa
--------------------
> From: shaw***@online.microsoft.com ("Shawn Farkas [MS]")
> Date: Mon, 28 Feb 2005 21:41:15 GMT
> Subject: Re: API to access loaded assembly hash
>
> Right, Hash.SHA1() should do it for you. If you were to do it over the raw
> assembly, the algorithm actually involves skipping over the bytes not
> hashed instead of zeroing them out.
>
> -Shawn
> http://blogs.msdn.com/shawnfa

And to reply to myself 3 levels deep :-)

Here's the post I promised last week: http://blogs.msdn.com/shawnfa/archive/2005/02/28/382027.aspx

-Shawn
http://blogs.msdn.com/shawnfa
--------------------
> From: shaw***@online.microsoft.com ("Shawn Farkas [MS]")
> Date: Mon, 28 Feb 2005 23:19:37 GMT
> Subject: Re: API to access loaded assembly hash
>
> Sorry -- brain fart there .... Hash.SHA1() is going to hash over the entire
> assembly. It's not the same thing as a strong name hash.
>
> -Shawn
> http://blogs.msdn.com/shawnfa
microsoft.public.dotnet.security:9198 > > > > > X-Tomcat-NG: microsoft.public.dotnet.security > > > > > > > > > > > Spoofing of the non-evidence approach would depend on how the > > private > > > > > > GetRawData method is implemented. For example, if it reads the > data > > > > from > > > > > > > > > > Yeh, I guess we need to see how GetRawData is implemented. Cheers. > > > > > > > > > > -- > > > > > William Stacey, MVP > > > > > http://mvp.support.microsoft.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks Shawn. Read your blog. I take it Hash.SHA1 would also include any
embedded resources (i.e. strings, bitmaps, etc)?

--
William Stacey, MVP
http://mvp.support.microsoft.com

""Shawn Farkas [MS]"" <shaw***@online.microsoft.com> wrote in message
news:socDzvfHFHA.400@TK2MSFTNGXA02.phx.gbl...
> And to reply to myself 3 levels deep :-)
>
> Here's the post I promised last week:
> http://blogs.msdn.com/shawnfa/archive/2005/02/28/382027.aspx
>
> -Shawn
> http://blogs.msdn.com/shawnfa

Absolutely -- Hash.SHA1 includes everything that's in the assembly's PE
file.

-Shawn
http://blogs.msdn.com/shawnfa
--------------------
> From: "William Stacey [MVP]" <staceywREM***@mvps.org>
> Date: Tue, 1 Mar 2005 00:04:08 -0500
>
> Thanks Shawn. Read your blog. I take it Hash.SHA1 would also include any
> embedded resources (i.e. strings, bitmaps, etc)?
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com
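The skip-versus-zero distinction discussed in the thread above, as an added example that is not part of the original thread and not the CLR's own code. The 64-byte image, the `ByteRange` type and the excluded range are constructed for illustration and are not the real PE fields the strong name hash leaves out; the program shows that a whole-file digest changes when the excluded bytes change, and that skipping and zeroing those bytes produce different digests.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

static class SkipVersusZeroDemo
{
    // A byte range excluded from the digest (hypothetical helper type).
    struct ByteRange
    {
        public readonly int Offset, Length;
        public ByteRange(int offset, int length) { Offset = offset; Length = length; }
    }

    // Whole-file digest: every byte of the image is hashed.
    static byte[] HashAll(byte[] image)
    {
        using (SHA1 sha = SHA1.Create())
            return sha.ComputeHash(image);
    }

    // Skipping: excluded bytes are never fed to the hash function.
    static byte[] HashSkipping(byte[] image, IEnumerable<ByteRange> excluded)
    {
        using (SHA1 sha = SHA1.Create())
        {
            int pos = 0;
            foreach (ByteRange r in excluded.OrderBy(x => x.Offset))
            {
                if (r.Offset < pos || r.Length < 0 || r.Length > image.Length - r.Offset)
                    throw new ArgumentException("excluded ranges overlap or fall outside the image");
                sha.TransformBlock(image, pos, r.Offset - pos, null, 0);
                pos = r.Offset + r.Length;
            }
            sha.TransformFinalBlock(image, pos, image.Length - pos);
            return sha.Hash;
        }
    }

    // Zeroing: excluded bytes are overwritten with 0x00 and still hashed.
    static byte[] HashZeroing(byte[] image, IEnumerable<ByteRange> excluded)
    {
        byte[] copy = (byte[])image.Clone();
        foreach (ByteRange r in excluded)
            Array.Clear(copy, r.Offset, r.Length);
        return HashAll(copy);
    }

    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }

    static void Main()
    {
        // Constructed stand-in for an assembly image: bytes 16..31 play the role
        // of a signature slot that is filled in after the digest is computed.
        byte[] unsignedImage = Enumerable.Range(0, 64).Select(i => (byte)i).ToArray();
        byte[] signedImage = (byte[])unsignedImage.Clone();
        for (int i = 16; i < 32; i++) signedImage[i] = 0xAA;
        ByteRange[] slot = { new ByteRange(16, 16) };

        // A pinned whole-file hash stops matching once the slot is written.
        Console.WriteLine("whole file, same before and after signing: {0}",
            HashAll(unsignedImage).SequenceEqual(HashAll(signedImage)));
        // A digest that skips the slot is unaffected by what is written there.
        Console.WriteLine("skipping slot, same before and after signing: {0}",
            HashSkipping(unsignedImage, slot).SequenceEqual(HashSkipping(signedImage, slot)));
        // Skipping hashes 48 bytes; zeroing hashes 64, so a verifier must use the
        // same rule as whoever produced the reference digest.
        Console.WriteLine("skip digest equals zero digest: {0}",
            HashSkipping(signedImage, slot).SequenceEqual(HashZeroing(signedImage, slot)));
        Console.WriteLine("skip: {0}", Hex(HashSkipping(signedImage, slot)));
        Console.WriteLine("zero: {0}", Hex(HashZeroing(signedImage, slot)));
    }
}
```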