
I have a dll that is digitally signed. When my application starts I want to check that this dll is "original", in particular that it hasn't been replaced with a fake one. How can I do this by checking the Authenticode signature?

I have never done something like this, and I need a bit of help to get started.

UPDATE

I want to prevent someone from replacing the dll with their own and providing their own api methods in this dll, and thus myApp.exe always appearing properly licensed.

I asked the author and he told me:

"There are steps you can take to prevent the type of cracking you mentioned. For instance, somewhere in your code you can verify TurboActivate by checking that the Authenticode signature is still valid (TurboActivate is code-signed). Or, if you want a simpler solution, you can do a simple MD5 or CRC check. This will prevent "drop in" replacement of TurboActivate with a malicious version."

  • Use a strong named assembly - https://stackoverflow.com/questions/2354129/why-use-strong-named-assemblies – auburg Feb 23 '18 at 13:38
  • @auburg the dll is not mine, it is provided by another author so I do not have access to the code – PRENDETEVELO NEL CULO Feb 23 '18 at 13:40
  • Afaik .Net does that automatically when you use a strong named signed library by including the public key in the reference. – Manfred Radlwimmer Feb 23 '18 at 13:40
  • If you load this dll dynamically (as you would with Addins/Plugins) that's of course another story. Keep in mind however that just because a signature is valid doesn't mean it's the one you are looking for. – Manfred Radlwimmer Feb 23 '18 at 13:45
  • @ManfredRadlwimmer Well, the signature cannot be replicated by a malicious user; the signature is done using a private key, so this should be enough (I guess?) to prevent a fake dll – PRENDETEVELO NEL CULO Feb 23 '18 at 13:48
  • @FacundoColidio **If** you know the author and **only** allow known authors, and all authors keep their keys secure, then yes - that would be a reasonable assumption. – Manfred Radlwimmer Feb 23 '18 at 13:49
  • @ManfredRadlwimmer yep I know the author, it is a dll that allows software licensing – PRENDETEVELO NEL CULO Feb 23 '18 at 13:50
  • @FacundoColidio One thing to keep in mind is that **your** program can (thanks to the wonders of decompilers and other useful tools) also be easily modified - e.g. remove the check completely or replace the IL code where you check the license with a function that always returns true. (You could consider this the simplest form of cracking) – Manfred Radlwimmer Feb 23 '18 at 13:52
  • @ManfredRadlwimmer yep I know this, but at least I want to make the life of these people a little harder against my app. I know that I cannot stop cracking at all, but my goal is to get paid by honest people. Do you have any answer to my question? – PRENDETEVELO NEL CULO Feb 23 '18 at 13:55
  • @FacundoColidio If you find yourself in a situation where you have to worry about someone replacing a dll, then you are probably up against someone who can do the same to you what you fear they might do to the other guy. Copy Protection and Licensing is never 100% secure, it's always a matter of effort and money. – Manfred Radlwimmer Feb 23 '18 at 13:56
  • @FacundoColidio My recommendation would be - simply add a reference of this dll to your project and let .Net take care of the rest (just like nvoigt said). Maybe sign your own assemblies too. – Manfred Radlwimmer Feb 23 '18 at 13:56
  • @ManfredRadlwimmer I share your opinion. Microsoft and Adobe cannot stop piracy, so I cannot stop it either; it would be crazy to think so. However, I would like to understand if there is a way to save the hash of the dll and check it every time the app starts. I cannot add this dll as a reference, this simply returns an error – PRENDETEVELO NEL CULO Feb 23 '18 at 13:58
  • @FacundoColidio *"I cannot add this dll as a reference"* Oh, that's odd, what's the error? Is it a native dll maybe (not .Net)? That would be an important detail. – Manfred Radlwimmer Feb 23 '18 at 14:01
  • @ManfredRadlwimmer the error is this: `A reference to TurboActivate.dll could not be added. Please make sure the file is accessible, and that it is a valid assembly or com component.`. The dll is a native library. That means I can't add it as a reference. – PRENDETEVELO NEL CULO Feb 23 '18 at 14:03
  • @FacundoColidio Oh, well that certainly changes things. Maybe this helps: https://blogs.msdn.microsoft.com/windowsmobile/2006/05/17/programmatically-checking-the-authenticode-signature-on-a-file/ That article is quite old and for windows mobile, but maybe it still works that way. – Manfred Radlwimmer Feb 23 '18 at 14:09
  • One crazy low-budget idea: Include the dll as a resource in your program and save it in a temp dir every time you run the check. – Manfred Radlwimmer Feb 23 '18 at 14:10
  • @ManfredRadlwimmer mmm could you please provide a little example? For example, the article says to pass a filename; will this read the path of the dll automatically? It is not very clear to me, thanks! – PRENDETEVELO NEL CULO Feb 23 '18 at 14:11
  • @FacundoColidio I'm afraid this is a bit out-of-scope for this question and I (luckily) never had to do this myself. If this is too complicated you might want to go with the *"you can do a simple MD5 or CRC check"* part. (Just don't use those two, a SHA checksum would be better since MD5 is broken and the CRC part is a ridiculous suggestion to begin with) – Manfred Radlwimmer Feb 23 '18 at 14:14
  • @ManfredRadlwimmer I understood, are there some articles that explain how to do this with SHA? thanks – PRENDETEVELO NEL CULO Feb 23 '18 at 14:17
  • @FacundoColidio I'm sure there are plenty here on SO ([this one for example](https://stackoverflow.com/a/18535893/3214843)). Generate the hash, save it in your code (e.g. `byte[] hash = {0x01, ...}`) and compare it to the one you generate from the dll. Just remember that this leaves you open to the same kind of vulnerabilities mentioned earlier. – Manfred Radlwimmer Feb 23 '18 at 14:19
  • Tampering with a native dll is way harder and more work than just tampering with your program to circumvent the *calling* of the dll. Checking the native dll in that case is kinda pointless... like reinforcing the steel door with extra lead bands while it is set right next to an open window. – nvoigt Feb 23 '18 at 14:20
  • @ManfredRadlwimmer so I should pass the file name to FileUri? And for nvoigt, yep the native dll is developed in C++, which is more difficult to decompile, but in my country there is a saying "security is never enough". Maybe what I am doing is useless, maybe someone will have the determination to break my application and destroy all my effort. But I do not see why not take precautions just because they would not do any good. Do you close the front door when you go out? This stops ordinary thieves, not professional thieves of course. – PRENDETEVELO NEL CULO Feb 23 '18 at 14:25

1 Answer

If the dll is a regular reference of your program, the check will be done automatically for you and your program won't start if it has been tampered with. You don't need to do anything extra; it's part of the normal startup routine of finding all referenced assemblies.

If this assembly is loaded "behind your back" at some point in your program, you can look at it and check its token:

using System;
using System.Linq;

// Find the already-loaded managed assembly and read its strong-name public key token
var assembly = AppDomain.CurrentDomain.GetAssemblies().First(a => a.FullName.Contains("TurboActive"));
var token = assembly.GetName().GetPublicKeyToken();

// check if token is *their* valid token (compare it byte by byte against the vendor's known token)
nvoigt
  • @FacundoColidio Are you looking for something like certificate pinning but for dlls? You might want to provide a bit more detail in your question - simply "checking" the signature might not be enough depending on what you are trying to do. – Manfred Radlwimmer Feb 23 '18 at 13:46
  • @nvoigt unfortunately I get on the first line of your code: "the sequence does not contains elements", maybe this is because the dll is loaded dynamically – PRENDETEVELO NEL CULO Feb 23 '18 at 14:05
  • Then there are no dlls loaded at the time you call it. You need to call it after the dll is loaded (whenever that may be... I wonder how that works, a dll is loaded, but you did not reference anything... sounds fishy.) – nvoigt Feb 23 '18 at 14:08
  • @nvoigt Turns out the dll is not a .Net assembly – Manfred Radlwimmer Feb 23 '18 at 14:09
  • Ahm, I just read that it's a native dll? Then this won't work. – nvoigt Feb 23 '18 at 14:09
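Since the answer's public-key-token check only works for managed assemblies, and the comments point at WinVerifyTrust for a native dll while warning that a valid signature alone does not prove it is the vendor's, here is an added example of both steps together. It is not code from the question, the answer, or the TurboActivate vendor; `AuthenticodeCheck`, `IsTrustedVendorDll` and the `ExpectedThumbprint` placeholder are this example's own names, and the Win32 constants are the documented WinTrust values.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class AuthenticodeCheck
{
    // Placeholder: replace with the SHA-1 thumbprint of the vendor's code-signing certificate.
    const string ExpectedThumbprint = "PLACEHOLDER_VENDOR_THUMBPRINT";
    // WINTRUST_ACTION_GENERIC_VERIFY_V2, the standard Authenticode policy (not readonly: passed by ref below).
    static Guid GenericVerifyV2 = new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO { public uint cbStruct; public string pcwszFilePath; public IntPtr hFile; public IntPtr pgKnownSubject; }
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct; public IntPtr pPolicyCallbackData; public IntPtr pSIPClientData;
        public uint dwUIChoice; public uint fdwRevocationChecks; public uint dwUnionChoice; public IntPtr pFile;
        public uint dwStateAction; public IntPtr hWVTStateData; public IntPtr pwszURLReference; public uint dwProvFlags; public uint dwUIContext;
    }
    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);

    // Step 1: is the embedded signature intact and does it chain to a trusted root? 0 == ERROR_SUCCESS.
    static bool HasValidAuthenticodeSignature(string path)
    {
        var fileInfo = new WINTRUST_FILE_INFO { cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO)), pcwszFilePath = path };
        IntPtr pFileInfo = Marshal.AllocHGlobal((int)fileInfo.cbStruct);
        try
        {
            Marshal.StructureToPtr(fileInfo, pFileInfo, false);
            var data = new WINTRUST_DATA
            {
                cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA)),
                dwUIChoice = 2,     // WTD_UI_NONE: never show a dialog
                dwUnionChoice = 1,  // WTD_CHOICE_FILE: verify the file described by pFile
                pFile = pFileInfo,
                dwProvFlags = 0x100 // WTD_SAFER_FLAG
            };
            return WinVerifyTrust(new IntPtr(-1), ref GenericVerifyV2, ref data) == 0;
        }
        finally { Marshal.DestroyStructure(pFileInfo, typeof(WINTRUST_FILE_INFO)); Marshal.FreeHGlobal(pFileInfo); }
    }

    // Step 2: a valid signature only proves *some* trusted publisher signed it, so also pin the vendor's certificate.
    // Call this on the exact path you will hand to the loader, before the first P/Invoke into the dll.
    public static bool IsTrustedVendorDll(string path)
    {
        if (!HasValidAuthenticodeSignature(path)) return false;
        var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));
        return string.Equals(signer.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

As the comments already note, this only raises the bar: the caller in myApp.exe can itself be patched, and a file verified by path can be swapped between the check and the load, so keep the check close to the point where the dll is actually loaded.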