#11
I've got this planned for another blog entry down the line, but you'll find that hashing all of the bytes of an assembly isn't going to get you the same hash that is in the signature. There are various parts of the PE file that we skip over when creating that hash, so you'll need to do the same when calculating yours.

-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.

--------------------
From: "William Stacey [MVP]" <staceywREMOVE (AT) mvps (DOT) org>
Subject: Re: API to access loaded assembly hash
Date: Tue, 22 Feb 2005 11:07:21 -0500
Newsgroups: microsoft.public.dotnet.security

Spoofing of the non-evidence approach would depend on how the private GetRawData method is implemented. For example, if it reads the data from

Yeh, I guess we need to see how GetRawData is implemented. Cheers.

--
William Stacey, MVP
http://mvp.support.microsoft.com
#12
From: "William Stacey [MVP]" <staceywREMOVE (AT) mvps (DOT) org>
Subject: Re: API to access loaded assembly hash
Date: Sat, 26 Feb 2005 10:59:45 -0500

Thanks Shawn. Using Hash.SHA1() should get you the same hash each time however - correct? Then the problem becomes storing the const byte[] of the hash you produce as a verifier. You would have to figure out how to skip those bytes in the raw data (or zero them) before calculating the hash. Sound right?

--
William Stacey, MVP
http://mvp.support.microsoft.com
#13
From: shawnfa (AT) online (DOT) microsoft.com ("Shawn Farkas [MS]")
Organization: Microsoft
Subject: Re: API to access loaded assembly hash
Date: Mon, 28 Feb 2005 21:41:15 GMT

Right, Hash.SHA1() should do it for you. If you were to do it over the raw assembly, the algorithm actually involves skipping over the bytes not hashed instead of zeroing them out.

-Shawn
http://blogs.msdn.com/shawnfa
#14
From: shawnfa (AT) online (DOT) microsoft.com ("Shawn Farkas [MS]")
Organization: Microsoft
Subject: Re: API to access loaded assembly hash
Date: Mon, 28 Feb 2005 23:19:37 GMT

Sorry -- brain fart there .... Hash.SHA1() is going to hash over the entire assembly. It's not the same thing as a strong name hash.

-Shawn
http://blogs.msdn.com/shawnfa
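The distinction drawn in the posts above (a whole-file hash versus a hash that leaves regions out, and skipping those regions versus zeroing them) as an added Python example, not code from the thread or from the .NET Framework. The 256-byte buffer and the excluded ranges are constructed for illustration and are not the real strong-name layout; all function names are hypothetical.

```python
import hashlib
import hmac


def _normalise(regions, size):
    """Sort and merge (offset, length) ranges into half-open (start, end) pairs.

    Ranges that fall outside the image are rejected rather than clipped, so a
    bad range list cannot silently change which bytes are covered by the hash.
    """
    merged = []
    for off, length in sorted(regions):
        if off < 0 or length < 0 or off + length > size:
            raise ValueError(f"range ({off}, {length}) is outside the {size}-byte image")
        if length == 0:
            continue
        end = off + length
        if merged and off <= merged[-1][1]:
            # Overlapping or adjacent ranges collapse into one.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((off, end))
    return merged


def hash_whole(data):
    """SHA-1 over every byte of the file."""
    return hashlib.sha1(data).digest()


def hash_skipping(data, regions):
    """SHA-1 over the file with the excluded ranges left out of the stream."""
    h = hashlib.sha1()
    pos = 0
    for start, end in _normalise(regions, len(data)):
        h.update(data[pos:start])
        pos = end
    h.update(data[pos:])
    return h.digest()


def hash_zeroing(data, regions):
    """SHA-1 over the file with the excluded ranges overwritten by zero bytes."""
    buf = bytearray(data)
    for start, end in _normalise(regions, len(data)):
        buf[start:end] = bytes(end - start)
    return hashlib.sha1(buf).digest()


def matches(data, regions, expected):
    """Verifier: recompute with the skipping method and compare in constant time."""
    return hmac.compare_digest(hash_skipping(data, regions), expected)


# Constructed sample: a 4-byte checksum-like field and a 32-byte signature slot.
EXCLUDED = [(16, 4), (64, 32)]


def _build_samples():
    unsigned = bytearray(i % 251 for i in range(256))
    for off, length in EXCLUDED:
        unsigned[off:off + length] = bytes(length)   # slots are empty before signing
    signed = bytearray(unsigned)
    signed[16:20] = b"\x12\x34\x56\x78"             # checksum written after the fact
    signed[64:96] = b"\xAA" * 32                     # signature written after the fact
    tampered = bytearray(signed)
    tampered[200] ^= 0xFF                            # one covered byte modified
    return bytes(unsigned), bytes(signed), bytes(tampered)


UNSIGNED, SIGNED, TAMPERED = _build_samples()

if __name__ == "__main__":
    for name, img in (("unsigned", UNSIGNED), ("signed", SIGNED), ("tampered", TAMPERED)):
        print(f"{name:9} whole={hash_whole(img).hex()[:12]} "
              f"skip={hash_skipping(img, EXCLUDED).hex()[:12]} "
              f"zero={hash_zeroing(img, EXCLUDED).hex()[:12]}")
```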
#15
And to reply to myself 3 levels deep :-) Here's the post I promised last week: http://blogs.msdn.com/shawnfa/archiv...28/382027.aspx

-Shawn
http://blogs.msdn.com/shawnfa
#16
From: "William Stacey [MVP]" <staceywREMOVE (AT) mvps (DOT) org>
Subject: Re: API to access loaded assembly hash
Date: Tue, 1 Mar 2005 00:04:08 -0500

Thanks Shawn. Read your blog. I take it Hash.SHA1 would also include any embedded resources (i.e. strings, bitmaps, etc)?

--
William Stacey, MVP
http://mvp.support.microsoft.com