Question

Hi, I am trying to figure out how to make sure that a supplied DLL is the correct one. The reason is that our distributed solution is built of many small DLLs, each containing certain portions of the application, and sometimes we roll out a new version of some of these.

It's not an "update problem", but merely - how do we check if:

  1. it's the correct binary/assembly

  2. the customer/client has tampered with the file and perhaps replaced it with one of the same name with similar functions to return bad values?

Multiple reasons

This could be used for copy protection/license tests or other important validation issues, so I'm trying to figure out if an MD5 checksum + some sort of assembly info is enough? (If so, how do I gain access to assembly details or similar?)

Of course nothing is failsafe when you CAN decompile .NET DLLs, but exactly because of that we want to make sure that someone doesn't just decompile our function list and then write their own replacement DLL for our "oooh so important" DLLs.

Our reason is the amount of debugging/support trouble needed when we get customers who have destroyed these by accident or on purpose (we don't care about the reason, we just try to prevent most of the possible errors).

Solution

I see two options:

  1. Digital signing. You need to buy a digital certificate, but once you make it work you can feel very confident about the origin of the file. It also has the advantage that your programs won't be marked as being from "an unknown publisher" in Windows Vista and higher.

  2. Hashing. You could use an MD5 (or better, a SHA-1) hash. Very easy to implement, but it is possible to work around the protection (although it's not trivial to do that).

OTHER TIPS

In Visual Studio, you can point a reference to a "specific version" of a library. You just change the default 'False' to 'True' in the reference's properties. This would handle the looking up of assembly info for you. It's trivial to override that using a binding redirect, but this would prevent the program trying to run in situations where the wrong version is installed accidentally.

I do recommend digital signing to get the best protection against deliberate tampering, as @Alberto Martinez mentioned.
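
An added example (not code from either answer) of the hashing option combined with the assembly details the question asks about: it compares a DLL's hash, version and public key token against expected values. It uses SHA-256 rather than the MD5 or SHA-1 named above; the `Expected` record, the `DllCheck` class and the sample files are assumptions for illustration, and it assumes .NET 5 or later built as a normal (not single-file) application.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

// Hypothetical known-good record for one DLL; in practice embedded in the signed main executable.
record Expected(string Sha256Hex, Version Version, string PublicKeyTokenHex);

static class DllCheck
{
    static string Hex(byte[] b) => BitConverter.ToString(b ?? Array.Empty<byte>()).Replace("-", "");

    public static string Sha256Of(string path)
    {
        using var sha = SHA256.Create();
        using var fs = File.OpenRead(path);
        return Hex(sha.ComputeHash(fs));
    }

    // Returns null when the file matches, otherwise the reason it was rejected.
    public static string Verify(string path, Expected exp)
    {
        // Hash first, so the metadata of an unexpected file is never parsed.
        if (!string.Equals(Sha256Of(path), exp.Sha256Hex, StringComparison.OrdinalIgnoreCase))
            return "hash mismatch";
        // Reads the identity from metadata without loading the assembly into the process.
        AssemblyName name = AssemblyName.GetAssemblyName(path);
        if (name.Version != exp.Version) return "unexpected version " + name.Version;
        if (Hex(name.GetPublicKeyToken()) != exp.PublicKeyTokenHex) return "unexpected public key token";
        return null;
    }

    static void Main()
    {
        // Constructed sample: this program's own assembly plays the "good" DLL.
        string good = Assembly.GetExecutingAssembly().Location;
        AssemblyName id = AssemblyName.GetAssemblyName(good);
        var exp = new Expected(Sha256Of(good), id.Version, Hex(id.GetPublicKeyToken()));
        Console.WriteLine("original: " + (Verify(good, exp) ?? "ok"));

        // Constructed modified copy: same file name and content plus one extra byte.
        string bad = Path.Combine(Path.GetTempPath(), Path.GetFileName(good));
        File.Copy(good, bad, true);
        File.AppendAllText(bad, "x");
        Console.WriteLine("modified: " + (Verify(bad, exp) ?? "ok"));
        File.Delete(bad);
    }
}
```

The expected values only help if they are stored somewhere the customer cannot edit as easily as the DLL itself, which is where the digital signing option comes in.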

Licensed under: CC-BY-SA with attribution