I used to think that .net assemblies that were signed and/or strong-named were verified by the CLR when loaded, meaning that it wasn't possible for someone to edit the IL and still have a valid assembly. Then I listened to this great Herding Code podcast where Jon McCoy said that doesn't really happen (approx 12:47 in the podcast) - i.e. anyone can edit the IL and mess with your assembly and the CLR will not care. I know this sounds weird, but he seems to know what he's talking about, so perhaps it's just that I don't know exactly what scenarios he's referring to.
Can someone explain if & when the CLR will actually verify the full contents of an assembly to ensure that someone hasn't tampered with the IL? If 'signing' or 'strong naming' doesn't do it, what process do you need to make the CLR check an assembly properly?
Some other references (that haven't made it entirely clear to me - probably I'm just a bit slow):
Talks about editing the IL and bypassing the strong name signing Validating .NET Framework Assemblies (I don't know if this is the same sort of attack referred to by Jon).
Says attacker can resign with his own key but can't leave your signature intact : Can strong naming an assembly be used to verify the assembly author? (i.e. not the same attack referred to by Jon)
Saying from .net 3.5 CLR doesn't verify assemblies under full trust: Why does .NET not verify the BCL/CLR? (maybe this is what Jon means?)
How to verify an assembly: How to programmatically verify an assembly is signed with a specific Certificate?
Grey Wolf (by Jon McCoy) - for copying strong name signing on assemblies !? https://www.digitalbodyguard.com/graywolf.html
This is Jon McCoy :) Yes the strong name signing can be bypassed. WHY/HOW-> The Runtime only checks the strong name signing key/cert but does not Hash the DLL/EXE to match the key. If the OS(Windows) has the .NET Framework set to turn Strong name Sign checking on then it will but this is off by default.
FIX Ideas: Link to turn the bypass off: http://msdn.microsoft.com/en-us/library/cc713694%28v=vs.110%29.aspx
Also some protection systems will have a known hash to check but this can be removed.
You could enforce it as an IT policy and in windows.
Yes: My Tool GrayWolf(free on http://www.DigitalBodyGuard.com) changes the IL and moves the Keys from the old one to the new changed copy, the keys would not match the HASH of the DLL/EXE they are on but no one checks:)
P.S. it would slow the boot time to check the Hash
来源:https://stackoverflow.com/questions/20105103/are-signed-net-assemblies-ever-fully-verified-when-loaded-to-check-they-haven