I have an executable that I would like to protect from changes to the File Version Info.
I initially thought that signing the exe with a certificate would handle this, however when you modify the File Version Info with freely available utilities, it seems that the digital signature still remains intact.
I figure the only way would be to perform some sort of checksum on the exe, however this isn't ideal as I'm concerned that this will cause problems with various post-processors (obfuscation, anti-debug, etc) that I am doing which deny access to the .exe at run-time.
Is there any other way I detect if the File Version Info has been modified in some way?
The certificate is not more valid if only 1 byte of the executable changed.
It seems you use Properties window of Windows Explorer and after changing the version number see the Digital Signature tab still there. This is very misleading about digital signature of executable files in Windows but not true.
This tab just say the file contain certificate but nothing about validation of this certificate. In this tab click on certificate and then click on Details, now on top of the opened window you can see the cert is valid or not.
By using Windows API you can check the certificate is valid or not, maybe this topic help you in C#.
Related
What I'm looking to obtain is a list of signatures on a given file that's been digitally signed ( code signing certificate ) - When you use signtool to sign with a sha1 certificate, you can also sign with a sha256 certificate for instance- Both of these signatures can be found in the file properties under Digital Signatures, under a signature list - You can also see a timestamp if you used that as well.
Is there a standard way to grab that list/details or is this diving into p/invoke territory?
var cert = X509Certificate.CreateFromSignedFile(fileName);
This almost gets me what I need, it assures me a file has a signature and can even build a certificate out of it, it seems - I can then grab the common name and such and do some basic checks from there.
I don't, however, get both signatures, and can't seem to find a way to do so.
Would prefer to do this using standard .NET if possible, but understand that may not be possible. Thanks in advance!
Got an answer for using in console, could likely adapt it for windows forms easily enough but something usable for windows forms out of the box would be great.
How Can a Web Page Display What Version a File is In Program Files Directory?
For example, if I wanted to send a user a URL that would show the user what version of our software is installed (version number and release date) on their Windows PC. I'm just talking about file properties, not actually running something.
Is there a way to do this with .Net/ASP.Net?
The answer is no.
The best you can do with HTML5 or Javascript is to let the user select a file and even then you have very limited access to properties (at most name, size and type) without having the user upload the file.
The most efficient solution right now would be to serve a very basic clickonce application which would locate the files, read the properties and send the information back to the server. From there you can choose to redirect the user back to your website with the information you collected.
Generally access to the Programm folder is limited at best. There used to be a time when we even would write data like Configuration files there. That was Windows 95/98. And it was frowned upon back then.
With the introduction of NTFS with Windows NT (and later XP in the Consumer area), enforceable rules were put in place. Rights tend to be highly limited. This is even more true of Webservers, as they tend to be prime targets for hacking. The only rights you can expected a Webserver to have is read rights to it's programm and the content directory. Maybe if the admin is really nice and it really helps with performance, it might have write rights on a Temporary subfolder of Contents.
Reading out your version from a file is propably possible with only read rights, but not the right way. Usually you just let the compiler hardcode (insert as constant) whatever Version is given in the Project file or by the Version Tracking Software.
So the first thing is that you need some approach of Version Control. And then your answer depends "however this Version control mechanism does tracking of the Compiled version". There is some limited version tracking support in Visual Studio itself. But there is also full, 3rd party Version tracking Software.
I am writing a "Robot" which will generate hundreds of PDF files, using the Acrobat Distiller virtual printer. Its first step should be to designate the folder where all the files should be "printed".
The registry key in question can easily be modified interactively:
I found the following code in Microsoft's web pages:
Running it, I discovered some interesting clues:
Yes, I am aware that by trial and error I will probably find the appropriate incantations. However, this is the infamous Register, which I have never touched programmatically and it is better to be safe than sorry.
TIA
We have developed a Outlook Add In. I wish to deploy this add in in both Single User / Multi user environment
I have managed to deploy this Add In for single user environment. I am adding a Registry Entry (HKCU) for single user and the add in gets installed under "APPDATA\ROAMING\CompanyName\AddInName." I am using standard MSI for installation
But the issue I face is even if i ran the Installer, I don't see Add In appearing under Outlook, unless, I browse to the installation path (as above) and double click on VSTO file and deploy it again.
For Terminal Server / Citrix based implementation, I am trying to change the Registry to HKLM but not 100% sure how this will work.
My question is that
1. How I can have deploy this Outlook Add in only in one attempt. I don't want to install and then deploy (double click VSTO) file?
2. How I can deploy this add in for Terminal Server / Citrix based implementation?
I have gone through various blogs but they are not very clear and cause more confusion.
Would appreciate your expert suggestions
Thanks
Unfortunately I can only answer the first part of your question - You will have to create registry entries so that when Outlook is started it automatically applies your installed add in. See the link below for a detailed explanation of the registry keys that are required. https://msdn.microsoft.com/en-us/library/bb386106.aspx
In short, You need to add a registry entry for your add in that contains a FriendlyName, Description, LoadBehavior and Manifest input. Directing to the following link will tell you exactly how to do this and exactly where to put the keys. https://msdn.microsoft.com/en-us/library/cc442767.aspx#To-create-registry-keys
Best of luck and If you have any issues with that, comment below and I will help you as soon as I can.
**As an added note, I once had problems similar to the one you are having, and in my case it was due to the LoadBehavior setting. I was using the "UK Spelling" of the word instead of the US spelling. LoadBehavior must be specified exactly as I have written it here.
I know that it is possible to pass in parameters via URL to ClickOnce apps launched online. However, most users downloads setup.exe and launch it from their machine. Is there any way that I can re-write setup.exe at download, insert a code (let's say the user's email address), and then have the app launch with knowledge of the code? Assume that we can somehow re-sign setup.exe so that it is legit.
Assume .NET 3.5.
Update The goal here is to pass on either email address and/or referrer information to setup.exe so that even when the user runs the installer from a different machine and a different ip we can figure out who did the referral.
Update 2 Assume .NET 3.5 SP1, does it help? Apparently one can now pass parameters to .application while offline. Is it possible to embed parameters into the setup.exe so that it calls .application?ref=someone right when setup.exe is run?
Well, if your goal is to embed a customer id (email, code, etc) into the exe, the easiest way I can think of is using the IPropertyStorage and IPropertySetStorage interfaces. If you are feeling brave, you could call methods directly on IPropertySetStorage via p/invoke, or you could go the easy route and use Microsoft's prepared COM wrapper, which is called dsofile.dll.
Note that while dsofile is intended for office documents, it does indeed work on any file - including .exe files - you are just stuck with the pre-defined property names. Why not throw your customer id into something like the .Comments property. Just do it in such a way that you can parse it out again.
Here's a sample:
var doc = new OleDocumentPropertiesClass();
doc.Open(pathToFile);
doc.SummaryProperties.Comments = "joe#test.com";
doc.Save();
Of course, you need to first copy it to a temp location, and some time after the user downloads it you'll want to delete it.
You can bundle dsofile.dll with your application and register it as a dependancy and use it in your installer to read the property back out. Or if you can p/invoke the IPropertyStorage without it, then you won't have the dependancy.
The other thing to look into would be using the extended file properties that are read by the Shell32.dll. I just haven't been able to find a clean way to write them easily. If you go this route, please share how you wrote the properties to your .exe.
Have a look whether InPlaceHostingManager class can help you in this case. It won't probably do exactly what you have asked for. But may be able to help...
Any ClickOnce application based on an .exe file can be silently
installed and updated by a custom installer. A custom installer can
implement custom user experience during installation, including custom
dialog boxes for security and maintenance operations. To perform
installation operations, the custom installer uses the
InPlaceHostingManager class.
Walkthrough: Creating a Custom Installer for a ClickOnce Application
EDIT
I am not sure whether you could achieve what you want exactly in the way that you have described in the question. Check whether these threads help you.
Accessing Local and Remote Data in ClickOnce Applications
How to include custom data files in ClickOnce deployment?
How to: Retrieve Query String Information in an Online ClickOnce Application
How would you imagine to "rewrite" setup.exe at download? if instead of opening your application with the provided link (url) users are downloading the file locally directly from the network share, you can't intercept this.
I would try to play with permissions and have the users to execute it from the link provided to them, but unable to connect directly to the share or web address and download it. Not sure this is possible anyway.
You can try embedding that information as a resource into the exe.
Here's a c++ example of updating a resource of an exe. http://msdn.microsoft.com/en-us/library/ms648008(v=vs.85).aspx#_win32_Updating_Resources
You should combine approach by Charith and Josh - essentially, configure your web server so that you can generate a new setup based on URL parameters. Use custom installer to read from the referral information from resource for setup.exe. Check this link for how to manipulate resources for a native application in C# - you have to write to resource file while generating setup and need to read it from your custom installer.
Yet another way of generating custom setup would be to build your executable or helper assemblt from command line embedding the necessary information. And then build the setup from command line tools (see http://msdn.microsoft.com/en-us/library/xc3tc5xx.aspx). It appears to be quite cumbersome and will take long time to generate the custom setup as opposed to modifying the resource of already built setup.
A completely different approach would be to email the unique referral code (registration code) whenever user downloads the application. In the setup (or application), use custom installer to prompt user for this code. If the setup is invoked via URL then the code will be available from there and in such case Custom Installer need not ask for the code. The email that you send when user download the setup should inform user to preseve the code into some text file along with the setup file.