Prevent external assembly injection via PublicKeyToken

Question

I\'m using the following code:

AppDomain.CurrentDomain.AssemblyLoad += (sender, args) =>
{
    var token = args.LoadedAssembly.GetName().GetPublicKeyToken         


        

Answer 1

It would also be safer if you generated the full keys at runtime (perhaps from multiple partial keys). This works around statically examining your binary for keys.

Answer 2

Just from first glance, I'm going to say "no, this won't be enough".

Reasons:

• CreateRemoteThread attacks are straight win32 calls, no managed code traces that would trip a detector like this

• I think it would be possible to create another AppDomain in the injected dll, thus bypassing this check altogether. Then one could execute code from that AppDomain, potentially (I'd have to think that through) calling back into the "main" AppDomain via AppDomain.DoCallback

• Process.Kill is a horrible way to drop your application, although it is a non-trappable way of doing so - that is, anyone attached wouldn't be able to prevent it (it uses Win32 TerminateProcess under the hood)

I'd have to bust out my "Injecterator" harness to test these statements, tho - if I can remember where the heck I put that code...

Regardless of any of these - you will absolutely want to obfuscate the hell out of this assembly, especially if you plan on storing sensitive bits inside (in fact, I'd argue against storing ANY sensitive information inside an assembly if you can help it) - your prevention method will absolutely NOT stop any disassemblers like Reflector, ILSpy, dotPeek, etc.