Post Build Assembly Modification Or: Why Won't SN -Vr Work on Tampered Assemblies

A while back I wrote about delay signing an assembly, and using SN -Vr to register that assembly to have its signature verification skipped.  However, some people have noticed that SN -Vr doesn't work if you fully sign an assembly and then tamper with it.

Usually this occurs when someone wants to set a file version, flip a bit in the PE header, or modify a resource post-compile time.  The first solution many people try is to find a tool that suitably hacks the PE file, modify the compiled (and fully signed) image, and then register it on the skip verification list.

This won't work, since skip verification was never intended as a general purpose mechanism to allow assemblies with invalid signatures to load.  Instead, it was intended for the very specific purpose of enabling the delay-sign scenario.

In order to enable post-build modifications, you need to either:

1.  Delay sign your assembly, hack the PE image, and then perform the final signing; or
2. Sign your assembly, hack the PE image, and the use SN -R to resign the assembly