Selectively disallowing PInvoke


Nandakumar Sankaran

Hi, I'm wondering if there is a way in a Windows CE.Net environment to
selectively permit managed applications to call into native DLLs (through
PInvoke). In other words, I want to allow certain applications to be able to
call into native DLLs and disallow other apps from doing the same.

Thanks for any suggestions.
Nandakumar
 
Hi Nandakumar,

I assume you want this control from the managed side of the code. Can you
get enough control by using namespaces combined with internal? I do
something similar in a graphics engine by doing the following...

using System;
using System.Runtime.InteropServices;

namespace GXGraphicsLibrary
{
    // This is only available internal to GXGraphicsLibrary
    internal class GAPI
    {
        [DllImport("gx.dll", EntryPoint="#1")]
        extern public static IntPtr GxBeginDraw();
    }

    // This is visible to anyone accessing GXGraphicsLibrary
    public class Windows
    {
        [DllImport("coredll.dll")]
        extern public static IntPtr GetCapture();
    }
}

You should also be able to control each P/Invoke individually using internal
where I have the declarations as public, though I have not tried this...

using System;
using System.Runtime.InteropServices;

namespace GXGraphicsLibrary
{
    public class Imports
    {
        // This is only available internal to GXGraphicsLibrary
        [DllImport("gx.dll", EntryPoint="#1")]
        extern internal static IntPtr GxBeginDraw();

        // This is visible to anyone accessing GXGraphicsLibrary
        [DllImport("coredll.dll")]
        extern public static IntPtr GetCapture();
    }
}

--
Geoff Schwab
Program Manager
Excell Data Corporation
http://msdn.com/mobility
http://msdn.microsoft.com/mobility/prodtechinfo/devtools/netcf/FAQ/default.aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Geoff,

Thanks for your response. My intention is different. Let us say I want to
protect the CreateProcess() API. I want to permit certain managed
applications to succeed in calling this native API and disallow other
managed applications from calling this API, i.e. the call will fail when
called through these applications. Is there a way to achieve this effect
either through the compact framework or through some platform-level
configuration? My platform is based on CE.Net 4.2.

Thanks for any further ideas.
Nandakumar


 
Hi Nandakumar,

There is no way to do it that is inherent within the .NET Compact Framework.
I cannot think of anything to suggest that would allow this.

--
Geoff Schwab
Program Manager
Excell Data Corporation
http://msdn.com/mobility
http://msdn.microsoft.com/mobility/prodtechinfo/devtools/netcf/FAQ/default.aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I was hoping to disallow PInvoke through a code access security policy but
it appears that the first version of the .NET CF does not implement any
security policies. Code is always trusted in the managed environment.
Does anybody know when the next version of .NET CF with security policies will
be available?

Nandakumar


 
We plan to enable the code access security feature in the next release of
NetCF.

- Roman
This posting is provided "AS IS" with no warranties, and confers no rights.
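
Added example, not part of the original thread and not code from any of its participants: the kind of code access security check discussed above, shown on the desktop .NET Framework, where a P/Invoke call demands SecurityPermission with the UnmanagedCode flag. It assumes the desktop .NET Framework on Windows rather than the Compact Framework; kernel32.dll's GetCurrentProcessId and the class and method names are stand-ins chosen for the illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;

// Added illustration for the desktop .NET Framework (assumption: not NETCF).
static class NativeMethods
{
    // Harmless stand-in for a sensitive native API such as CreateProcess.
    [DllImport("kernel32.dll")]
    internal static extern uint GetCurrentProcessId();
}

static class PInvokeCasDemo
{
    // Returns true if the P/Invoke call is refused once the call stack is
    // restricted to a permission set that lacks UnmanagedCode.
    static bool IsPInvokeBlockedWithoutUnmanagedCode()
    {
        // Allow plain managed execution only; UnmanagedCode is not included.
        new SecurityPermission(SecurityPermissionFlag.Execution).PermitOnly();
        try
        {
            // The interop call demands SecurityPermission(UnmanagedCode);
            // the stack walk reaches this frame's PermitOnly and fails.
            NativeMethods.GetCurrentProcessId();
            return false;
        }
        catch (SecurityException)
        {
            return true;
        }
        finally
        {
            // Remove the restriction so later calls in this frame are unaffected.
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void Main()
    {
        // Fully trusted caller: the demand succeeds and the call goes through.
        Console.WriteLine("Unrestricted call, pid = " + NativeMethods.GetCurrentProcessId());
        Console.WriteLine("Blocked without UnmanagedCode: " + IsPInvokeBlockedWithoutUnmanagedCode());
    }
}
```

Per-application control of the kind asked about in the thread corresponds to granting or withholding this same permission for an assembly in security policy, rather than restricting it in code as done here.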


