Anti-Tamper Enterprise

Without integrity verification, an attacker can patch the obfuscated binary and bypass all static protection. Anti-tamper injects a module initializer that verifies the assembly file has not been modified after the build. If the file has been patched, the process terminates immediately.

Usage

CLIMSBuildDefault
(enabled by default at Enterprise)(enabled by default at Enterprise)On
--no-anti-tamper<ObfuscateNoAntiTamper>true</ObfuscateNoAntiTamper>Disable

How It Works

  1. Build time: Demeanor injects a verification method and hooks it into the module initializer (runs before any of your code). The method body contains placeholder values.
  2. Post-write: After the PE file is serialized, Demeanor reads it back, computes a 128-bit hash over the entire file (with the hash region, PE checksum, and strong-name signature zeroed), and patches the placeholders with the actual hash and file offsets.
  3. Runtime: On first load, the module initializer reads the assembly file from disk, zeros the same regions, recomputes the hash, and compares. A mismatch means the file was modified — the process terminates via Environment.FailFast.

What Makes It Effective

  • License-keyed hash: The hash seed is derived from your license key. Without the correct key, a patched build produces different hash values — the verifier detects the mismatch even if the attacker knows the algorithm.
  • Renamed and encrypted: The injected verification type is renamed, its constants are encrypted, and its control flow is obfuscated — making it hard to locate and remove.
  • Interlock with license integrity: The post-obfuscation integrity check (VerifyLicenseIntegrity) detects if anti-tamper was bypassed at the tier gate level.
  • Compatible with strong-name signing: The hash excludes the strong-name signature region, so signing after hash computation doesn't break verification.

NativeAOT Compatibility

All injected code uses NativeAOT-safe APIs only:

  • Environment.ProcessPath for executables
  • AppContext.BaseDirectory + filename for DLLs
  • File.ReadAllBytes, Array.Clear, Environment.FailFast

No System.Reflection, no Assembly.GetExecutingAssembly(), no dynamic loading. In AOT deployments where the assembly file doesn't exist on disk, the check silently passes.

When to Disable

  • Post-build tooling: If another tool modifies the PE after Demeanor (other than strong-name signing), anti-tamper will detect the modification. Run such tools before obfuscation, or disable anti-tamper.
  • NativeAOT-only deployment: If your application is published exclusively as NativeAOT (no IL assemblies at runtime), anti-tamper has no effect. You can disable it to avoid the injected code.

Ready to protect your .NET code?

View Pricing All Options

[email protected] · wiseowlsoftware.com