Compiling Multiple Projects Without a Solution

I've posted a new article on Code Project. It is titled Compiling Multiple Projects Without a Solution. The article shows how to compile a multi-project application without using solution files (yes, it includes source code).

The code creates a MSBuild project file that will allow MSBuild to compile a list of VB.Net or C# projects in the correct order. The list can be loaded based on a root directory that contains .vbproj and/or .csproj files or a text file that can contain a combination of directories, project files, and/or other text files.

Securing Text Data

Perhaps it's just me, but trying to figure out how to secure text data is confusing. Based on all of the articles available, if you are creating an application that uses passwords or other sensitive information, you should use a SecureString, that much is clear. However, a SecureString isn't very useful since it is encrypted (you can't compare a SecureString against a database value, pass it to your credit card processing, etc).

After many hours of research, I was able to find a single example of how to secure text in an MSDN article (of course, it's only mentioned in passing). How to encrypt and decrypt a file by using Visual Basic .NET or Visual Basic 2005 contains a reference to the ZeroMemory API that allows you to clear a string from memory and GCHandle to make sure you don't end up with a bunch of copies of the string.

The following code will create a string, pin it in memory using GCHandle (to make sure it doesn't get moved or have multiple copies made), then destroy the contents of the string so that it can't be held in memory.

    Sub Main()
        Dim str As String = "HI"
        Dim gh As GCHandle = GCHandle.Alloc(str)
        Console.WriteLine(str)
        ZeroMemory(str, str.Length * 2)
        gh.Free()
        Console.WriteLine(str)
    End Sub

    Private Declare Sub ZeroMemory Lib "kernel32.dll" _
            Alias "RtlZeroMemory" _
            (ByVal Destination As String, _
             ByVal Length As Integer)

The idea behind this is to leave the text in memory for a very short period of time to make it very difficult for a hacker to get. The sensitive text can be stored in a SecureString until you are ready to use it.

Before I found the ZeroMemory solution, I had written another one that I'm going to post here just because it seems interesting. Basically, I use reflection to call a method on System.String that is intended to be used by StringBuilder that will replace a char without making a copy of the string (typically Strings are immutable, any changes to it result in a copy of the string).

    Public Shared Sub DestroyString(ByVal str As String)
        Dim mi As MethodInfo
        mi = GetType(String).GetMethod( _
                "ReplaceCharInPlace", _
                BindingFlags.NonPublic _
                    Or BindingFlags.Instance)

        For i As Integer = 0 To str.Length - 1
            Dim ch As Char = str(i)
            Dim args() As Object
            args = New Object() {ch, ChrW(0), i, 1, 0}
            mi.Invoke(str, args)
        Next
    End Sub

I am currently working on another article for Code Project on securing text data, complete with a PasswordBox WinForm control, SecurePassword class, and more. Once it is available, I will post a link to it here.

Event-Based Asynchronous WebRequest

I've created my first Code Project article! I was looking for a place to upload some code so I could share it from my blog, but the only place that I could find was Code Project, of course that meant that I had to write an article too.

If you are interested in reading about using the WebRequest/WebResponse classes (including processing of the response stream) or implementing the Event-Based Asynchronous Pattern (the pattern used by the BackgroundWorker component), you can read my article at Event-Based Asynchronous WebRequest.

The article includes a project that contains a BackgroundWebRequest component that can be used to perform asynchronous web requests from a WinForm application.