Hawkeye - I can see your SecureStrings!
October 25, 2006 7:07 pm | Tools
The latest version of Hawkeye (1.2.0) has a new extension that allows you to see SecureStrings inside .NET applications.
Whether that SecureString holds a password, a credit card account or some other piece of data, you cannot consider it secure anymore.
This is a cool feature for people who develop secure software and want a simple way to see the contents of a SecureString without having to tamper with the code.
Another cool feature that comes with Hawkeye 1.2.0 is the injection of new IPrincipal objects into a thread, which makes all role-based security using the SecurityRoleAttribute useless. So if your application uses this type of attribute to check the roles of the current user, you can rest assured that this can now be bypassed without tampering with the code.
However, all this new functionality is not free anymore.
Hawkeye is, and will remain, free and will run with no restrictions, allowing you to do all the cool things you used to do before. However, the SecureString module and the thread principal injection will require a licence to be enabled.
The price of a Hawkeye licence that enables the SecureString display and the thread principal injection is $80. For a limited time licences will be 50% off, that’s only $40.
ALL the money resulting from purchases of Hawkeye licences will be donated at the end of each month to a charity, a non-profit organization or another cause worth the money.
For this month (November 2006) all the money will be donated to Movember: http://www.movember.com.au/au/whatismov/ .
I don’t plan to earn a living, nor lunch money, but I want to think that asking for a small fee will keep the script-kiddies away while also supporting a good cause with the money paid by you. Thank you for your support.
If you want to buy a Hawkeye Professional licence please click on the BuyNow button to pay via PayPal.
I will try to write a post at the end of each month with the names (or maybe just the initials) of the people who donated the money and the destination of the money for the active and the next month.
As always, you can download Hawkeye 1.2.0 - Professional (I can see your SecureString) from Darren Niemke’s ProjectDistributor.net.
If you buy a licence, as soon as PayPal notifies me I will send you a licence file by email that you have to save in the same folder as Hawkeye to enable the SecureString and thread principal injection functionality.
The non-licensed version of Hawkeye will also show you the values inside SecureStrings, but only if the name of the property/field starts with “demosecure”. To see this in action, run the attached demo application and play with it.