简体繁体 English

如何保护我的 .net 应用程序免受反编译器的攻击？

[英]How can i protect my .net application from decompilers?

原文 2016-04-28 08:33:40 0 4 c#/ .net/ decompiling

Okay so i have this C# application that connects to a database has the login and all that stuff but what if some guy just downloaded a decompiler saw my code got the connection string from my DB and did whatever he felt like?好的，所以我有这个连接到数据库的 C# 应用程序有登录名和所有这些东西，但是如果有人刚刚下载了一个反编译器，看到我的代码从我的数据库中获取了连接字符串，然后做任何他想做的事情怎么办？ How can i protect myself from that?我该如何保护自己免受这种伤害？ And even if i could protect my connection string how could i protect my acctual code?即使我可以保护我的连接字符串，我怎么能保护我的实际代码？

4 个解决方案

You should never store critical information in your assemblies, exactly for this reason.正是出于这个原因，您永远不应该在程序集中存储关键信息。 There are numerous ways to obfuscate the information but they only delay the inevitable.有很多方法可以混淆信息，但它们只会延迟不可避免的事情。

Remember: Security by obscurity is not safe记住：默默无闻的安全并不安全

Access the data on a server-side application and pass it to an authenticated client instead.访问服务器端应用程序上的数据并将其传递给经过身份验证的客户端。
Restrict the Database User Account to the minimal required rights (if you only need to read information - make sure it doesn't have write access, etc.)将数据库用户帐户限制为所需的最低权限（如果您只需要读取信息 - 确保它没有写入权限等）

but what if some guy just downloaded a decompiler saw my code got the connection string from my DB and did whatever he felt like?但是如果有人刚刚下载了一个反编译器，看到我的代码从我的数据库中获取了连接字符串，然后做任何他想做的事情怎么办？ How can i protect myself from that?我该如何保护自己免受这种伤害？

That's a shame, isn't it ?这是一种耻辱，不是吗？ There are only a few things you can do for that :您只能为此做几件事：

Use a VPS ($$) and store the login part of your code online.使用 VPS ($$) 并在线存储代码的登录部分。 You can, for that secificly, use LiteCode , and here is a tutorial : https://github.com/debug-hf/LiteCode-Example/为此，您可以使用LiteCode ，这是一个教程： https : //github.com/debug-hf/LiteCode-Example/
Use an obfuscator to avoid decompilers and hackers to look at your code.使用混淆器来避免反编译器和黑客查看您的代码。 The best so far is http://netguard.io .迄今为止最好的是http://netguard.io 。 It includes free plans and all the premium plans are fully secured.它包括免费计划，并且所有高级计划都是完全安全的。 All your strings are scrambled, melted, stored secretly in the file.您所有的字符串都被打乱、融化、秘密存储在文件中。 Famous deobfuscator, such a De4Dot cannot handle it even if it handles more or less every obfuscators on the market !大名鼎鼎的deobfuscator ，这样的De4Dot即使处理市场上几乎所有的混淆器也处理不了！

Hope it helps :) Cheers希望它有帮助:) 干杯

Connection strings can be encrypted in the config file连接字符串可以在配置文件中加密

Connection Strings and Configuration Files 连接字符串和配置文件

However, you cannot truly protect your code from people wishing to view what it does, you can only make it harder by obfuscation.但是，您无法真正保护您的代码免受希望查看其功能的人的影响，您只能通过混淆来使其更难。

I would add that a proper security model could restrict access to both the physical files, and the database 'data', but that does depend on your deployment model.我想补充一点，适当的安全模型可以限制对物理文件和数据库“数据”的访问，但这取决于您的部署模型。

您应该将连接字符串存储在 app.config 或 web.config 文件中。