有关保护DLL代码的任何提示?
[英]Any tips about securing DLL code?
问题描述
I would like to know some tips how to secure DLL (Win32, dynamic) file from injecting and how to increase security of compiled code. 
我想知道如何从注入中保护DLL(Win32,动态)文件以及如何提高编译代码的安全性的一些技巧。
- There's a SQL password in DDL source code which is used to connect to MySQL. DDL源代码中有一个SQL密码,用于连接MySQL。 Is it secure enough to leave it? 是否足够安全离开它?
- Is there any way how to prevent 'users' modifying HEX code? 有没有办法阻止'用户'修改HEX代码? I mean to secure more from source code. 我的意思是从源代码中获得更多。
- Which options in project properties would be optimal for optimizing and maybe securing DLL? 项目属性中的哪些选项最适合优化并可能保护DLL?
Im using MVSC++ 2010 Express and source code to users won't be available. 我使用MVSC ++ 2010 Express并向用户提供源代码将无法使用。
2 个解决方案
解决方案1
3 已采纳 2012-08-25 08:01:48
In order for the DLL to be usable it needs to be readable. 为了使DLL可用,它需要是可读的。 That means that if you encrypt your file you also need do decrypt it before using it. 这意味着如果您加密文件,您还需要在使用之前对其进行解密。 Also, you can sign your DLL so that you know it has not been modified, but still that doesn't hide the symbols in the file itself. 此外,您可以对您的DLL进行签名,以便您知道它尚未被修改,但仍然不会隐藏文件本身中的符号。 Another approach would be to obfuscate the code so that it is harder for users to understand but the OS can still easily execute it - think of that as a weak form of encryption. 另一种方法是对代码进行模糊处理,以便用户更难理解,但操作系统仍然可以轻松地执行它 - 将其视为一种弱形式的加密。
Specific answers: 具体答案:
If you have a password in any binary file then it is not secure.
如果您在任何二进制文件中有密码,那么它就不安全。 It is a simple matter of looking through the strings of the binary file to find it. 通过查看二进制文件的字符串来查找它是一件简单的事情。 Users can always modify the file, but the file can be signed using some cryptographic scheme which ensures that you will know if it has been tampered with.
用户可以随时修改文件,但可以使用某种加密方案对文件进行签名,以确保您知道文件是否已被篡改。 I don't use that particular tool but I'm sure that it will not provide you with any real security.
我不使用该特定工具,但我确信它不会为您提供任何真正的安全性。
Tip : Instead of having an SQL DB password in your source code you could instead make it send commands to a server which would authenticate and process them. 提示 :您可以将源代码发送到服务器进行身份验证和处理,而不是在源代码中使用SQL DB密码。 That way you don't need an explicit password in your file. 这样,您的文件中就不需要显式密码。
解决方案2
1 2012-08-25 08:13:17
Any and every literal string in your DLL is readable unless you encrypt the entire file. 除非加密整个文件,否则DLL中的任何文字字符串都是可读的。 Do NOT store passwords as literal strings in your dll. 不要将密码存储为dll中的文字字符串。 Period. 期。 Also, you have to remember that assembly code is just data, and if the file is writable, anyone with an Intel reference sheet and a hex editor, or a disassembler and a an assembler can change it if they have access to the file. 此外,您必须记住汇编代码只是数据,如果文件是可写的,任何拥有英特尔参考表和十六进制编辑器,反汇编程序和汇编程序的人都可以在有权访问该文件时进行更改。 You can always obfuscate your source, which will make the assembly slightly less readable, but still completely modifiable. 您可以随时对源进行模糊处理,这会使程序集的可读性略低,但仍可完全修改。
In short, nothing you do will completly secure your DLL. 简而言之,您所做的任何事情都不会完全保护您的DLL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.