stackoom
  简体   繁体   中英

Should I worry about my software being decompiled?

 原文  2015-10-17 05:20:39       c#/ c++/ command-line-interface/ decompiler

Question

I'm trying to create a piece of software that allows the user to login and stream a byte[] of a dll to be used for injection. For example

public static byte[] getDLL()
{
    using (WebClient wc = new WebClient())
    {
        Uri url = new Uri("http://mysite/dll.dll");
        return wc.DownloadData(url);
    }
}

I successfully managed to make this in C# using visual studio. However you can easily decompile the program and make it create the dll at a specific location on your computer therefore leaking it. And there's pretty much no way that I can prevent this.

Would I be better of using a language that's harder to decompile like say C++ or C for example or am I just going to run into the same problem what ever language I use? And is it really worth the effort.

2 answers

solution1
 2  2015-10-17 06:14:12

You can't prevent decompiling anything, neither C# nor C++ or anything else.
Languages like C++ require more manual work compared to eg. C#, and obfuscators can make it harder to understand the code, but everything just slows down the one doing it, instead of preventing it.
(And stuff like DLLs and encryption won't help at all for securing the code)

If it is a problem that some user of the program can see the full code, you're doing something wrong. Any secret like passwords etc. don't belong in files the user gets, but on some server controlled by you and only reachable for the user through network connections etc.

solution2
 -2 ACCPTED  2015-10-17 05:43:55

I'm not very clear about the first paragraph of your question.But here is some idea for you.

Simply De-compiling is not an issue, if outsiders cant use generated code to hijack your assembly.

As my understanding there are plenty of tools to "reasonable de-compile" or browse the .NET assemblies content. If you use C++ or C, there are de-compilers, The source code are generated by them are not accurate and need lot of manual works.

Secondly if you used native language such as C or C++ those has plenty of vulnerabilities. you have to use all the good practices to avoid injecting kind of issues. https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637

There are tools for avoid de-compilation. you can google Obfuscator . some famous are Dotfuscator, Secure Team.

And also you can think about the project architecture changes. such as including DLL code in to the main EXE etc...

Also you can use key generation mechanism to verify the DLL. Just after loading the DLL exe call common function in the DLL and get the one time key and verify.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Should I worry about bit order? What does x:FieldModifier=“Private” do and should I worry about it? Should I worry about losing precision with this DateTime math? Should I worry about reigning in namespace number/length/scope? Should I worry about opening and closing too many connections in asp.net using ado.net? log4net: Creating a logger dynamically, should I worry about anything? Do I need to worry about an object being thread safe if it has no static fields? Memory management - should I worry about resizing a temporary array of long-lived objects within a state machine? Is there anything I should worry about when using nullable types in .Net 2.0? Should I worry about "This async method lacks 'await' operators and will run synchronously" warning
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM