disable reflection thru .NET reflector

On Jun 8, 5:09 pm, m_gell <m_g...@discussions.microsoft.comwrote:

Hi, anyone know how to disable reflection on sensitive code?

Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.

I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.

Well, there are two things here:
1) Reflection in code
2) Decompilation in tools like Reflector

You can't really prevent either of them. Obfuscation will make it
harder to find stuff, but that's about it.

If you've got any hard coded sensitive data in your application,
that's a security flaw, basically.

See http://pobox.com/~skeet/csharp/obfuscation.html for more info.

Jon

Even if your assembly is obfuscated, anyone who is so inclined can run ILDASM
on it and get all the CIL sourcecode and find your "thing" with no difficulty.
If you need to keep a secret key, keep it out of the code.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net


"m_gell" wrote:

Hi, anyone know how to disable reflection on sensitive code?

Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.

I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.

Any advice/answer greatly appreciated.

Thanks

Where do you recommend keeping the secret key?

"Peter Bromberg [C# MVP]" wrote:

Even if your assembly is obfuscated, anyone who is so inclined can run ILDASM
on it and get all the CIL sourcecode and find your "thing" with no difficulty.
If you need to keep a secret key, keep it out of the code.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net


"m_gell" wrote:

Hi, anyone know how to disable reflection on sensitive code?

Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.

I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.

Any advice/answer greatly appreciated.

Thanks

When using CE of dotfuscator when I reference the obfuscated dll I can not
build my project as it does not recognize the former classes in the
namespace. Anyone know what I'm missing?

"Jon Skeet [C# MVP]" wrote:

On Jun 8, 5:09 pm, m_gell <m_g...@discussions.microsoft.comwrote:

Hi, anyone know how to disable reflection on sensitive code?

Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.

I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.

Well, there are two things here:
1) Reflection in code
2) Decompilation in tools like Reflector

You can't really prevent either of them. Obfuscation will make it
harder to find stuff, but that's about it.

If you've got any hard coded sensitive data in your application,
that's a security flaw, basically.

See http://pobox.com/~skeet/csharp/obfuscation.html for more info.

Jon

m_gell <mg***@discussions.microsoft.comwrote:

When using CE of dotfuscator when I reference the obfuscated dll I can not
build my project as it does not recognize the former classes in the
namespace. Anyone know what I'm missing?

Have you got it set to obfuscate public classes? Or are you referencing
internal classes with InternalsVisibleTo?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

I have the disable renaming property set to No which then I cannot reference
the classes in the namespace. When set to yes I can. I'm not referencing
any classes w/ InternalsVisibleTo and I'm not sure if I have it set to
obfuscate public classes. ??? Thoughts

"Jon Skeet [C# MVP]" wrote:

m_gell <mg***@discussions.microsoft.comwrote:

When using CE of dotfuscator when I reference the obfuscated dll I can not
build my project as it does not recognize the former classes in the
namespace. Anyone know what I'm missing?

Have you got it set to obfuscate public classes? Or are you referencing
internal classes with InternalsVisibleTo?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

m_gell <mg***@discussions.microsoft.comwrote:

I have the disable renaming property set to No which then I cannot reference
the classes in the namespace. When set to yes I can. I'm not referencing
any classes w/ InternalsVisibleTo and I'm not sure if I have it set to
obfuscate public classes. ??? Thoughts

Well, there are a few double negatives in there so I'm not sure what
you're doing, but if you've got something that works, why not just use
that?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

It does not fulfill what I want.

I can reference classes in the obfuscated dll with disable renaming=Yes
(which means enable renaming=no)but then the method names are not obfuscated
and the hardcoded key is visible in the constructor method when viewed thru
reflector.

As disable renaming = no (which means enable renaming=yes), then finding the
keyword is near impossible...doesn't show up w/ reflector, but then I cannot
reference any classes from the obfuscated dll in another assembly which is
what I need.

Bottomline, if I enable renaming to obfuscate the dll w/ the keyword, I
cannot use the dll. So do you know how to obfuscate w/ renaming yet still
reference the dll, or certain classes within the dll.

"Jon Skeet [C# MVP]" wrote:

m_gell <mg***@discussions.microsoft.comwrote:

I have the disable renaming property set to No which then I cannot reference
the classes in the namespace. When set to yes I can. I'm not referencing
any classes w/ InternalsVisibleTo and I'm not sure if I have it set to
obfuscate public classes. ??? Thoughts

Well, there are a few double negatives in there so I'm not sure what
you're doing, but if you've got something that works, why not just use
that?

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

m_gell <mg***@discussions.microsoft.comwrote:

It does not fulfill what I want.

I can reference classes in the obfuscated dll with disable renaming=Yes
(which means enable renaming=no)but then the method names are not obfuscated
and the hardcoded key is visible in the constructor method when viewed thru
reflector.

As disable renaming = no (which means enable renaming=yes), then finding the
keyword is near impossible...doesn't show up w/ reflector, but then I cannot
reference any classes from the obfuscated dll in another assembly which is
what I need.

Bottomline, if I enable renaming to obfuscate the dll w/ the keyword, I
cannot use the dll. So do you know how to obfuscate w/ renaming yet still
reference the dll, or certain classes within the dll.

The bottom line is going to be that however you rename methods and
types, that hardcoded string is still going to be in there. The
solution is not to have the hard coded string in there in the first
place.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

I did find the string in the obfuscated dll.

// Methods
public m(IProcessDto A_0) : this(A_0, new DestinationHistoryPersister(),
new DestinationDeterminerRepository(), new l())
{
if (Assembly.GetCallingAssembly().FullName != "mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
{
throw new Exception("Must instantiate on server!");
}
}

The obfuscated dll would still be sufficient for my purposes as security is
not of paramount concern. I would however like to know how to reference an
obfuscated dll w/ rename enabled or a different way to do this. Anyone have
any ideas? Any one ever referenced an obfuscated dll within VS and gotten it
to work? If so how. I notice if you obfuscate a specific exe that you can
still execute the exe fine. But you can not obfuscate a dll that the exe
uses or it will error. Again, you also cannot reference a obfuscated dll
from Visual Studio and see the obfuscated dll's types. Anyone know a
workaround?

"Jon Skeet [C# MVP]" wrote:

m_gell <mg***@discussions.microsoft.comwrote:

It does not fulfill what I want.

I can reference classes in the obfuscated dll with disable renaming=Yes
(which means enable renaming=no)but then the method names are not obfuscated
and the hardcoded key is visible in the constructor method when viewed thru
reflector.

As disable renaming = no (which means enable renaming=yes), then finding the
keyword is near impossible...doesn't show up w/ reflector, but then I cannot
reference any classes from the obfuscated dll in another assembly which is
what I need.

Bottomline, if I enable renaming to obfuscate the dll w/ the keyword, I
cannot use the dll. So do you know how to obfuscate w/ renaming yet still
reference the dll, or certain classes within the dll.

The bottom line is going to be that however you rename methods and
types, that hardcoded string is still going to be in there. The
solution is not to have the hard coded string in there in the first
place.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

m_gell wrote:

Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.

I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.

Obfuscating will not work for this.

http://www.remotesoft.com/salamander/protector.html

claims to be more efficient.

But I would see if there were different approaches that could
remove the requirement for protecting against decompiling.

Arne

It depends on what the business logic is, you really haven't provided
sufficient information other than that you want to store some "secret" key in
your assembly.
There are all kinds of encryption methods, you have symmetric and
asymmetric. Once we have a better idea of what the business logic scenario
and the programmatic goal are, you can get some excellent recommendations.

Peter
--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net


"m_gell" wrote:

Where do you recommend keeping the secret key?

"Peter Bromberg [C# MVP]" wrote:

Even if your assembly is obfuscated, anyone who is so inclined can run ILDASM
on it and get all the CIL sourcecode and find your "thing" with no difficulty.
If you need to keep a secret key, keep it out of the code.
Peter

--
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short urls & more: http://ittyurl.net


"m_gell" wrote:

Hi, anyone know how to disable reflection on sensitive code?
>
Here is specifically what I'm trying to do. I have one method in a class
within an assembly I'm trying to prevent using reflection to see the code.
The code contains a hardcoded key word that I do not want to be seen in any
way.
>
I've tried using ReflectionPermissionAttribute but don't know if this will
do what I want.
>
Any advice/answer greatly appreciated.
>
Thanks