It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
If so, how can i protect my code from being decompiled?
Or from being reflected? If actually the two are very different from each other.
Tools like Dotfuscator for the .Net framework, do they help your code from being decompiled? Does that mean that i can still reflect on it and see it's contents??
You can't ever stop either. You can make it so that decompiling the program returns incomprehensible and confusing code, but it still will be valid code that results in a program that functions identically to yours. Making subtle changes will be harder, but not impossible. Doing that is called obfuscation, which is what those tools are.
Obfuscators go around doing things like changing all variable names to meaningless alphanumeric values, performing all sorts of code refactors that don't change how the code works, but just are things that do the same thing in a different way (and is somehow harder for humans to understand, but not computers). They can also add in code that doesn't do anything, just to confuse people, etc. Different obfuscators will do all sorts of different things, and they can have some differences such as, whether or not they accidentally introduce bugs, what their effect is on the size of the compiled program, and how close the compiled program is from the original source (which, granted, is somewhat subjective).
It has the same effect on reflection, although reflecting and decompiling are completely different.
First, let's go over the difference between the two terms.
Reflection provides the ability to discover type information within an assembly at runtime. This is part of the framework, and makes possible features such as code completion in the IDE, references between assemblies, etc. It's also used in frameworks, such as ASP.NET (you can basically refer to classes, or web controls, in markup and instances will be dynamically created at runtime using reflection). This is also used in serialization, which is the core of web services, WCF, the web part framework, session state, AJAX, and more.
Decompiling is a term for converting machine code to a higher-level, human readable code. The .NET framework uses an intermediary language (IL) which is a machine-agnostic low level language somewhat similar to assembly, minus CPU specific things like registers. The runtime itself is what actually takes this IL and compiles it to the code that's actually specific to the local machine through a process called JIT'ing. Obviously, your code has to be in IL for the runtime to understand it (though there are processes to pre-compile or pre-JIT IL code).
There is no overlap between the two. Reflection only uses the metadata stored in the assembly's manifest, it does not look at the actual IL code the compiler generated. You'd never be able to use reflection to infer how a method was actually implemented
With that said, there are various tools to obfuscate IL code, making it harder to understand. One popular one tool Dotfuscator.
Related
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I have been advised to refrain usage of Reflection. I really wanted to know, is it because Reflection is expensive? If not what is the reason to avoid using it?
My current and future projects might as well need to access any given class - members information. As I some times need to list fields & Properties - values or declaration name.
So What I would like to know, is:
How does Reflection work? How does it get to the information? (a short explanation will do)
And why it's not so recommended to use the reflection in application? If you do need to get required information being a field or properties values OR names, could you do it not by using System.Reflection?
Some background.
The usage in my current project(for example), is to list out a specific sql server table-columns names, or SQL - tables names .
I could think of other ways to have it returned as a List<strings>.
If I really knew why or how "bad" it is, to use reflection,
..I could then make a decision, if I really want to avoid it, as I might find an alternative approach (in this specific scenario).
Either by accessing database (not preferable) any time I need (say) list of tables names or I could do it once (access the data ), then store it in a text file or xml, if I really must avoid reflection.
I know of some even more elegant one, too. That's not the issue though. (again this is only an example as there could be many other use cases, you probably know that. )
update
this Question was closed please help reopen it , and vote 'reopen' below
thanks .
A CLR assembly (executable or dynamic link library) typically contains metadata about its structure, which means information about the types, the structures, the methods, the fields, their names and a bunch of other information that, in "traditional" languages, were usually lost and replaced by offsets and size information only.
Reflection is a powerful tool and some (usually advanced) things can only be achieved using reflection. However, it also raises concerns about security and encapsulation, because you start relying on the implementations of the parts of your program (or other programs), while you should generally avoid those and just trust the interface those parts give. Another concern is performance, because to access all this kind of (ultimately textual) information, the program is slowed down, in contrast to using the non-reflective approaches (which usually still use offset and size information). For instance, you could re-implement polymorphism using reflection and bypass the virtual method table. But the latter is many times faster than the former.
Use reflection if you have to, but don't use it if you don't have to. It's one of those tools that are very powerful and people advise against using them, but you may use them if you really know what you're doing. That being said, please keep in mind that using reflection techniques in a wrong manner does not only raise the above issues, but tends to make your code significantly harder to maintain as well.
If it were as simple as "never use reflection", we wouldn't have reflection at all.
Reflection is slow, and as such, you have to be judicious in its use. Often times there are better solutions (both in terms of design and performance) that use interfaces, delegates, etc to accomplish your goals (dependency injection and dynamic types come to mind).
Try to figure out how to solve your problem using object oriented design without reflection. If you truly need to use reflection, consider how its performance will impact your application, and design accordingly.
Reflection works by parsing class type information. Use it sparingly as its computationally expensive.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I cant even begin to understand how they work, its a very broad question i guess. How is it possible that one could take a language such as C# which is compiled to IL for the CLR, then further JIT compiled into machine code at run time, and write an Interpreter or REPL for it as implemented in the mono project. How did they get that right?
What is the issue? Machine code is just some data (laying in virtual memory pages which are executable). You can produce that data, then, since it is also code, run it.
You can produce machine code in memory in various ways. For example, you could use LLVM or libjit or many other libraries (or even make your own).
Some implementations of some langauges (I was thinking of the SBCL implementation of Common Lisp) are even able to translate to machine code every line you are interactively typing. And this is not new, some 1957 computers did it (e.g. the French CAB500 for PAF).
You can even generate some source code (e.g. in C), fork a compilation process, then dynamically load that code, e.g. with dlopen(3). Current compilers and processors are fast enough to make that compatible with delays for user-friendly interaction. My MELT domain specific language (to extend GCC) does that successfully.
AS commented by millimoose, Mono is free software, so you can study its code.
The equivalence of code and data is a fundamental property of computers. Likewise the equivalence of numbers and demonstrations in a fundamental insight of Gödel and Turing (and when you hear your favorite MP3 music, you use that too).
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I have intellectual-property coded into .net 2.0 fully-trusted assemblies (.exe + DLLs) on an end-user machine, which I would like to protect from being hacked / reverse-engineered (WebService / Cloud-Computing solutions are not an option). Below is a list of techniques I gathered in order to reach this goal.
My questions are:
Are my assumptions correct, or am I doing something wrong in one or more of the techniques?
Will this list be sufficient in order to prevent a malicious attack, or are there other protections I should add?
Thanks in advance.
--
Suggested Techniques
Sign all assemblies with the same strong-name key.This has two benefits:
A. Make sure any modification to an assembly will render it useless,
B. All assemblies will have the same public key, by which they can identify each other.
Digitally sign the assemblies: Both let the users know that the executed code came from the correct source, and – add another identification component by which assemblies could identify each other.
Enforce the above by crawling up the call-stack and verifying that all callers are inside the “community”.Possible leads:
Hallgrim’s idea in this S.O. thread.
Daniel Brückner‘s addition in this S.O. thread.
This .Net Security Blog Post, which combines both solutions.
Use AOP (e.g. Spring.NET) to inject the call-stack crawling code into some/all methods.
This is mainly done because there’s no single entry point (like DllMain() for Win32 DLLs) in a .net assembly.
Obfuscate all assemblies in order to hamper reverse-engineering and reflection-execution attempts (strong name signing will be performed after obfuscation, of course).
Integrate a System.ComponentModel.LicenseProvider mechanism.
Make use of the “InternalsVisibleTo” assembly-level attribute in order to expose internals among a pre-defined set of assemblies.
Possibly use NGEN in order to convert the solution to native code.
Points to Consider
Implementing part or all of the above will most-likely introduce a performance penalty, so time-critical processing, for example, should be handled with care.
CAS seems to be irrelevant for this type of fully-trusted assemblies.
I'm afraid you won't get all the security you want. You see, this is a problem with these languages/platforms that use an itermediate language. It must be in a format that all of the runtimes implementations can consume and then produce the native code.
I've seen some blog posts about tampering signed assemblies. I haven't tried yet, but I think it works. Besides that, the obfuscation tools will just make it harder, but not impossible to extract code (altough there are some pretty good tools that make it very hard). And NGEN is not for that. You still have do distribute the original assemblies.
I think that the most efective and secure way of protect your code, is to move it to a technology that you can't decompile, for example, move your sensitive code to unmanaged C++ and use DLLImport on your C# code.
It doesn't mean that you shouldn't try to protect your code, but you should have in mind that you won't be 100% protected. If you can't afford to rewrite your sensitive code in another language, go with obfuscation and signing. You can't get much more secure than that.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I know this project.The question is that "Can we create a real OS with Managed Code or the os that will create with this project is a hello world os?"
Operating Systems need to have full control on hardware.Can we do it with this one?
If there are any another project please tell me
Cosmos Project
Yes it can be done - see Singularity which is (was) a Microsoft research project to create an entirely managed operating system in "Sing#" (an extended version of "Spec#" which is itself an extension of C#). Its worth stressing that this was just a research project into the concept, and was never intended as a "full" operating system of the likes of Windows or Max OSX.
The source code is available on CodePlex - you can download the code, build it and run it yourself in an emulator (I've done it myself, its well documented and relativley easy although I can't remember the exact steps myself).
Parts of the system were written in assembly / C, specifically the bootloader and the lowest level x86 interupt dispatch code however this is essentially all but unavoidable (it is by its very nature very platform dependant - something needs to write the x86 instructions to control and respond to basic hardware). The low level interrupts are also not particularly interesting in terms of how the operating system actually functions, so I personally don't consider this as cheating the "entirely managed" definition.
Looking on the Wikipedia page for Singularity there are also 5-6 similar projects, including Cosmos and a couple of similar attempts that use Java instead of C#.
The focus of Singularity OS was on security and dependency, however whats also impressive is that according to some basic benchmarks in An Overview of the Singularity Project1 (PDF) the performance of their archetecture was actually comparable to that of other "more conventional" operating systems:
... these numbers demonstrate that architecture that we
proposed not only does not incur a performance penalty, but is often as fast as or faster than more
conventional architecture. In other words, it is a practical basis on which to build a system.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I want to implement another debugger (language) for .NET (it's just for academic reason, so that it can implement just a part of a language). I myself like to implement NS2 (network Simlator 2) script for .NET in which anybody can write ns2 script and debug it with .NET
I read this article in stackoverflow and it is far from what I'm looking for.
Here is the requirement
have some predefined keywords (e.g: for, while, if ...)
check the correct form of the statements (e.g: for(start;end;counter){commands} ...)
diffferent colour for different types of statements
ability to add to any IDE (e.g: implementatin like add-in or as a dll or ...(I have no idea))
many other thing that is not necessary for now
How can I do this?
Update : I'm not sure that you got my point, take a look at this, it is very close to what I am looking for.
It will not be an easy task. However: The Dragon Book is probably a good place to start (assuming you've got sufficient computer science background for a compiler theory book to make much sense to you). Compiler Construction: Principles and Practice is also a good text.
You'll want to compile to CIL (common intermediary language). This handy wiki article outlines the CIL instruction set. Debugging your intermediate code against the CLR... well, that's where the StackOverflow article you've linked will come in handy =)
That'll cover your first two bullets (and consume a big chunk of your life).
The next two are different issues, but the easiest way to 'make it go' would probably be to define a syntax for an existing text editor, and set up a macro in the program to call your compiler. I'd recommend TextPad, though I'm sure opinions on a configurable general-purpose text editor will vary among the community ;)
Designing a full IDE with all of the features you've come to know and love in your environment could be quite a task ... or you could try to build an eclipse plugin. Personally (assuming you can design your language and learn something from it), I'd just stick with syntax highlighting in TextPad.
There is more and more interest in this area and in fact there is an active project by Microsoft Research that is looking at this on building a common infrastructure to build compiler (and debugger) for custom languages targetting .NET
http://cciast.codeplex.com/
I have used the infrastructure myself but not an expert in compiler technology. Hope this gives you a good starting point and you may find the discussion forum useful to share idea with like minded people.