I want to secure some applications for some people without teaching them how to add an encryption or authentication, so I thought about mocking up a simple application that launches another application if some password or authentication function returns true. How would I wrap the application so that only the launcher would be able to access the file?
+2
A:
If the wrapped (protected) application is managed, you can embed it as an encrypted byte array, then call Assembly.Load(rawBytes) and use reflection to start the application.
(The application should agree to expose some static method or attribute that launches itself, which you can call using reflection)
Note that you'll still be vulnerable to Reflector, unless you get the decryption key from a web service. (In which case you'll be vulnerable to a combination of Reflector, Fiddler, and a valid password)
SLaks
2010-04-14 02:44:36
The applications are usually written in AutoIt or VB.NET. I'm using C#. I just don't know if AutoIt is managed.
Gio Borje
2010-04-14 03:09:42
Got it to work, thanks bro.
Gio Borje
2010-04-14 04:58:19
I forgot to mention that you should obfuscate it.
SLaks
2010-04-14 11:16:06
I always obfuscate my applications.
Gio Borje
2010-04-14 22:37:31
A:
You could do a variant of what SLaks suggested that would work for any EXE (.Net or native), and include the EXE as an embedded resource within your application. In your application they could click a button, and your code would then extract the EXE from itself, save it out to a temporary location, and start it with the Process class. Your app would then wait for the Process to finish and delete the temporary file.
This would be as secure as anything else you might do (without a massive amount of effort). A savvy user could locate the EXE file while it's running and make a copy of it, but a savvy user could just extract it from your program easily anyway.
MusiGenesis
2010-04-14 03:15:38
Note that the EXE file could be copied by end-users once it's extracted. That may or may not be a concern.
SLaks
2010-04-14 03:16:53
You could do some rudimentary obfuscation: give the EXE file a different, random, meaningless name each time you extract it (Uej324p3.exe for example) so it will be less obvious in Task Manager. With file access restrictions in the newer versions of windows it's harder to hide temp files like this in weird places, but your master app should be able to find an obscure location somewhere and extract the file there.
MusiGenesis
2010-04-14 03:28:16
Ultimately, a .Net assembly is open - a savvy user can always get into it and find out what it's doing. Ultimately your choice is about how much effort you want to put into blocking or slowing down any particular level of hacker. I think your best bet is to put a small amount of effort into hiding things from the casual user, and not get too far beyond that.
MusiGenesis
2010-04-14 03:32:56