C＃编译代码中的清除密码字符串 [英] Clear Password String in C# Compiled Code

问题描述

你好，


我刚刚发现编译后的代码不会隐藏字符串变量所以

我可以通过打开它看到它们可以使用记事本执行。我有几个已经密码硬编码的应用程序，我一直在想

字符串varialbes隐藏在已编译的代码中。我知道

VS.NET没有将源代码编译成机器代码。但是我没有知道它会在编译的代码中公开字符串变量。这是

我的代码：


静态私有字符串Hello1 =Hello my world;


private void button1_Click（object sender，EventArgs e）

{


string filePath = @" C：\ Windows\Notepad.exe";

string userName =" Username";

string password1 =" MyPassword";

// ProcessStartInfo psi = new ProcessStartInfo（args [0] ）;

ProcessStartInfo psi = new ProcessStartInfo（filePath）;

psi.UserName = userName;


psi.Password = ConvertStringToSecureString （password1）;

psi.Domain ="" ;;

psi.UseShellExecute = false;

psi.CreateNoWindow = true;

psi.WindowStyle = ProcessWindowStyle.Hidden;


Process.Start（psi）;

}

私有静态SecureString ConvertStringToSecureString（字符串

密码）

{

SecureString tempSecureString = new SecureString（）;


foreach（密码中的字符）

{

tempSecureString.AppendChar（c）; < br $>
}


返回tempSecureString;

}



当我使用记事本打开编译版本，我在

文本中间看到这个：


- 代码段 -

ControlCollection get_Controls添加ResumeLayout

WindowsApplication1.Properties.Resources.resources

WindowsApplication1.Form1.resources QW indows A pplicat

ion 1。 P r o r e t e s。记录-C：\ W i n d o w s

\ N o t e d a d。 e x e？U s e r n a m e？M y P a s s w？r？ ？b u

t t 1 1？F o r m 1？H e l l o m y w o r l dAsì* ???? ^ ???

？í？§\V？4 ?? ?????????? ?? ??? ??? ?????? ???? ??????? ???? ??????

?????? ???????！？ ??????％？

- 代码段 -


显然，我可以看到hello1，文件路径，用户名和密码值。 />
我使用VS.NET 2005和Framework v2.0。我从网站上找到了RunAs代码

样本。许多网站都有这些例子。


我必须以安全的方式在我的应用程序中对密码进行硬编码。可以

有人给我一个例子或提示吗？感谢您的帮助。

Hello there,

I just found that the compiled code won''t hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I''ve been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn''t compile the source code into machine code. But I didn''t
know that it will expose string variables in the compiled code. Here is
my code:

static private string Hello1 = "Hello my world";

private void button1_Click(object sender, EventArgs e)
{

string filePath = @"C:\Windows\Notepad.exe";
string userName = "Username";
string password1 = "MyPassword";
// ProcessStartInfo psi = new ProcessStartInfo(args[0]);
ProcessStartInfo psi = new ProcessStartInfo(filePath);
psi.UserName = userName;

psi.Password = ConvertStringToSecureString(password1);
psi.Domain = "";
psi.UseShellExecute = false;
psi.CreateNoWindow = true;
psi.WindowStyle = ProcessWindowStyle.Hidden;

Process.Start(psi);
}

private static SecureString ConvertStringToSecureString(string
password)
{
SecureString tempSecureString = new SecureString();

foreach (char c in password)
{
tempSecureString.AppendChar(c);
}

return tempSecureString;
}


When I opened the compiled version using the notepad, I see this in the
middle of text:

-- snippet --
ControlCollection get_Controls Add ResumeLayout
WindowsApplication1.Properties.Resources.resources
WindowsApplication1.Form1.resources QW i n d o w s A p p l i c a t
i o n 1 . P r o p e r t i e s . R e s o u r c e s -C : \ W i n d o w s
\ N o t e p a d . e x e U s e r n a m e M y P a s s w o r d
b u
t t o n 1 F o r m 1 H e l l o m y w o r l d Asì*????^ì???
í?§\V4?

  

    


!

%
-- snippet --

Clearly, I can see the hello1, filepath, username, password values.
I am using VS.NET 2005 with Framework v2.0. And I found the RunAs code
sample from Web sites. Many sites have the examples.

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.

推荐答案

您可以使用加密应用程序块，并放置加密的

应用程序配置文件中的密码。通常情况下，我总是试图阻止硬编码的字符串文字。


Gabriel Lozano-Morán


" cooltoriz" < yp ***** @ gmail.com写信息

news：11 ********************** @ l12g2000cwl。 googlegr oups.com ...

你好，


我刚发现编译后的代码不会隐藏字符串变量所以

我可以通过使用记事本打开可执行文件来查看它们。我有几个已经密码硬编码的应用程序，我一直在想

字符串varialbes隐藏在已编译的代码中。我知道

VS.NET没有将源代码编译成机器代码。但是我没有知道它会在编译的代码中公开字符串变量。这是

我的代码：


静态私有字符串Hello1 =Hello my world;


private void button1_Click（object sender，EventArgs e）

{


string filePath = @" C：\ Windows \Notepad.exe";

string userName =" Username";

string password1 =" MyPassword";

// ProcessStartInfo psi = new ProcessStartInfo（args [0] ）;

ProcessStartInfo psi = new ProcessStartInfo（filePath）;

psi.UserName = userName;


psi.Password = ConvertStringToSecureString （password1）;

psi.Domain ="" ;;

psi.UseShellExecute = false;

psi.CreateNoWindow = true;

psi.WindowStyle = ProcessWindowStyle.Hidden;


Process.Start（psi）;

}

私有静态SecureString ConvertStringToSecureString（字符串

密码）

{

SecureString tempSecureString = new SecureString（）;


foreach（密码中的字符）

{

tempSecureString.AppendChar（c）; < br $>
}


返回tempSecureString;

}



当我使用记事本打开编译版本，我在

文本中间看到这个：


- 代码段 -

ControlCollection get_Controls添加ResumeLayout

WindowsApplication1.Properties.Resources.resources

WindowsApplication1.Form1.resources QW indows A pplicat

ion 1。 P r o r e t e s。记录-C：\ W i n d o w s

\ N o t e d a d。 e x e？U s e r n a m e？M y P a s s w？r？ ？b u

t t 1 1 F o r m 1？H e l l o m y w o r l d As ???? ^ ??

?? \ V？4 ?? ?????????? ?? ??? ??? ?????? ???? ??????? ???? ??????

?????? ???????！？ ??????％？

- 代码段 -


显然，我可以看到hello1，文件路径，用户名和密码值。 />
我使用VS.NET 2005和Framework v2.0。我从网站上找到了RunAs代码

样本。许多网站都有这些例子。


我必须以安全的方式在我的应用程序中对密码进行硬编码。可以

有人给我一个例子或提示吗？感谢您的帮助。

You could use the Cryptography Application Block, and place the encrypted
password in the application''s configuration file. Normally I would always
try to prevent hard coded string literals.

Gabriel Lozano-Morán

"cooltoriz" <yp*****@gmail.comwrote in message
news:11**********************@l12g2000cwl.googlegr oups.com...
Hello there,

I just found that the compiled code won''t hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I''ve been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn''t compile the source code into machine code. But I didn''t
know that it will expose string variables in the compiled code. Here is
my code:

static private string Hello1 = "Hello my world";

private void button1_Click(object sender, EventArgs e)
{

string filePath = @"C:\Windows\Notepad.exe";
string userName = "Username";
string password1 = "MyPassword";
// ProcessStartInfo psi = new ProcessStartInfo(args[0]);
ProcessStartInfo psi = new ProcessStartInfo(filePath);
psi.UserName = userName;

psi.Password = ConvertStringToSecureString(password1);
psi.Domain = "";
psi.UseShellExecute = false;
psi.CreateNoWindow = true;
psi.WindowStyle = ProcessWindowStyle.Hidden;

Process.Start(psi);
}

private static SecureString ConvertStringToSecureString(string
password)
{
SecureString tempSecureString = new SecureString();

foreach (char c in password)
{
tempSecureString.AppendChar(c);
}

return tempSecureString;
}


When I opened the compiled version using the notepad, I see this in the
middle of text:

-- snippet --
ControlCollection get_Controls Add ResumeLayout
WindowsApplication1.Properties.Resources.resources
WindowsApplication1.Form1.resources QW i n d o w s A p p l i c a t
i o n 1 . P r o p e r t i e s . R e s o u r c e s -C : \ W i n d o w s
\ N o t e p a d . e x e U s e r n a m e M y P a s s w o r d
b u
t t o n 1 F o r m 1 H e l l o m y w o r l d As????^??
?\V4?

  

    


!

%
-- snippet --

Clearly, I can see the hello1, filepath, username, password values.
I am using VS.NET 2005 with Framework v2.0. And I found the RunAs code
sample from Web sites. Many sites have the examples.

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.

2006年12月6日11:29:52 -0800，cooltoriz写道：

On 6 Dec 2006 11:29:52 -0800, cooltoriz wrote:

我必须以安全的方式在我的应用程序中对密码进行硬编码。可以

有人给我一个例子或提示吗？我感谢您的帮助。

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.

大多数优秀的混淆器为此目的提供字符串加密。

查看Dotfuscator和Xenocode

-

Bits.Bytes
http://bytes.thinkersroom.com

2006年12月6日11:29:52 -0800，cooltoriz < yp ***** @ gmail.comwrote：

On 6 Dec 2006 11:29:52 -0800, "cooltoriz" <yp*****@gmail.comwrote:

>你好，

我刚发现编译的代码赢了不要隐藏字符串变量，以便我可以通过使用记事本打开可执行文件来查看它们。我有几个硬编码密码的应用程序，我一直在想，字符串varialbes隐藏在编译代码中。我知道VS.NET没有将源代码编译成机器代码。但我并不知道它会在编译的代码中公开字符串变量。

>Hello there,

I just found that the compiled code won''t hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I''ve been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn''t compile the source code into machine code. But I didn''t
know that it will expose string variables in the compiled code.

[snip]


一种方法是进行自己的加密。它不会完全安全，因为任何可以反汇编代码的人都可以反汇编

解密功能，但它会阻止随意的读者或简单的

搜索能够输出密码的ASCII字符串。

static string codedPassword =" elephant";


静态字符串DecodePassword（string cyphertext） {

byte [] key = {0x16,0x1D，0x10,0x19,0x1A，0x13,0x0B，0x18};

StringBuilder sb = new StringBuilder（cyphertext）;

for（int i = 0; i< sb.Length; ++ i）{

sb [i] =（char）（key [i] ^ sb [ i]）;

}

返回sb.ToString（）;

}


静态void Main（）{

Console.WriteLine（"密码是：{0}"，

DecodePassword（codedPassword））;

}


此示例使用简单的XOR加密。我故意将

编码的密码看作是一个真正的单词，作为

misdirection的附加级别。真实密码不会出现在

程序文件中的任何地方。


另一种缺少实际加密的方法是输入密码

进入源文件中的Base64并根据需要对其进行解码。对于

例子，elephant =ZWxlcGhhbnQ =在Base64。缺点是

很容易识别为Base64。


另一种选择是在你的源代码中输入明文密码，

但要在程序中使用Base64作为实际密码。

有elephant在源中，但使用ZWxlcGhhbnQ =作为实际的

密码。


这些方面的其他想法是可能的。


rossum

[snip]

One way is to do your own encryption. It will not be completely
secure since anyone who can disassemble your code can disassemble the
decryption function, but it will stop casual readers or a simple
search for ASCII strings being able to pick out the password.
static string codedPassword = "elephant";

static string DecodePassword(string cyphertext) {
byte[] key = { 0x16, 0x1D, 0x10, 0x19, 0x1A, 0x13, 0x0B, 0x18 };
StringBuilder sb = new StringBuilder(cyphertext);
for (int i = 0; i < sb.Length; ++i) {
sb[i] = (char)(key[i] ^ sb[i]);
}
return sb.ToString();
}

static void Main() {
Console.WriteLine("The secret password is: {0}",
DecodePassword(codedPassword));
}

This example uses a simple XOR encryption. I deliberately made the
coded password look like a real word as an added level of
misdirection. The real password does not appear anywhere in the
program file.

An alternative, short of actual encryption, is to put the password
into Base64 in your source file and to decode it as needed. For
example, "elephant" = "ZWxlcGhhbnQ=" in Base64. The disadvantage is
that it is easily recognisable as Base64.

Another alternative is to have a plaintext password in your source,
but to use the Base64 as the actual password within your program.
Have "elephant" in the source, but use "ZWxlcGhhbnQ=" as the actual
password.

Other ideas along these lines are possible.

rossum

这篇关于C＃编译代码中的清除密码字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！