Prevent external assembly injection via PublicKeyToken


Question

I use the following code:

AppDomain.CurrentDomain.AssemblyLoad += (sender, args) =>
{
    var token = args.LoadedAssembly.GetName().GetPublicKeyToken();

    if (!IsValidToken(token))
    {
        Process.GetCurrentProcess().Kill();
    }
};

Where IsValidToken() compares the public key token of the assembly being loaded against a list of authorized public key tokens hardcoded in my application as byte arrays.

Is this a good security measure to prevent code injection attacks? Also, is this necessary given the fact that I will later obfuscate my application using NetReactor? I'm trying to prevent any "snooping" into my application, not only coming from the Snoop tool, but from any external undesired sources as well.

Recommended answer

Just from first glance, I'm going to say "no, this won't be enough".

Reasons:

  • CreateRemoteThread attacks are straight Win32 calls, no managed code traces that would trip a detector like this

I think it would be possible to create another AppDomain in the injected dll, thus bypassing this check altogether. Then one could execute code from that AppDomain, potentially (I'd have to think that through) calling back into the "main" AppDomain via AppDomain.DoCallback.

Process.Kill is a horrible way to drop your application, although it is a non-trappable way of doing so - that is, anyone attached wouldn't be able to prevent it (it uses Win32 TerminateProcess under the hood)

I'd have to bust out my "Injecterator" harness to test these statements, tho - if I can remember where the heck I put that code...

Regardless of any of these - you will absolutely want to obfuscate the hell out of this assembly, especially if you plan on storing sensitive bits inside (in fact, I'd argue against storing ANY sensitive information inside an assembly if you can help it) - your prevention method will absolutely NOT stop any disassemblers like Reflector, ILSpy, dotPeek, etc.
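
A fuller version of the check from the question, as an added example that is not the asker's or the answerer's code. The class name `AssemblyTokenGuard`, the `Install` method and the `onViolation` callback are hypothetical, and the second allowlist entry is a placeholder. It also checks assemblies that were loaded before the handler was registered and treats unsigned assemblies (empty token) as unauthorized.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

static class AssemblyTokenGuard
{
    // Sample allowlist (constructed). b77a5c561934e089 is the token carried by
    // mscorlib/System on .NET Framework; the second value is a placeholder for
    // the token of your own signing key.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "b77a5c561934e089",
            "0123456789abcdef", // placeholder, not a real token
        };

    public static bool IsValidToken(byte[] token)
    {
        // Assemblies without a strong name return an empty (or null) token.
        if (token == null || token.Length != 8) return false;
        return Allowed.Contains(BitConverter.ToString(token).Replace("-", ""));
    }

    // Hypothetical entry point: the caller decides what a violation triggers.
    public static void Install(Action<Assembly> onViolation)
    {
        // Registered on the current AppDomain only, and only managed loads raise
        // this event: the limits the answer above points out still apply.
        AppDomain.CurrentDomain.AssemblyLoad +=
            (sender, args) => Check(args.LoadedAssembly, onViolation);

        // AssemblyLoad fires only for later loads, so also check what is
        // already in the domain (an assembly may be checked twice; harmless).
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
            Check(asm, onViolation);
    }

    static void Check(Assembly asm, Action<Assembly> onViolation)
    {
        if (!IsValidToken(asm.GetName().GetPublicKeyToken()))
            onViolation(asm);
    }
}

static class Program
{
    static void Main()
    {
        AssemblyTokenGuard.Install(asm =>
            Console.Error.WriteLine("Unauthorized assembly: " + asm.FullName));
    }
}
```

The sample `Main` only logs, so an unsigned entry assembly is reported rather than terminated; populate the allowlist with every token your application legitimately loads before wiring in a stricter reaction.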
