How secure are resources in .NET?

How difficult would it be to get embedded resources from a .NET application, outside the application itself? Even if resources are compressed and trivially encrypted, how difficult is it to extract them with the tool? (I do not care about data protection as such, just the methods of extracting the resource itself)


EDIT:

I think that my question was misunderstood; it was less about encryption and more about search. Except for Reflector, what else can I use?

+6
5 answers

It is trivial to extract resources from a compiled .NET DLL using tools such as .NET Reflector or .NET Resourcer.

+8

If you encrypt resources using a key built into the application, then it will be easy to extract the key and, therefore, resources with a small amount of reverse engineering.

If you encrypt them using a secure algorithm and ask the user to enter a password, then without a password it will be impossible to extract resources. But I think this is not what you want. I think you want the user not to use your resources outside the application?

If so, the short answer is: resources in .NET are not protected.

+6

Here is some quick code to get resources from assemblies. You decide how easy and safe it is ...

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Reflection;

class Program
{
    static void Main(string[] args)
    {
        // Pair every loadable assembly with each of its manifest resource names.
        var assemblies = from file in args
                         let assembly = TryLoad(file)
                         where assembly != null
                         from rName in assembly.GetManifestResourceNames()
                         select new { assembly, rName };

        foreach (var item in assemblies)
            using (var rs = item.assembly.GetManifestResourceStream(item.rName))
                SaveTo(rs, item.rName);
    }

    // Copy the resource stream to a file named after the resource.
    static void SaveTo(Stream stream, string name)
    {
        var buffer = new byte[32 * 1024];
        var bufferLen = 1;
        using (var fs = new FileStream(name, FileMode.Create))
            while (bufferLen > 0)
                if ((bufferLen = stream.Read(buffer, 0, buffer.Length)) > 0)
                    fs.Write(buffer, 0, bufferLen);
    }

    // Load an assembly from a path; return null if the file is missing or not loadable.
    static Assembly TryLoad(string filename)
    {
        if (string.IsNullOrEmpty(filename) || !File.Exists(filename))
            return null;
        try
        {
            var fullName = Path.GetFullPath(filename);
            return Assembly.LoadFile(fullName);
        }
        catch (Exception ex)
        {
            Debug.WriteLine(ex);
            return null;
        }
    }
}
```
+3

If I show you a safe with a million dollars in it, then leave, you will end up in this safe. There is no technology that protects this money; your only real barrier is time.

The same goes for software. The only way to protect resources is not to place them where someone can, given enough time, get to them. The most efficient option that I know is storing critical resources on a server that you control.

Of course, many people are wrong. One way or another, they allow temporary copying of a protected resource to a user computer. At this point, the game is playing. This means that you can truly protect resources that have a temporary clone. For example, a security token that expires, or calculation results that do not show how the calculation was performed.

+2
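
The "security token that expires" idea from the answer above, as an added example (not code from any of the answers): the resource stays on a server you control, which hands out a short-lived HMAC-signed token instead of shipping the resource or a key inside the assembly. The class names, the resource name and the token layout are hypothetical, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ResourceToken
{
    // Assumption: in production this key comes from server-side secret storage; random here.
    static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Token layout (hypothetical): resourceId|expiryUnixSeconds|base64(HMAC-SHA256).
    // Assumes resourceId contains no '|' character.
    public static string Issue(string resourceId, TimeSpan lifetime, DateTimeOffset now)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"{resourceId}|{expires}";
        return $"{payload}|{Convert.ToBase64String(Sign(payload))}";
    }

    // True only if the MAC verifies, the token names this resource, and it has not expired.
    public static bool Validate(string token, string resourceId, DateTimeOffset now)
    {
        string[] parts = token.Split('|');
        if (parts.Length != 3 || parts[0] != resourceId) return false;
        if (!long.TryParse(parts[1], out long expires)) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }
        byte[] expected = Sign($"{parts[0]}|{parts[1]}");
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(expected, presented)) return false;
        return now.ToUnixTimeSeconds() < expires;
    }

    static byte[] Sign(string payload)
    {
        using var hmac = new HMACSHA256(ServerKey);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
}

static class Demo
{
    static void Main()
    {
        var t0 = DateTimeOffset.UtcNow;
        string token = ResourceToken.Issue("report-template", TimeSpan.FromMinutes(5), t0);
        Console.WriteLine(ResourceToken.Validate(token, "report-template", t0.AddMinutes(1)));  // inside lifetime
        Console.WriteLine(ResourceToken.Validate(token, "report-template", t0.AddMinutes(10))); // after expiry
        Console.WriteLine(ResourceToken.Validate(token, "other-resource", t0.AddMinutes(1)));   // wrong resource
    }
}
```

A copy of the token taken from the client stops working once it expires, and the client never holds anything it could use to mint a new one.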

The problem is not so much with .NET resources and security in general. You can rephrase the question: "My client application keeps secrets that I do not want to create with reverse processing," and do not change the intention.

What is in your resource files and why do you need to protect it? Have you considered a design in which you don’t store these secrets on the client at all? If you take on client-side privacy protection, I think you'll be disappointed.

+2