MSIL Not Coding String Variables


Guest

See This Code
=======================================================
.method private specialname rtspecialname static
        void .cctor() cil managed
{
  // Code size 52 (0x34)
  .maxstack 8
  IL_0000: ldstr "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
  IL_0005: call string [System.Windows.Forms]System.Windows.Forms.Application::get_StartupPath()
  IL_000a: ldstr "/sel.mdb;Jet OLEDB:Database Password=sba "
  IL_000f: call string [mscorlib]System.String::Concat(string, string, string)
  IL_0014: stsfld string sel.Module1::sConStr
  IL_0019: ldsfld string sel.Module1::sConStr
  IL_001e: newobj instance void [System.Data]System.Data.OleDb.OleDbConnection::.ctor(string)
  IL_0023: stsfld class [System.Data]System.Data.OleDb.OleDbConnection sel.Module1::oCnn
  IL_0028: ldstr "C:\\windows\\pas"
  IL_002d: stsfld string sel.Module1::ahmed
  IL_0032: nop
  IL_0033: ret
} // end of method Module1::.cctor
=======================================================

Notice That ConnectionString Is Readable
And I Can Get Password Very Easily
So We can any Secured Database From MSIL Language
Really It's a Big Problem
Please Advise Me To Protect My Programs
Thanks
 
If you open a regular PE program in a hex editor, you can see all literal
string values just as plainly. Compile a C++ or VB6 program with a
connection string, open it in a hex editor, and you'll see what I mean.

There are several ways to protect the data from casual inspection. Check out
the encryption classes for starters (System.Security.Cryptography
namespace).

-Rob Teixeira [MVP]
 
Notice That ConnectionString Is Readable
And I Can Get Password Very Easily
So We can any Secured Database From MSIL Language
Really It's a Big Problem


Welcome to the world of security! Head on over to the MS patterns &
practices ( http://msdn.microsoft.com/patterns/ ) and check out the data
access patterns, there is one that extensively discusses data access,
encrypting & storing connection strings etc...

( FYI, this problem is present in PE EXEs as well, it's not new )

HTH,
Jeremy
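
An added example, not code from either reply or from any Microsoft sample, of the approach both replies point to: the database password is stored as a DPAPI-protected blob outside the assembly (using `ProtectedData` from `System.Security.Cryptography`) and the connection string is built at run time, so no `ldstr` literal carries the password. The class name, blob path and entropy string are assumptions made for illustration.

```csharp
// Requires a reference to System.Security.dll on .NET Framework.
using System;
using System.Data.OleDb;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ConnectionSecrets   // hypothetical helper, not from the thread
{
    // Hypothetical location; the file holds a DPAPI blob, not plaintext.
    static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "sel", "dbpass.bin");

    // Extra entropy is not a secret (it is visible in the IL); it only keeps
    // blobs written by this application separate from other DPAPI data.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("sel.Module1.sConStr");

    // Run once at install or first run, with the password supplied at that
    // time (prompt, installer argument), never as a literal in the source.
    public static void Save(string password)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
        File.WriteAllBytes(BlobPath, blob);
    }

    // Builds the connection string at run time; ildasm then shows only the
    // provider name and database file name, with no password literal.
    public static OleDbConnection Open(string startupPath)
    {
        byte[] clear = ProtectedData.Unprotect(
            File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser);
        try
        {
            var csb = new OleDbConnectionStringBuilder();
            csb.Provider = "Microsoft.Jet.OLEDB.4.0";
            csb.DataSource = Path.Combine(startupPath, "sel.mdb");
            csb["Jet OLEDB:Database Password"] = Encoding.UTF8.GetString(clear);
            var cnn = new OleDbConnection(csb.ConnectionString);
            cnn.Open();
            return cnn;
        }
        finally { Array.Clear(clear, 0, clear.Length); }
    }
}
```

With `DataProtectionScope.CurrentUser`, any code running as the same Windows user can still unprotect the blob, so this removes the password from the shipped binary but does not hide it from the account that runs the program.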
 