Reflection on obfuscated assemblies??

  • Thread starter Thread starter Icarus
  • Start date Start date
I

Icarus

Hi, this is my scenario.
I have a win forms application (EXE), this app uses an assembly that I also
build (DLL). That assembly encapsulate several classes, for example,
cTeachers, cStudents, cSchedules, etc.

Some classes in the assemble have a custom attribute named IsThisAnApp that
holds a boolean value. This value indicates if the assemble will expose
properties like AplicationName, LevelOfProvilegesRequired, etc.

A third application (EXE) is a generix security application that should,
using reflection, scan a compiled assembly (DLL) looking for IsThisAnApp tag
for every Assembly.GetExportedTypes.

Once the security app detects a valid class, extract app info and insert it
in a SQL Server Database.
The Security app reads that info and allow users to custom security
privileges for that app.

Everithing works fine.

My problem starts when, for the production environment, I deploy an
obfuscated assembly and then everything crashes. For security reasons, when
I obfuscate the assembly using a 3rd part software, I add wrong metadata
information for the assembly.

Is there a way that reflection works equal in obfuscated environments?

TIA
Sergio
 
Is there a way that reflection works equal in obfuscated environments?


Strictly speaking, reflection should work the same on obfuscated code as it
does on normal code. That is, you can use reflection to find out about the
types and metadata contained in your code. But, once you've run the code
through an obfuscator, the type names are changed and much of the metadata
is stripped out, so you are unlikely to find what you're looking for. If
something is "crashing", it's probably your software choking on the
unexpected results it's getting back from the reflection calls.

Your obfuscation software should allow you to specify, with reasonable
granularity, what stuff you want obfuscated and what stuff you want it to
leave alone. Obviously, you need to tell it to leave your magic custom
attributes alone. You may need to also tell it to not obfuscate the names
of the classes to which the attribute is applied (depending on whether or
not your software cares that the class names it discovers have been renamed
from their original names).

Good luck.

Bob
 
Back
Top