Protecting .NET applications - yet, in what to wrap herring?
Protecting .NET applications - yet, in what to wrap herring?
In peak here this review . I decided to write my own review of obfuscators, because I consider the above not only superficial, but also misleading.
One question is relevant - does it protect well this or that product from removing protection? Given that manufacturers obfuscators honestly warn - the assembly remains disassembled. And this is the cornerstone of protecting .Net applications. Total protection leads to the inconvenience of running the assembly in different environments, obfuscation - to the conditional openness of the code. It remains to solve the problem of complicating the receipt of the code, its readability and the removal of protection.
So, what we have:
There are 2 classes of programs to protect .Net applications:
- Protectors (native processor wrapper)
Similar machines are also supplied in combination with an obfuscator, which is rather weak (we usually assume that we can rename assembly members, no more). The wrapper can be of various kinds, it is most elegantly represented in the Salamander Protector (here the obfuscator is of good quality), an exception in the sense of obfuscator weakness is Salamander, but there can be problems with both debugging and launching.
')
Representatives: CodeVeil, Salamander Protector, .Net Reactor.
Advantages: so-called. “Unavailability” for decompilers and ILDASM. But the fact is that this inaccessibility is apparent. .Net restricts the rights of assemblies that are in RAM (in memory), assemblies must be saved somewhere on disk before launch - and here they become available.
Disadvantages: a lot of problems with the launch of the assembly in environments with more stringent policies, inadequate response of antiviruses, lead to the fact that the user begins to be afraid of products protected in this way, the inability to debug a protected assembly. Plus - the inability to create a protected assembly to work in both 32-bit and 64-bit environments. Either one or the other, although the developer can compile the program in the configuration AnyCPU for work in both 32-bit and 64-bit environments. Well, actually - the apparent benefits. Protector manufacturers usually recommend obfuscating assemblies before protecting them with a protector, thereby recognizing the vulnerability of protection. - Obfuscators
They represent more natural for the .Net environment protection methods, after which the assembly does not require additional add-ons and shamanism to run and debug.
a. Stand-alone obfuscators that do not use MS services and interfaces for accessing metadata and for generating obfuscated assemblies, that is, having their own access machine, parsers, generators and other tools for working with .Net assemblies.
Representatives: Spices.Net Obfuscator, Dotfuscator, {SmartAssembly}
Advantages: independence from external services in the choice of means of protection, a wide range and non-standard approaches to protection.
Disadvantages: as the responsible manufacturers warn honestly - the code remains disassembled (if not ILDASM, then some kind of handicraft disassembler, source codes can be taken in SSCLI or Mono).
b. Dependent on MS services (there is a big list here - from the operation of ILASM / ILDASM, access via COM, and the use of services from .Net 2.0). The functionality of such is deliberately limited, because services e provide the ability to screw something non-standard.
Representatives: Salamander Obfuscator, Skater.Net, Demeanor from WiseOwl (this is almost now an unknown obfuscator, although of good quality, one of the pioneers).
Advantages: I do not know, but in any case, Salamander offers a good obfuscator.
Disadvantages: instability, dependence on services, and therefore limited means (Salamander cannot work with projects containing assemblies from different platforms, for example .Net 2.0 and .Net 1.1). Plus - the same disadvantages of paragraph a).
Recommendations to developers
There are few of them: at the start of development, remember that the project will be obfuscated. This means that the visibility of certain assembly members should be regulated, which means that what should be obfuscated and what should not. The main problem for obfuscator is the use of reflection / serialization. .Net provides a lot of opportunities to call methods, referring to them by name, using classes for structured storage and reading of data. Obfuscator cannot recognize such things, therefore it is worthwhile to use some rules in the coding process for comparatively easy exclusion of such cases from obfuscation:
- Classes that work in serialization-reflection are placed in a separate assembly. This is not difficult, for these classes and their members should already have a public appearance. Members and so should have a public appearance.
- Classes that work in serialization-reflection to declare under a certain namespace and in this case it will be easy to exclude them from obfuscation, and all this in a crowd.
- If we have to use serialization-reflection in the code, then it is better to mark similar methods with special attributes. Do not put the safe lock on the plywood door. Moderate your paranoia. It is better to study the resulting assemblies after obfuscation, check the classes and their members - if you have hidden everything from an inquiring eye, optimize the settings so that everything you need is obfuscated, hidden and hidden. Try to open ILDASM, reflector, as seen from these products. Try to dump ILDASM (if it works) - see the generated file. It is necessary to understand how difficult it will be to make something else out of your assembly, to blind the code, or to take a piece of code with a decompiler.
Now about the balance. Well, take Reflector, take Spices.Net - they are protected by a regular obfuscator, not a protector, and as the previous browser wrote - it is easy to see everything in winDbg. And what's the point? Someone learned some Reflector secrets (and the Pro version is not free now), did anyone find out the secrets of Spices.Net? But these applications are written in pure IL without a native processor code (unlike Salamander). - I would also like to say some things about testing obfuscators - if you tried a certain product, after which you got broken assemblies, it makes sense to contact the manufacturer of the product, firstly it’s bread for the manufacturer - to sort out these problems, secondly - a real chance to get a discount (if the manufacturer thinks about customers), if at all the product is free of charge - cooperation is always paid for. Give the manufacturer a chance to solve your problem, it is mutually beneficial.
Now - comparisons
I can immediately say that many representatives of obfuscators were not included in the table, only in order not to waste your time. Yes, and Dotfuscator is included in this list as it is simply a product promoted by Microsoft, although not all of what it claims can do. The future of SmartAssembly also cannot be called clear after the purchase by Red-Gate for $ 1M - (IMHO, the deal was not worth it). Reflector is now rarely updated (which is good except for a generous set of plug-ins), which will be observed with SmartAssembly most likely. Why should the company involved in SQL get into the obfuscator-decompiler market (although the Obfuscator-Decompiler package is a productive approach, it is in Salamander, it is in Spices.Net) - I don’t mind it, the market is quite specific and many promising projects have already died on it such as Decompiler.Net (even Salamander’s positions staggered, for example, they didn’t release V-Spot Elimination technology, although the author writes in this review that they are proud of it (the only question is what they didn’t let out, or like “released”? Implemented something and a patent application made 9Rays.Net, actually).
So:
| Opportunities | Dotfuscator | Spices.Net Obfuscator | Salamander obfuscator | {SmartAssembly} |
|---|---|---|---|---|
| In trial version | Actually Community Edition with a minimalist set. | Gives a complete view, is not limited by functionality (only marks obfuscated assemblies with a special watermark - “Obfuscated by Spices.Obfuscator. Not for commercial use”) and comes complete with GUI, VS Integration, MSBuild integration, console and SDK. Can be used for free to protect non-profit programs. | Restrictions - the console version is provided. | Functional limitations. |
| Interface, Automation, Integration | The interface is not very. Briefly - ugly (well, here on vksyu and color ...). The console version is present. There is a possibility of applying the rules, but rather confusing. application of the rules, but rather confusing. No automation. Integration into MSBuild, integration with VS as an Add-In, which is not integrated into the build-process of the current project. | It is delivered both in the GUI version of Spices.Net, and in the console. The GUI version provides many additional tools for researching assemblies. There is automation - a C # example is provided on how to write your own obfuscator using a Spices.Net Obfuscator machine. In addition, ObfuscationEvents (similar to VS Build Events) are supported, allowing you to insert custom stocks between the steps of the obfuscation process. Integration into MSBuild and VS is present - you can configure obfuscation options directly in the project properties, enable or disable any project of the solution, and disable obfuscation altogether. | Delivered to GUI. The console is there. No automation. There is no integration. | Nice wizard-style simple interface. The console is present. No automation. Integration either. |
| Tamper-resistance | The module "snitch" comes in Enterprise, is designed for intra-corporate theft. For the usual software - just disable access to the Internet to this program, or simply simply remove the protection for it is quite easy. | There is. A hacked, renamed, or forged assembly stops working. Protection from both ILASM / ILDASM roundtrip, and from simple renaming of the assembly (that is, changing identity - this includes both its name and the full name in the case of the strong name of the assembly, as well as the version number). And what's interesting is that after the introduction of this technology, hacked versions of Spices.Net can no longer be found, and Salamander and SmartAssembly (oh yeah, offering control flow!) - please lie on the varezniki. | Not. | Not. |
| String encryption | there is | There is. Advanced - resource protection (without encryption and compression, but it works with tamper resistant)) | There is. | There is. Advanced - compression and encryption of resources. |
| AntiILDASM, decompilation counteraction | AntiILDASM is, there is no counter-decompilation. | AntiILDASM is, there is anti-decompilation (Reflector does not take, but Salamander Decompiler partially can. Automatically protects against Spices.Net Decompiler). | ANTILDASM is, automatically protects against Salamander Decompiler. | ANTILDASM is |
| Delete unused code and declarations (pruning) | Can | Maybe flexible | Can | Can. |
| Software watermarking | Can | Maybe (with anti-counterfeit protection - i.e., TamperProof technology is used) | Not | Not |
| Control flow obfuscation | Yes, partially recognizable by decompilers. | Instead, CodeAnonymizer technology is proposed as a more effective means of dealing with decompilers. | Yes, but recognizable by decompilers. V-Spot Elimination is mentioned - unrealized technology similar to that implemented in Spices.Net CodeAnonmizer | Yes, but recognizable by decompilers |
| Working with mixed-code assemblies | Not very good, without optimization in size | Maybe with size optimization | Yes, but it is unstable | Maybe limited (error reporting is not inserted into this code) |
| 64-bit support | there is | there is | Not | Not |
| StackTrace Deobfuscation | Not in the community edition, but in the enterprise, but not very convenient, map-based obfuscation | There is a Spices.Net tool and a more detailed free solution is offered. | Not | There is an implemented Error Reporting module. Unique feature. |
| Benefits | Comes in every delivery with VS. Unlike other obfuscators - for each new version of .Net it turns out to be the very first - an insider after all. | Large selection of remedies. Two technologies that other obfuscators do not offer. Having your own decent decompiler allows you to understand that the obfuscator knows what needs to be protected. That obfuscator knows what needs to be protected. Of the advantages, I can also name operational support in Russian and constructiveness in solving problems. | The oldest representative, a good quality of protection. | Simple, meets the basic needs of small developers and is tailored to them, but because of this, it is a little inflexible, although it has a good arsenal of protection tools. |
| disadvantages | Unreasonably expensive. The list of features and workmanship does not match the price. Support is not free. | The abundance of settings and tools sometimes stops. Clearance for professional use, and not for the needs of small developers. Although for them just everything is in the console version. | Inflexibility of settings, lack of temper. With the release of .Net 2.0, the guys have already thrown this project, but then they came out with the Obfuscator + Protector combination. Cannot work with projects of different .Net versions. On the latest versions of .Net - unstable. It is difficult and long to contact support. | It is not clear the future of this good product. Lack of integration, tamper-resistance impairs performance. But the first thing they could offer - protection from the reflector - This would be a very powerful feature. There used to be very friendly support, now I don’t know. |
About prices
Specially did not compare prices. At Dotfuskator prices are high and prices for support are such that they serve as a barrier, apparently, they are guided by a large corporate business. For other manufacturers, I can say that there is a place for the principle “price is what suits both the seller and the buyer.” It has long been practiced to negotiate, for example, the Indians have mastered it perfectly and have not been bothered for a long time about how to buy a $ 400 product for 150 bucks. There are undeclared discounts for students (academic discounts), for all MVP and MCP, for members of user groups and communities, for non-profit organizations, regional and national, for mentioning in a blog and posting a product for a certain period of time. About this course, the manufacturer does not write on the site. In the end, you can provide a problem file or vice versa - report a security hole, any cooperation with the manufacturer leading to an improvement in the quality of the product will be appreciated.
Try to ask for a discount, you will find it. Successes!
PS There is a desire to invite an experienced and good person who actively participated in the creation of this article - please contact me.
Source: https://habr.com/ru/post/106262/
All Articles