Prevent external assembly injection via PublicKeyToken

I'm using the following code:

using System;
using System.Diagnostics;

// Fires for every assembly loaded into this AppDomain after the handler is attached.
AppDomain.CurrentDomain.AssemblyLoad += (sender, args) =>
{
    var token = args.LoadedAssembly.GetName().GetPublicKeyToken();

    if (!IsValidToken(token))
    {
        Process.GetCurrentProcess().Kill();
    }
};

Where IsValidToken() compares the public key token of the assembly being loaded against a list of authorized public key tokens hardcoded in my application as byte arrays.

Is this a good security measure to prevent code injection attacks? Also, is this necessary given the fact that I will later obfuscate my application using NetReactor? I'm trying to prevent any "snooping" into my application, not only coming from the Snoop tool, but from any external undesired sources as well.

Federico Berasategui asked Nov 14 '12 02:11
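The following is an added example, not the asker's code, of what a complete IsValidToken and its surrounding handler can look like. It assumes an allow-list of tokens as hex strings (the three Microsoft .NET Framework tokens are the real well-known values; the fourth is a placeholder standing in for the application's own signing key), treats unsigned assemblies (null or empty token) as untrusted so that an unsigned DLL cannot pass, and sweeps the assemblies already loaded before the handler was attached, since AssemblyLoad only reports later loads. It swaps Environment.FailFast for Process.Kill so that a Windows Event Log entry is written before the process terminates; that substitution is my choice, not the asker's.

```csharp
// Added example (not from the original question): allow-list check on
// public key tokens plus a sweep of assemblies loaded before subscription.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

static class AssemblyGate
{
    // Allowed tokens as lower-case hex (as printed by "sn -T <assembly>").
    // The first three are the well-known Microsoft .NET Framework tokens;
    // the last is a PLACEHOLDER for the token of your own signing key.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "b77a5c561934e089",
            "b03f5f7f11d50a3a",
            "31bf3856ad364e35",
            "0123456789abcdef", // placeholder: replace with your key's token
        };

    public static bool IsValidToken(byte[] token)
    {
        // Unsigned assemblies yield null or an empty array. Reject them,
        // otherwise any unsigned DLL would pass the check by default.
        if (token == null || token.Length != 8) return false;
        var hex = BitConverter.ToString(token).Replace("-", "");
        return Allowed.Contains(hex);
    }

    // Returns the full names of assemblies that fail the allow-list check.
    public static List<string> FindUntrusted(IEnumerable<Assembly> assemblies)
    {
        return assemblies
            .Where(a => !IsValidToken(a.GetName().GetPublicKeyToken()))
            .Select(a => a.FullName)
            .ToList();
    }

    public static void Arm()
    {
        AppDomain.CurrentDomain.AssemblyLoad += (sender, args) =>
        {
            var token = args.LoadedAssembly.GetName().GetPublicKeyToken();
            if (!IsValidToken(token))
            {
                // FailFast terminates without running finalizers or catch
                // blocks and logs the message to the Windows Event Log first,
                // leaving a record that Process.Kill does not.
                Environment.FailFast(
                    "Untrusted assembly loaded: " + args.LoadedAssembly.FullName);
            }
        };

        // The event only fires for assemblies loaded after subscription, so
        // check the ones already present (this includes the entry assembly:
        // an unsigned debug build of your own app will fail here by design).
        var untrusted = FindUntrusted(AppDomain.CurrentDomain.GetAssemblies());
        if (untrusted.Count > 0)
        {
            Environment.FailFast(
                "Untrusted assemblies already loaded: " + string.Join(", ", untrusted));
        }
    }

    static void Main()
    {
        Arm();
        Console.WriteLine("All loaded assemblies passed the public key token allow-list.");
    }
}
```

Call Arm() as the first statement of Main, before anything else triggers a load. Note that this check only covers managed loads into the current AppDomain; the answer below explains why it does not cover native injection or a second AppDomain.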


1 Answer

Just from first glance, I'm going to say "no, this won't be enough".

Reasons:

  • CreateRemoteThread attacks are straight win32 calls, no managed code traces that would trip a detector like this

  • I think it would be possible to create another AppDomain in the injected dll, thus bypassing this check altogether. Then one could execute code from that AppDomain, potentially (I'd have to think that through) calling back into the "main" AppDomain via AppDomain.DoCallback

  • Process.Kill is a horrible way to drop your application, although it is a non-trappable way of doing so - that is, anyone attached wouldn't be able to prevent it (it uses Win32 TerminateProcess under the hood)

I'd have to bust out my "Injecterator" harness to test these statements, though - if I can remember where the heck I put that code...

Regardless of any of these - you will absolutely want to obfuscate the hell out of this assembly, especially if you plan on storing sensitive bits inside (in fact, I'd argue against storing ANY sensitive information inside an assembly if you can help it) - your prevention method will absolutely NOT stop any disassemblers like Reflector, ILSpy, dotPeek, etc.

JerKimball answered Sep 20 '22 22:09