1

I would like to know some tips how to secure DLL (Win32, dynamic) file from injecting and how to increase security of compiled code.

  1. There's a SQL password in DDL source code which is used to connect to MySQL. Is it secure enough to leave it?
  2. Is there any way how to prevent 'users' modifying HEX code? I mean to secure more from source code.
  3. Which options in project properties would be optimal for optimizing and maybe securing DLL?

Im using MVSC++ 2010 Express and source code to users won't be available.

durron597
  • 31,968
  • 17
  • 99
  • 158
  • *Is there any way how to prevent 'users' modifying HEX code?* No, but you can sign an application so that users will know that it's been modified. – ta.speot.is Aug 25 '12 at 08:19

2 Answers2

3

In order for the DLL to be usable it needs to be readable. That means that if you encrypt your file you also need do decrypt it before using it. Also, you can sign your DLL so that you know it has not been modified, but still that doesn't hide the symbols in the file itself. Another approach would be to obfuscate the code so that it is harder for users to understand but the OS can still easily execute it - think of that as a weak form of encryption.

Specific answers:

  1. If you have a password in any binary file then it is not secure. It is a simple matter of looking through the strings of the binary file to find it.

  2. Users can always modify the file, but the file can be signed using some cryptographic scheme which ensures that you will know if it has been tampered with.

  3. I don't use that particular tool but I'm sure that it will not provide you with any real security.

Tip: Instead of having an SQL DB password in your source code you could instead make it send commands to a server which would authenticate and process them. That way you don't need an explicit password in your file.

Morten Kristensen
  • 7,412
  • 4
  • 32
  • 52
1

Any and every literal string in your DLL is readable unless you encrypt the entire file. Do NOT store passwords as literal strings in your dll. Period. Also, you have to remember that assembly code is just data, and if the file is writable, anyone with an Intel reference sheet and a hex editor, or a disassembler and a an assembler can change it if they have access to the file. You can always obfuscate your source, which will make the assembly slightly less readable, but still completely modifiable.

In short, nothing you do will completly secure your DLL.

Linuxios
  • 34,849
  • 13
  • 91
  • 116