I'm using the following code:
AppDomain.CurrentDomain.AssemblyLoad += (sender, args) =>
{
var token = args.LoadedAssembly.GetName().GetPublicKeyToken();
if (!IsValidToken(token))
{
Process.GetCurrentProcess().Kill();
}
};
Where IsValidToken() compares the public key token of the assembly being loaded against a list of authorized public key tokens hardcoded in my application as byte arrays.
Is this a good security measure to prevent code injection attacks? Also, is this necessary given the fact that I will later obfuscate my application using NetReactor? I'm trying to prevent any "snooping" into my application, not only coming from the Snoop tool, but from any external undesired sources as well.
Just from first glance, I'm going to say "no, this won't be enough".
Reasons:
CreateRemoteThreadattacks are straight win32 calls, no managed code traces that would trip a detector like thisI think it would be possible to create another
AppDomainin the injected dll, thus bypassing this check altogether. Then one could execute code from thatAppDomain, potentially (I'd have to think that through) calling back into the "main"AppDomainviaAppDomain.DoCallbackProcess.Killis a horrible way to drop your application, although it is a non-trappable way of doing so - that is, anyone attached wouldn't be able to prevent it (it uses Win32TerminateProcessunder the hood)
I'd have to bust out my "Injecterator" harness to test these statements, tho - if I can remember where the heck I put that code...
Regardless of any of these - you will absolutely want to obfuscate the hell out of this assembly, especially if you plan on storing sensitive bits inside (in fact, I'd argue against storing ANY sensitive information inside an assembly if you can help it) - your prevention method will absolutely NOT stop any disassemblers like Reflector, ILSpy, dotPeek, etc.
It would also be safer if you generated the full keys at runtime (perhaps from multiple partial keys). This works around statically examining your binary for keys.
来源:https://stackoverflow.com/questions/13372057/prevent-external-assembly-injection-via-publickeytoken