Just how safe is your source code? It's a topic few developers consider until it's too late, but it's most certainly worth considering, especially when working with vulnerable Windows applications.
When you build your assembly, your project is compiled down to Microsoft Intermediate Language (MSIL) code. You can view this code and extra metadata information by using a tool such as ILDASM.exe (found within the depths of the VS .NET directory) to open a regular assembly.
True, it isn't especially easy to read or follow, but it also isn't that difficult to get the gist of what's happening in your program. You'll also note that important strings, such as database passwords, are easily exposed for the world to see.
And that's not all: a new wave of .NET decompilers has swept onto the market that can take an assembly and turn it back into the original source code within seconds.
How can you protect your application? The only real route is to use an obfuscator, an application that jumbles up your source code, making the logic extremely difficult to follow. More sophisticated obfuscators also encrypt strings, lay decompiler tricks, create difficult-to-follow program flows, and remove excess data, thereby reducing the size of the final assembly.
One such obfuscator is the cheesy-named Dotfuscator, available in both Community and Professional editions. Users of Visual Studio .NET 2003 ("Everett") will find they already have the Community edition installed on their machine in Programs > Microsoft Visual Studio .NET 2003 > Visual Studio .NET Tools > Dotfuscator Community Edition, whereas VS .NET 2002 users can download this free version from www.preemptive.com/dotfuscator/dotcomdld.html.
Produced by the software group PreEmptive, this lite version performs basic obfuscation on any assembly. It ships with only a noncommercial license, however, which means that you'll need to upgrade if you're using it professionally.
How do you use it? Unfortunately, like the interface, you'll find the help file relatively unhelpful. However, for basic obfuscation, simply launch the application, create a new project, add your file via the Trigger tab, select the destination directory via the Build tab, and then select File > Build.
For more information, check out the official FAQ at www.preemptive.com/dotfuscator/DotfuscatorFAQ.html or look up Dotfuscator in the help index (ensure that the filter is set to "No Filter").
Chat with any modern developer about a new system you require and they'll instantly start talking about Web-based applications. Why? There's a very simple reason: because fat Windows programs are just too difficult to maintain.
Who has which version? How can you ensure that all your employees start using the new system at the same time? There are workarounds but why bother, when you can simply create a Web application?
The problem is that thin Web applications are inflexible. They don't give you full control. Your typical Web page can't send something to the user's printer, nor save files to a special area on the hard drive. They're also often slow or unavailable.
In brief, Windows programs are much better in terms of control, but worse in terms of maintainability. Web applications are great in terms of maintainability, but terrible in terms of control.
But what if you could solve this problem, by automatically updating your Windows applications? You can, with just a few lines of extra code. And, over the next couple of pages, I'm going to share my two favorite techniques for doing just that.
This first technique works best for smaller applications, or programs that have portions of them that update frequently. It's based on something called reflection, a new .NET method of allowing your code to see other code, a sort of more-advanced late binding.
Here's how it works: you begin by creating the portion of your application that requires updating. (It may even be an entire program in its own right.) Then you make your assembly available on a Web server, typically via your intranet.
Next, you create your nonupdating application: this could simply be a small loader application, or a regular program with a link to the updating portion that you created earlier. This application loads your assembly from the intranet and perhaps displays a form from inside that assembly, or creates an instance of a class and runs a function (this is the .NET reflection feature coming into play).
It may sound complicated, but there are really just a couple of lines of code you'll need to use. And here they are.

    ' Load assembly
    Dim MyAssembly As System.Reflection.Assembly = _
        System.Reflection.Assembly.LoadFrom("http://address/app.exe")

    ' Create instance of the form and show it
    Dim MyForm As Form = _
        MyAssembly.CreateInstance("YourAssemblyNamespace.Form1")
    MyForm.Show()

Here, the code loads the assembly from a Web address, creates a new instance of the Form1 class within the assembly, and then shows that form. You could add this sort of code to the Sub Main method of your loader application, or behind one of your menu items, and, hey presto, you've got a live application. When you need to update, simply replace your assembly on the Web server.
Also, .NET is pretty clever. If the assembly you've loaded references another assembly, it will go back to your Web server (http://address/) to check for it. That means, if you're feeling exceptionally smart, you might just want to split your live application out into multiple parts. For example, in this newly downloaded assembly, you may include a regular reference to another assembly and display a form from within that too. When the local machine spots this code, .NET will go back to the Web server, attempt to load that assembly, and then continue with your code. This way, you can split your application up into portions and access them on demand. The method also stops any large delays in downloading assemblies, as the application is now split into many smaller parts, all of which can work together without problem.
But, as ever, there's something you need to watch out for. It's security. By default, the .NET Framework only partially trusts applications downloaded from the Internet and hence restricts exactly what they can do on your machine.
To sort this situation, from the control panel, choose Administrative Tools > Microsoft .NET Framework Wizards. Double-click on the Trust an Assembly option, specify your assembly Internet address and grant it full permissions. (On larger networks, a system administrator should be able to automate this for you.) Other workarounds include adding the site your assembly is hosted on to the list of Internet Explorer trusted sites, and then using the Adjust .NET Security wizard to grant all trusted sites full permissions, but that's all for another day. Look up "code access security" in the help index for more information.
Download supporting files at www.apress.com.
The files for this tip are in the Ch2 - Updater Component folder.
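Granting the remote assembly full trust, as described above, only decides what the code may do once it runs; it says nothing about whether the file you pulled from the server is the build you actually published. One integrity check a defender would add to the loader, shown here as an added example that is not from the book or from any Microsoft sample, is to download the assembly bytes yourself, compare their SHA-256 hash with the hash of the approved build, and load the assembly only if they match. The URL, the VerifiedLoader class and the ExpectedSha256 constant are placeholders for this illustration.

```vbnet
' Added example, not from the book: load a remote assembly only when its
' SHA-256 hash matches a value you recorded when you published the build.
Imports System
Imports System.Net
Imports System.Reflection
Imports System.Security
Imports System.Security.Cryptography
Imports System.Windows.Forms

Public Class VerifiedLoader
    ' Hex-encoded SHA-256 of the approved build. PLACEHOLDER: replace with
    ' the hash you computed over the exact file you copied to the server.
    Private Const ExpectedSha256 As String = _
        "0000000000000000000000000000000000000000000000000000000000000000"

    ' Downloads the assembly, checks its hash, and returns the loaded assembly.
    ' Throws before anything is loaded if the file has been altered.
    Public Shared Function LoadVerified(ByVal url As String) As [Assembly]
        Dim client As New WebClient
        Dim raw As Byte() = client.DownloadData(url)

        Dim hasher As New SHA256Managed
        Dim digest As Byte() = hasher.ComputeHash(raw)
        ' BitConverter gives "AB-CD-..."; strip the dashes for comparison
        Dim actual As String = BitConverter.ToString(digest).Replace("-", "").ToLower()

        If actual <> ExpectedSha256.ToLower() Then
            Throw New SecurityException( _
                "Downloaded assembly does not match the expected hash: " & actual)
        End If

        ' Load from the verified bytes rather than straight from the URL,
        ' so the bytes that were checked are the bytes that get loaded.
        Return [Assembly].Load(raw)
    End Function

    ' Same job as the loader in the text: create the form and show it
    Public Shared Sub ShowRemoteForm(ByVal url As String, ByVal typeName As String)
        Dim asm As [Assembly] = LoadVerified(url)
        Dim frm As Form = CType(asm.CreateInstance(typeName), Form)
        frm.Show()
    End Sub
End Class

' Usage from Sub Main or a menu handler (placeholder address and type name):
' VerifiedLoader.ShowRemoteForm("http://address/app.exe", "YourAssemblyNamespace.Form1")
```

Two things to keep in mind with this variant. Because the assembly is loaded from a byte array rather than with LoadFrom, .NET will not go back to the Web server for assemblies it references; either keep the remotely loaded part to a single assembly, or handle AppDomain.CurrentDomain.AssemblyResolve and apply the same download-and-verify step to each dependency. And the hash check has to be updated every time you publish a new build, which is exactly the point: an assembly swapped on the server by anyone other than you will fail the comparison instead of being run.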
However, it's more than possible that the first solution won't suit you. Perhaps you've created a commercial application that won't be used inside a corporation with a speedy intranet. Rather than downloading a fresh assembly every time a portion of your program is accessed, you simply want it to check for updates over the Web and download the latest version of the whole program, if available.
That's absolutely possible, but slightly more complicated.
But why do more work than you have to? Microsoft has already written its own free .NET application updater component, which has just been released online at www.gotdotnet.com/team/windowsforms/appupdater.aspx. (You'll also find a copy with the downloadable source code for this book.)
The component comes with full source, samples, and a walkthrough. It can easily check for an update, prompt your user to download the upgrade, replace your core assembly, and it even has support for on-demand installation. And hundreds of lines of code to handle all this processing have already been written for you. It's one of my personal favorites and definitely worth checking out.
Well, that's how to automatically update your Windows programs and have the best of both worlds: complete control and no maintenance worries.
Enter stage left: return of the fat client. Hurrah and huzzah!