Protecting your .NET applications

Posted by: Suprotim Agarwal, on 5/11/2010, in Category .NET Framework
Abstract: This article demonstrates how to use Dotfuscator, which ships free with Visual Studio 2010, to protect .NET assemblies and make reverse engineering more difficult.
I have often been asked questions by my readers: How do I obfuscate my application? How do I protect my assemblies from being disassembled? How do I stop my code from being reverse engineered? And so on.
The answer to all these questions is Obfuscation. One thing to remember is that Obfuscation does not guarantee that your code cannot be reverse engineered. It makes the process of reverse engineering harder.
Note: There are a couple of free and paid obfuscator tools in the market. How efficient an Obfuscator tool is, also depends on the complexity of your code. Before investing money in such a tool, make sure you invest time in trying out these products and test their efficiency.
Dotfuscator is a third-party tool from PreEmptive Solutions that obfuscates .NET applications and ships free with Visual Studio 2010. To use this tool, launch Visual Studio 2010 and go to Tools > Dotfuscator Software Services.
If you are using this tool for the first time, you will be presented with a License agreement. After accepting the license agreement, you can also register this product to get access to free updates and online support.
On the Dotfuscator UI, right-click the project, click ‘Add Assemblies’ and add an assembly from the project you have created.
[Screenshot: Dotfuscator]
Note: If you observe, options like Control Flow, String Encryption, Removal, Linking and PreMark are grayed out. That is because they are available in the Professional edition. The Instrumentation option is available but you have to manually enable it.
Once the assembly is selected, press ‘Ctrl + B’ or go to Build > Build Project.
Click on the Results tab and expand the root tree and the sub-trees. The blue diamond-shaped icons indicate renamed methods and fields.
[Screenshot: renamed methods and fields]
Once the obfuscation process is completed, you can examine the obfuscated assembly using ILDASM. ILDASM is a disassembler utility which comes with the .NET Framework SDK and lets you disassemble .NET assemblies into IL Assembly Language statements. To start ILDASM, go to the Visual Studio Command Prompt and type ildasm, then select the assembly to browse. Here’s a comparison of the same assembly before and after obfuscation:
[Screenshot: the assembly in ILDASM before and after obfuscation]
Note: The obfuscated assembly is created in the Dotfuscated folder.
Observe how the method and property names are obfuscated. The obfuscated version makes it difficult to understand what a method or property is doing. You can even open a method to view the IL code. Here’s a comparison of the IL before and after the obfuscation:
[Screenshot: IL comparison before and after obfuscation]
As you can observe, Dotfuscator renamed the methods and properties and made it difficult to find out the purpose of each method using a disassembler. You can also explore the different Configuration Options to control the renaming of members or to exclude members you do not want to obfuscate. 
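One way to check what the renaming actually hid, as an added example that is not part of the original article or of Dotfuscator: it compares two ILDASM text dumps and lists the type names, method names and string literals that are still readable after obfuscation. The dumps, member names and connection string are constructed for illustration, and the regular expressions are a simplification of ILDASM's output format.

```python
import re

# Simplified patterns for ILDASM text dumps (e.g. `ildasm App.exe /out=before.il`).
PATTERNS = {
    "type": re.compile(r"^\s*\.class\b[^\n]*?([\w.$]+)\s*$", re.M),
    # The method name is the token right before the parameter list; ILDASM wraps the header.
    "method": re.compile(r"\.method\b[^(]*?([\w.$]+)\s*\("),
    "string": re.compile(r'\bldstr\s+"((?:[^"\\]|\\.)*)"'),
}

# Constructed dumps for illustration; not taken from the article's assembly.
BEFORE_IL = r'''
.class public auto ansi beforefieldinit Billing.Invoice
       extends [mscorlib]System.Object
{
  .method public hidebysig instance int32
          CalculateTotal(int32 qty) cil managed
  {
    ldstr      "Server=db01;User=billing"
    ret
  }
  .method private hidebysig instance void
          ApplyDiscount() cil managed
  { ret }
  .method public hidebysig instance string
          GetVersion() cil managed
  { ret }
  .method public hidebysig specialname rtspecialname instance void
          .ctor() cil managed
  { ret }
}
'''
# Model the renamed output: GetVersion stands in for a member excluded from renaming.
AFTER_IL = (BEFORE_IL.replace("Billing.Invoice", "a")
            .replace("CalculateTotal", "a")
            .replace("ApplyDiscount", "b"))

def members(il):
    """Return the sets of type names, method names and ldstr literals in an IL dump."""
    return {kind: set(rx.findall(il)) for kind, rx in PATTERNS.items()}

def survivors(before_il, after_il):
    """Names and literals from the original dump that are still present after obfuscation."""
    b, a = members(before_il), members(after_il)
    return {kind: sorted(n for n in b[kind] & a[kind] if not n.startswith("."))
            for kind in b}  # names starting with "." (.ctor, .cctor) are runtime-reserved

if __name__ == "__main__":
    print(survivors(BEFORE_IL, AFTER_IL))
```

Renaming leaves `ldstr` literals untouched, and String Encryption is one of the options greyed out in the free edition, so anything sensitive stored in a string stays readable in the output assembly.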
I hope this article was useful and I thank you for viewing it.
Suprotim Agarwal, ASP.NET Architecture MVP, MCSD, MCAD, MCDBA, MCSE, is the CEO of A2Z Knowledge Visuals Pvt. He primarily works as an Architect Consultant and provides consultancy on how to design and develop .NET centric database solutions.

Suprotim is the founder and primary contributor to DotNetCurry, SQLServerCurry and DevCurry. He has also written an EBook 51 Recipes using jQuery with ASP.NET Controls.

Follow him on twitter @suprotimagarwal




User Feedback
Comment posted by sebastian on Tuesday, May 11, 2010 1:23 PM
This is a good intro to obfuscation in vs2010 - but the really ground-breaking aspect of the Community Edition (CE) in VS2010 is the instrumentation, tamper, and shelf life functionality (this is all new in vs2010 versus vs2003-vs2008 where CE can also be found). For a MSFT video tutorial on the new functionality, visit http://msdn.microsoft.com/en-us/vbasic/ff608195.aspx
Comment posted by Martin Mararikulam on Friday, May 14, 2010 3:57 AM
How can I protect my asp.net website project (not web application)? Could you please provide a detailed answer?
Comment posted by roei bar on Saturday, May 15, 2010 10:56 AM
This is a nice article, only problem with obfuscation is that it's meant to be broken.
Once you try to protect something, you will just make somebody angry enough to build the deobfuscation tool.
Sometimes the best defence is a weak defence, one such that won't be believed to protect a good app.
about ASP.Net website, there are many ways to defend it, you can read this amazing article on how to

http://en.csharp-online.net/ASP.NET_Security_Hacks

you can use antiXSS library to secure client calls to your server.
and many more.
Comment posted by Brandon Zandec on Tuesday, May 18, 2010 12:19 PM
Nice article! I completely agree when you say "How efficient an Obfuscator tool is, also depends on the complexity of your code. Before investing money in such a tool, make sure you invest time in trying out these products and test their efficiency". I will try Dotfuscator this weekend and share my thoughts here.
Comment posted by Amy Nai on Thursday, May 20, 2010 10:34 PM
I had no idea such a product exists. Thanks for the intro.
Comment posted by Pushkar on Wednesday, February 2, 2011 3:32 AM
Hello Big-Brother !!
Thanks for posting nice articles and double thanks for ASP.Net security article.

I completely agree with you for third party <paid> tool "Dotfuscator" but can you assist us for <free> "Eazfuscator.NET" [http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx] tool ?
Comment posted by Swapna on Friday, September 9, 2011 6:58 AM
Hi.... Can anybody tell me, "How to write our own obfuscation module?". I am interested to write my own obfuscation logic, but, no idea where to start.
Comment posted by dmitriy on Saturday, March 17, 2012 5:12 AM
You can try ILProtector. In this case level of code protection increases manyfold compared to obfuscation.
http://www.vgrsoft.com/en/products/ilp
Comment posted by LogicNP on Tuesday, July 31, 2012 3:06 AM
Good info. Another product which does this (and lots more) is Crypto Obfuscator ( http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm )- it has advanced obfuscations like Method Encryption (hides MSIL code in your methods), string/constant encryption, etc
