Avoid leaking internal function information: How to correctly detect and strip symbols in Windows dl

Time:03-10

I have a .dll file containing some algorithms and I do not want to leak the implementation of those algorithms. Originally I thought it was safe, since in Windows the debug info is in the .pdb. However, I tried to use dumpbin.exe /ALL myfile.dll, and saw tons of my internal function names there, making the attacker's life much easier since he can know the name of each function. It looks like:

Function Table (24926)

           Begin    End      Info      Function Name
...

  00001158 000xxxx0 0xxxx277 008AD830  _ZN4core3ptr102drop_in_place$LT$alloc..vec..Vec$LT$vision_utils_rs..algo..rep..row_detect..core_algo..TextRow$GT$$GT$17h0axxxfa922f149aE.llvm.176520069xxxxxx41370
    Unwind version: 1
    Unwind flags: None
    Size of prologue: 0x0E
    Count of codes: 7
    Unwind codes:
      0E: SAVE_XMM128, register=xmm6 offset=0x20
      09: ALLOC_SMALL, size=0x38
      05: PUSH_NONVOL, register=rbx
      04: PUSH_NONVOL, register=rdi
      03: PUSH_NONVOL, register=rsi
      02: PUSH_NONVOL, register=r14

which is a function in the core algorithm (core_algo folder of my code).

Therefore, I wonder:

  1. How can I remove this function name? The programs using this .dll never call such a _ZN4core3ptr102drop_in_place$LT$alloc..vec..Vec$LT$vision_utils_rs..algo..rep..row_detect..core_algo..TextRow$GT$$GT$17h0axxxfa922f149aE.llvm.176520069xxxxxx41370 function, so removing this function name should be safe.
  2. What else should I do? If I look at dumpbin.exe /ALL myfile.dll and do not see any text containing core_algo (the core algorithm folder of my code), am I safe? Or am I still missing something?

P.S. If you are interested, the DLL is compiled from Rust code; but C code should have similar effects. The Cargo.toml is:

[profile.release]
debug = true

In other words, I do a release build (cargo build --release) but keep the debug information (since I want to upload debug info to Sentry for symbolication). But I want to strip it further before giving it to the end user.

CodePudding user response:

If someone is determined to reverse engineer your program, they will, and there is nothing you can do to stop them. If you take all the symbols out they will still analyze the machine code. If you obfuscate the machine code they will reverse engineer that.

The vast majority of people, on the other hand, do not care how your program works, and will not even notice whether the binary has symbols.

Therefore, any effort put into hardening your program against reverse engineering is wasted effort. Don't worry about it. Concentrate on making the program better at what it actually does, so that people want to give you money for it.

CodePudding user response:

I have found the answer: The DLL is indeed without such information. It is because of a PDB that was hidden somewhere else, which I did not realize. Please see https://stackoverflow.com/a/71422958/4619958 for the full details.
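The check the question asks for ("if I do not see core_algo in the DLL, am I safe?") and the explanation in the accepted answer (the names come from a PDB that the tool located, not from the DLL itself) can be verified directly on the shipped file. The following is an added example, not code from the original post or its answers: a small standard-library Python script that parses the PE headers, reads the CodeView (RSDS) debug-directory record to report which .pdb path the DLL points at, reports whether a COFF symbol table is embedded, and scans the raw bytes for project-specific markers. The marker names (core_algo, vision_utils_rs) are taken from the question; the PDB path, GUID and the minimal PE32+ fixture built by build_sample_pe are constructed for the example and are not a real DLL.

```python
"""Audit a Windows PE (DLL/EXE) for symbol leakage: the embedded PDB path,
any COFF symbol table, and raw occurrences of project-specific names.
Standard library only; offsets follow the PE/COFF specification."""
import struct
import sys

PE_SIG = b"PE\0\0"
IMAGE_DEBUG_TYPE_CODEVIEW = 2   # IMAGE_DEBUG_DIRECTORY.Type for an RSDS record
DEBUG_DIR_INDEX = 6             # IMAGE_DIRECTORY_ENTRY_DEBUG
DEBUG_ENTRY_SIZE = 28           # sizeof(IMAGE_DEBUG_DIRECTORY)


def _parse_headers(data):
    """Return (number_of_coff_symbols, sections, debug_rva, debug_size)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)   # data directories: PE32+ vs PE32
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + DEBUG_DIR_INDEX * 8)
    sections = []
    for i in range(nsec):   # section headers follow the optional header, 40 bytes each
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    return nsym, sections, dbg_rva, dbg_size


def _rva_to_offset(rva, sections):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not in any section")


def find_pdb_reference(data):
    """Return the CodeView (RSDS) record's PDB path, GUID and age, or None.
    This path is what a symbol-aware tool such as dumpbin uses to locate the PDB."""
    _nsym, sections, dbg_rva, dbg_size = _parse_headers(data)
    if dbg_rva == 0:
        return None
    base = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        _c, _ts, _maj, _min, dtype, size, _addr, ptr = struct.unpack_from(
            "<IIHHIIII", data, base + DEBUG_ENTRY_SIZE * i)
        rec = data[ptr:ptr + size]
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and rec[:4] == b"RSDS":
            age = struct.unpack_from("<I", rec, 20)[0]
            path = rec[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
            return {"pdb_path": path, "guid": rec[4:20].hex(), "age": age}
    return None


def audit_dll(data, markers):
    """Summarise what the file alone gives away, without any PDB."""
    nsym, _s, _r, _z = _parse_headers(data)
    return {
        "pdb": find_pdb_reference(data),
        "coff_symbols": nsym,                  # normally 0 for a linked image
        "markers_found": sorted(m.decode() for m in markers if m in data),
    }


def build_sample_pe(pdb_path, extra=b""):
    """Constructed minimal PE32+ with one section holding a debug-directory
    entry and an RSDS record (test fixture for this example, not a real DLL)."""
    cv = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\0"
    sec_rva, sec_raw = 0x1000, 0x200
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(cv), sec_rva + DEBUG_ENTRY_SIZE, sec_raw + DEBUG_ENTRY_SIZE)
    payload = dbg_entry + cv + extra
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + DEBUG_DIR_INDEX * 8, sec_rva, len(dbg_entry))
    sec_hdr = struct.pack("<8sIIII", b".rdata", len(payload), sec_rva, len(payload), sec_raw) + b"\0" * 16
    headers = dos + PE_SIG + coff + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + payload


MARKERS = [b"core_algo", b"vision_utils_rs"]   # folder / crate names from the question

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python audit.py path\to\myfile.dll
        with open(sys.argv[1], "rb") as f:
            print(audit_dll(f.read(), MARKERS))
    else:                                       # offline demo on the constructed fixture
        clean = build_sample_pe(b"C:\\build\\myfile.pdb")
        leaky = build_sample_pe(b"C:\\build\\myfile.pdb", b"vision_utils_rs::core_algo::TextRow\0")
        print(audit_dll(clean, MARKERS))
        print(audit_dll(leaky, MARKERS))
```

Run it against the real DLL to see three things at once: the PDB path the binary advertises (if dumpbin or a debugger can reach that file, or finds it via a symbol path, every function name comes back regardless of what the DLL contains), whether the linker left a COFF symbol table in the image, and whether any of your own module or folder names survive as plain strings (Rust panic messages and type names often do, even in release builds). An empty markers list and no reachable PDB is the state the question is after.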
