Anti Dump
Protection ID: anti_dump
This protection avoids the possibility of performing a memory dump on your application.
This protection is available in the editions:
Team Scale Enterprise
How It Works
Anti-dump protection prevents attackers from using memory dumping tools to extract your application's code and data from memory. When an application is running, its compiled code and data reside in memory in a more accessible format than when stored on disk. Memory dumping tools can capture this information, potentially exposing your intellectual property.
This protection employs various techniques to prevent memory dumps, including encrypting parts of the code in memory, overriding certain Windows APIs related to dumping processes, and implementing runtime checks to detect dumping attempts. By applying these techniques, your application becomes significantly more resistant to memory dumping attacks.
Parameters
This protection has no parameters or settings.
Rules configuration
shield.config.json
{
"protections": {
"anti_dump": {}
}
}
Modes
- Default: It prevents confidential data from being downloaded from memory and is responsible for sealing parts of the code in memory in encrypted form.
Code Example
This protection operates at the assembly level and doesn't require specific code changes. The protection works behind the scenes to prevent memory dumps.
- Protection behavior when a dump is attempted:
When a memory dumping tool tries to capture your application's memory, depending on the protection mode:
- The dumping attempt may fail
- The dumped memory may contain encrypted/corrupted data
- The application may detect the dump attempt and terminate
Exclusions
- Exclude with attribute
Include this attribute in your source code:
[Obfuscation(Exclude = false, Feature = "-anti_dump")]
- Exclude from the interface
You can exclude this protection from methods or classes you want using the Shield configuration interface.
When to Use
Anti-dump protection is most effective when:
- Windows applications: This protection is primarily designed for applications running on Windows where memory dumping tools are commonly available
- License validation: Applications with licensing mechanisms that need to be protected from memory analysis
- Sensitive algorithms: Applications containing proprietary algorithms that should not be extracted
- Secret key storage: Applications that temporarily store encryption keys or other secrets in memory
Use caution or avoid anti-dump protection when:
- Cross-platform applications: The protection is most effective on Windows and may have limited benefits on other platforms
- Mobile applications: Mobile platforms typically have different security models where this protection might be less relevant
- Web applications: Server-side code running in a controlled environment may not need this protection
- Diagnostic scenarios: During development or when diagnosing issues, you may need to disable this protection temporarily
Anti-dump protection is particularly useful for desktop applications running on Windows that contain sensitive intellectual property. While it provides good protection against common memory dumping tools, be aware that it's most effective on Windows platforms.
Compatibility
| Framework | Compatibility | Comments |
|---|---|---|
| .NET Core | ✔ | Automatic adaptations of compatibility according to operating system |
| .NET Framework | ✔ | |
| .NET (up to 8 version) | ✔ | Automatic adaptations of compatibility according to operating system |
| .NET Standard | ✔ | Automatic adaptations of compatibility according to operating system |
| Xamarin IOS | ❌ | Not usually necessary |
| Xamarin Android | ❌ | Not usually necessary |
| Xamarin MacOs | ❌ | Not usually necessary |
| WPF | ✔ | |
| Blazor | ✔ | |
| .NET Maui | ✔ | |
| Unity | ✔ | |
| ASP | ✔ | |
| Silverlight | ✔ | |
| VBa (Visual Basic) or C# (CSharp) | ✔ | |
| WinRT | ✔ |
Shield is compatible with all versions of .NET. It automatically adapts to your specific framework, whether you're using .NET 2.0, .NET 4.7, .NET Core 2.1, or Xamarin.Forms 5.0.