Custom Protection Configuration
The content of this article is also available as a video tutorial.
Custom protections with msbuild (3 min)
Advanced Protection Configuration
While Shield's predefined presets (maximum, balance, optimization) work well for most scenarios, you may want to customize exactly which protections are applied to your application. This guide explains how to configure custom protections in your shield.config.json file.
Setting Up Custom Protections
To use custom protections:
- Set the Preset property to "custom"
- Add a Protections object that defines which protections to apply
{
  "Name": "My Custom Protection",
  "Preset": "custom",
  "ProjectToken": "<your-project-token-here>",
  "Protections": {
    // Your protection configurations will go here
  }
}
Adding Protections
Each protection is identified by its unique ID (not its display name). To enable a protection, add it to the Protections object:
"Protections": {
  "anti_debug": {},
  "rename": {},
  "control_flow_advance": {}
}
You can enable a protection with an empty object {} or null to use its default settings:
"Protections": {
  "anti_debug": {}, // Using empty object
  "anti_dump": null // Using null - both approaches work the same
}
Configuring Protection Parameters
Many protections have additional parameters that can be configured. For example, the rename protection has options for which elements to rename and how:
"Protections": {
  "rename": {
    "rename_public": true,
    "rename_arguments": false,
    "mode": "letters"
  },
  "control_flow_advance": {
    "invalid_code": false
  }
}
Finding Protection IDs and Parameters
You can find all available protections, their IDs, and configurable parameters in the Shield Protections documentation.
Here are some commonly used protections:
Protection ID | Description | Key Parameters |
---|---|---|
anti_ildasm | Blocks IL disassemblers | None |
anti_debug | Prevents debuggers from attaching | None |
rename | Obfuscates names of types and members | rename_public, mode |
control_flow_advance | Obscures execution flow | invalid_code |
constants_protection | Encrypts string constants | None |
constants_mutation | Disintegrates constants into operations | operations |
Complete Example
Here's a complete example of a custom protection configuration:
{
  "Name": "Production Security Configuration",
  "Preset": "custom",
  "ProjectToken": "<your-project-token-here>",
  "ProtectionSecret": "my-secret-key",
  "Enabled": true,
  "RunConfiguration": "Release",
  "Protections": {
    "anti_debug": {},
    "anti_dump": {},
    "anti_ildasm": {},
    "rename": {
      "rename_public": true,
      "rename_arguments": true,
      "rename_xaml": false,
      "mode": "letters"
    },
    "control_flow_advance": {
      "invalid_code": false
    },
    "constants_protection": {},
    "resources": {
      "compress": true,
      "encrypt": true
    }
  }
}
Protection Combinations
For optimal security, we recommend using combinations of protections that address different attack vectors:
- Core Security: anti_debug, anti_dump, anti_ildasm
- Code Obfuscation: rename, control_flow_advance, constants_protection
- Resource Protection: resources, invalid_metadata
Start with fewer protections and test your application thoroughly. Some protections may require specific adjustments for certain applications.
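A pre-build check for the rules on this page, as an added example (not part of the original article or of Shield's own tooling): it flags keys that are not protection IDs, parameters not listed here, and recommended groups with nothing enabled. The function name and the KNOWN and GROUPS tables are assumptions built only from the IDs shown on this page, and the file is assumed to be plain JSON without // comments.

```python
import json

# IDs and parameters taken from this page only (assumption: not the full list);
# extend both tables from the Shield Protections documentation.
KNOWN = {
    "anti_ildasm": set(), "anti_debug": set(), "anti_dump": set(),
    "rename": {"rename_public", "rename_arguments", "rename_xaml", "mode"},
    "control_flow_advance": {"invalid_code"},
    "constants_protection": set(), "constants_mutation": {"operations"},
    "resources": {"compress", "encrypt"}, "invalid_metadata": set(),
}
GROUPS = {  # the combinations recommended on this page
    "Core Security": {"anti_debug", "anti_dump", "anti_ildasm"},
    "Code Obfuscation": {"rename", "control_flow_advance", "constants_protection"},
    "Resource Protection": {"resources", "invalid_metadata"},
}

def lint_shield_config(text):
    """Return a list of findings for the text of a shield.config.json file."""
    cfg = json.loads(text)
    protections = cfg.get("Protections")
    if cfg.get("Preset") != "custom" or not isinstance(protections, dict):
        return ['Preset must be "custom" and Protections must be an object']
    findings = []
    for pid, params in protections.items():
        if pid not in KNOWN:
            findings.append(f"unknown protection ID: {pid!r}")
        elif params is not None and not isinstance(params, dict):
            findings.append(f"{pid}: value must be an object or null")
        else:
            for name in sorted(set(params or {}) - KNOWN[pid]):
                findings.append(f"{pid}: unknown parameter {name!r}")
    for group, ids in GROUPS.items():
        if ids.isdisjoint(protections):
            findings.append(f"no protection enabled from group: {group}")
    return findings

# Constructed sample: display name as key, misspelled parameter, missing groups.
SAMPLE = """{
  "Preset": "custom",
  "Protections": {
    "Anti Debug": {},
    "rename": {"rename_public": true, "rename_argument": false},
    "control_flow_advance": null
  }
}"""

if __name__ == "__main__":
    for finding in lint_shield_config(SAMPLE):
        print("WARN:", finding)
```

Because "Anti Debug" is a display name rather than an ID, the sample also ends up with nothing enabled from the Core Security group, which the group check reports separately.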
Next Steps
Now that you've configured your custom protections, you can:
- Test your application to ensure it works correctly with the applied protections
- Configure exclusion rules to exclude specific parts of your code from protection
- Set up signed assemblies if your application uses strong-name signing