Alter Embedded File

Questions about using NeoBook's scripting language

Moderator: Neosoft Support

Postby omid020 » Mon Sep 07, 2009 7:51 am

Is it possible for an application to alter the content of an embedded file at run time? And have that change span application close.

Using NeoBookDB v2.3d plug in; I've created an app with two encrypted db files.

One contains user data, the other contains multiple passwords that unlock the application.

Instead of hard coding an encryption number for the databases, I'm using a hpwUtilities '.ini' file to hold it. The .ini file is embedded in the app at compilation.

When the app runs, it extracts the .ini file and uses the encryption code. The app removes the .ini file at close.

I want that embedded .ini file to be changed by the application at run time so it can create a new code if it detects that it has to create new db files.

And if someone does some file swapping it will fail due to incorrect encryption code.

Is this possible?
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby Neosoft Support » Mon Sep 07, 2009 10:38 am

Unfortunately, Windows will not allow a running exe file to be modified, so it's not possible to do what you are proposing.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby HPW » Mon Sep 07, 2009 10:40 am

Is it possible for an application to alter the content of an embedded file at run time?


No. I think not.
Hans-Peter
HPW
 
Posts: 2520
Joined: Fri Apr 01, 2005 11:24 pm
Location: Germany

Postby omid020 » Mon Sep 07, 2009 3:19 pm

No. I think not.


This app is intended to run from a flash drive.

Is there a way that I can have the program create a new .ini file and place a new encryption code in the file and then set the file to be hidden? To remain in the same directory as the app.

This would not be as secure as the previous suggestion, but it would do almost as good.
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby Neosoft Support » Tue Sep 08, 2009 10:20 am

The rtFileSystemMgt plug-in includes actions for reading and writing ini files and string encryption. You could encrypt your encryption code and store it in the ini file, which would be more secure than attempting to hide the file. You can download a trial version of rtFileSystemMgt below:

http://www.neosoftware.com/neobook/modu ... =16&lid=43
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5603
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby Gaev » Tue Sep 08, 2009 11:04 am

You can use NeoBookDBPro ... to store both the dbf/dbt files and the ini file ... in an encrypted Access Database ... each file stored as a Picture field.

At run time, you can extract all the files ... and after you make changes, you store them back inside the encrypted Access Database.

You might even be able to avoid using the ini file if you elected to store the current ini file keys/values as fields in a Table inside the encrypted Access Database ... reading fields directly from a Table inside an encrypted Access Database would be more secure than exposing the ini file contents.
Gaev
 
Posts: 3733
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby omid020 » Tue Sep 08, 2009 7:20 pm

Gaev:
You can use NeoBookDBPro ... to store both the dbf/dbt files and the ini file ... in an encrypted Access Database ... each file stored as a Picture field.

At run time, you can extract all the files ... and after you make changes, you store them back inside the encrypted Access Database.

You might even be able to avoid using the ini file if you elected to store the current ini file keys/values as fields in a Table inside the encrypted Access Database ... reading fields directly from a Table inside an encrypted Access Database would be more secure than exposing the ini file contents.


I came to almost the exact same solution. What this application does is a password / log in vault. It is intended to reside on and launch from a thumb drive. Similar to "Iron Drive".

What I've done is store the encryption string in the name field of the first record of the vault db. This is written just before application close. The code for encryption for this record is hard coded in the app.

When the app launches, it uses the hard code to read this first record. That record is then deleted and the db packed. The encryption string is then parsed and the encryption code is used for the rest of the db. The encryption string is usually about 50 to 80 digits long with the ten or less digits of the real code embedded within.

When launched, the app looks for the two db files. If it finds them, it asks for a password to unlock the vault.

If it finds mismatched files it deletes both files and creates new ones.

If it finds no files it creates new db files, generates a new random encryption key, and asks for a new password. It also asks if you want to extract an autorun.inf file so that any time the thumb drive is inserted into a USB port, the application either auto-runs or auto-plays with run the app as default selection.

The intended user is not for high security environments, they likely will ban the use of thumb drives and might object to the level of security.

It is for lesser secure users who have a lot of different log in / password combinations and have resorted to writing them down and hiding the list.

I'd be happy to see comments on the relative security my solution affords.

Thanks to all who have taken the time to read and comment.

Paul Gourley
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby dpayer » Wed Sep 09, 2009 11:03 am

Paul, I'm curious, are you by chance using this to automate access to a TrueCrypt volume?

http://neosoftware.com/forum/viewtopic.php?t=16822

David Payer
dpayer
 
Posts: 1383
Joined: Mon Apr 11, 2005 5:55 am
Location: Iowa - USA

Postby omid020 » Wed Sep 09, 2009 2:58 pm

dpayer:
Paul, I'm curious, are you by chance using this to automate access to a TrueCrypt volume?


Until your post, I wasn't aware of TrueCrypt.

No, I saw a commercial for IronKey http://www.ironkey.com/ and thought that I could do something like that, perhaps not as secure, perhaps not as fancy, but also not costing $80 bucks.

All it is is two flat databases using the 'lite' db plugin. One contains records comprised of three fields. Name: User: Password. The other is records of one field. Password.

The password db stores valid passwords to unlock the rest of the app.

The databases are encrypted. I create a kind of hash string and embed the encryption code and the means for the app to decrypt the hash string. This string is stored in the name field of the first record of the log in db by doing an insert just before shut down. This first record is encrypted using a static encryption number hard coded in the app. The rest of the db and the password db are encrypted using a generated encryption number.

And I've just added that the hash string is re-generated each time the app opens so that the same string is not used twice.
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby dpayer » Wed Sep 09, 2009 8:00 pm

PaulGourley wrote: No, I saw a commercial for IronKey http://www.ironkey.com/ and thought that I could do something like that, perhaps not as secure, perhaps not as fancy, but also not costing $80 bucks.


Interesting. I was given an IronKey at work. They cost $175 for an 8 gig USB device!

But the process of the IronKey is similar to that of TrueCrypt. When you plug in the device, you see two drives but one is not accessible. This is because you have not "mounted" the drive which is essentially an encrypted file that is then turned into a drive through the software app.

So, it is not simply encrypting a few files, it is storing an entire drive in the form of a single file. The entire drive is not viewable or accessible until you enter your password and it decrypts the file used as a store.

Take a look at TrueCrypt, it will help you understand the mechanisms behind the IronKey.

David P
dpayer
 
Posts: 1383
Joined: Mon Apr 11, 2005 5:55 am
Location: Iowa - USA

Postby omid020 » Wed Sep 09, 2009 8:19 pm

Yep, my app only secures the data contained within the database files not the whole drive.

I'm not sure how secure my methods are; but then again, my target end user is not an IT professional.

I don't expect that a casual computer user will be able to crack it. I'm sure that a pro could. The encryption uses only a 10 digit string to encrypt and I'm sure that there are programs out there that can crack that fairly easily.
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby omid020 » Wed Sep 09, 2009 9:02 pm

If anyone was interested, I'd send them just the .exe and let them tell me how they crack it. I'd love to find out how to improve it. But, you have to ask my permission if you actually want to use it! :D
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am

Postby dpayer » Thu Sep 10, 2009 7:40 am

PaulGourley wrote: I'm not sure how secure my methods are; but then again, my target end user is not an IT professional.


Sounds like an interesting project. Hope it goes well for you. One thing to keep in mind is how to make the data accessible if the program somehow goes south with a new update of Windows.

If you haven't done this already, you may want to include a way to backup files to the computer with a means to access the decrypt key so in case the thumb drive dies, they have the data somewhere safe.

I am impressed with IronKey (but not with the extreme cost). Each USB drive owner has an online account with security protections like that of a bank. If you forget your password, it can be retrieved online. The IronKey will help you download and install updates for the unlocker program. The latest one does its own antivirus scan (independent of your system's scanner) each time you put in the drive.

If you put in the wrong password multiple times, at first it will require you to remove the drive, reinsert and try again. After 10 errors, the entire drive and data are destroyed!!!!!!!! It cannot be reclaimed.

You can drive a tank over these drives and they still work. (see youtube).

So if you can emulate some of this functionality and help people, great. I think it would be an interesting project to put an IronKey-type face on top of TrueCrypt. I think Alberto Meyer's TMStorage is based on something like TrueCrypt.

Good luck!

David P
dpayer
 
Posts: 1383
Joined: Mon Apr 11, 2005 5:55 am
Location: Iowa - USA

Postby omid020 » Thu Sep 10, 2009 5:32 pm

dpayer:
If you haven't done this already, you may want to include a way to backup files to the computer with a means to access the decrypt key so in case the thumb drive dies, they have the data somewhere safe.


Since both database files are encrypted with the same code, back up would be a simple matter of copying both files to another location. Easy feature to add there. Then just place the two files on the same directory with the .exe.

As long as you keep the two files together, they will decrypt because the decrypt code is stored within the vault file.

It is only if you try to thwart the encryption by, say, substituting one vault file and keeping a different password file for which you know the password(s), will the application detect this deception and take appropriate steps.

I have thought of more stringent security measures. However, in light of my intended target user, I feel that they may not be appropriate.

I work in the IT department of a rural hospital. It does have a network, and that network obviously requires a log in.

But, the nurses, doctors and techs that I work with have many more log ins to keep track of. Almost every application that they use has a log in due to patient confidentiality issues. The problem is that each application has a different idea about what a secure log in is made of. They can't use one single log in that will work for every application they use. So, their solution is 1) write down their list of user name and passwords and then hope they don't forget or lose the list. 2) When they do lose it, they either call me to reset or they use someone else's log in. I don't mind resetting passwords, there isn't a huge demand on my time. But the security at this facility leaves much to be desired. I have no illusion that I can create a truly secure application. If one person can think it up, another can crack it.

But, as I've said. I don't think that my average end user will have the expertise to do it. And, at least this way, if they lose the thumb drive, the chances are good that whoever finds it won't be able to crack it either.

Better than a hand written list.
omid020
 
Posts: 9
Joined: Wed Feb 13, 2008 7:16 am
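
Added example, not part of the thread and not NeoBook or plug-in code: the posts above describe storing the database key on the drive under a hard-coded key and detecting a swapped vault/password file pair. This Python sketch shows the same two goals with the key derived from the master password (only a salt and a tag are stored) and an HMAC tag binding both files together; the function names, sample bytes and iteration count are assumptions, and encrypting the files themselves is left to whatever cipher the application uses.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value, tune per device
SALT_LEN = 16

def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into (encryption key, MAC key)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def pair_digest(vault_blob: bytes, pw_blob: bytes) -> bytes:
    """Digest that changes if either file is replaced or the two are exchanged."""
    return hashlib.sha256(hashlib.sha256(vault_blob).digest()
                          + hashlib.sha256(pw_blob).digest()).digest()

def seal_pair(password: str, vault_blob: bytes, pw_blob: bytes) -> bytes:
    """Build the header written at close: fresh salt + tag over both files."""
    salt = secrets.token_bytes(SALT_LEN)
    _, mac_key = derive_keys(password, salt)
    tag = hmac.new(mac_key, pair_digest(vault_blob, pw_blob),
                   hashlib.sha256).digest()
    return salt + tag

def open_pair(password: str, header: bytes, vault_blob: bytes, pw_blob: bytes):
    """Return the 32-byte encryption key, or None on a wrong password
    or a mismatched file pair. Nothing key-like is read from the drive."""
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, pair_digest(vault_blob, pw_blob),
                        hashlib.sha256).digest()
    return enc_key if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    # Constructed sample contents standing in for the two database files.
    vault, pwfile = b"constructed vault bytes", b"constructed password-file bytes"
    header = seal_pair("correct horse", vault, pwfile)
    print(open_pair("correct horse", header, vault, pwfile) is not None)
    print(open_pair("correct horse", header, b"vault from another drive", pwfile))
```

Because the salt is regenerated on every seal, the stored header differs each time the application closes, and a copy of the drive without the master password yields no key material beyond the salt and tag.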

