How to make external prg look for DBF inside calling exe
Message
From
07/10/2015 13:37:12
Walter Meester
Hoogkarspel, Netherlands
 
 
To
07/10/2015 13:29:07
Lutz Scheffler
Lutz Scheffler Software Ingenieurbüro
Dresden, Germany
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows 10
Network:
Windows 2008 Server
Database:
MS SQL Server
Application:
Web
Miscellaneous
Thread ID:
01625594
Message ID:
01625649
Views:
68
>>>>>In several places in our application executable we have hooks that call custom, external, encrypted programs whose names are stored in a table.
>>>>>
>>>>>Recently, a new custom program needed to USE a confidential free table that is included in the executable, and VFP couldn't find it.
>>>>>
>>>>>Is there any way that we can force the external program to look for the table inside the exe file?
>>>>>
>>>>>TIA,
>>>>>
>>>>>Alex
>>>>
>>>>Yes, create a function like DoCmd in your exe, preferably in the main procedure file which is started up at runtime.
>>>>
>>>>
>>>>FUNCTION DoCmd(cCommand)
>>>>
>>>>&cCommand
>>>>ENDFUNC
>>>>
>>>>Then you can call the following from an outside PRG
>>>>
>>>>
>>>>DoCmd("USE MyInternalTable")
>>>>
>>>
>>>In terms of security, this approach is a problem. You can do almost anything from that point.
>>>
>>>DoCmd("DO my.prg") 
>>>
>>>will work too. Instantiate classes? Open forms? Mimic existing stuff into something new? You have full control from that point. See what you can do in terms of compiling and creating at run time. That's huge.
>>>
>>>Never ever do that.
>>>And don't argue nobody knows your structure. This is named security through obscurity.
>>
>>Ehh, sorry, but from a security POV I fail to see what would be the difference in having the possibility to do whatever you like in an outside PRG and exploiting functionality from within the executable. There really is no difference between the two.
>
>If I can access the running program I can address objects? Move the running program into something I'm normally not allowed to? Use the interfaces of the running program?
>My programs have an admin mode. A simple flag somewhere. Turn it on and the program allows things a normal user should not do. The macro could do it.
>I'm not really interested in what one can do. I simply dislike somebody doing it. Maybe somebody has more fantasy?
>
>BTW one doesn't even need a special function for this.
>Some folks open MODI REPO to their customers. A neatly placed sequence of EXECSCRIPT() and _VFP.SETVAR() in a field, calculation, you name it, can do the same. Runs perfectly in the exe's context.

Sorry Lutz, but I do not think you understand how VFP works in this respect. EXECSCRIPT() does not hide public variables or loaded objects or forms. You can still access and use them. Classes that are already loaded into memory can be instantiated with CREATEOBJECT(), and you can dump memory and analyze what variables have been set and used.

Just an EXECSCRIPT() or calling a PRG from outside does not give you any protection on accessing resources from inside the executable. There are many, many ways to get at everything in the executable itself.


Walter,
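
A narrower variant of the DoCmd hook quoted in this thread, as an added example that is not part of any post: the function is compiled into the EXE like DoCmd, but instead of macro-expanding an arbitrary command it opens only tables on a fixed allow-list, read-only. The function name, the second allow-list entry and the alias handling are assumptions; as the reply above says, code running in the EXE's process can still reach loaded objects and variables, so this limits only what the hook itself exposes.

```foxpro
* Added example (not from the thread). Place in the EXE's main procedure file
* so that USE runs in the EXE's context and finds tables built into it.
* "RATES" is a hypothetical placeholder; MyInternalTable is the name used above.
FUNCTION OpenInternalTable(tcName, tcAlias)
    LOCAL lcName, lcAlias, llOk

    * Accept only a character value, never an expression or command string
    IF VARTYPE(tcName) # "C"
        RETURN .F.
    ENDIF
    lcName = UPPER(ALLTRIM(tcName))

    * Fixed allow-list: anything else is refused, including paths and
    * names that carry extra clauses such as "X IN 0 EXCLUSIVE"
    IF NOT INLIST(lcName, "MYINTERNALTABLE", "RATES")
        RETURN .F.
    ENDIF

    * Alias defaults to the table name; a caller-supplied alias must be
    * a plain identifier (letter first, then letters, digits, underscore)
    lcAlias = lcName
    IF VARTYPE(tcAlias) = "C"
        IF NOT EMPTY(tcAlias)
            lcAlias = UPPER(ALLTRIM(tcAlias))
        ENDIF
    ENDIF
    IF NOT ISALPHA(lcAlias) ;
       OR NOT EMPTY(CHRTRAN(lcAlias, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", ""))
        RETURN .F.
    ENDIF

    * Name expressions, not macro substitution: the values can only ever be
    * treated as a table name and an alias, never as a command
    llOk = .F.
    TRY
        USE (lcName) IN 0 AGAIN SHARED NOUPDATE ALIAS (lcAlias)
        llOk = .T.
    CATCH
        llOk = .F.
    ENDTRY
    RETURN llOk
ENDFUNC
```

An external PRG would then call `OpenInternalTable("MyInternalTable")` where the thread's version calls `DoCmd("USE MyInternalTable")`.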