
Comments (5)

mika-f commented on June 18, 2024

Thank you for your feedback.
I will reply to some of the comments.
First of all, keep in mind that some code is not mine (that is, it is generally provided as a C++ library).
For example, assembly.hpp, byte_pattern.cpp, byte_pattern.h, injector.hpp are library code and have not been modified. Therefore, I will refrain from mentioning that part.

> A lot of reinterpret_cast (which many consider bad practice to use)

I didn't know it was bad practice because I'm not a C++ professional. I would like to fix this if possible.
You can also submit patches yourself, if possible.

> Use of unions (even though the code is seemingly in C++17)

I will not mention this because it is an external library as mentioned above.
However, I am personally working to stop relying on these libraries.

> Heaps upon heaps of raw assembly

I also believe that raw assembly should be avoided from a maintainability standpoint, and I am gradually reducing it.

> Someone could replace the DLL with a tainted one, and infect user's systems.

This seems like a word that can be taken in several ways.
For example, regarding the use of DLLs in the context of Blender add-ons, I've seen it in some other add-ons as well, so I don't think it's a problem (as for DLL hijacking, I'm loading it from an absolute path, so unintended DLLs should not be loaded, and assuming the DLL is replaceable, it would be more efficient for an attacker to replace the addon's entry point itself than to replace the DLL).
Next, the same thing can be said about loading code that the user does not know. Some well-known add-ons can be seen calling external processes internally or installing additional libraries. Since they contain implicit code, they are a security risk.
Finally, I agree with you about using C++ code to replace the in-memory code. However, this is also a context that is not a Blender addon, for example, it is a common context in the mod culture in games (for example, Minecraft and Beat Saber add some modifications to the game itself, and the original localization addon is added to the game. in-memory patch).

> Try to integrate this in Blender itself (i.e. add drag and drop to Blender itself without an addon).

This has been done by many developers and users over the years, and has been rejected by the Blender team, so this approach is hopeless. That's why this addon exists.

> Clarify why such malware-like practice is needed, and give warnings to the risks of using this addon

I think this is a good idea.
If you do this, I think it will be the following process, but if you have any opinions, I would be happy if you could add them.

  1. Install the add-on normally
  2. Add the following settings to the add-on settings screen
    1. A detailed description of what this addon is doing
      1. This addon uses C++ DLL code. Please check the DLL publisher and DO NOT replace it.
      2. The C++ DLL hooks calls to certain functions in Blender.exe in order to receive events on drop. This is the desired behavior as Blender itself does not provide any events for drops.
      3. If you disable the add-on, these behaviors are restored.
    2. Read the explanation and agree
  3. Where consent has been obtained, further processing in question

from blender-drag-and-drop.

mika-f commented on June 18, 2024

Hey, @StandingPadAnimations.
Do you have any opinions?


StandingPadAnimations commented on June 18, 2024

Looks fine to me, although I think a warning should be added about sources. Maybe something along the lines of "This addon officially can be downloaded from GitHub"


mika-f commented on June 18, 2024

Thank you for your reply! Surely I should do that too.
Additionally, I would like to provide it for those who can handle SHA256 checksum files to detect tampering.
I'll try to include the corresponding text in the GitHub page (README.md), the documentation site (https://docs.natsuneko.cat), BOOTH (https://natsuneko-vrc.booth.pm/; Japanese marketplace), and the add-on description.

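The thread mentions loading the DLL from an absolute path and publishing SHA256 checksum files to detect tampering. The following is an added example, not part of the original comments and not the add-on's own code: a Python check an add-on could run before handing the DLL to `ctypes`. The file name `hook_example.dll`, the function names, and the `sha256sum`-style checksum format are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_checksum_file(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest
    return entries

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verified_dll_path(addon_dir, dll_name, checksum_text):
    """Return the DLL's absolute path only if its SHA-256 matches the published value."""
    expected = parse_checksum_file(checksum_text).get(dll_name)
    if expected is None:
        raise LookupError(f"no published checksum for {dll_name}")
    base = Path(addon_dir).resolve()
    path = (base / dll_name).resolve()
    if path.parent != base:  # rejects '..' components and symlinks leading elsewhere
        raise PermissionError("DLL must sit directly in the add-on directory")
    if not hmac.compare_digest(sha256_of(path), expected):
        raise PermissionError(f"{path} does not match the published SHA-256")
    return str(path)  # hand this absolute path to ctypes.CDLL(...)

def demo():
    with tempfile.TemporaryDirectory() as d:
        dll = Path(d) / "hook_example.dll"  # hypothetical name, constructed contents
        dll.write_bytes(b"constructed stand-in for the shipped DLL")
        published = hashlib.sha256(dll.read_bytes()).hexdigest() + "  hook_example.dll\n"
        accepted = Path(verified_dll_path(d, "hook_example.dll", published)).is_absolute()
        dll.write_bytes(b"replaced contents")  # simulate a swapped file
        try:
            verified_dll_path(d, "hook_example.dll", published)
            refused = False
        except PermissionError:
            refused = True
        return accepted, refused
```

The check only helps when `checksum_text` comes from a channel other than the add-on archive (for example the release page), since a checksum stored next to the DLL can be replaced along with it. It also does not cover a file swapped between the hash check and the load.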

mika-f commented on June 18, 2024

Supported in 8deef1c

