If you publish your code on the internet then first They will use Google CodeSearch. For example, try looking for "initial catalog":
If They are lucky and They have your binaries then Reflector might help looking for juicy hard coded strings but I believe They will chose to get all the strings using simple tool that ships with Windows, FindStr, in conjunction with ILDASM that ships with .Net SDK or Visual Studio
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
How to get protected?
- Do not hard code sensitive information.
- Use windows authentication whenever possible thus avoiding managing credentials.
- Use platform features to protect sensitive information.
Full how-to index here: http://msdn.microsoft.com/library/en-us/dnpag2/html/SecurityHowTosIndex.asp?frame=true