Protection Against VBA Hacking: Unviewable+

I recently got a call asking me about protecting intellectual property.

Their requirements were simple:

  • They wanted to prevent end-users from viewing or modifying the source code
  • They wanted to distribute their product to as many end-users as possible without risk
  • They’re using VBA and they didn’t want to create a COM add-in in VB6 or .NET

The Recommendations

To do this kind of thing, I suggested that they use the following:

The wonderful thing? Some of these tools are really easy to use and affordable, so there’s very little work you have to do to protect your product.

With an increasing number of new unlocker tools available on the market, how do you keep your source code secure?

Meet the New Kid On The Block

Unviewable+ is a relatively new product, launched after a successful IndieGoGo campaign. It’s a VBA protector tool that works with Excel, Word and PowerPoint files.

Compared to other products, it offers several new methods of protection, which are explained below.

Protection Types

Unviewable+ provides three types of protection:

  • Hidden modules – Standard modules will be hidden (classes and userforms will still be visible). The VBA project won’t be locked, so any module type can be added and saved. Procedures can be called from hidden modules, but VBA code cannot be read from them, even when using the VBA Extensibility library.
  • Unviewable password protected VBA project – Unviewable password protected VBA projects are less secure than the equivalent locked projects, as recovery information has to be maintained within the file.
  • Unviewable locked VBA project – Permanent protection. Locked VBA projects cannot be made visible by the application.

Protection Levels

Unviewable+ provides four levels of protection:

  • VBADiff Compatible – VbaDiff is a must-have source control and code differencing application. This least secure level is offered so that developers can use VbaDiff with unviewable VBA projects.
  • Simple – Similar protection to the previous level, but VBA projects cannot be read by the VbaDiff application.
  • Medium Strength – Ideal setting for beta VBA applications or projects with poor error-handling. Also a good option if the Ultimate protection restrictions conflict with your setup (see below).
  • Ultimate – The most secure unviewable setting, which disables the Debug functionality, prevents public macros from being visible in the list of macros, and prevents running macros via assigned shortcut keys.

The Advantages

The Unviewable+ application meets the following requirements:

  • Unviewable+ maintains the normal file extension of your workbooks, presentations, templates and add-ins.
  • Unviewable+ protected files will not trigger antivirus software to block opening your workbook, presentation, template or add-in.
  • VBA code can still be read by malware analysis scanners and antivirus tools.
  • VBA projects still behave like macro workbooks (in regards to security warnings and trusted locations).
  • The application does not travel with workbooks, presentations, templates or add-ins.
  • The application is not intrusive. No DLLs are loaded on target computers. The protection scheme doesn’t depend on executable code.
  • Compatible with both 32 and 64 bit versions of Office.
  • Has the ability to run from the command-line, which can be useful in automated builds.
  • Available in several languages: Danish, German, Spanish, French, Portuguese, Chinese and English.
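
The claims above that a protected file keeps behaving like a macro workbook and stays readable by scanners can be checked at the package level, independently of what the VBA editor displays. The following is an added example, not code from the original post or from the Unviewable+ vendor: a standard-library Python triage function that lists VBA project parts in an Office Open XML package. The sample package is constructed in memory, and legacy binary formats (.xls, .doc, .ppt) are out of scope.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary signature
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def find_vba_parts(data: bytes) -> list:
    """Return every package part that is declared or named as a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # not an OOXML container
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        declared, default_exts = set(), set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(pkg.read("[Content_Types].xml"))
            for el in root.iter():
                if el.get("ContentType") != VBA_CONTENT_TYPE:
                    continue
                if el.tag == CT_NS + "Override":
                    declared.add(el.get("PartName", "").lstrip("/"))
                elif el.tag == CT_NS + "Default":
                    default_exts.add(el.get("Extension", "").lower())
        hits = []
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower()
            by_type = name in declared or ext in default_exts
            if by_type or name.lower().endswith("vbaproject.bin"):
                with pkg.open(name) as part:
                    head = part.read(8)  # read only the header, not the whole part
                hits.append({"part": name, "declared": by_type,
                             "ole2": head == OLE2_MAGIC})
        return hits

def make_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a workbook package (not a real Excel file)."""
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             + ('<Default Extension="bin" ContentType="%s"/>' % VBA_CONTENT_TYPE if with_macros else "")
             + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 504)
    return buf.getvalue()
```

A hit only shows that a VBA project part is present in the package; reading the code inside it is the job of a dedicated macro analysis tool.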

Disadvantages

  • It may be easier to hack than compiled DLLs.

The Four Steps to Using Unviewable+ to Protect Your Code

In this example I’ll use a HelloWorld.xlsm workbook and protect it with Unviewable+.

Step One: Launch Unviewable+

When you start Unviewable+, you’ll see a ribbon with a few basic options:

Step Two: Open Your File

Now I’ll just browse for my macro-enabled file. I am presented with a choice that says “VBA Project is NOT clean. Do you want to clean it?”. Confirm with Yes to proceed.

The cleaning process is not a part of VBA security. If you’re interested in background information about what happens when you clean a file, here’s a link that explains it in more detail.

Step Three: Save the File

Once you reach this step, you’ll see a lot of different options. Choose the method of protection that’s most suited to your needs.

Once you’re ready to proceed, click on “Protect VBA Project”.

Next, a warning will appear:

Choose Yes to proceed to the next step.

Step Four: Save the File

The last step is pretty simple. You are presented with a summary of results as shown here:

Once you’ve done that, you’re good to go — you can send your file to the end-users.

Summary

The Unviewable+ VBA code protection features are just one of the reasons I strongly recommend Unviewable+. If you want more information, you can read my other product reviews, or give me a call for specific advice.
