VBA project protection in MS Excel

Hello! I am a regular MS Excel user. Not a professional programmer, but has accumulated enough experience to install and bypass the protection of VBA projects.



Disclaimer:



This article describes the types of protection of VBA projects from unauthorized access. Their strengths and weaknesses are ranking.



The purpose of the article is to show the strengths and weaknesses of each type of protection for a VBA project in MS Office.



Demonstration of the developed tools, in the Macro Tools VBA add-on , for removing and installing one or another protection. 



All tools are implemented using standard VBA tools, without using additional libraries. 





Main panel Add-ins Macro Tools VBA



The first type of protection - Regular password



Time to remove: instantly



Disadvantage: quick access to the password-protected VBA module



Standard tool (In VBE: Tools panel -> VBAProject Properties -> Protection ). 



The most easily removable protection. It is easy to find a code on the Internet to remove this protection. 



This protection can be removed with the following tool:





The second type of protection - Project is Unviewable



Time to remove: 10 to 15 minutes (manually)



Disadvantage: access to the source code of the VBA module



One of the most common types of protection. Found in 95% of files with VBA module protection. When you try to open a project, a dialog box opens with the message:  Project is Unviewable.





Most Excel users cannot remove this protection, since it has many variations and nuances; to remove it, you need to have an idea of ​​the internal structure of the Excel file.



This type of protection is based on changing keys:



CMG=«4A488FCC54D054D054D054D0»

DPB=«0B09CE0F8E108E108E»

GC=«CCCE09520B120C120CED»




in the file vbaProject.bin





Briefly how this protection is created



To create this protection, you need to unzip the Excel file. Go to the xl folder in the archive , open the vbaProject.bin file , at the end of the file are our keys, edit the key values ​​to empty, save the file. We translate our archive back into an Excel file. Done! 



This is the simplest version of this protection, but there are many modifications.



Algorithm for removing protection Project is Unviewable.



1) Unzip the experimental file, go to the file  ... \ xl \ _rels \ workbook.xml.rels









2) In the file workbook.xml.rels   we are looking for a line containing the word  vbaProject , usually it looks like this:  /> . In this line, we are interested in the Target key , and its value. The value is the name of the file that contains the VBA project. Sometimes the protector changes the key values ​​to printerSettings.bin. It turns out that the file with the VBA project is disguised as another file.



3) Open the file specified in the Target key for editing , look for the CMG, DPB, GC keys in the file  . And we change any letter in their names to any other, for example: CMC, DPC, CC... When searching, you need to be careful, since the defender can put into the project a form with a signature repeating one of the keys, for example: DPB = "0B09CE0F8E108E108E" . When you change it, the VBA project will be removed from the Excel workbook. We save and close the file.



4) We transfer the archive back to the Excel file.



5) Launch the Excel application, do the following: in the Trust Center -> Macro Options -> Disable all macros without notification . Restart Excel. This operation is needed to block protection, which is sometimes set by the authors of macros. This protection is implemented as follows. In the VBA module " ThisBook”, Procedures are created that respond to the events of opening a book or closing a book. These events usually check for the presence of a password for a VBA project, a ban on saving, and so on.



6) Open the file. If everything is done correctly, then Excel will swear at the incorrect keys that we edited in paragraph 3. Click, yes, until these messages are over and the dialog box closes. 



      If this message does not appear then you have not edited the file that contains the VBA project.





7) Open the VBA project. After all, the VBA project should be available.



8) But sometimes the protection is not removed, then you need to save the file, check that it really was saved! And done again steps 1 to 7. Usually this happens when the file workbook.xml.rels in the key Target   set printerSettings.bin .If preservation, Excel corrects it to a value at vbaProject.bin



This protection can install and remove the tool follows:





The third type of protection - Hidden Module, hidden VBA modules



Time to remove: 15 to 20 minutes (you need an OLE object editor, Structured Storage Viewer, for example.



Disadvantage: access to the VBA module code



A less common type of protection is usually found in combination with Project protection is Unviewable. When this protection is installed, the VBA module is not displayed in the Excel workbook project. You can find out about its existence by analyzing the VBA code (which takes time!) or opening the Excel file in  OpenOffice or LibreOffice (you can also watch the code when protecting Project is Unviewable, but this method does not provide an opportunity to get a working file, without a password). 





View VBA Code in  LibreOffice



Briefly how this protection is created



To create this protection, you need to edit the file with the VBA project - vbaProject.bin  or printerSettings.bin , depending on the settings in the file ... \ xl \ _rels \ workbook.xml.rels . At the end of the file, lines like: Module1 = 32, 32, 635, 330, Z are deleted . With the desired module names.





To remove this protection, you need to restore deleted module records in the vbaProject.bin file .



This protection can be set with the following tool.





The fourth type of protection - code obfuscation



Time to withdraw: unknown, depends on the size of the code and reuse of parts of the code





Obfuscated VBA code



Disadvantage: the need to test the file after obfuscation for operability



An extremely rare type of protection based on changing the VBA source code into an unreadable form for humans. All comments, code formatting are removed, the names of all variables, procedures, functions, modules and other things are renamed. An attacker will never be able to restore the original form of the code, and it will take a lot of time to restore it to a human readable form.  



To de-obfuscate the code, you need to have time, specialized software.



This protection can be set with the following tool.





The fifth type of protection - Porting code to dll



Time to remove: unknown, depends on the programming language and qualifications



Disadvantage: the need for an additional dll file



One of the rarest types of protection. The main idea is to transfer the main code into a separate dll, written in any other programming language. This type of protection is not widespread for the following reason, the need for an Excel file to "drag" an additional file, dll.



To get access to the dll code, you need to have special knowledge.



Conclusion



In conclusion, I want to highlight the uselessness of protections:  Project is Unviewable and Hidden Module which, in essence, do not protect anything. Allows you to view VBA code without modifying the source file in programs such as OpenOffice  or   LibreOffice. So they are removed without any problems.



All Articles