The Problem
By default, VBA code in Excel (or any other MS-Office application) can be accessed by anyone who knows how to open the Visual Basic Editor. In the absence of any password protection, any such user can open and alter VBA code, potentially breaking it. Even worse, a malicious user or macro virus could add code that performs pranks or compromises the security of files and settings on a user's computer.
The Simple - But Ineffective - Solution
Lock your VBA project using a password. Your VBA code will still run, but can only be viewed by a user who knows the correct password. Unfortunately, there are plenty of fairly inexpensive software tools that could recover a lost or forgotten VBE password, no matter its length or complexity, within seconds.
In addition, Excel VBA code can be read directly (without using Excel) by many spreadsheet applications. For more info, please read our article about VBA Passwords.
The Advanced Solution
There is a solution called VBA obfuscation. Obfuscation is a set of techniques that hides the intent of your Excel VBA program without changing its runtime behavior e.g. obfuscated VBA code will run in both 32/64 bit Office 2010/2013 versions, if your original code was designed to do so.
When obfuscation is properly applied, it can increase the protection against hackers by orders of magnitude, while leaving your Excel application intact. Obfuscation is commonly used in .Net and Java environments for years and has been helping companies protect their intellectual property.
If your Excel VBA code shouldn't be exposed globally or if your entire business rests on the intellectual property embodied in your Excel software, then obfuscation of your VBA code becomes a necessity, not a luxury. Excel hackers can steal unique ideas, algorithms, sensitive information such as passwords, SQL queries, etc or crack Add-ins and change workbook functionality.
By default, VBA code in Excel (or any other MS-Office application) can be accessed by anyone who knows how to open the Visual Basic Editor. In the absence of any password protection, any such user can open and alter VBA code, potentially breaking it. Even worse, a malicious user or macro virus could add code that performs pranks or compromises the security of files and settings on a user's computer.
The Simple - But Ineffective - Solution
Lock your VBA project using a password. Your VBA code will still run, but can only be viewed by a user who knows the correct password. Unfortunately, there are plenty of fairly inexpensive software tools that could recover a lost or forgotten VBE password, no matter its length or complexity, within seconds.
In addition, Excel VBA code can be read directly (without using Excel) by many spreadsheet applications. For more info, please read our article about VBA Passwords.
The Advanced Solution
There is a solution called VBA obfuscation. Obfuscation is a set of techniques that hides the intent of your Excel VBA program without changing its runtime behavior e.g. obfuscated VBA code will run in both 32/64 bit Office 2010/2013 versions, if your original code was designed to do so.
When obfuscation is properly applied, it can increase the protection against hackers by orders of magnitude, while leaving your Excel application intact. Obfuscation is commonly used in .Net and Java environments for years and has been helping companies protect their intellectual property.
If your Excel VBA code shouldn't be exposed globally or if your entire business rests on the intellectual property embodied in your Excel software, then obfuscation of your VBA code becomes a necessity, not a luxury. Excel hackers can steal unique ideas, algorithms, sensitive information such as passwords, SQL queries, etc or crack Add-ins and change workbook functionality.
Native VBA code (left) is transformed into obfuscated VBA code (right) using the techniques discussed below
Notable Obfuscation Protection Techniques
Several proven methods to obfuscate VBA can be used, so that it is extremely difficult for a hacker to reverse-engineer your VBA code. Some of the techniques are described below:
1) Removal of comments & indentations
As discussed in our article about VBA Development Best Practices code layout makes not a bit of difference to the computer. A good visual layout of VBA code only helps the developer to infer a significant amount of information about the logical structure of the program. An elementary obfuscation trick is to remove all comments, blank lines, debug statements and indentations.
2) Variable name mangling
A good variable naming convention in software development should convey the type, scope and purpose of the variable with a simple visual inspection of its name. This allows the developer to concentrate on what the code is doing rather than having to figure out how the code is structured.
The VBA Obfuscator renames variables, modules, user-forms, procedure and function names to a garbled human unreadable name. There is absolutely no relation to the original names, which cannot be guessed or derived from the obfuscated names. Without any meaningful names in a VBA project, hackers must spend considerable time to determine the functionality of your code.
3) String Encryption
Plain text strings in VBA can be easily read. Hackers can use strings to understand program logic and to reverse-engineer your VBA code. For example, they could probably do searches for "License" which points them right to the code where license handling is performed with the intent to disable or remove licensing code. Searching for strings is straightforward in VBE. String encryption raises the bar, because only the encrypted (human unreadable) version is shown in your VBA code.
4) Control Flow Obfuscation
Obfuscation of program control flow is a powerful obfuscation technique. It's goal to hide the intent of a sequence of instructions without changing the program logic e.g. splitting code into multiple lines or merging several lines, etc.
5) Tamper protection
Your obfuscated code is protected against modifications. Excel code execution will stop at once, if the code is modified or the VBE password is removed.
6) Declarative obfuscation
Procedures or entire modules (e.g. open source code) can be excluded from obfuscation using custom attributes embedded in your code.
7) Obfuscation with noise injection
A popular obfuscation technique, in particular with data and service requests, is the addition of random noise. Noise can be added in VBA projects as fake comments, procedures or even entire modules in order to create a significant level of confusion for the aspiring hacker.
8) Obfuscation of UserForm controls
Using a unique and sophisticated technique, all obfuscated Excel UserForms appear identical and without controls. However at runtime, UserForms are restored to their original size and populated with controls, exactly as designed by the developer.
A hacker would have to spend considerable time trying to locate the code that corresponds to an Excel form shown only when the program is run. Populating the UserForm with controls and restoring it back to its original size would be a major task too.
1) Removal of comments & indentations
As discussed in our article about VBA Development Best Practices code layout makes not a bit of difference to the computer. A good visual layout of VBA code only helps the developer to infer a significant amount of information about the logical structure of the program. An elementary obfuscation trick is to remove all comments, blank lines, debug statements and indentations.
2) Variable name mangling
A good variable naming convention in software development should convey the type, scope and purpose of the variable with a simple visual inspection of its name. This allows the developer to concentrate on what the code is doing rather than having to figure out how the code is structured.
The VBA Obfuscator renames variables, modules, user-forms, procedure and function names to a garbled human unreadable name. There is absolutely no relation to the original names, which cannot be guessed or derived from the obfuscated names. Without any meaningful names in a VBA project, hackers must spend considerable time to determine the functionality of your code.
3) String Encryption
Plain text strings in VBA can be easily read. Hackers can use strings to understand program logic and to reverse-engineer your VBA code. For example, they could probably do searches for "License" which points them right to the code where license handling is performed with the intent to disable or remove licensing code. Searching for strings is straightforward in VBE. String encryption raises the bar, because only the encrypted (human unreadable) version is shown in your VBA code.
4) Control Flow Obfuscation
Obfuscation of program control flow is a powerful obfuscation technique. It's goal to hide the intent of a sequence of instructions without changing the program logic e.g. splitting code into multiple lines or merging several lines, etc.
5) Tamper protection
Your obfuscated code is protected against modifications. Excel code execution will stop at once, if the code is modified or the VBE password is removed.
6) Declarative obfuscation
Procedures or entire modules (e.g. open source code) can be excluded from obfuscation using custom attributes embedded in your code.
7) Obfuscation with noise injection
A popular obfuscation technique, in particular with data and service requests, is the addition of random noise. Noise can be added in VBA projects as fake comments, procedures or even entire modules in order to create a significant level of confusion for the aspiring hacker.
8) Obfuscation of UserForm controls
Using a unique and sophisticated technique, all obfuscated Excel UserForms appear identical and without controls. However at runtime, UserForms are restored to their original size and populated with controls, exactly as designed by the developer.
A hacker would have to spend considerable time trying to locate the code that corresponds to an Excel form shown only when the program is run. Populating the UserForm with controls and restoring it back to its original size would be a major task too.
All obfuscated Excel UserForms are shown empty in VBE with identical dimensions & garbled names
Conclusion
Obfuscation can be tricky on complex Excel applications. A poorly designed obfuscator can break your application, for example by obfuscating reserved keywords.
Each of the above techniques, which are already proven with .NET & Java assemblies, are on their own quite effective against hackers. When combined together for the obfuscation and code protection of Excel VBA projects, they form an impenetrable shield which is extremely difficult to break.
Until now, competitive Excel locking solutions compiled workbooks to an executable file or required additional runtime libraries to be installed on a client computer. The VBA Obfuscator just hides the intent of your Excel VBA program without changing its runtime behavior. Your obfuscated program will run in any Excel version and in both 32/64 bit Office versions, if your original code does so.
Obfuscator advantages:
Please contact us for any VBA obfuscation, Excel protection or security query.
Each of the above techniques, which are already proven with .NET & Java assemblies, are on their own quite effective against hackers. When combined together for the obfuscation and code protection of Excel VBA projects, they form an impenetrable shield which is extremely difficult to break.
Until now, competitive Excel locking solutions compiled workbooks to an executable file or required additional runtime libraries to be installed on a client computer. The VBA Obfuscator just hides the intent of your Excel VBA program without changing its runtime behavior. Your obfuscated program will run in any Excel version and in both 32/64 bit Office versions, if your original code does so.
Obfuscator advantages:
- Enables Excel VBA developers to deploy workbooks & Addins without exposing the inner workings of source VBA code.
- The complexity, cost and risk from migrating VBA to a different programming language (.NET / VSTO) is eliminated.
- No need to install software (DLLs) in the client computer.
- Temporary code protection is immediately available, when needed. For example, in order to deliver fully functional obfuscated demos to clients, before any binding contracts are signed.
- Limit the functionality of a workbook after a specified period of time. To limit the usable life of a workbook, called 'time-bombing a workbook', please this article.
Please contact us for any VBA obfuscation, Excel protection or security query.
FAQs
Can obfuscated code be reversed, if my VBA source code is lost?
Absolutely not. There is no way to recover your original source code from obfuscated VBA, as all human meaningful information is permanently deleted during the obfuscation process.
Please backup your files before obfuscating your code
Will the VBA obfuscator send output an .EXE file?
Absolutely not! Only the so called 'Excel compilers' output executable files (.exe), which trigger all kinds of virus warnings, when users try to download these files from the web.
Absolutely not. There is no way to recover your original source code from obfuscated VBA, as all human meaningful information is permanently deleted during the obfuscation process.
Please backup your files before obfuscating your code
Will the VBA obfuscator send output an .EXE file?
Absolutely not! Only the so called 'Excel compilers' output executable files (.exe), which trigger all kinds of virus warnings, when users try to download these files from the web.
Links To Our VBA Obfuscator
An elementary obfuscator is available in the:
- VBA RC Toolkit free add-in powered by Ribbon Commander
- VBA Tools add-in bundled with the Unviewable+ VBA application
How To Make VBA Programs More Secure
- Read about Unviewable+ VBA
- Read about Secure++ VBA
