VBA Code Security

[TJ Walls]

Hello All,

I have been reading the newsgroups in earnest, and there doesn't seem to
be a clear answer for this (even dating back to Office 97!).

I am writing a VBA for Excel application and would like to distribute it
openly (thus, I don't care about controling distribution, etc...). But
there is a way I do certain things that I don't want the general public to
see. I am competent in security but still new to Excel and VBA.

I know the trivial answer is the "Lock Project From Viewing" option in
VBE, but I have also read that this password (along with all Excel
internal passwords) are _trivial_ to crack (brute force under an hour on a
modern workstation is trivial to me). The code I'm trying to protect is in
a Workbook that has no purpose except to be a container for the VBA code
which will open the Workbooks that the user can interact with.

So I have two questions I can't seem to sort out from previous posts:

1) What is the best (most secure / easiest to implement) way to supply
code to users in Office Applications while protecting the "high level"
code. Again, I have no problem handing out compiled code. I understand
that anyone who can read Hex can reverse engineer my code, but this level
of security is sufficient for me to slept at night. I am mostly concenered
with keeping out relatively mature script kiddies.

2) From my reading, I think the answer to (1) is to create a DLL (or
EXE?). If so, is this possible with just the Office '97 package? Can
someone please help get me started on how to create / load a DLL from my VBA code?

Thanks,
TJ Walls
Ph.D. Candidate - Dept. of Physics, Stony Brook University

 

[Frank Kabel]

Hi
the most secure way (IMHO) would be to create a COM Addin (e.g. in C++
or any other language) for your high-level code. Not much chaqnce using
VBA for this (it's not an hour it takes about 1-2 minutes to remove the
password)

 

[Bob Phillips]

DLL is the best way to do it, but you won't achieve that with Office 97
(AFAIK). You will need a proper version of VB, or Office 2000 Developers
Edition (and above).

--

HTH

Bob Phillips
... looking out across Poole Harbour to the Purbecks
(remove nothere from the email address if mailing direct)

 

[TJ Walls]

Hi Frank,

While this would be my first solution also (C is my "native" language),
I'm almost done with the VBA stuff ... I'm also not used to Windows(tm)
programming (I was raised on Linux Tcl/Tk and gcc).

I have no idea how to even start compiling(?) this Workbook as a DLL ...

-TJ

 

[Bob Phillips]

As I said, to create DLLs, you need a full VB version, or Office 2000 or
above. Vb also suffers tyhe other difficulty in that it is not VBA, so your
code would need modifying as Excel is not the resident application.

So, I think you have more on your plate than it is worth bothering with. And
really, is your code that good? There are dozens of examples of really good,
quality code given free by the regulars here, and more on various websites,
from good one-liners, to compledx applications (MZTools, ASAP Utilities,
many of Stephen Bullen's offereings etc., etc.). Yours would need to be
very very good to make it worth the effort.

--

HTH

Bob Phillips
... looking out across Poole Harbour to the Purbecks
(remove nothere from the email address if mailing direct)

 

[TJ Walls]

Hi Bob,

So, I think you have more on your plate than it is worth bothering with. And
really, is your code that good? There are dozens of examples of really good,
quality code given free by the regulars here, and more on various websites,

Umm ... I think your misinterpreting here. Please don't take this as "My
code is sooo great I don't want anyone to see it." I'm not saying that my
_code_ is necessarily any good at all. As I said, in VBA, I'm a beginner.
So I would imagine my code is rather ugly / inefficient to a seasoned VB
coder. It's not the code I'm trying to protect at all. There are 2 things
that security will accomplish for me here.

1) I use a couple of algrorithms which are common knowledge, but a view
of my exact implementation would compromise data that I would like to
remain relatively secure.

2) Prevents changes to the code without substantial prying. Again, for
security reasons. I could care less about giving out the shell code for
what I'm doing.

I would hope trying to lock down my code is not seen as a jab to you or
anyone else who gratefully contributes their knowledge to this newsgroup.

-TJ Walls
Ph.D. Candidate - Dept. of Physics, Stony Brook University

 

[Frank Kabel]

Hi
just some comments
1. If you use a secure algorithmn just hiding your implementation would
add 'security by obscurity'. IMHO it's never a good idea to achieve
security by hiding the implementation details
2. I can understand that. But for this a simple password would do to
prevent accidentically changes

If you really need security no way without creating a DLL

 

[Bob Phillips]

TJ,

No it isn't that, even if I were considered touchy, the same could never be
said of the many other fine contributors. But it is a question of
proportionality. When there is so much free data, free information, free
training, and free products on the web, it's a rare product that warrants
locking down.

If it were me ( but I already have full VB, so I would say that wouldn't I),
I would get VB. You should be able to get a cheap(ish) copy on eBay.
Although you could also get a cheap Office 2000, VB is more flexible, more
powerful, and more fun.Your code is much more secure then, as it is a
binary, but you could also get AppSentinel, a fine product that allows you
to issue time-restricted evaluation versions of your code.

--

HTH

Bob Phillips
... looking out across Poole Harbour to the Purbecks
(remove nothere from the email address if mailing direct)

 

[TJ Walls]

Hi
just some comments
1. If you use a secure algorithmn just hiding your implementation would
add 'security by obscurity'. IMHO it's never a good idea to achieve
security by hiding the implementation details

I totally agree ... security by obscurity is aweful. I would not use
what I am doing in the "real" world. The people who will have a chance
to hack away at my program will be at best moderately experienced and
after 6 months wouldn't care about the data anymore anyway, so it should
up I think.

2. I can understand that. But for this a simple password would do to
prevent accidentically changes

Yeah, but I'm giving this to someone who is completely computer
unfriendly and its the intentional changes she wouldn't notice that I'm
worried about.

If you really need security no way without creating a DLL

Cool, a DLL it is. Thanks a lot ..... and the rabbit hole I find myself
in goes deeper.

Sincerely,
-TJ Walls
Ph.D. Candidate - Dept. of Physics, Stony Brook University

 

[Mike Walker]

Hi

VBA Security and lock down is easy to crack, you could if you are that
desperate to lock out viewers use protection within the sheet and your idea
of using a DLL is ok but just as easy, IMHO you are on a losing battle if
someone wishes to look they will do so I think an idea would be to make it
as hard as possible and give another file as a key to the solution to use
this as an unlock code if possible as this would really make it hard to view
all with out several components being in place.

Good luck

Mike Walker
(Reply via NG)

 

[Howard Kaikow]

You would need to purchase VB 6 or Visual Studio 6.
Neither is sold by Microsoft, so there are few vendors still carrying legit
copies of VB 6.
Recently, both www.atomicpark.com and www.vbxtras.com were still selling VB
B6.

You would then re-organize your code to move as much as possible into VB,
using automation from VB to do any needed VBA.
The Excel workbook would then have a minimal amount of code to:

1. Instantiate the class in the DLL.
2. Use a stub that calls into the DLL, where the rest of the code runs.
3. Have wrapper functions for any functions that need to be used in a
spreadsheet.

You would either compile the code with a reference to the earliest version
of Excel you wish to support, or you would use late binding. The latter is
both slower than the former and makes coding more difficult.

 

[Howard Kaikow]

One can always get down to, say, assembler, but using a DLL makes it
impossible to recreate the source.
The idea is to make it more expensive to crack the code. Using a DLL is the
only way.

 

[TJ Walls]

Hi Howard,

Thanks for the links ... it never even occured to me that VB6 would no
longer be sold by Microsoft. I'm almost finished created the product I
want so soon I will be looking into this. I started this whole mess as a
small learning project for me and I'm learning more about VB than I ever
bargained for ...

-TJ

 

[Howard Kaikow]

If you intend to get VB 6, better do it sooner, rather than later.
As legit copies are likely still available from certain vendors.

I would not trust buying a pre-owned copy.

 

[TJ Walls]

Hey Howard,

Just goes to show you how new I am to Windows(tm) programming. I have a
copy of Dev-Studio that I got a long time ago for the C++ compiler to run
some simulations I had written on a windows box ... come to find out that
there is a copy of VB6 in Dev-Studio ... DOH, shoulda guessed it.
My brain is slow sometimes ...

 

[Howard Kaikow]

I'd recommend installing the critter and the updates (SP 6 is the latest.).

 

[TJ Walls]

Hi Howard,

Well, it looks like I just made my plans for the weekend. Thanks a lot
for your replies.

Sinerely,
TJ Walls
Ph.D. Candidate - Dept. of Physics, Stony Brook University