Best Practice--Protect Native applications
Last updated
Last updated
The Native application means the software application which developer build for specific hardware platform and operation system, and it is independent with virtual machine or interpretor when execute. The typical native applications includes:
The PE application of windows system,
The ELF programs (suffix with .so or main program) in Linux/Android system a
The MachO programs (.dylibs or main program) in macOS/iOS system.
Windows
.exe
dll
.sys
Linux/Android(Elf)
.so
.ko
macOS/iOS(MachO)
.dylib
Usually, The native program are developed by C/C++/Objective-C/Swift/Delphi/Go language and running in the PC, Server, mobile client end and IoT or embedding devices. The fundmental to native application's execution is machine instructions based on CPU architecture, for instance, X86 instruction set in PC platform, the ARM instruction set in Android platform, Native apps work with the device's OS in ways that enable them to perform faster and more flexibly than alternative/cross platform applications. If the apps executed in various types of device, then developers need to build a separate app version to each type of device.
The security of native applications, althrough the native program doesn't contained the original functions name, variable name. which bring some of difficulty for decompiliation to native programs. but it is also possible to decompile the native application when cracker use the professional debug and reverse engineering tools without so much effort to those professional attackers. so, for those application which require highly security, it is necessary to protect native project to prevent possible leaking risk.
Here is example to decompile the binary code:
The source code (in Android ARM architecture) :
when you use the decompiler to decompile the binary code (without protection), the result is like this:
Even the vairiable name in the functions missing after decompiled, but it is possible to get the readable code to understand with additional analyzing the symbol table of ELF ( “Executable and Linkable Format), import/export functions, the critical string;
Windows
✔️
✔️
✖️
✖️
Linux
✔️
✔️
✔️
✔️
macOS
✖️
✔️
✖️
✔️
Android
✔️
✔️
✔️
✔️
iOS
N/A
N/A
✖️
✔️
Windows
✔️
✔️
.sys
Linux/Android (ELF)
✔️
✔️
.ko
macOS/iOS (MachO)
✔️
✔️
✖️
ARM linux
✔️
✔️
✖️
Compression
✔️
✔️
✖️
✔️
✖️
Memory Check
✔️
✔️
✔️
✔️
✔️
Import Table Protection
✔️
✖️
✖️
✖️
✖️
Resource section Protection
✔️
N/A
N/A
N/A
N/A
Overlay Data Encryption
✔️
✔️
✔️
✔️
✔️
Debug Detection
✔️
✔️
✔️
✔️
✔️
Virtual Machine Detection
✔️
✖️
✖️
✖️
✖️
Remove debug info
✖️
✔️
✖️
✔️
✖️
Function Option Tab
[E] Code of Encryption
✔️
✔️
✔️
✔️
✔️
[M] Code of Obfuscation
✔️
✔️
✔️
✔️
✔️
[V] Code of Virtualization
✔️
✔️
✔️
✔️
✔️
It is quite easy to use Virbox Protector GUI tool to protect the PE programs. Developer just drag the PE application into Virbox Protector GUI tools, then Virbox Protector will parse the PE application automatically. All of information to PE application will be parsed and shown in the "Basic Info" tab.
Then, Developer may set the protection feature in "Protection Option" and "Functions Option" tabs:
Developer also may use virboxprotector_con.exe
, the Virbox Protector CLI tool to protect your PE apps.
General Protection, refers to protect the project/application in overall, which accomplished by setting the configuration in "Protection Option" tab. With the general protection setting to the application, only minimize negative impact to protected application's performance and easy to set, with anti decompiling, anti tampering and anti debug functionality.
Compression
Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify the argument “pack" with value "1" " --pack=1" More detail info refer the user manual: CLI tool
Compression makes it is possible to pack, compress and encrypt the application's code and related format setting and data (import table, relocation information and part of resource information etc). and then replace the application entry point with packer coding, when the protected application executed, the packer code will decrypt the encrypted code and data, and then jump to original application's entry point (OEP) to execute. With the Compression protection to the applications, it encrypt all of code section and data section (it doesn't encrypt the writable data part for ELF file), to prevent the applications being decompiling and de-assembling.
Memory Check
Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "mem-check" with value "1", "--mem-check=1"; More detail info refer the user manual: CLI tool
Memory Check, to check the application's integrity when load the applications, to prevent application from being tampering, when tampering has been detected, the program will quit execution. For memory check dynamically in runtime, use the "SDK label" to set and called in coding.
Import table protection
Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "imp-protect" with value "1" " --imp-protect=1" More detail info refer the user manual: CLI tool
Import table describes the dependence libs, functions and IAT (Import address table), Hacker may easily view the code logic from import table, With the Import table protection feature, it encrypts the import table, which to prevent the PE file being unpacked and prevent the hacker to view "API reference". See attached The comparison of Import table Protection: Before/after Protection.
Resource Section Encryption
Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "-res-sect-enc"with value "1" " --res-sect-enc=1" More detail info refer the user manual: CLI tool;
The PE application can be embedded with the resources, which store the GUI layout, icon, multilingual string, developer may also embedded some of sensitive data into the application with the type of "resource", The resource located at the "Resource section" of applications (.rsrc section), it is easy to be extracted and tampering. Resource Section Encryption refers the encryption of the PE resource section (.rsrc) to prevent resource data/info being cracked & extracted.
Overlay data encryption
Click ✔️ to select in GUI tool if overlay data existed Enable this option in CLI tool by specify argument "overlay-enc" with value "1" " --overlay-enc=1" More detail info refer the user manual: CLI tool;
Some of archive/Packer tool, such as Audio, video or PPT player, will generate the overlay data (audio/video or database, dbf file) attached, so it is necessary to encrypt the overlay data to prevent these resources (data, video) from extracted or leakage
Debugging detection (Anti Debug)
Select and enable the "Debugging detection" feature to one module for each process only, for example to enable debugging detection to main .exe program only) *: If the module be used to be the SDK which released to third party program to call. then please DO Not to enable this debugging detection feature. Enable debugging detection feature in CLI tool by specify argument "detect-dbg" with value "1"
To detect the debug tool (such as: x64dbg, OllyDbg, IDA Pro, Windbg etc, the protected PE program will exit execution when debugging being detected.
Remove debug information
Recommend to select and enable this feature (Remove the debug information
If developer need to keep and reserve these debug information, pls be awared use the command line option -strip
to remove the debug information before publish and formal released
For ELF file, to some cases, it may contains the debug section, static symbol table, which contains function name, function address etc, it will decrease security when version released, Use "strip" option to remove these "debug information" (remove debug section and static symbol table).
Virtual Machine Detection
Detect if application executed in the "VMware", "Virtual Box" environment
When VM environment has been detected, the protected application will quit execution.
For those developer use Virbox Protector GUI tool and only need to protect Native applications in general and no special security requirement to protect critical functions/methods, it is quite easy for developer to set and modify "Protection Option" tab (Virbox Protector GUI tool) to accomplish general protection to prevent decompiling and memory dump. and no additional complicate configuration setting required.
For Developer use The Virbox Protector CLI tool, they can specify the argument to complete general protection to native language project also. Following protection option setting can be referred and used when developer use the Virbox Protector GUI tool:
Just click to select each options.
The Features in the "Protection Option" is mainly used to prevent the attacker/cracker dynamic analysis: Memory check, Debugger Detection, VM detection etc.
First you can find CLI help in general:
and then you can find help to protect the specific type of application by specify type: "=java" or other types
Find CLI help for native application by:
you can find argument setting in below:
Resource Section:
Import Table (PE):
Original Import table:
![img](Best Practice_Protect Native.assets/imp.png)
Decompile the Import Table (Before Protection)
Decompile the Import Table (After Protection)
Note: With the protection to the Import Table, the original import table has been deleted, the calling among the modules replace with packer code.
Protect the critical Functions/method, fragment of code in fine grain level
Besides of general protection to native applications introduced above, Virbox protector supports developer to specify and protect those critical functions/method, critical code logic with multi level of obfuscation technology. which can be combined & implemented with general protection, to enhance security level of protected native project to prevent from de-assembling, decompiling.
In some cases, the developer intent to design a highly security protection scheme to native applications. such as to protect the license (key) for authentication, encrypt those critical/important algorithm, the process of protocal encapsulation, client/server authentication, those critical code logic,
Then it is recommend to set the Function Option tab to protect those functions/methods with fine-grained protection and highly security , developer will have multiple options to select and protect to those functions/algorithms:
Code of Encryption,
Code of Obfuscation,
Code of Virtualization,
or No protection etc.
Stand from the cracker point of view, the most of critical steps in the decompiling process is locating the the position of sensitive code or string from the thousands of code project. which to get critical code logic, credentials (such as "key", "password") via reverse engineering or modify the code logic to crack the whole project. For example, to analysis protocal, usually, the cracker only require to reverse engineering the communication protocal, encryption/decryption or signing algorithm, and then to crack the protocal and no need to modify the all of programs (which used to create the game cheating program, Unauthorized plugin or fake player and game mod). As to crack or piracy the program functionality, usually, it is necessary to modify/patch/tamper the authentication mechanism (logic) to original program, or edit the authentication data (key)
[E] Code of Encryption
Use "On default" setting (encrypt the entry functions only)
To Encrypt the specified functions.
[M] Code of Obfuscation
No need to select to protect the functions
To obfuscate the selectd functions/methods
[V] Code of Virtualization
No need to select to protect the functions
To virtualise the selected functions/methods
Virbox Protector GUI/CLI tool
Developer may free to use GUI/CLI tool to protect the "functions/methods or code logic", ( For CLI tool, which require developer has basic security knownledge accordingly).
Code of Encryption
Code of Encryption implemented via self-modifying code (SMC), which decrypts itself when the function is called, and then jumps to the correct function instruction for execution. It can prevent the code from being encrypted and execute the original instruction at runtime, so there is almost no performance impact, and it can prevent unpacking and static analysis and decompilation.
Functions Protected by Code of Encryption: Before Protection:
Functions Protected by Code of Encryption: After Protection:
Code of Obfuscation
Codes of Obfuscation, is the transformation process of making applications difficult or impossible to decompile and reverse. and the retrieved and reversed instruction are more difficult for humans to recognize and parse. Code Obfuscation normally be used to protect the algorithm, functions, methods, which significantly to increase the difficulty of understanding or modifying an assembly code..
Following techniques will be used:
Renaming of class/functions/method/variables, equivalent transformation, immediate encryption, dummy code insertion, instruction pattern transformation, false branch, string encryption, etc.
Code of Obfuscation may bring part of negative impact to the application's performance in execution, and most frequently be used to protect:
Critical code logic, and relate functions/method called;
Entrance and characteristic of cryptography library functions (such as AES S-box, ECC curve etc);
Protocol encapsulation process;
Critical function's boundaries;
The purpose & applied for
To prevent the protected function being decompile and readable which to increase the difficulty of parsing/reverse engineering
It can not be retrieved to original instruction, to prevent static and dynamic analysis and debugging
Functions is broken down to random instructions blocks and destroy the function boundary;
Transforms memory accesses and jump instructions, breaking cross-reference analysis by decompiler. Makes functions without instruction traits, preventing them from being targeted by traits.
Obfuscated instructions contain stubs that detect debugger Run Trace traces.
Functions Protected by Code of Obfuscation: Before Protection:
Functions Protected by Code of Obfuscation: After Protection:
Code of Virtualization
Code of Virtualization is the process to convert the instruction sets in the assembly into the random and unique instruction sets generated which only can executed into the Virtual Machine self-defined. This makes the code of a protected algorithm completely bullet-proof and hidden from others. All you need to conceal your precious logic is to apply a special attribute to your methods or classes, you only require to select those function/method and set the protection attribute as "Virtualization"
![img](Best Practice_Protect Native.assets/convert.png)
It will cause negative impact to execution performance of program, so pls do not select "Code virtualization" in large scale, only use it to protect those most of important and critical functions, methods or variable, such as:
The critical algorithm need to protect;
the vairiable/functions which probably be tampered (scuh as authentication logic, etc.)
The functions,method protected by use of "Code of Virtualization"
Before Protection
After Protection
The Security:
Virtualization>Obfuscation>Encryption
The Performance impact to application execution
Virtualization>Obfuscation>Encryption
so, beware to use the "Code of Virtualization" to protect the function/method, only select those critical and important function to protect with "Virtualization".
Virbox Protector also support developer to set and mark a label to the specific code section, which can be precisely to insert the label and protect these code of section. developer also may use the SDK Label function to protect the data or check and verify the memory integrity.
SDK Label support to be integrated and calling by C/C++ program language. you can find the SDK label sample in the <install_dir>/example/sdk
which under the installation directory of Virbox Protector.
Use SDK label to Protect Data, String, Credetial
If the project code contains sensitive string, data, credential, key, certificates, etc, it is recommend to protect these sensitive data by use of SDK label. Developer may use SDK label to set a mark to these data, string, when set the mark to these sensitive string or data, Virbox protector will automatically recognize these label, so, every time when developer use Virbox protector to start the protection process, a random encryption key will be generated which makes and guarantee the encryption result is different.
Memory Check
The "Memory Check" feature (Protection Option tab), when you click and select this feature, it will execute the check the memory when application start to execute. consider the attacker may crack the protected application with take the way to skip the detection with the way of dynamic memory patch. so it is recommend developer may also check the memory by use of the SDK lable to call VBProtectVerifyImage
. and mix the memory check with your code logic together which enhance the memory security.
Virbox protector provide plunin, DSProtector, both GUI tool and CLI tool for developer to protect/encrypt the relevant read only file, such as scripting file, audio/video, image, configuration file, database etc. to prevent these sensitive file from being cracked.
More detail please refer the DSProtector, User Manual.
For the application public released in windows system, pls exclude the symbol table files (.pdb/.map
For the application in Linux/Android environment, It's mandatory to remove the symbol table (click to select to remove the dbg information)
The on default path of CLI tool ofVirbox Protector
: virboxprotector_con
located at:
There are 2 ways to use Virbox Protector CLI tools to build your project:
With the protection configuration file or Without protection configuration file
virboxprotector_con <file_name> -global --username=<user_name> --password= -o <output_filename>
Use the Virbox Protector GUI tool to generate the configuration file first and then use the CLI tool to protect your project WITH the configuration generated previously.
For how to generate the configuration file by use of Virbox GUI, the process is similar to the process to protect the project. More details, pls refer to relate the section of Quick Start Guide to Virbox Protector GUI tool.
then, you can find the .ssp file in: \protected, the sub directory in the output path. then call the CLI tool:
virboxprotector_con.exe with following syntax:
virboxprotector_con
will automatically to search the <input_file>.ssp which to be the configuration file to start the protection.
Use Virbox Protector CLI to protect your project without configuration file (.ssp file)
Use and set the option/argument to Virbox Protector CLI tool to protect your project.
for those developer has rich experience in Virbox Protector protection process, they can use Virbox Protector CLI tool with specified option/argument to protect their project directly.
If no additional option/argument pass in the CLI tool: virboxprotector_con
then it will use the option/argument on default to protect the project. for on default option/argument setting, pls refer CLI user manual. or refer following protection option setting in below
Developer also can use a SDK label to mark those critical function/method, then protect the project.
PE
Compression
--pack=
1
Memory Check
--mem-check=
1
Protect Import Table
--imp-protect=
1
Encrypt Resource Section
--res-sect-enc=
1
Overlay data Encryption
--overlay-enc=
1
Debugging Detection
--detect-dbg=
0
VM Detection
--detect-vm=
0
ELF
Compression
--pack=
1
Memory Check
--mem-check=
1
Debugging Detection
--detect-dbg=
0
Remove symbol table
--strip-dbginfo=
1
MachO
Memo Check
--mem-check=
1
Debugging Detection
--detect-dbg=
0
Ignore the unsupported functions/methods
--ignore-unsupported=<value>
Code of Encryption
-e
Code of Obfuscation
-m
Code of Virtualization
-v
Virbox protector supports developer to specify the function/method name or use "rule" to protect native language projects, which to protect the critical functions/method with different kind of protection options: Code of Encryption, Code of obfuscation (Mutation) and Code of Virtualization.
Use the semicolon: ;
to separate functions, support to use wild card: *
Sample:
-m "function1;function2" -v "function3;function4" -e "test*" --ignore-unsupported=1
Protect the main program in Windows system:
Protect the linux programs:
Protect Linux program (remain the symbol table and generate the release version):
Protect macOS application:
Deassembling/Decompiling) tools ready and developer familiar the basic using and decompiling process. which can be used and evaluated the protection performance.
The correspondence symbol file in the source code program:
Please keep the .pdb/.map file in the source code program before compiling for windows platform;
For linux platform, when developer compile and build the project, please keep the symbol table: compiling option add: -g
No symbol file required to kept when developer use the SDK label to mark the functions (Fragment of code)need to be protected.
IDA Pro (Paid version required): latest version is 8.2 IDA Pro
https://hex-rays.com/ida-pro/
Ghidra (Free & Open source) [Releases · NationalSecurityAgency/ghidra (github.com)](