Best Practice--Protect Native applications

The Native application means the software application which developer build for specific hardware platform and operation system, and it is independent with virtual machine or interpretor when execute. The typical native applications includes:

  • The PE application of windows system,

  • The ELF programs (suffix with .so or main program) in Linux/Android system a

  • The MachO programs (.dylibs or main program) in macOS/iOS system.

Operation SystemMain programDLL/Shared LibraryDriver

Windows

.exe

dll

.sys

Linux/Android(Elf)

.so

.ko

macOS/iOS(MachO)

.dylib

Usually, The native program are developed by C/C++/Objective-C/Swift/Delphi/Go language and running in the PC, Server, mobile client end and IoT or embedding devices. The fundmental to native application's execution is machine instructions based on CPU architecture, for instance, X86 instruction set in PC platform, the ARM instruction set in Android platform, Native apps work with the device's OS in ways that enable them to perform faster and more flexibly than alternative/cross platform applications. If the apps executed in various types of device, then developers need to build a separate app version to each type of device.

The security of native applications, althrough the native program doesn't contained the original functions name, variable name. which bring some of difficulty for decompiliation to native programs. but it is also possible to decompile the native application when cracker use the professional debug and reverse engineering tools without so much effort to those professional attackers. so, for those application which require highly security, it is necessary to protect native project to prevent possible leaking risk.

Here is example to decompile the binary code:

The source code (in Android ARM architecture) :

when you use the decompiler to decompile the binary code (without protection), the result is like this:

Even the vairiable name in the functions missing after decompiled, but it is possible to get the readable code to understand with additional analyzing the symbol table of ELF ( “Executable and Linkable Format), import/export functions, the critical string;

Virbox Protector supports to protect following type of native programs

Architecture & Operation System

Operation Systemx86x64arm32arm64

Windows

✔️

✔️

✖️

✖️

Linux

✔️

✔️

✔️

✔️

macOS

✖️

✔️

✖️

✔️

Android

✔️

✔️

✔️

✔️

iOS

N/A

N/A

✖️

✔️

App/File Type

Operation SystemMain programs protectedDLL(dll,.so, .dylibs)Driver

Windows

✔️

✔️

.sys

Linux/Android (ELF)

✔️

✔️

.ko

macOS/iOS (MachO)

✔️

✔️

✖️

ARM linux

✔️

✔️

✖️

Feature Matrix

Protection Option TabWindowsLinuxmacOSAndroidiOS

Compression

✔️

✔️

✖️

✔️

✖️

Memory Check

✔️

✔️

✔️

✔️

✔️

Import Table Protection

✔️

✖️

✖️

✖️

✖️

Resource section Protection

✔️

N/A

N/A

N/A

N/A

Overlay Data Encryption

✔️

✔️

✔️

✔️

✔️

Debug Detection

✔️

✔️

✔️

✔️

✔️

Virtual Machine Detection

✔️

✖️

✖️

✖️

✖️

Remove debug info

✖️

✔️

✖️

✔️

✖️

Function Option Tab

[E] Code of Encryption

✔️

✔️

✔️

✔️

✔️

[M] Code of Obfuscation

✔️

✔️

✔️

✔️

✔️

[V] Code of Virtualization

✔️

✔️

✔️

✔️

✔️

Best Practice to protect native applications

Virbox Protector GUI tool

It is quite easy to use Virbox Protector GUI tool to protect the PE programs. Developer just drag the PE application into Virbox Protector GUI tools, then Virbox Protector will parse the PE application automatically. All of information to PE application will be parsed and shown in the "Basic Info" tab.

Then, Developer may set the protection feature in "Protection Option" and "Functions Option" tabs:

Virbox Protector CLI tool

Developer also may use virboxprotector_con.exe, the Virbox Protector CLI tool to protect your PE apps.

General protection to Native applications

Setting the configuration in "Protection Option" tab

General Protection, refers to protect the project/application in overall, which accomplished by setting the configuration in "Protection Option" tab. With the general protection setting to the application, only minimize negative impact to protected application's performance and easy to set, with anti decompiling, anti tampering and anti debug functionality.

**Protection Option **

FeatureSettingDescription

Compression

Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify the argument “pack" with value "1" " --pack=1" More detail info refer the user manual: CLI tool

Compression makes it is possible to pack, compress and encrypt the application's code and related format setting and data (import table, relocation information and part of resource information etc). and then replace the application entry point with packer coding, when the protected application executed, the packer code will decrypt the encrypted code and data, and then jump to original application's entry point (OEP) to execute. With the Compression protection to the applications, it encrypt all of code section and data section (it doesn't encrypt the writable data part for ELF file), to prevent the applications being decompiling and de-assembling.

Memory Check

Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "mem-check" with value "1", "--mem-check=1"; More detail info refer the user manual: CLI tool

Memory Check, to check the application's integrity when load the applications, to prevent application from being tampering, when tampering has been detected, the program will quit execution. For memory check dynamically in runtime, use the "SDK label" to set and called in coding.

Import table protection

Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "imp-protect" with value "1" " --imp-protect=1" More detail info refer the user manual: CLI tool

Import table describes the dependence libs, functions and IAT (Import address table), Hacker may easily view the code logic from import table, With the Import table protection feature, it encrypts the import table, which to prevent the PE file being unpacked and prevent the hacker to view "API reference". See attached The comparison of Import table Protection: Before/after Protection.

Resource Section Encryption

Click ✔️ to select in GUI tool; Enable this option in CLI tool by specify argument "-res-sect-enc"with value "1" " --res-sect-enc=1" More detail info refer the user manual: CLI tool;

The PE application can be embedded with the resources, which store the GUI layout, icon, multilingual string, developer may also embedded some of sensitive data into the application with the type of "resource", The resource located at the "Resource section" of applications (.rsrc section), it is easy to be extracted and tampering. Resource Section Encryption refers the encryption of the PE resource section (.rsrc) to prevent resource data/info being cracked & extracted.

Overlay data encryption

Click ✔️ to select in GUI tool if overlay data existed Enable this option in CLI tool by specify argument "overlay-enc" with value "1" " --overlay-enc=1" More detail info refer the user manual: CLI tool;

Some of archive/Packer tool, such as Audio, video or PPT player, will generate the overlay data (audio/video or database, dbf file) attached, so it is necessary to encrypt the overlay data to prevent these resources (data, video) from extracted or leakage

Debugging detection (Anti Debug)

Select and enable the "Debugging detection" feature to one module for each process only, for example to enable debugging detection to main .exe program only) *: If the module be used to be the SDK which released to third party program to call. then please DO Not to enable this debugging detection feature. Enable debugging detection feature in CLI tool by specify argument "detect-dbg" with value "1"

To detect the debug tool (such as: x64dbg, OllyDbg, IDA Pro, Windbg etc, the protected PE program will exit execution when debugging being detected.

Remove debug information

Recommend to select and enable this feature (Remove the debug information If developer need to keep and reserve these debug information, pls be awared use the command line option -strip to remove the debug information before publish and formal released

For ELF file, to some cases, it may contains the debug section, static symbol table, which contains function name, function address etc, it will decrease security when version released, Use "strip" option to remove these "debug information" (remove debug section and static symbol table).

Virtual Machine Detection

Detect if application executed in the "VMware", "Virtual Box" environment

When VM environment has been detected, the protected application will quit execution.

For those developer use Virbox Protector GUI tool and only need to protect Native applications in general and no special security requirement to protect critical functions/methods, it is quite easy for developer to set and modify "Protection Option" tab (Virbox Protector GUI tool) to accomplish general protection to prevent decompiling and memory dump. and no additional complicate configuration setting required.

For Developer use The Virbox Protector CLI tool, they can specify the argument to complete general protection to native language project also. Following protection option setting can be referred and used when developer use the Virbox Protector GUI tool:

General protection setting in Virbox Protector GUI tool as shown in below:

Just click to select each options.

  • The Features in the "Protection Option" is mainly used to prevent the attacker/cracker dynamic analysis: Memory check, Debugger Detection, VM detection etc.

General protection setting in Virbox Protector CLI tool as shown in below:

First you can find CLI help in general:

virboxprotector_con --help

and then you can find help to protect the specific type of application by specify type: "=java" or other types

virboxprotector_con --help=java

Find CLI help for native application by:

virboxprotector_con --help=native

you can find argument setting in below:

  • Resource Section:

Protection Comparison: Before and After

Import Table (PE):

Original Import table:

![img](Best Practice_Protect Native.assets/imp.png)

Decompile the Import Table (Before Protection)

Decompile the Import Table (After Protection)

Note: With the protection to the Import Table, the original import table has been deleted, the calling among the modules replace with packer code.

Protect the native application which require highly security

-- "Functions Option" Setting

Protect the critical Functions/method, fragment of code in fine grain level

Besides of general protection to native applications introduced above, Virbox protector supports developer to specify and protect those critical functions/method, critical code logic with multi level of obfuscation technology. which can be combined & implemented with general protection, to enhance security level of protected native project to prevent from de-assembling, decompiling.

In some cases, the developer intent to design a highly security protection scheme to native applications. such as to protect the license (key) for authentication, encrypt those critical/important algorithm, the process of protocal encapsulation, client/server authentication, those critical code logic,

Then it is recommend to set the Function Option tab to protect those functions/methods with fine-grained protection and highly security , developer will have multiple options to select and protect to those functions/algorithms:

Code of Encryption,

Code of Obfuscation,

Code of Virtualization,

or No protection etc.

Stand from the cracker point of view, the most of critical steps in the decompiling process is locating the the position of sensitive code or string from the thousands of code project. which to get critical code logic, credentials (such as "key", "password") via reverse engineering or modify the code logic to crack the whole project. For example, to analysis protocal, usually, the cracker only require to reverse engineering the communication protocal, encryption/decryption or signing algorithm, and then to crack the protocal and no need to modify the all of programs (which used to create the game cheating program, Unauthorized plugin or fake player and game mod). As to crack or piracy the program functionality, usually, it is necessary to modify/patch/tamper the authentication mechanism (logic) to original program, or edit the authentication data (key)

FeatureSettingDescription

[E] Code of Encryption

Use "On default" setting (encrypt the entry functions only)

To Encrypt the specified functions.

[M] Code of Obfuscation

No need to select to protect the functions

To obfuscate the selectd functions/methods

[V] Code of Virtualization

No need to select to protect the functions

To virtualise the selected functions/methods

Virbox Protector GUI/CLI tool

Developer may free to use GUI/CLI tool to protect the "functions/methods or code logic", ( For CLI tool, which require developer has basic security knownledge accordingly).

Function Option introduction

Code of Encryption

Code of Encryption implemented via self-modifying code (SMC), which decrypts itself when the function is called, and then jumps to the correct function instruction for execution. It can prevent the code from being encrypted and execute the original instruction at runtime, so there is almost no performance impact, and it can prevent unpacking and static analysis and decompilation.

Functions Protected by Code of Encryption: Before Protection:

Functions Protected by Code of Encryption: After Protection:

Code of Obfuscation

Codes of Obfuscation, is the transformation process of making applications difficult or impossible to decompile and reverse. and the retrieved and reversed instruction are more difficult for humans to recognize and parse. Code Obfuscation normally be used to protect the algorithm, functions, methods, which significantly to increase the difficulty of understanding or modifying an assembly code..

Following techniques will be used:

Renaming of class/functions/method/variables, equivalent transformation, immediate encryption, dummy code insertion, instruction pattern transformation, false branch, string encryption, etc.

Code of Obfuscation may bring part of negative impact to the application's performance in execution, and most frequently be used to protect:

  • Critical code logic, and relate functions/method called;

  • Entrance and characteristic of cryptography library functions (such as AES S-box, ECC curve etc);

  • Protocol encapsulation process;

  • Critical function's boundaries;

The purpose & applied for

  • To prevent the protected function being decompile and readable which to increase the difficulty of parsing/reverse engineering

  • It can not be retrieved to original instruction, to prevent static and dynamic analysis and debugging

  • Functions is broken down to random instructions blocks and destroy the function boundary;

  • Transforms memory accesses and jump instructions, breaking cross-reference analysis by decompiler. Makes functions without instruction traits, preventing them from being targeted by traits.

  • Obfuscated instructions contain stubs that detect debugger Run Trace traces.

Functions Protected by Code of Obfuscation: Before Protection:

Functions Protected by Code of Obfuscation: After Protection:

Code of Virtualization

Code of Virtualization is the process to convert the instruction sets in the assembly into the random and unique instruction sets generated which only can executed into the Virtual Machine self-defined. This makes the code of a protected algorithm completely bullet-proof and hidden from others. All you need to conceal your precious logic is to apply a special attribute to your methods or classes, you only require to select those function/method and set the protection attribute as "Virtualization"

![img](Best Practice_Protect Native.assets/convert.png)

It will cause negative impact to execution performance of program, so pls do not select "Code virtualization" in large scale, only use it to protect those most of important and critical functions, methods or variable, such as:

  • The critical algorithm need to protect;

  • the vairiable/functions which probably be tampered (scuh as authentication logic, etc.)

The functions,method protected by use of "Code of Virtualization"

Before Protection

After Protection

The Security:

Virtualization>Obfuscation>Encryption

The Performance impact to application execution

Virtualization>Obfuscation>Encryption

so, beware to use the "Code of Virtualization" to protect the function/method, only select those critical and important function to protect with "Virtualization".

SDK Label to Protect critical code section/functions

Virbox Protector also support developer to set and mark a label to the specific code section, which can be precisely to insert the label and protect these code of section. developer also may use the SDK Label function to protect the data or check and verify the memory integrity.

SDK Label support to be integrated and calling by C/C++ program language. you can find the SDK label sample in the <install_dir>/example/sdk which under the installation directory of Virbox Protector.

Use SDK label to Protect Data, String, Credetial

If the project code contains sensitive string, data, credential, key, certificates, etc, it is recommend to protect these sensitive data by use of SDK label. Developer may use SDK label to set a mark to these data, string, when set the mark to these sensitive string or data, Virbox protector will automatically recognize these label, so, every time when developer use Virbox protector to start the protection process, a random encryption key will be generated which makes and guarantee the encryption result is different.

Memory Check

The "Memory Check" feature (Protection Option tab), when you click and select this feature, it will execute the check the memory when application start to execute. consider the attacker may crack the protected application with take the way to skip the detection with the way of dynamic memory patch. so it is recommend developer may also check the memory by use of the SDK lable to call VBProtectVerifyImage. and mix the memory check with your code logic together which enhance the memory security.

Plugin: DSProtector

Virbox protector provide plunin, DSProtector, both GUI tool and CLI tool for developer to protect/encrypt the relevant read only file, such as scripting file, audio/video, image, configuration file, database etc. to prevent these sensitive file from being cracked.

More detail please refer the DSProtector, User Manual.

Tips to publish the release version

  • For the application public released in windows system, pls exclude the symbol table files (.pdb/.map

  • For the application in Linux/Android environment, It's mandatory to remove the symbol table (click to select to remove the dbg information)

Automatic Integration

Use Virbox Protector CLI tool to integrate to build project

The on default path of CLI tool ofVirbox Protector: virboxprotector_con located at:

Windows:
C:\Program Files\senseshield\Virbox Protector 3\bin

Linux:
/usr/share/virboxprotector/bin

macOS:
/Applications/Virbox Protector 3.app/Contents/MacOS/bin

Use the configuration file to integrate to build project

There are 2 ways to use Virbox Protector CLI tools to build your project:

With the protection configuration file or Without protection configuration file

Login license

virboxprotector_con <file_name> -global --username=<user_name> --password= -o <output_filename>

With Configuration file to integrate and build your project**

Use the Virbox Protector GUI tool to generate the configuration file first and then use the CLI tool to protect your project WITH the configuration generated previously.

For how to generate the configuration file by use of Virbox GUI, the process is similar to the process to protect the project. More details, pls refer to relate the section of Quick Start Guide to Virbox Protector GUI tool.

then, you can find the .ssp file in: \protected, the sub directory in the output path. then call the CLI tool:

virboxprotector_con.exe with following syntax:

virboxprotector_con <input_file> -o <output_file>

virboxprotector_con will automatically to search the <input_file>.ssp which to be the configuration file to start the protection.

Without Configuration file to integrate and build your project

​ Use Virbox Protector CLI to protect your project without configuration file (.ssp file)

Use and set the option/argument to Virbox Protector CLI tool to protect your project.

for those developer has rich experience in Virbox Protector protection process, they can use Virbox Protector CLI tool with specified option/argument to protect their project directly.

If no additional option/argument pass in the CLI tool: virboxprotector_con

then it will use the option/argument on default to protect the project. for on default option/argument setting, pls refer CLI user manual. or refer following protection option setting in below

Developer also can use a SDK label to mark those critical function/method, then protect the project.

Use Command Line Interface to protect Native program projects: Protection Option Setting:

Protection Option

PE

Protection OptionCLI ArgumentOn default value settng

Compression

--pack=

1

Memory Check

--mem-check=

1

Protect Import Table

--imp-protect=

1

Encrypt Resource Section

--res-sect-enc=

1

Overlay data Encryption

--overlay-enc=

1

Debugging Detection

--detect-dbg=

0

VM Detection

--detect-vm=

0

ELF

Protection OptionCLI Argument SettingOn default value

Compression

--pack=

1

Memory Check

--mem-check=

1

Debugging Detection

--detect-dbg=

0

Remove symbol table

--strip-dbginfo=

1

MachO

Protection OptionCLI Argument SettingOn default Value

Memo Check

--mem-check=

1

Debugging Detection

--detect-dbg=

0

Function Option (Protect function/method)

Protection OptionCLI Argument

Ignore the unsupported functions/methods

--ignore-unsupported=<value>

Code of Encryption

-e

Code of Obfuscation

-m

Code of Virtualization

-v

Virbox protector supports developer to specify the function/method name or use "rule" to protect native language projects, which to protect the critical functions/method with different kind of protection options: Code of Encryption, Code of obfuscation (Mutation) and Code of Virtualization.

Use the semicolon: ; to separate functions, support to use wild card: *

Sample:

-m "function1;function2" -v "function3;function4" -e "test*" --ignore-unsupported=1

CLI Sample

Protect the main program in Windows system:

virboxprotector_con test.exe --pack=1 --imp-protect=1 --mem-check=1 --res-sec-enc=1 --detect-dbg=1 -o protected/test.exe

Protect the linux programs:

virboxprotector_con libhello.so --pack=1 --mem-check=1 --detect-dbg=0 -o protected/libhello.so

Protect Linux program (remain the symbol table and generate the release version):

#Generate the version release which contains symbol table for futher analysis.
virboxprotector_con libhello.so --pack=1 --mem-check=1 --strip-dbginfo=0 -o protected/libhello_with_sym.so

#Remove (strip) symbol table to release & publish
virboxprotector_con -strip protected/libhello_with_sym.so -o protected/libhello.so

Protect macOS application:

virboxprotector_con libtest.dylib --detect-dbg=1 --mem-check=1 -e "*" -o protected/libtest.dylib

Appendix: The tools to evaluate security performance

Prerequisation

  1. Deassembling/Decompiling) tools ready and developer familiar the basic using and decompiling process. which can be used and evaluated the protection performance.

  2. The correspondence symbol file in the source code program:

    Please keep the .pdb/.map file in the source code program before compiling for windows platform;

    For linux platform, when developer compile and build the project, please keep the symbol table: compiling option add: -g

    No symbol file required to kept when developer use the SDK label to mark the functions (Fragment of code)need to be protected.

Recommend Static Analysis tool (decompiler) used:

  • IDA Pro (Paid version required): latest version is 8.2 IDA Pro

  • https://hex-rays.com/ida-pro/

    Ghidra (Free & Open source) [Releases · NationalSecurityAgency/ghidra (github.com)](

PreviousProtect the Local desktop applicationNextProtect Jar/War Project with Java BCE Protection Mode

Last updated