Protect PHP project
Introduction
PHP, as one of high level, interpreted scripting program language, which widely and popular be used to develop different kind of projects and application by software developers.
As a interpreted language, the PHP application contains 2 kinds of PHP file: php-cgi.exe, the interpreter and php file: ***.php file, which is source code, which will be called/interpreted by php-cgi.exe when php application executed.
The Mechanism to protect the PHP application:
Using Virbox Protector, to encrypt the php-cgi.exe, the PHP interpreter;
Use the DS Protector, a plug in unit to protect relevant PHP source code: ***.php file;
Depoyment: use the protected (encrypted) php-cgi.exe and encrypted php file to replace original php-cgi.exe and .php when executed.
Protect the PHP code in 3 steps
Protect the php-cgi.exe
by use of Virbox Protector
Protect the .php
file by use of DS protector;
Deployment in different environment
Prerequisites
Apply trial license & download/install Virbox Protector;
PHP application for test/evaluation is ready;
Protection Process
1. Protect the php-cgi.exe by use of Virbox Protector
Open Virbox Protector GUI and import (drag) php-cgi.exe into Virbox Protector.
Go to Virbox Protection directory. find the virboxprotector.exe which located in the \bin sub directory and open it. then drag the php-cgi.exe into the virbox protector.
Set the configuration to "Function Options" and protect the specified functions.
Virbox Protector supports to protect the software application to the specified function's level and provides several protection mode for developer selection to protect the critical functions.
Developer may select the functions contained in the PE file and set the protection mode to specified functions here.
Click "Add Function" button, left click to select the functions which you want to protect, right click to set the protection mode: Virtualization, Obfuscation, Encryption,
Ctrl+A to select “all of Function"
it is not recommend to select "all of Function" to protect, due to execution performance may impacted;
Set the configuration to "Protection Option"
set the Output path, developer may set the output path and file name of protected file;
It is NOT recommend to use same file name with your source file name, otherwise the protected file may replace your source file.
2. Click to select the Protection Options
2.1) Import Table Protection:
To protect and encrypt the "Import table" and hide the API list to protect the functions called from external, it is recommend to click and select this option to enhance the security level;
ℹ️Applied for PE file only;
2.2) Compression:
To compress the file size and prevent the static decompiling
ℹ️If the file size is too small, the compressed file size may not smaller or even bigger than the source file size; and not applicable for .NET file and arx file type
2.3) Memory Check (Verify the code Integrity)
when program executed in memory, The loader of Virbox Protector will check each memory block to ensure the code integrity to prevent tampering, repackaging;
2.4) Resource Section Encryption
Encrypt the Resource Section in the program, and use the license to decrypt when program executed and preventing the resources information being extracted and tampered illegally.
ℹ️Resource Section Encryption applied for local PE program only;
3. ds Plugin Switch on/off
Switch on/off the DS Protector, a plug in unit which used to encrypt/protect the .php file, you need to "switch on" the "ds" button to open "DS Protector"and set the password for protected php file here.
ℹ️Another way to open the DS Protector is go to the \bin subdirectory of Virbox Protector and double click: deprotector.exe to open DS Protector. but you still need to "Switch on" ds button to enable the ds function in Virbox Protector and set the password here.
Click "Protect Selected Project" to start protection process
When you complete the setting to "Function Option" and "Protection Option", Click to the button "Protect Selected Projects
" in the Menu, to start the "Protection" Process. and click "OK" to complete the Protection process.
then you will find 2 new file has been generated in the output path:
php-cgi.exe.ssp, this is the configuration file which save the protection setting; and this file will be used when you use the ds protector to encrypt the .php file later.
php-cgi.ssp.exe, this is the protected php interpreter file.
2. Protect the .php by use of DS Protector
ℹ️Backup your PHP file in advance
Open DS Protector and add the .php file to protect.
Then DS Protector will load the configuration file which generated automatically.
Add file into DS protector, click to "Protect
"
If you open DS Protector later, then you need to add the configuration file manually, and add the .php file also. see following steps attached:
ℹ️ Rename the protected php-cgi.exe to original project name before deployment
3 Deployment in different environment
phpstudy2018 and phpstudy-pro
Rename the protected php-cgi.exe to original file name
Restart the Apache service and start the php-cgi.exe;
XAMPP
For the PHP projects executed in the XAMPP environment, the service use httpd.exe. so the developer who use the XAMPP environment, pls follow the same way in above to protect:
User Virbox Protector to protect the httpd.exe
Use DS Protector to encrypt the php file.
Back up the source project code before protection.
Use the protected htppd.exe and protected php file and restart apache service to execution
wampserver service
The protection process in wampserver is same as other environment.
Developer need to find the location of httpd.exe, using the procmon, the monitoring tool to find the location
Find the httpd.exe location
Then next step will be same as normal protection process
Use Virbox Protector to protect httpd.exe
Use DS Protector to encrypt the php file.
Use protected httpd.exe and encrypted php to replace original PHP project.
Restart service to execution;
IIS service
Start up PHP application via IIS service;
Check and find the PHP process is php-cgi.exe via Control panel--administrator--IIS:
Find the php-cgi.exe in taskmanager.
Then next step will be same as normal protection process
Use Virbox Protector to protect httpd.exe
Use DS Protector to encrypt the php file.
Use protected httpd.exe and encrypted php to replace original PHP project.
Restart service to execution;
Protection process & Deployment in Linux Environment
Apache Service
In this case, we introduce how to protect the PHP project in Linux/Apache environment:
Ubuntu :
Start up Apache service, view service status, find the apache2 service process and PID
Then next step will be same as normal protection process
Use Virbox Protector to protect httpd.exe
Use DS Protector to encrypt the php file.
Use protected httpd.exe and encrypted php to replace original PHP project.
Restart service to execution;
CentOS:
Start Apache service and view service status, to find the httpd service process and PID
Then next step will be same as normal protection process
Use Virbox Protector to protect httpd process;
Use DS Protector to encrypt the php file.
Use protected httpd.exe and encrypted php to replace original PHP project.
Restart service to execution;
ℹ️If you start the DS protector with normal user right, it may failed to encrypt file, use system administrator to encrypt the php resource file.
php-fpm service
PHP project use the nginx service and php-fpm service to execute php project.
Start php-fpm service and view the service status, find the service process and PID
Then next step will be same as normal protection process
Use Virbox Protector to protect php-fpm process;
Use DS Protector to encrypt the php file.
Use protected php-fpm process and encrypted php to replace original PHP project.
Restart service to execution;
ℹ️If you start the DS protector with normal user right, it may failed to encrypt file, use system administrator to encrypt the php resource file.
Last updated