Protect PHP project

Introduction

PHP, as one of high level, interpreted scripting program language, which widely and popular be used to develop different kind of projects and application by software developers.

As a interpreted language, the PHP application contains 2 kinds of PHP file: php-cgi.exe, the interpreter and php file: ***.php file, which is source code, which will be called/interpreted by php-cgi.exe when php application executed.

The Mechanism to protect the PHP application:

  • ​ Using Virbox Protector, to encrypt the php-cgi.exe, the PHP interpreter;

  • ​ Use the DS Protector, a plug in unit to protect relevant PHP source code: ***.php file;

Depoyment: use the protected (encrypted) php-cgi.exe and encrypted php file to replace original php-cgi.exe and .php when executed.

Protect the PHP code in 3 steps

Protect the php-cgi.exe by use of Virbox Protector

Protect the .php file by use of DS protector;

Deployment in different environment

Prerequisites

Apply trial license & download/install Virbox Protector;

PHP application for test/evaluation is ready;

Protection Process

1. Protect the php-cgi.exe by use of Virbox Protector

Open Virbox Protector GUI and import (drag) php-cgi.exe into Virbox Protector.

Go to Virbox Protection directory. find the virboxprotector.exe which located in the \bin sub directory and open it. then drag the php-cgi.exe into the virbox protector.

Set the configuration to "Function Options" and protect the specified functions.

Virbox Protector supports to protect the software application to the specified function's level and provides several protection mode for developer selection to protect the critical functions.

Developer may select the functions contained in the PE file and set the protection mode to specified functions here.

Click "Add Function" button, left click to select the functions which you want to protect, right click to set the protection mode: Virtualization, Obfuscation, Encryption,

Ctrl+A to select “all of Function"

it is not recommend to select "all of Function" to protect, due to execution performance may impacted;

Set the configuration to "Protection Option"

  1. set the Output path, developer may set the output path and file name of protected file;

It is NOT recommend to use same file name with your source file name, otherwise the protected file may replace your source file.

2. Click to select the Protection Options

2.1) Import Table Protection:

To protect and encrypt the "Import table" and hide the API list to protect the functions called from external, it is recommend to click and select this option to enhance the security level;

ℹ️Applied for PE file only;

2.2) Compression:

To compress the file size and prevent the static decompiling

ℹ️If the file size is too small, the compressed file size may not smaller or even bigger than the source file size; and not applicable for .NET file and arx file type

2.3) Memory Check (Verify the code Integrity)

when program executed in memory, The loader of Virbox Protector will check each memory block to ensure the code integrity to prevent tampering, repackaging;

2.4) Resource Section Encryption

Encrypt the Resource Section in the program, and use the license to decrypt when program executed and preventing the resources information being extracted and tampered illegally.

ℹ️Resource Section Encryption applied for local PE program only;

3. ds Plugin Switch on/off

Switch on/off the DS Protector, a plug in unit which used to encrypt/protect the .php file, you need to "switch on" the "ds" button to open "DS Protector"and set the password for protected php file here.

ℹ️Another way to open the DS Protector is go to the \bin subdirectory of Virbox Protector and double click: deprotector.exe to open DS Protector. but you still need to "Switch on" ds button to enable the ds function in Virbox Protector and set the password here.

Click "Protect Selected Project" to start protection process

When you complete the setting to "Function Option" and "Protection Option", Click to the button "Protect Selected Projects" in the Menu, to start the "Protection" Process. and click "OK" to complete the Protection process.

then you will find 2 new file has been generated in the output path:

php-cgi.exe.ssp, this is the configuration file which save the protection setting; and this file will be used when you use the ds protector to encrypt the .php file later.

php-cgi.ssp.exe, this is the protected php interpreter file.

2. Protect the .php by use of DS Protector

ℹ️Backup your PHP file in advance

Open DS Protector and add the .php file to protect.

Then DS Protector will load the configuration file which generated automatically.

Add file into DS protector, click to "Protect"

If you open DS Protector later, then you need to add the configuration file manually, and add the .php file also. see following steps attached:

ℹ️ Rename the protected php-cgi.exe to original project name before deployment

3 Deployment in different environment

phpstudy2018 and phpstudy-pro

Rename the protected php-cgi.exe to original file name

Restart the Apache service and start the php-cgi.exe;

XAMPP

For the PHP projects executed in the XAMPP environment, the service use httpd.exe. so the developer who use the XAMPP environment, pls follow the same way in above to protect:

User Virbox Protector to protect the httpd.exe

Use DS Protector to encrypt the php file.

Back up the source project code before protection.

Use the protected htppd.exe and protected php file and restart apache service to execution

wampserver service

The protection process in wampserver is same as other environment.

Developer need to find the location of httpd.exe, using the procmon, the monitoring tool to find the location

Find the httpd.exe location

Then next step will be same as normal protection process

Use Virbox Protector to protect httpd.exe

Use DS Protector to encrypt the php file.

Use protected httpd.exe and encrypted php to replace original PHP project.

Restart service to execution;

IIS service

Start up PHP application via IIS service;

Check and find the PHP process is php-cgi.exe via Control panel--administrator--IIS:

Find the php-cgi.exe in taskmanager.

Then next step will be same as normal protection process

Use Virbox Protector to protect httpd.exe

Use DS Protector to encrypt the php file.

Use protected httpd.exe and encrypted php to replace original PHP project.

Restart service to execution;

Protection process & Deployment in Linux Environment

Apache Service

In this case, we introduce how to protect the PHP project in Linux/Apache environment:

Ubuntu :

Start up Apache service, view service status, find the apache2 service process and PID

Then next step will be same as normal protection process

Use Virbox Protector to protect httpd.exe

Use DS Protector to encrypt the php file.

Use protected httpd.exe and encrypted php to replace original PHP project.

Restart service to execution;

CentOS:

Start Apache service and view service status, to find the httpd service process and PID

Then next step will be same as normal protection process

Use Virbox Protector to protect httpd process;

Use DS Protector to encrypt the php file.

Use protected httpd.exe and encrypted php to replace original PHP project.

Restart service to execution;

ℹ️If you start the DS protector with normal user right, it may failed to encrypt file, use system administrator to encrypt the php resource file.

php-fpm service

PHP project use the nginx service and php-fpm service to execute php project.

Start php-fpm service and view the service status, find the service process and PID

Then next step will be same as normal protection process

Use Virbox Protector to protect php-fpm process;

Use DS Protector to encrypt the php file.

Use protected php-fpm process and encrypted php to replace original PHP project.

Restart service to execution;

ℹ️If you start the DS protector with normal user right, it may failed to encrypt file, use system administrator to encrypt the php resource file.

Last updated