VBA Project Locked; Project is Unviewable

Author: Carrie Roberts (@OrOneEqualsOne)

You can protect your macro (VBA code) in your MS Office documents from being view-able in the VBA Editor. Most people are aware of the option to password protect your code but this can be bypassed as shown in this blog. There is also a password-less protection option that simply tells the user that the Project is locked and “unviewable” as shown in the image below.

The unviewable option is not able to be set through the MS office application itself, but instead, it needs to be done as a modification to the file after it is saved. This feature is documented as the ProjectProtectionState and ProjectVisibilityState attributes of the PROJECT stream in Office files here.

The ProjectProtectionState and ProjectVisibilityState attributes are encrypted data structures but it turns out that if you set them to something arbitrary, it will protect the document and make it locked/unviewable. If you change only the ProjectVisibilityState it will still show the project structure but not allow viewing of individual code modules. If you change both, you will get the locked/unviewable message immediately upon trying to expand the root of the project and will not be able to see the project structure.

There is a walk through here of how to change your office document to be locked/unviewable, but I would like to provide an automated solution. One major advantage of the automated solution is that it can not only set this protection, it can also remove this protection from any document. I added this feature to Stan Hegt’s (@StanHacked) EvilClippy tool and it can be used as follows.

To set the Locked/Unviewable attributes use the ‘-u’ option:

EvilClippy.exe -u macrofile.doc

To remove the Locked/Unviewable attributes use the ‘-uu’ option:

EvilClippy.exe -uu macrofile.doc

You can remove the Locked/Unviewable attributes on files that were not locked with EvilClippy as well.

Up until this research, the change to make a VBA Project locked/unviewable was said to be irreversible but it turns out that if you simulate a password protected document by setting the ProjectCLSID to all zero’s and use valid values for ProjectProtectionState (CMG), ProjectVisibilityState (GC) and ProjectPassword (DPB) you can undo this protection.

ID={00000000–0000–0000–0000–000000000000}

CMG=CAC866BE34C234C230C630C6
DPB=94963888C84FE54FE5B01B50E59251526FE67A1CC76C84ED0DAD653FD058F324BFD9D38DED37
GC=5E5CF2C27646414741474

Above are values that will undo the protection, but because the MS Office Compound File Binary Format (CFBF) is sensitive to data length changes, your best bet is to let EvilClippy make these changes for you.

Bonus: The EvilCippy ‘-uu’ option also removes any password protection from the VBA Project.