PyProtect-v3 3.0.0__tar.gz → 3.1.0__tar.gz

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: PyProtect-v3
-Version: 3.0.0
+Version: 3.1.0
 Summary: Python script obfuscation library with AES-256-GCM encryption and C extension acceleration
 Author-email: NguyenNgocNam <c.nam020213@gmail.com>
 License-Expression: MIT

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/PyProtect_v3.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: PyProtect-v3
-Version: 3.0.0
+Version: 3.1.0
 Summary: Python script obfuscation library with AES-256-GCM encryption and C extension acceleration
 Author-email: NguyenNgocNam <c.nam020213@gmail.com>
 License-Expression: MIT

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "PyProtect-v3"
-version = "3.0.0"
+version = "3.1.0"
 description = "Python script obfuscation library with AES-256-GCM encryption and C extension acceleration"
 readme = "README.md"
 requires-python = ">=3.8"

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/pyprotect/__main__.py

@@ -15,7 +15,6 @@ def cmd_encrypt(args):
     )
     out_path = obf.encrypt_file(args.input)
     print(f"[+] Encrypted: {args.input} -> {out_path}")
-    _copy_engine(args.output_dir)
 
 
 def cmd_encrypt_dir(args):
@@ -29,7 +28,6 @@ def cmd_encrypt_dir(args):
     print(f"[+] Encrypted {len(out_files)} files from {args.input}")
     for f in out_files:
         print(f"    -> {f}")
-    _copy_engine(args.output_dir)
 
 
 def cmd_build_engine(args):

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/pyprotect/engine.c

@@ -298,6 +298,86 @@ static int deep_anti_debug(void) {
     return detected;
 }
 
+/* ------------------------------------------------------------------ */
+/* Anti-hook — detect debugger trace, profile, suspicious import hooks */
+/* ------------------------------------------------------------------ */
+
+static int deep_anti_hook(void) {
+    int detected = 0;
+    PyObject *sys_mod = PyImport_AddModule("sys");
+    if (!sys_mod) return 0;
+    PyObject *f = PyObject_GetAttrString(sys_mod, "gettrace");
+    if (f) {
+        PyObject *v = PyObject_CallNoArgs(f);
+        if (v && v != Py_None) detected = 1;
+        Py_XDECREF(v); Py_DECREF(f);
+    }
+    f = PyObject_GetAttrString(sys_mod, "getprofile");
+    if (f) {
+        PyObject *v = PyObject_CallNoArgs(f);
+        if (v && v != Py_None) detected = 1;
+        Py_XDECREF(v); Py_DECREF(f);
+    }
+    /* Check meta_path for known hostile importers */
+    PyObject *meta_path = PySys_GetObject("meta_path");
+    if (meta_path && PyList_Check(meta_path)) {
+        Py_ssize_t n = PyList_Size(meta_path);
+        for (Py_ssize_t i = 0; i < n; i++) {
+            PyObject *item = PyList_GetItem(meta_path, i);
+            if (!item) continue;
+            PyObject *name = PyObject_GetAttrString(item, "__class__");
+            if (!name) { PyErr_Clear(); continue; }
+            PyObject *cname = PyObject_GetAttrString(name, "__name__");
+            Py_DECREF(name);
+            if (!cname) { PyErr_Clear(); continue; }
+            const char *s = PyUnicode_AsUTF8(cname);
+            if (s) {
+                if (strstr(s, "Hook") || strstr(s, "Redirect") ||
+                    strstr(s, "Monitor") || strstr(s, "Interceptor") ||
+                    strstr(s, "Tracer") || strstr(s, "Proxy") ||
+                    strstr(s, "Debug") || strstr(s, "Inject")) {
+                    detected = 1;
+                    Py_DECREF(cname);
+                    break;
+                }
+            }
+            Py_DECREF(cname);
+        }
+    }
+    return detected;
+}
+
+/* ------------------------------------------------------------------ */
+/* Anti-decode — block decompilers, profilers, debugger modules        */
+/* ------------------------------------------------------------------ */
+
+static int deep_anti_decode(void) {
+    int detected = 0;
+    PyObject *sys_mod = PyImport_AddModule("sys");
+    if (sys_mod) {
+        PyObject *modules = PyObject_GetAttrString(sys_mod, "modules");
+        if (modules && PyDict_Check(modules)) {
+            const char *sus[] = {
+                "decompyle3","uncompyle6","decompyle","frida",
+                "pyrasite","pydevd","pdb","ipdb",
+                "pyinstrument","cProfile","line_profiler",NULL
+            };
+            for (int i = 0; sus[i]; i++) {
+                PyObject *k = PyUnicode_FromString(sus[i]);
+                if (k) {
+                    if (PyDict_GetItem(modules, k)) { detected = 1; Py_DECREF(k); break; }
+                    Py_DECREF(k);
+                }
+            }
+        }
+        Py_XDECREF(modules);
+    }
+    if (getenv("PYTHONDEVMODE")) detected = 1;
+    if (getenv("PYTHONINSPECT")) detected = 1;
+    if (getenv("PYSEC")) detected = 1;
+    return detected;
+}
+
 /* ------------------------------------------------------------------ */
 /* Memory protection: re-encrypt buffer after use                      */
 /* ------------------------------------------------------------------ */
@@ -382,6 +462,77 @@ static int _decrypt_payload(const uint8_t *data, size_t data_len,
     return 0;
 }
 
+/* ------------------------------------------------------------------ */
+/* Frame evaluation hook — anti-tamper check on every function call    */
+/* We use the CPython 3.11+ internal API to intercept frame evaluation */
+/* ------------------------------------------------------------------ */
+
+/* These are declared in cpython/pystate.h and cpython/ceval.h
+   which are included by Python.h */
+
+static _PyFrameEvalFunction original_eval_frame = NULL;
+static PyInterpreterState *hooked_interp = NULL;
+
+static PyObject* protected_eval_frame(PyThreadState *tstate, struct _PyInterpreterFrame *frame, int throwflag) {
+    if (deep_anti_debug() || deep_anti_hook() || deep_anti_decode()) {
+        PyErr_SetString(PyExc_RuntimeError, "Tamper detected");
+        return NULL;
+    }
+    return _PyEval_EvalFrameDefault(tstate, frame, throwflag);
+}
+
+static void install_frame_hook(void) {
+    if (original_eval_frame) return;
+    PyInterpreterState *interp = PyInterpreterState_Get();
+    if (!interp) return;
+    _PyFrameEvalFunction cur = _PyInterpreterState_GetEvalFrameFunc(interp);
+    if (cur == protected_eval_frame) return;
+    original_eval_frame = cur;
+    hooked_interp = interp;
+    _PyInterpreterState_SetEvalFrameFunc(interp, protected_eval_frame);
+}
+
+static void restore_frame_hook(void) {
+    if (!original_eval_frame || !hooked_interp) return;
+    _PyInterpreterState_SetEvalFrameFunc(hooked_interp, original_eval_frame);
+    original_eval_frame = NULL;
+    hooked_interp = NULL;
+}
+
+/* ------------------------------------------------------------------ */
+/* Wipe code tree — recursively clear all code objects' bytecodes      */
+/* ------------------------------------------------------------------ */
+
+static void wipe_code_tree(PyObject *co) {
+    if (!co || !PyCode_Check(co)) return;
+    PyCodeObject *code = (PyCodeObject*)co;
+
+    PyObject *bc = PyCode_GetCode(code);
+    if (bc && PyBytes_Check(bc)) {
+        Py_ssize_t sz;
+        char *buf;
+        if (PyBytes_AsStringAndSize(bc, &buf, &sz) == 0 && buf && sz > 0) {
+            memset(buf, 0, (size_t)sz);
+        }
+    }
+    Py_XDECREF(bc);
+
+    PyObject *consts = code->co_consts;
+    if (consts && PyTuple_Check(consts)) {
+        Py_ssize_t n = PyTuple_Size(consts);
+        for (Py_ssize_t i = 0; i < n; i++) {
+            PyObject *item = PyTuple_GetItem(consts, i);
+            if (item && PyCode_Check(item)) {
+                wipe_code_tree(item);
+            }
+        }
+    }
+}
+
+/* ------------------------------------------------------------------ */
+/* Decrypt and exec                                                     */
+/* ------------------------------------------------------------------ */
+
 static PyObject* engine_decrypt_and_exec(PyObject *self, PyObject *args) {
     const uint8_t *data;
     Py_ssize_t data_len;
@@ -389,8 +540,8 @@ static PyObject* engine_decrypt_and_exec(PyObject *self, PyObject *args) {
     if (!PyArg_ParseTuple(args, "y#", &data, &data_len))
         return NULL;
 
-    if (deep_anti_debug()) {
-        PyErr_SetString(PyExc_RuntimeError, "Debugger detected");
+    if (deep_anti_debug() || deep_anti_hook() || deep_anti_decode()) {
+        PyErr_SetString(PyExc_RuntimeError, "Tamper detected");
         return NULL;
     }
 
@@ -462,15 +613,25 @@ static PyObject* engine_decrypt_and_exec(PyObject *self, PyObject *args) {
         return NULL;
     }
 
+    /* Install frame eval hook */
+    install_frame_hook();
+
     PyObject *builtins = PyEval_GetBuiltins();
-    if (!builtins) { Py_DECREF(code_obj); return NULL; }
+    if (!builtins) { restore_frame_hook(); Py_DECREF(code_obj); return NULL; }
 
     PyObject *globals = PyDict_New();
-    if (!globals) { Py_DECREF(code_obj); return NULL; }
+    if (!globals) { restore_frame_hook(); Py_DECREF(code_obj); return NULL; }
 
     PyDict_SetItemString(globals, "__builtins__", builtins);
 
     PyObject *result = PyEval_EvalCode((PyObject*)code_obj, globals, globals);
+
+    /* Restore frame hook */
+    restore_frame_hook();
+
+    /* Wipe all decrypted bytecodes from memory */
+    wipe_code_tree(code_obj);
+
     Py_DECREF(code_obj);
     Py_DECREF(globals);
 
@@ -489,6 +650,11 @@ static PyObject* engine_decrypt_and_get_code(PyObject *self, PyObject *args) {
     if (!PyArg_ParseTuple(args, "y#", &data, &data_len))
         return NULL;
 
+    if (deep_anti_debug() || deep_anti_hook() || deep_anti_decode()) {
+        PyErr_SetString(PyExc_RuntimeError, "Tamper detected");
+        return NULL;
+    }
+
     uint8_t iv[12];
     uint8_t *plain = NULL;
     size_t plain_len = 0;
@@ -554,14 +720,14 @@ static PyObject* engine_decrypt_and_get_code(PyObject *self, PyObject *args) {
 /* ------------------------------------------------------------------ */
 
 static PyMethodDef EngineMethods[] = {
-    {"decrypt_and_exec",     engine_decrypt_and_exec,     METH_VARARGS, "Decrypt and execute protected payload."},
+    {"decrypt_and_exec",     engine_decrypt_and_exec,     METH_VARARGS, "Decrypt+execute with frame hook + anti-tamper + memory wipe."},
     {"decrypt_and_get_code", engine_decrypt_and_get_code, METH_VARARGS, "Decrypt and return code object."},
     {NULL, NULL, 0, NULL}
 };
 
 static struct PyModuleDef enginemodule = {
     PyModuleDef_HEAD_INIT, "engine_c",
-    "pyprotect-v4 engine - embedded key, anti-debug, anti-dump",
+    "pyprotect-v4 engine - frame hook, anti-tamper, anti-dump",
     -1, EngineMethods
 };
 

{pyprotect_v3-3.0.0 → pyprotect_v3-3.1.0}/pyprotect/obfuscator.py

@@ -21,36 +21,13 @@ except ImportError:
     EMBEDDED_KEY = b'\xa1\xb2\xc3\xd4\xe5\xf6\x07\x18\x29\x3a\x4b\x5c\x6d\x7e\x8f\x90\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10'
 
 
-BOOTSTRAP_TEMPLATE = '''"""Protected script - generated by pyprotect-v3 v{version}."""
-import sys
-import os
-
-{payload_var} = {payload!r}
-
-def _exec_protected():
-    import importlib.util
-    _d = os.path.dirname(os.path.abspath(__file__))
-    for _f in os.listdir(_d):
-        if _f.startswith('engine_c') and any(_f.endswith(e) for e in ('.so', '.pyd', '.dll')):
-            _spec = importlib.util.spec_from_file_location('engine_c', os.path.join(_d, _f))
-            if _spec:
-                _mod = importlib.util.module_from_spec(_spec)
-                _spec.loader.exec_module(_mod)
-                return _mod.decrypt_and_exec({payload_var})
-    from pyprotect.engine_c import decrypt_and_exec as _e
-    return _e({payload_var})
-
-if __name__ == "__main__":
-    try:
-        _exec_protected()
-    except BaseException:
-        sys.stderr.write("[-] C engine not available. Install pyprotect-v3 with C extension.\\n")
-        sys.exit(1)
-'''
+BOOTSTRAP_TEMPLATE = '''# PyProtect-v3 | github.com/PyProtect/PyProtect
+from pyprotect.engine_c import decrypt_and_exec; decrypt_and_exec({payload!r})'''
 
 MULTI_BOOTSTRAP_TEMPLATE = '''"""Protected package - generated by pyprotect-v3 v{version}."""
 import sys
 import os
+
 import importlib.abc
 import importlib.machinery
 import types
@@ -288,41 +265,9 @@ def _add_junk_imports(tree):
 # ---------------------------------------------------------------------------
 
 def _generate_polymorphic_stub(payload_expr: str) -> str:
-    """Generate a polymorphic stub. No key in stub — key is in .so binary."""
-    used = set(_BAD_NAMES)
-    pname = _random_name(used)
-
-    stub = f'''"""Protected - {base64.b64encode(os.urandom(8)).decode()}"""
-import sys
-import os
-
-{pname} = {payload_expr}
-
-if __name__ == "__main__":
-    try:
-        import importlib.util
-        _d = os.path.dirname(os.path.abspath(__file__))
-        _ok = False
-        for _f in os.listdir(_d):
-            if _f.startswith('engine_c') and any(_f.endswith(e) for e in ('.so', '.pyd', '.dll')):
-                _spec = importlib.util.spec_from_file_location('engine_c', os.path.join(_d, _f))
-                if _spec:
-                    _mod = importlib.util.module_from_spec(_spec)
-                    _spec.loader.exec_module(_mod)
-                    _mod.decrypt_and_exec({pname})
-                    _ok = True
-                    break
-        if not _ok:
-            from pyprotect.engine_c import decrypt_and_exec as _e
-            _e({pname})
-            _ok = True
-    except SystemExit:
-        raise
-    except BaseException:
-        if not _ok:
-            sys.stderr.write("[-] C engine not available. Install pyprotect-v3 with C extension.\\n")
-            sys.exit(1)
-'''
+    """Generate a compact stub. No key in stub — key is in .so binary."""
+    stub = f'''# PyProtect-v3 | github.com/PyProtect/PyProtect
+from pyprotect.engine_c import decrypt_and_exec; decrypt_and_exec({payload_expr})'''
     return stub
 
 # ---------------------------------------------------------------------------
@@ -434,7 +379,7 @@ class Obfuscator:
 
         # Generate multi bootstrap
         bootstrap_source = MULTI_BOOTSTRAP_TEMPLATE.format(
-            version="3.0.0",
+            version="3.1.0",
             modules=modules,
         )
 
@@ -467,14 +412,12 @@ class Obfuscator:
         )
         os.makedirs(output_dir, exist_ok=True)
 
-        payload_var = random.choice(string.ascii_letters) + "_" + base64.b16encode(os.urandom(6)).decode()
         if self.polymorphic:
             stub_source = _generate_polymorphic_stub(repr(encrypted))
         else:
             stub_source = BOOTSTRAP_TEMPLATE.format(
-                version="3.0.0",
+                version="3.1.0",
                 payload=encrypted,
-                payload_var=f"_{payload_var}",
             )
 
         stub_name = original_filename.replace(".py", "_protected.py")
@@ -485,8 +428,6 @@ class Obfuscator:
 
         os.chmod(stub_path, 0o755)
 
-        self._copy_engine(output_dir)
-
         return stub_path
 
     def _copy_engine(self, output_dir: str):