CarlD Posted September 30, 2018
Is there a reliable way to ensure that data assigned to variables in a script is overwritten or deleted when the script exits? I have scripts that encrypt/decrypt data and would like to ensure, if possible, that the encryption keys and decrypted data do not stay in memory after the script exits. Thanks.

kaisies Posted September 30, 2018
There's probably a decent way to do it, but if you want a secure program, autoit is not a good choice. Retrieving source code from an autoit exe is trivial, and then of course all of your methods can be seen.

BrewManNH Posted September 30, 2018
If they're assigned to a variable, you can always change the contents of the variable before exiting. Although I doubt this would be necessary.

CarlD (Author) Posted October 1, 2018
@kaisies: My scripts are compiled to .a3x. Can these be reverse-engineered back to source (my understanding is no), or is the source only exposed while the script is actually running? I can live with the latter.

@BrewManNH: Are you saying that the contents of variables are reliably wiped from memory upon exiting?

Juvigy Posted October 1, 2018
Yes, a3x can be reverse engineered. About the variables, when you assign a new value to them like, $var=0 before exiting, you are ensuring that the data will be wiped even if the exiting doesn't free the variable from the memory.

junkew Posted October 1, 2018
Reverse engineering / decompiling is not hard. But you should anyway never put keys in compiled / packaged code. Maybe with the .NET UDF you can use SecureString:
https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7.2

Danp2 Posted October 1, 2018
Has anyone tested to see if assigning a new value to a variable actually wipes the previous value from memory? I suspect that it doesn't, but haven't tested it yet.

BrewManNH Posted October 1, 2018
Some of it might still be there if you use a different length "filler" value compared to the original value. Someone with more experience than me would need to double check it though. It's all a moot point if the passwords are included inside the script in any case.

CarlD (Author) Posted October 1, 2018
Thanks very much, this is all very helpful. I will certainly overwrite sensitive variables with garbage of equal or greater length. That's easy to do and is at least something. My scripts don't include the keys themselves, only references to the keys. This is still far from ideal, of course, but for this application I'm not looking for perfection, just good enough.

CarlD (Author) Posted October 2, 2018
Have been playing around with methods for overwriting variable contents. Here's what I have -- is there a better way?

```autoit
; Demo: Func _Xout1Var() -- CarlD 2018-10-02
;
; Sample variables of different types to be overwritten
$myvar1 = "This is terribly secret!"
$myvar2 = 123456789
$myvar3 = Binary($myvar2)
$myvar4 = True And False

; Names (without the $) of the variables to overwrite
Local $aMyVars[4]
$aMyVars[0] = "myvar1"
$aMyVars[1] = "myvar2"
$aMyVars[2] = "myvar3"
$aMyVars[3] = "myvar4"

; Replace each variable's contents with filler of the same length
For $i = 0 To UBound($aMyVars) - 1
    Assign($aMyVars[$i], _Xout1Var($aMyVars[$i]))
Next

; Show the overwritten values, then exit
Exit MsgBox(0, "", $myvar1 & @CRLF & $myvar2 & @CRLF & $myvar3 & @CRLF & $myvar4)

; ---------
; Returns a string of $sOverStr characters as long as the variable's
; string form, or 0 if the named variable is not declared.
Func _Xout1Var($sVarName, $sOverStr = "#")
    If IsDeclared($sVarName) <> 0 Then
        ; Cast non-string values to String first so every character can be replaced
        If Not IsString(Eval($sVarName)) Then Assign($sVarName, String(Eval($sVarName)))
        Return StringRegExpReplace(Eval($sVarName), ".", $sOverStr)
    Else
        Return 0
    EndIf
EndFunc   ;==>_Xout1Var
```

caramen Posted October 2, 2018
> On 01/10/2018 at 2:10 PM, Danp2 said:
> Has anyone tested to see if assigning a new value to a variable actually wipes the previous value from memory? I suspect that it doesn't, but haven't tested it yet.

Ok, I got the skills and tools to do that very fast. Let me do this, I will post my diag here. With screens if you want.... Good question because I was lazy to do it but I want to know it me too xD

caramen Posted October 2, 2018
Simple script to do a GUI with one label and with one value:

```autoit
#include <GUIConstantsEx.au3>

$cValue = 0 ;Fixing value to 0

$cGui = GUICreate("Hello world", 250, 250) ;Gui
$cLabel1 = GUICtrlCreateLabel("Value =" & $cValue, 20, 20)
$cValue2 = GUICtrlCreateButton("Value2", 20, 60)
$cValue4 = GUICtrlCreateButton("Value4", 20, 120)
GUISetState(@SW_SHOW, $cGui) ;=> Gui

While (1)
    $idMsg = GUIGetMsg()
    Switch $idMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $cValue2
            _Value2()
            GUICtrlSetData($cLabel1, "Value =" & $cValue)
        Case $cValue4
            _Value4()
            GUICtrlSetData($cLabel1, "Value =" & $cValue)
    EndSwitch
    Sleep(10)
WEnd

Func _Value2() ;Fixing value to 2
    $cValue = 2
EndFunc

Func _Value4() ;Fixing value to 4
    $cValue = 4
EndFunc
```

Executing script, and scanning the memory to find the used address.

Here the address with value 2

And that was the same address for value 4

Well for me that means the variable is written in a memory address and if you replace it, it will just wipe the precedent one.

If I read memory at same address after closing my script. I check the same address:

If I start the script again a new address is used for the same variable.

And the memory value of the both address scanned, after exiting script.

?? = No more 4 Bytes

Do your own conclusion

The only thing I can say is.... even without decompiling we can see the used values as you see in my screens. I can search and scan by number, array, text, binary, string, 2, 4, 8 bytes, Float, Double. So until you use that in your script I can find it. And if you check wisely you even can notice we can read the variable name too. You can read it in screen, look at my script and my screens: you can see C.V.A.L.U.E. that is $cValue

Also I stopped that kind of knowledge looooong time ago... and I did it in 40 minutes. A > Z. Pretty easy...

Juvigy Posted October 3, 2018
Caramen, did you check the memory if before exiting you assign a different value to the variable?

caramen Posted October 3, 2018
> 5 hours ago, Juvigy said:
> Caraman, did you check the memory if before exiting you assign a different value to the variable?

This step

> 23 hours ago, caramen said:
> Executing script, and scanning the memory to find the used address.

And this step

> 23 hours ago, caramen said:
> Here the address with value 2

Are done one after one. So yes. And then I concluded to:

> 23 hours ago, caramen said:
> Well for me that means the variable is written in a memory address and if you replace it, it will just wipe the precedent one.

But I can add for your understanding that: Well for me that means the variable is written in a memory address and if you replace it, it will just wipe the precedent one. EDIT: At the same bytes address

More explicit with screen because of my English:

IN CIRCLE = ADDRESS NUMBER
IN SQUARE = 00090D98 = ADDRESS
98 = Bytes
02 left = Value of the binary/Same as variable
04 right = Value of the binary/Same as variable

Google trad: It says exactly that the value 4 and the value 2 are inscribed in the same region of the memory. And even more in the same bytes

And the proof is here:

That is saying the value has changed. Actual value = 2 Previous value = 4

user4157124 Posted October 3, 2018
Numerical data (obviously) can not remain if new value is stored to same location. Consider overwriting string variables by a shorter string (""), an integer (0) or NULL instead. Possibly string functions (or operators other than assignment) keep a copy somewhere.

caramen Posted October 3, 2018
> 52 minutes ago, user4157124 said:
> Numerical data (obviously) can not remain if new value is stored to same location. Consider overwriting string variables by a shorter string (""), an integer (0) or NULL instead. Possibly string functions (or operators other than assignment) keep a copy somewhere.

Does that mean if I do the same with text value that will change the result?

junkew Posted October 3, 2018
Good enough really depends on your requirement. Obfuscation can help but is not secure. As long as Windows and AutoIt are not built with security by design there is no guarantee it's findable in computer memory. See this for example:
https://github.com/intel/safestringlib

CarlD (Author) Posted October 3, 2018
> 2 hours ago, user4157124 said:
> Numerical data (obviously) can not remain if new value is stored to same location. Consider overwriting string variables by a shorter string (""), an integer (0) or NULL instead. Possibly string functions (or operators other than assignment) keep a copy somewhere.

I was wondering about this. If you overwrite a multi-byte string with Null or 0, do the "leftover" bytes hang around in memory or is the garbage collected as soon as the script exits? Not knowing the answer, I thought it might be safer to cast all variables to String and overwrite them with an equal number of dummy bytes. Also, would successive reassignments help?

```autoit
$myvar = "SECRET"
$myvar = "######"
$myvar = 0
```

user4157124 Posted October 13, 2018
That's the point yes (was in reply to screenshots; unaltered copy at 00090DB0, 9A). On reassignment both leftover bytes and a copy remain (throughout runtime or until memory reuse). Potentially written to disk additionally (paging, standby, etc.).

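Added example, not part of the original thread or any poster's code: one way to act on the points above about leftover copies and paging is to keep the key bytes in a DllStruct buffer instead of an AutoIt variable, lock that buffer with VirtualLock, and zero it in place on exit. The key file path, the 32-byte key length and the names _LoadKey and _WipeKey are assumptions.

```autoit
; Added example: the key lives only in one fixed buffer, never in an AutoIt string/variant.
Global Const $KEY_LEN = 32 ; assumed key length in bytes
Global $g_tKey = DllStructCreate("byte[" & $KEY_LEN & "]")
Global $g_pKey = DllStructGetPtr($g_tKey)

; Ask Windows to keep the buffer's pages out of the page file.
DllCall("kernel32.dll", "bool", "VirtualLock", "ptr", $g_pKey, "ulong_ptr", $KEY_LEN)

; Wipe on every normal exit path, including the early Exit below.
OnAutoItExitRegister("_WipeKey")

If Not _LoadKey("C:\path\to\key.bin") Then Exit 1 ; hypothetical key file
; ... hand $g_pKey to DllCall-based crypto here; do not copy it into a variable ...
Exit 0

Func _LoadKey($sKeyFile)
    ; GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3
    Local $aOpen = DllCall("kernel32.dll", "handle", "CreateFileW", "wstr", $sKeyFile, _
            "dword", 0x80000000, "dword", 1, "ptr", 0, "dword", 3, "dword", 0, "ptr", 0)
    If @error Or $aOpen[0] = Ptr(-1) Then Return False ; INVALID_HANDLE_VALUE

    ; ReadFile writes straight into the buffer, so no AutoIt value ever holds the key.
    Local $aRead = DllCall("kernel32.dll", "bool", "ReadFile", "handle", $aOpen[0], _
            "ptr", $g_pKey, "dword", $KEY_LEN, "dword*", 0, "ptr", 0)
    Local $bOk = False
    If Not @error Then $bOk = ($aRead[0] <> 0 And $aRead[4] = $KEY_LEN)

    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $aOpen[0])
    Return $bOk
EndFunc   ;==>_LoadKey

Func _WipeKey()
    ; Overwrite the same bytes in place, then release the page lock.
    DllCall("kernel32.dll", "none", "RtlZeroMemory", "ptr", $g_pKey, "ulong_ptr", $KEY_LEN)
    DllCall("kernel32.dll", "bool", "VirtualUnlock", "ptr", $g_pKey, "ulong_ptr", $KEY_LEN)
EndFunc   ;==>_WipeKey
```

The exit handler does not run if the process is killed, and VirtualLock does not keep the buffer out of a hibernation file.
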
junkew Posted October 13, 2018
Check the crypt.au3 if it's helpful:
https://www.autoitscript.com/autoit3/docs/libfunctions/_Crypt_DeriveKey.htm#CipheringAlgoID

And maybe it helps also, besides making sure you overwrite variables, to use some obfuscation logic on top of it so the secrets are split and scattered around. Real simple example (you never should put secrets in the script itself) but still it does not prevent that strings are coming together:

```autoit
$k1="hiallifcoffeeidrink"
$k2="toheeismeocarsest"
consolewrite(actualSecret($k1,$k2))

func actualSecret($k1,$k2)
    return stringmid($k1,1,1) & stringmid($k1,3,1) & stringmid($k1,5,1) & stringmid($k1,7,1) _
        & stringmid($k1,9,1) & stringmid($k1,11,1) & stringmid($k2,1,1) & stringmid($k2,3,1) _
        & stringmid($k2,5,1) & stringmid($k2,7,1) & stringmid($k2,9,1) & stringmid($k2,11,1) _
        & stringmid($k2,13,1) & stringmid($k2,15,1) & stringmid($k2,17,1)
EndFunc
```