Deleting/overwriting variable contents in memory


CarlD
Is there a reliable way to ensure that data assigned to variables in a script is overwritten or deleted when the script exits? I have scripts that encrypt/decrypt data and would like to ensure, if possible, that the encryption keys and decrypted data do not stay in memory after the script exits. Thanks.

Link to comment
Share on other sites

If they're assigned to a variable, you can always change the contents of the variable before exiting. Although I doubt this would be necessary.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites

@kaisies: My scripts are compiled to .a3x. Can these be reverse-engineered back to source (my understanding is no), or is the source only exposed while the script is actually running? I can live with the latter.

@BrewManNH: Are you saying that the contents of variables are reliably wiped from memory upon exiting?

Link to comment
Share on other sites

Yes, a3x can be reverse engineered. About the variables: when you assign a new value to them, like $var=0 before exiting, you are ensuring that the data will be wiped even if exiting doesn't free the variable from memory.

Link to comment
Share on other sites

Reverse engineering / decompiling is not hard.

But you should never put keys in compiled / packaged code anyway.

Maybe with the .NET UDF you can use SecureString:

https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7.2

 

 

Link to comment
Share on other sites

Some of it might still be there if you use a different length "filler" value compared to the original value. Someone with more experience than me would need to double check it though.

It's all a moot point if the passwords are included inside the script in any case.


Link to comment
Share on other sites

Thanks very much, this is all very helpful. I will certainly overwrite sensitive variables with garbage of equal or greater length. That's easy to do and is at least something.

My scripts don't include the keys themselves, only references to the keys. This is still far from ideal, of course, but for this application I'm not looking for perfection, just good enough.

Link to comment
Share on other sites

Have been playing around with methods for overwriting variable contents. Here's what I have -- is there a better way?

; Demo: Func _Xout1Var() -- CarlD 2018-10-02
;
$myvar1 = "This is terribly secret!"
$myvar2 = 123456789
$myvar3 = Binary($myvar2)
$myvar4 = True And False

Local $aMyVars[4]
$aMyVars[0] = "myvar1"
$aMyVars[1] = "myvar2"
$aMyVars[2] = "myvar3"
$aMyVars[3] = "myvar4"
For $i = 0 To UBound($aMyVars) - 1
    Assign($aMyVars[$i], _Xout1Var($aMyVars[$i]))
Next

Exit MsgBox(0, "", $myvar1 & @CRLF & $myvar2 & @CRLF & $myvar3 & @CRLF & $myvar4)
; ---------

Func _Xout1Var($sVarName, $sOverStr = "#")
    If IsDeclared($sVarName) <> 0 Then
        If Not IsString(Eval($sVarName)) Then Assign($sVarName, String(Eval($sVarName)))
        Return StringRegExpReplace(Eval($sVarName), ".", $sOverStr)
    Else
        Return 0
    EndIf
EndFunc  ;==>_Xout1Var

 

Edited by CarlD
Link to comment
Share on other sites

On 01/10/2018 at 2:10 PM, Danp2 said:

Has anyone tested to see if assigning a new value to a variable actually wipes the previous value from memory? I suspect that it doesn't, but haven't tested it yet.

OK, I've got the skills and tools to do that very fast. Let me do this; I will post my diag here, with screens if you want... Good question, because I was lazy to do it, but I want to know it too xD

Edited by caramen

My video tutorials : ( In construction )  || My Discord : https://discord.gg/S9AnwHw

How to Ask Help ||  UIAutomation From Junkew || WebDriver From Danp2 || And Water's UDFs in the Quote

Spoiler

 Water's UDFs:
Active Directory (NEW 2018-10-19 - Version 1.4.10.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Link to comment
Share on other sites

Simple Script to do GUI with one label and with one value :

#include <GUIConstantsEx.au3>

$cValue  = 0 ;Fixing value to 0

$cGui    = GUICreate ("Hello world",250,250) ;Gui
$cLabel1 = GUICtrlCreateLabel ("Value ="& $cValue ,20,20)
$cValue2 = GUICtrlCreateButton ("Value2" , 20 , 60 )
$cValue4 = GUICtrlCreateButton ("Value4" , 20 , 120 )
GUISetState(@SW_SHOW, $cGui) ;=> Gui


While (1)
    $idMsg = GUIGetMsg()
        Switch $idMsg
            Case $GUI_EVENT_CLOSE
                Exit
            Case $cValue2
                _Value2 ()
                GUICtrlSetData ( $cLabel1 , "Value ="& $cValue )
            Case $cValue4
                _Value4 ()
                GUICtrlSetData ( $cLabel1 , "Value ="& $cValue )
             EndSwitch
         Sleep(10)
WEnd

Func _Value2 () ;Fixing value to 2
   $cValue = 2
EndFunc

Func _Value4 () ;Fixing value to 4
   $cValue = 4
EndFunc

Executing the script, and scanning the memory to find the used address.

[Screenshot]

Here the address with value 2

[Screenshot]

And that was the same address for value 4

Well, for me that means the variable is written in a memory address, and if you replace it, it will just wipe the previous one.

If I read memory at the same address after closing my script, I check the same address:

[Screenshot]

If I start the script again, a new address is used for the same variable.

[Screenshot]

And the memory value of both scanned addresses, after exiting the script.

[Screenshot]

?? = No more 4 Bytes

Draw your own conclusion ;)

The only thing I can say is... even without decompiling we can see the used values, as you see in my screens.

I can search and scan by number, array, text, binary, string, 2, 4, 8 bytes, Float, Double.

So until you use that in your script I can find it.

And if you check wisely you can even notice we can read the variable name too :) You can read it in the screen; look at my script and my screens: you can see C.V.A.L.U.E., that is $cValue

Also I stopped that kind of knowledge a looooong time ago... and I did it in 40 minutes. A > Z. Pretty easy...

 

Edited by caramen


Link to comment
Share on other sites

5 hours ago, Juvigy said:

Caramen, did you check the memory if before exiting you assign a different value to the variable?

This step

23 hours ago, caramen said:

Executing the script, and scanning the memory to find the used address.

And this step

23 hours ago, caramen said:

Here the address with value 2

Are done one after the other. So yes.

And then I concluded:

23 hours ago, caramen said:

Well, for me that means the variable is written in a memory address, and if you replace it, it will just wipe the previous one.

But I can add, for your understanding, that:

Well, for me that means the variable is written in a memory address, and if you replace it, it will just wipe the previous one. EDIT: At the same bytes address

More explicit with a screen because of my English:

[Screenshot]

IN CIRCLE = ADDRESS NUMBER

 

IN SQUARE =

00090D98 = ADDRESS

98 = Bytes 

02 left= Value of the binary/Same as variable

04 right = Value of the binary/Same as variable 

 

Google trad:

It says exactly that the value 4 and the value 2 are inscribed in the same region of the memory. And even more in the same bytes

 

And the proof is here:

[Screenshot]

That is saying the value has changed.

Actual value = 2

Previous value = 4

 

Edited by caramen


Link to comment
Share on other sites

52 minutes ago, user4157124 said:

Numerical data (obviously) can not remain if new value is stored to same location. Consider overwriting string variables by a shorter string (""), an integer (0) or NULL instead. Possibly string functions (or operators other than assignment) keep a copy somewhere.

Does that mean that if I do the same with a text value, that will change the result?


Link to comment
Share on other sites

Good enough really depends on your requirement.

Obfuscation can help but is not secure.

As long as Windows and AutoIt are not built with security by design, there is no guarantee it's findable in computer memory.

See this for example. https://github.com/intel/safestringlib

 

Link to comment
Share on other sites

2 hours ago, user4157124 said:

Numerical data (obviously) can not remain if new value is stored to same location. Consider overwriting string variables by a shorter string (""), an integer (0) or NULL instead. Possibly string functions (or operators other than assignment) keep a copy somewhere.

I was wondering about this. If you overwrite a multi-byte string with Null or 0, do the "leftover" bytes hang around in memory or is the garbage collected as soon as the script exits? Not knowing the answer, I thought it might be safer to cast all variables to String and overwrite them with an equal number of dummy bytes.

Also, would successive reassignments help?

$myvar = "SECRET"

$myvar = "######"

$myvar = 0

Edited by CarlD
Link to comment
Share on other sites
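
An alternative to overwriting string variables, as an added example that is not part of the thread or of any AutoIt UDF: keep the key in a DllStruct byte buffer, whose address and size the script controls, and zero it in place. The _SecretBuf_* helper names are hypothetical, and the key here is a random session key generated only for the demonstration.

```autoit
; Added example, not code from the thread. _SecretBuf_* names are hypothetical.
; The key lives in a DllStruct buffer the script owns, so it can be zeroed in
; place at a known address before the script exits.

Func _SecretBuf_Create($iBytes)
    ; Fixed-size byte array; the buffer is not moved or resized while it exists.
    Return DllStructCreate("byte data[" & $iBytes & "]")
EndFunc   ;==>_SecretBuf_Create

Func _SecretBuf_Wipe(ByRef $tBuf)
    ; Overwrite every byte of the buffer with 0x00, in place.
    DllCall("kernel32.dll", "none", "RtlZeroMemory", _
            "struct*", $tBuf, "ulong_ptr", DllStructGetSize($tBuf))
    If @error Then Return SetError(1, 0, False)
    Return True
EndFunc   ;==>_SecretBuf_Wipe

Func _SecretBuf_IsZero(ByRef $tBuf)
    ; Read back byte by byte (index is 1-based) to confirm the wipe.
    For $i = 1 To DllStructGetSize($tBuf)
        If DllStructGetData($tBuf, "data", $i) <> 0 Then Return False
    Next
    Return True
EndFunc   ;==>_SecretBuf_IsZero

Local $tKey = _SecretBuf_Create(32)

; RtlGenRandom (exported by advapi32.dll as SystemFunction036) writes the random
; session key straight into the buffer: no AutoIt string or Binary copy exists.
Local $aRet = DllCall("advapi32.dll", "boolean", "SystemFunction036", _
        "struct*", $tKey, "ulong", DllStructGetSize($tKey))
If @error Or Not $aRet[0] Then Exit 1

ConsoleWrite("All zero before wipe: " & _SecretBuf_IsZero($tKey) & @CRLF)

; ... hand $tKey to the crypto DllCalls as "struct*" here. Avoid
; DllStructGetData($tKey, "data") without an index: it returns a Binary copy
; in an ordinary variable, outside the buffer that gets wiped below.

_SecretBuf_Wipe($tKey)
ConsoleWrite("All zero after wipe:  " & _SecretBuf_IsZero($tKey) & @CRLF)
$tKey = 0 ; release the buffer only after it has been zeroed
```

While the key is in use it is still readable by anything that can read the process's memory, as the scans earlier in the thread show; wiping only shortens how long it stays there.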

  • 2 weeks later...

Check the crypt.au3 if it's helpful

https://www.autoitscript.com/autoit3/docs/libfunctions/_Crypt_DeriveKey.htm#CipheringAlgoID

And maybe it helps also besides making sure you overwrite variables to use some obfuscation logic on top of it so the secrets are split and scattered around.

Real simple example (you never should put secrets in the script itself), but still it does not prevent that strings are coming together

$k1="hiallifcoffeeidrink"
$k2="toheeismeocarsest"

consolewrite(actualSecret($k1,$k2))

func actualSecret($k1,$k2)
    return stringmid($k1,1,1) & stringmid($k1,3,1) & stringmid($k1,5,1) & stringmid($k1,7,1) _
    & stringmid($k1,9,1) & stringmid($k1,11,1) & stringmid($k2,1,1) & stringmid($k2,3,1) _
    & stringmid($k2,5,1) & stringmid($k2,7,1) & stringmid($k2,9,1) & stringmid($k2,11,1) _
    & stringmid($k2,13,1) & stringmid($k2,15,1)  & stringmid($k2,17,1)
EndFunc

 

Link to comment
Share on other sites
