Protecting sensitive data entered/displayed in a control while still allowing autoit to read the value

[MattHiggs]

Hey all.  I am curious as to how to protect sensitive data in Autoit guis (usually by replacing the text with * characters) while still allowing the script to know what the underlying value is.  Kind of like the "password char" parameter for the inputbox function, but extended to any of the controls in a GUI.  Any input or point in the right direction would be appreciated. 

Edited June 7, 2021 by MattHiggs

[TheXman]

You mean like the $ES_PASSWORD style for Edit/Input controls?

[MattHiggs]

7 minutes ago, TheXman said:

You mean like the $ES_PASSWORD style for Edit/Input controls?

Yes.  But lets say I want to do the same with combo boxes.  Like, for example, I have a checkbox next to a combo box which, when toggled, will hide/reveal the items in the combo box.  Or lets say that I want to take one of the items in the previous combo box while it is still protected and put it in a list view item still protected, but want to be able to still access that string's value from the list view item.  Stuff like that.

Edited June 7, 2021 by MattHiggs

[spudw2k]

I guess it depends how secure you want to (try) and make it.  I say that because a persistent user could work out just about any protection methods using advanced techniques (i.e. debugger, reverse engineering, etc.). 

As a fundamental approach, you could use an array to hold and track the protected values.  

I don't know of a way to mask other controls as simply as ES_PASSWORD does for edit controls.  Instead, I have resorted to replacing the values programmatically and having an ability to reveal them as needed.  Just to give you some ideas, I do something like this with one of my tools:

1) I have a listview with a column of sensitive persistent values that I "mask" with a string of asterisks (************).
2) The column can be unmasked (or masked) on demand by retrieving the real values, or replacing them with my pseudo masked string of asterisks.
3) They also automatically "remask" when the window looses focus (no user action other than changing window focus) .
4) The real persistent values I keep stored in the registry--I also further protect them by using the CryptProtectData API function.
   @funkey has a nice working CryptProtectData example here

Edited June 7, 2021 by spudw2k

[Skysnake]

Could you show an image of a combo with hidden input? Am I missing something?

[spudw2k]

Here is a real quick and dirty demo (without any extra protections like I mentioned in my first reply).

expandcollapse popup

#include <GUIConstantsEx.au3>
#include <MsgBoxConstants.au3>
#include <StringConstants.au3>
#include <GuiComboBox.au3>

Local $hGUI = GUICreate("Example", 300, 200)

Local $idBtnMask = GUICtrlCreateCheckbox("Unmask", 10, 10)
Local $idComboBox = GUICtrlCreateCombo("", 80, 10, 185, 20)
Local $idBtnClose = GUICtrlCreateButton("Close", 210, 170, 85, 25)

; Add items to the combobox.
Local $aValues = StringSplit("Bananas|Potatoes","|",$STR_NOCOUNT)
PopulateComboBox(True)

; Display the GUI.
GUISetState(@SW_SHOW, $hGUI)

; Loop until the user exits.
While 1
    Switch GUIGetMsg()
        Case $GUI_EVENT_CLOSE, $idBtnClose
            ExitLoop
        Case $idBtnMask
            Local $iCmbSelection = _GUICtrlComboBox_GetCurSel($idComboBox)
            If GUICtrlRead($idBtnMask) = $GUI_CHECKED Then
                PopulateComboBox()
            Else
                PopulateComboBox(True)
            EndIf
            _GUICtrlComboBox_SetCurSel($idComboBox, $iCmbSelection)
        Case $idComboBox
            Msgbox(0,"","Item: (" & $aValues[_GUICtrlComboBox_GetCurSel($idComboBox)] & ") selected.")
    EndSwitch
WEnd

; Delete the previous GUI and all controls.
GUIDelete($hGUI)


Func PopulateComboBox($bHidden = False)
    _GUICtrlComboBox_BeginUpdate($idComboBox)
    _GUICtrlComboBox_ResetContent($idComboBox)

    For $sValue In $aValues
        If $bHidden Then
            _GUICtrlComboBox_AddString($idComboBox, StringRegExpReplace($sValue,"(.)","*"))
        Else
            _GUICtrlComboBox_AddString($idComboBox, $sValue)
        EndIf
    Next

    _GUICtrlComboBox_EndUpdate($idComboBox)
EndFunc

 

Thinking more about this, seems kind of odd to make a blind choice with a combobox.  From an end-user perspective, perhaps it would be more useful and intuitive to reveal the items when the combobox is expanded and mask it after a selection is made?  

Edited June 15, 2021 by spudw2k