News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Possible missing prototype ?

Started by skywalker, April 07, 2006, 09:07:29 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

skywalker

April 07, 2006, 09:07:29 PM
Since RtlSecureZeroMemory is a legit function, should it be prototyped in kernel32.inc ?
(Other programming languages use it)

Synfire

#1
April 07, 2006, 10:47:30 PM
RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
Code Select
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD

Regards,
Bryant Keller

MichaelW

#2
April 07, 2006, 10:58:19 PM
On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.

According to this,
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)

So basically there is no need for it in a MASM program.
eschew obfuscation

skywalker

#3
April 07, 2006, 11:18:17 PM
Quote from: MichaelW on April 07, 2006, 10:58:19 PM
On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.

According to this,
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)

So basically there is no need for it in a MASM program.


Thanks for the info.

I was going by this which is a little furthur down on the MSDN page.
Memory viewers can view that data.

Use RtlSecureZeroMemory to guarantee that sensitive information has been zeroed out. For example, suppose that a function uses a local array variable to store password information. Once the function exits, the password information can remain in the same memory location unless zeroed out by RtlSecureZeroMemory.

skywalker

#4
April 07, 2006, 11:20:46 PM
Quote from: Synfire on April 07, 2006, 10:47:30 PM
RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
Code Select
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD

Regards,
Bryant Keller

Thanks Bryant.

But we don't use header files so I am confused.

MichaelW

#5
April 07, 2006, 11:45:19 PM
AFAIK RtlSecureZeroMemory is an inline function that zeros memory just like RtlZeroMemory, but it is guaranteed to zero the memory because the compiler cannot optimize the call away. Here is the declaration from the WinNT.h that was distributed with the February 2003 PSDK:

Code Select

#if !defined(MIDL_PASS)
FORCEINLINE
PVOID
RtlSecureZeroMemory(
    IN PVOID ptr,
    IN SIZE_T cnt
    )
{
    volatile char *vptr = (volatile char *)ptr;
    while (cnt) {
        *vptr = 0;
        vptr++;
        cnt--;
    }
    return ptr;
}
#endif


For a MASM program you could guarantee that the memory would be zeroed by just calling RtlZeroMemory, or any other function or code that would zero the memory.



eschew obfuscation

hutch--

#6
April 08, 2006, 01:46:01 AM
I must admit, its so simple to write an algo that fills memory, I don't see the point of messing around with this windows junk. With zeroing out a password or similar, what wrong with writing a phony straight after the real one has been used ? Its easy, fast and helps make getting a valid password even harder.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Mark Jones

#7
April 08, 2006, 02:08:29 AM
For that matter, overwrite it with something that in itself, is encrypted.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

skywalker

#8
April 08, 2006, 12:19:20 PM
Quote from: Mark Jones on April 08, 2006, 02:08:29 AM
For that matter, overwrite it with something that in itself, is encrypted.

Maybe you could help me decipher some code.
I also suspect that the cryptdata does not decrypt to the desired registry entry. Ollydbg showed
just part of the entry.

I would like to see the encrytion/decryption done in a non-registry changing app so I can see what's going on.

Thanks.

What does the 13 represent here.

    invoke  DecryptString, OFFSET cryptdata, 152715150, ADDR KSRegKey, 13
   

    ; what is this doing ?
    invoke  RegQueryValueEx, [hRegKey], ADDR KSRegKey+42, NULL, ADDR uDataCode,\
            ADDR KeyString, ADDR cbRead
Print
Go Up Pages1
User actions