Possible missing prototype ?

Started by skywalker, April 07, 2006, 09:07:29 PM


skywalker

Since RtlSecureZeroMemory is a legit function, should it be prototyped in kernel32.inc ?
(Other programming languages use it)


Synfire

RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD

Regards,
Bryant Keller

MichaelW

On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.

According to this,
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)

So basically there is no need for it in a MASM program.
eschew obfuscation

skywalker

Quote from: MichaelW on April 07, 2006, 10:58:19 PM
On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.

According to this,
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)

So basically there is no need for it in a MASM program.


Thanks for the info.

I was going by this, which is a little further down on the MSDN page.
Memory viewers can view that data.

Use RtlSecureZeroMemory to guarantee that sensitive information has been zeroed out. For example, suppose that a function uses a local array variable to store password information. Once the function exits, the password information can remain in the same memory location unless zeroed out by RtlSecureZeroMemory.

skywalker

Quote from: Synfire on April 07, 2006, 10:47:30 PM
RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD

Regards,
Bryant Keller

Thanks Bryant.

But we don't use header files so I am confused.


MichaelW

AFAIK RtlSecureZeroMemory is an inline function that zeros memory just like RtlZeroMemory, but it is guaranteed to zero the memory because the compiler cannot optimize the call away. Here is the declaration from the WinNT.h that was distributed with the February 2003 PSDK:


#if !defined(MIDL_PASS)
FORCEINLINE
PVOID
RtlSecureZeroMemory(
    IN PVOID ptr,
    IN SIZE_T cnt
    )
{
    volatile char *vptr = (volatile char *)ptr;
    while (cnt) {
        *vptr = 0;
        vptr++;
        cnt--;
    }
    return ptr;
}
#endif


For a MASM program you could guarantee that the memory would be zeroed by just calling RtlZeroMemory, or any other function or code that would zero the memory.



eschew obfuscation
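To make the point of the inline body above concrete, here is an added C example (my own code, not from the SDK or from anyone in this thread) that re-implements the same volatile-pointer loop and uses it in the local-password pattern the MSDN text describes; the function names secure_zero, all_zero, use_password and demo_wipe are my own choices:

```c
#include <stddef.h>
#include <string.h>

/* Same loop as the WinNT.h inline: writing through a volatile pointer
 * forces the compiler to emit every store, even when the buffer is
 * never read again after the call. */
static void *secure_zero(void *ptr, size_t cnt)
{
    volatile char *vptr = (volatile char *)ptr;
    while (cnt) {
        *vptr++ = 0;
        cnt--;
    }
    return ptr;
}

/* Returns 1 if every byte in buf is zero, otherwise 0. */
static int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* The pattern from the MSDN quote: a password sits in a local array and
 * is wiped before the function returns.  A final memset()/RtlZeroMemory
 * here is a dead store that an optimising C compiler may remove; the
 * volatile loop in secure_zero() cannot be removed.  Returns the length
 * it handled, or 0 if the input did not fit. */
static size_t use_password(const char *pw)
{
    char local[64];
    size_t len = strlen(pw);
    if (len >= sizeof local)
        return 0;
    memcpy(local, pw, len + 1);
    /* ... check the password using local here ... */
    secure_zero(local, sizeof local);   /* not memset(local, 0, sizeof local) */
    return len;
}

/* Self-check on a constructed buffer: fill it, wipe it, confirm all zero. */
static int demo_wipe(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    if (all_zero(buf, sizeof buf)) return 0;          /* fill must be visible */
    if (secure_zero(buf, sizeof buf) != buf) return 0; /* returns its argument */
    return all_zero(buf, sizeof buf);
}
```

A hand-written MASM loop has no optimiser behind it, so RtlZeroMemory or your own store loop is already equivalent to secure_zero() there; the volatile trick only matters for C callers.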

hutch--

I must admit, it's so simple to write an algo that fills memory, I don't see the point of messing around with this windows junk. With zeroing out a password or similar, what's wrong with writing a phony straight after the real one has been used ? It's easy, fast and helps make getting a valid password even harder.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Mark Jones

For that matter, overwrite it with something that in itself, is encrypted.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

skywalker

Quote from: Mark Jones on April 08, 2006, 02:08:29 AM
For that matter, overwrite it with something that in itself, is encrypted.

Maybe you could help me decipher some code.
I also suspect that the cryptdata does not decrypt to the desired registry entry. Ollydbg showed
just part of the entry.

I would like to see the encryption/decryption done in a non-registry changing app so I can see what's going on.

Thanks.

What does the 13 represent here?

    invoke  DecryptString, OFFSET cryptdata, 152715150, ADDR KSRegKey, 13
   

    ; what is this doing ?
    invoke  RegQueryValueEx, [hRegKey], ADDR KSRegKey+42, NULL, ADDR uDataCode,\
            ADDR KeyString, ADDR cbRead