Since RtlSecureZeroMemory is a legit function, should it be prototyped in kernel32.inc?
(Other programming languages use it)
RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD
Regards,
Bryant Keller
On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.
According to
this (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k109_8bcffbc1-2930-416b-a192-b70c477d1910.xml.asp),
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)
So basically there is no need for it in a MASM program.
Quote from: MichaelW on April 07, 2006, 10:58:19 PM
On my Windows 2000 system there is no such function exported from kernel32.dll, or ntdll.dll, or any other DLL.
According to this (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k109_8bcffbc1-2930-416b-a192-b70c477d1910.xml.asp),
Quote
This routine is available on Windows Server 2003 and later. (Because the routine is declared inline, the body of the routine can be included in earlier versions of the operating system.)
...
The effect of RtlSecureZeroMemory is identical to that of RtlZeroMemory, except that it is guaranteed to zero the memory location, even if it is not subsequently written to. (The compiler can optimize away a call to RtlZeroMemory, if it determines that the caller does not access that memory range again.)
So basically there is no need for it in a MASM program.
Thanks for the info.
I was going by this, which is a little further down on the MSDN page.
Memory viewers can view that data.
Use RtlSecureZeroMemory to guarantee that sensitive information has been zeroed out. For example, suppose that a function uses a local array variable to store password information. Once the function exits, the password information can remain in the same memory location unless zeroed out by RtlSecureZeroMemory.
Quote from: Synfire on April 07, 2006, 10:47:30 PM
RtlSecureZeroMemory() is declared in NTDDK.H but the prototype would look like this:
RtlSecureZeroMemory PROTO ptr:DWORD, cnt:DWORD
Regards,
Bryant Keller
Thanks Bryant.
But we don't use header files so I am confused.
AFAIK RtlSecureZeroMemory is an inline function that zeros memory just like RtlZeroMemory, but it is guaranteed to zero the memory because the compiler cannot optimize the call away. Here is the declaration from the WinNT.h that was distributed with the February 2003 PSDK:
#if !defined(MIDL_PASS)
FORCEINLINE
PVOID
RtlSecureZeroMemory(
    IN PVOID ptr,
    IN SIZE_T cnt
    )
{
    volatile char *vptr = (volatile char *)ptr;
    while (cnt) {
        *vptr = 0;
        vptr++;
        cnt--;
    }
    return ptr;
}
#endif
For a MASM program you could guarantee that the memory would be zeroed by just calling RtlZeroMemory, or any other function or code that would zero the memory.
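The volatile-pointer trick in the WinNT.h declaration, shown here as an added example in portable C (not code from this thread): secure_zero mirrors the inline routine, and the hypothetical use_password function demonstrates the password-in-a-local-array case from the MSDN text, scrubbing its local copy before it returns. The byte sum is an assumed stand-in for whatever real work a function would do with the secret.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Portable equivalent of the inline RtlSecureZeroMemory from WinNT.h:
 * each store goes through a volatile pointer, so the compiler must keep it
 * even when the buffer is never read again (a plain memset/RtlZeroMemory
 * at the end of a function may be dropped as a dead store). */
void *secure_zero(void *ptr, size_t cnt)
{
    volatile unsigned char *vptr = (volatile unsigned char *)ptr;
    while (cnt) {
        *vptr = 0;
        vptr++;
        cnt--;
    }
    return ptr;
}

/* Returns 1 when every byte of buf[0..len) is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical password handler (assumption, not from the thread): it keeps
 * a local copy of the secret, "uses" it (a byte sum stands in for real
 * work), then scrubs the local array before returning. The scrubbed array
 * is copied into *leftover so the caller can check what the stack retained. */
uint32_t use_password(const char *pw, unsigned char *leftover, size_t cap)
{
    unsigned char local[64];
    size_t n = strlen(pw);
    if (n > sizeof local)
        n = sizeof local;
    memcpy(local, pw, n);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += local[i];
    secure_zero(local, sizeof local);   /* RtlSecureZeroMemory(local, sizeof local) on Windows */
    if (cap > sizeof local)
        cap = sizeof local;
    memcpy(leftover, local, cap);       /* snapshot of the cleared buffer */
    return sum;
}
```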
I must admit, it's so simple to write an algo that fills memory, I don't see the point of messing around with this Windows junk. With zeroing out a password or similar, what's wrong with writing a phony straight after the real one has been used? It's easy, fast and helps make getting a valid password even harder.
For that matter, overwrite it with something that in itself, is encrypted.
Quote from: Mark Jones on April 08, 2006, 02:08:29 AM
For that matter, overwrite it with something that in itself, is encrypted.
Maybe you could help me decipher some code.
I also suspect that the cryptdata does not decrypt to the desired registry entry. Ollydbg showed just part of the entry.
I would like to see the encryption/decryption done in a non-registry-changing app so I can see what's going on.
Thanks.
What does the 13 represent here?
invoke DecryptString, OFFSET cryptdata, 152715150, ADDR KSRegKey, 13
; what is this doing?
invoke RegQueryValueEx, [hRegKey], ADDR KSRegKey+42, NULL, ADDR uDataCode,\
ADDR KeyString, ADDR cbRead