How to erase entire process memory upon exit

firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

How to erase entire process memory upon exit

Post by firace »

I'm handling sensitive information in my program, and I have found (using a debugger) that some of it can still be seen in memory even after I have cleared (overwritten) all my variables. I believe it might be due to the inner workings of some gadgets or Windows controls. How can I just erase all of my process virtual memory at program exit? Can the RtlZeroMemory API help here? (Win 8.1 x86)


If the question is too vague I can make and post a bit of code.
Last edited by firace on Mon Mar 27, 2017 11:14 am, edited 1 time in total.
Keya
Addict
Posts: 1891
Joined: Thu Jun 04, 2015 7:10 am

Re: How to erase entire process memory upon exit

Post by Keya »

I think you have probably three options:
1) erase sensitive variables, not by setting them to "" or setting to 0, and even RtlZeroMemory isn't considered good for this, but by overwriting with cryptographically secure random data, e.g. "CryptRandomData(@pwhash$, Len(pwhash))"
2) erase only the areas of memory your sensitive variables are in, assuming they're not Writable or Executable
3) erase every area of memory that isn't Writable or Executable
(Note: 4) erase EVERY area of memory - isn't possible, as you'd be overwriting the code of your secure erase procedure)

You don't want to erase ReadOnly sections because no secure data will be stored there, and the same with Executable areas, although of course you can have Executable sections with Write access; I'll leave that one up to you. (You probably only want to erase areas you're sure will have data to clean - the more areas you clean the greater the risk of a problem/crash)

2 & 3 would require memory enumeration, but that's easy enough at least in Windows with VirtualQueryEx. You should also suspend all other threads except your main one (this shouldn't be a problem as you're wanting to exit the program anyway at that stage), otherwise you could end up breaking a thread and causing a crash before your secure erase procedure finishes.

Also, when you're overwriting memory you of course have to be very careful you're not overwriting anything currently in use... for example any variables you might be using in your secure-erase procedure. (You might end up overwriting the "i" in your "For i =" loop for example)

Special mention must also be made of the system cache/swap disk, and i have no answer for that one.

I don't know of any programs that use approaches 2 or 3 - I thought specific variables were just treated carefully (approach 1), but I'm not sure.
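Added example, not code from the thread: the three pieces of the approach above in plain C, written so it builds on Windows or Linux. It shows an overwrite that the compiler cannot drop as a dead store (Windows ships SecureZeroMemory and C11 memset_s for the same reason; a volatile loop is the portable form used here, with an optional random fill first as suggested in option 1), the region filter for option 3 (private, writable, non-executable regions only, and never the region holding the wiper's own stack frame or code), and a best-effort VirtualLock/mlock to keep the secret's pages out of the pagefile while the process runs. The region filter is fed constructed /proc/self/maps lines so it runs offline; on Windows the same fields come from VirtualQuery's MEMORY_BASIC_INFORMATION (State, Protect, Type). The sample addresses, the region list and the helper names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Keep the secret's pages resident while the process runs (VirtualLock on
 * Windows, mlock elsewhere). Best effort only: it fails on lock limits, and
 * hibernation still writes RAM to disk. Returns 0 on success. */
static int pin_pages(void *p, size_t n)
{
#ifdef _WIN32
    return VirtualLock(p, n) ? 0 : -1;
#else
    return mlock(p, n);
#endif
}

/* Overwrite through a volatile pointer so the compiler cannot elide the
 * stores as dead (the trap with a plain memset or zero-assignment right
 * before free/exit). If rnd is given, fill with those bytes first, then
 * zero. Returns the number of bytes written. */
static size_t secure_wipe(void *p, size_t n, const unsigned char *rnd)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    size_t i;
    if (rnd)
        for (i = 0; i < n; i++) v[i] = rnd[i];
    for (i = 0; i < n; i++) v[i] = 0;
    return n;
}

static int all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

/* One mapped region, in the shape both /proc/self/maps (Linux) and
 * VirtualQuery (Windows) report it. */
typedef struct {
    uintptr_t start, end;
    int readable, writable, executable, shared;
} region_t;

/* Parse a Linux /proc/<pid>/maps line such as
 * "01000000-01021000 rw-p 00000000 00:00 0  [heap]". 1 = ok, 0 = malformed. */
static int parse_maps_line(const char *line, region_t *r)
{
    char perms[5];
    unsigned long long s, e;
    if (sscanf(line, "%llx-%llx %4s", &s, &e, perms) != 3 || e <= s)
        return 0;
    r->start = (uintptr_t)s;  r->end = (uintptr_t)e;
    r->readable   = perms[0] == 'r';
    r->writable   = perms[1] == 'w';
    r->executable = perms[2] == 'x';
    r->shared     = perms[3] == 's';
    return 1;
}

/* Option 3 as a filter: private, writable, non-executable regions only,
 * and never the region containing the wiper's own stack or code, or the
 * loop destroys its own counter and return address. */
static int should_wipe(const region_t *r, uintptr_t self_stack, uintptr_t self_code)
{
    if (!r->writable || r->executable || r->shared) return 0;
    if (self_stack >= r->start && self_stack < r->end) return 0;
    if (self_code  >= r->start && self_code  < r->end) return 0;
    return 1;
}

/* Count regions in a maps dump that the filter would wipe (dry run). */
static int count_wipe_candidates(const char *const *lines, size_t nlines,
                                 uintptr_t self_stack, uintptr_t self_code)
{
    int n = 0;
    for (size_t i = 0; i < nlines; i++) {
        region_t r;
        if (parse_maps_line(lines[i], &r) && should_wipe(&r, self_stack, self_code)) n++;
    }
    return n;
}

/* Constructed sample of a maps dump (not captured from a real process). */
static const char *const SAMPLE_MAPS[] = {
    "00400000-00401000 r-xp 00000000 08:01 1234 /opt/app/app",      /* code      */
    "00601000-00602000 rw-p 00001000 08:01 1234 /opt/app/app",      /* .data     */
    "01000000-01021000 rw-p 00000000 00:00 0    [heap]",
    "7f000000-7f001000 rw-s 00000000 00:05 99   /dev/shm/ipc",      /* shared    */
    "7f100000-7f101000 r--p 00000000 08:01 77   /usr/lib/lib.so",   /* read-only */
    "7ffc0000-7ffe1000 rw-p 00000000 00:00 0    [stack]",
};
#define SAMPLE_MAPS_N (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])

int main(void)
{
    unsigned char *secret = malloc(32);
    unsigned char rnd[32];
    int stack_probe;
    if (!secret) return 1;
    memcpy(secret, "correct horse battery staple....", 32);
    if (pin_pages(secret, 32) != 0) puts("warning: could not pin pages");
    for (int i = 0; i < 32; i++) rnd[i] = (unsigned char)(i * 37 + 11); /* stand-in for CSPRNG output */
    secure_wipe(secret, 32, rnd);
    printf("wiped: %d\n", all_zero(secret, 32));
    printf("regions to wipe in sample: %d\n",
           count_wipe_candidates(SAMPLE_MAPS, SAMPLE_MAPS_N,
                                 (uintptr_t)&stack_probe, (uintptr_t)&main));
    free(secret);
    return 0;
}
```

In the dry run the stack and code probes are taken from a real local variable and from main, so the filter excludes whichever regions actually hold them; with the constructed sample only the .data and heap lines survive the filter. Using the same probes against a live enumeration is the step to add before ever turning the dry run into writes.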
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: How to erase entire process memory upon exit

Post by Lunasole »

In XP that was relatively simple [even if you had to carry a driver with your program :) ]; in newer Windows I'm not sure, admin rights are definitely needed and maybe even that will not be enough.

I can't bring you some code now, but generally the idea is like this:
- right on your program's quit, you launch another program of yours (this will be the process which erases memory)
- that process (it will need admin rights and so on) pauses all threads of your program, etc., then erases the whole memory (where access is possible). All that should still be possible in newer Windows using the WinAPI.
There might also be a DLL instead of a process; it just needs to ignore the process memory it uses itself.

You can also search for some free utils doing similar stuff (if there are any) and use them.

One more variant might be to pack your process into a virtual machine / use some cool exe cryptor/packer; you just need some kind of such container which performs this cleanup.

PS. Also, you should obviously beware of the swap file, because if some data leaks to it all your attempts to take care of process memory are futile. There are techniques to prevent dumping your app data to it, but I haven't looked at that long enough.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Keya
Addict
Posts: 1891
Joined: Thu Jun 04, 2015 7:10 am

Re: How to erase entire process memory upon exit

Post by Keya »

Lunasole wrote:In XP that was relatively simple [even if you had to carry a driver with your program :) ]; in newer Windows I'm not sure, admin rights are definitely needed and maybe even that will not be enough.
Not if it's still your own process! You can do anything to its memory; you don't even need to call OpenProcess() hehe. No driver or admin rights required either.
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: How to erase entire process memory upon exit

Post by Lunasole »

Keya wrote:Not if it's still your own process! You can do anything to its memory; you don't even need to call OpenProcess() hehe. No driver or admin rights required either.
Looks like you're right ^^ I didn't actually try something like that on Windows after XP, just "had a feeling" and guessed that it might not be so simple on newer Windows (due to extra "abstraction levels", changes in the API or some new restrictions, etc.)
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
firace
Addict
Posts: 899
Joined: Wed Nov 09, 2011 8:58 am

Re: How to erase entire process memory upon exit

Post by firace »

Thanks guys. Looks tougher than I expected - I will think about it a little bit more.