Jump to content

Overwrite variable for security purposes?

CarlD

By CarlD
in AutoIt General Help and Support

 Share

Recommended Posts

CarlD Adventurer

CarlD

Posted
Posted

This is a naive question, but here goes. If a variable contains sensitive information, like a password, is there any value to overwriting its contents before exiting the script? In other words, in the example below, would someone poking around in memory after the script finishes still be able to find the original value of variable $sPass? (Putting aside, for present purposes, the obvious fact that the script itself contains the sensitive information.) Is there a better way to cover one's tracks, as it were? Thanks in advance.  

Local $sPass = "My password is 'very+very_strong'"

; Do something here, then overwrite $sPass:

If Not _OverwriteVar("sPass") Then
    MsgBox(0, "", "Variable overwrite failed!")
Else
    MsgBox(0, "", "'sPass' now overwritten with " & $sPass)
EndIf
Exit

Func _OverwriteVar($sVarName, $sOverStrChar = "#")
    If IsDeclared($sVarName) <> 0 Then
        If Not IsString(Eval($sVarName)) Then Assign($sVarName, String(Eval($sVarName)))
        Assign($sVarName, StringRegExpReplace(Eval($sVarName), ".", $sOverStrChar))
        Return 1
    Else
        Return 0
    EndIf
EndFunc  ;==>_OverwriteVar

 

 

Nine Universalist

Nine

Posted
Posted

How about crypting them ?

7 minutes ago, CarlD said:

would someone poking around in memory

Are you living in a dictatorial territories ?

I am always surprised that ppl think that they got such a great software that they need to protect against all over the world spies. 

“They did not know it was impossible, so they did it” ― Mark Twain

Spoiler

Block all input without UAC

Save/Retrieve Images to/from Text

 Monitor Management (VCP commands)

Tool to search in text (au3) files

Date Range Picker

 Virtual Desktop Manager

Sudoku Game 2020

Overlapped Named Pipe IPC

 HotString 2.0 - Hot keys with string

x64 Bitwise Operations

Multi-keyboards HotKeySet

 Recursive Array Display

Fast and simple WCD IPC

Multiple Folders Selector

 Printer Manager

GIF Animation (cached)

Debug Messages Monitor UDF

Screen Scraping

Round Corner GUI UDF

 Multi-Threading Made Easy

Interface Object based on Tag

 

jchd Universalist

jchd

Posted
Posted

This, but it can be simpler to get the secret from the compiled .exe 

Local $sPass = "My password is 'very+very_strong'"

; Do something here, then overwrite $sPass:

_OverwriteVar($sPass)
MsgBox(0, "", "'sPass' now overwritten with " & $sPass)

Func _OverwriteVar(ByRef $sVar, $sOverStrChar = "#")
    $sVar = StringRegExpReplace($sVar, "(?s).", $sOverStrChar)
EndFunc  ;==>_OverwriteVar

 

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

CarlD Adventurer

CarlD

Posted
  • Author
Posted

Thanks for your replies! @jchd, I appreciate your rewrite of the function, which sent me back to the documentation of "ByRef", which I now understand better than before. I guess the accessibility of even compiled code to snoopers makes it advisable to just not put any sensitive information in there, period. @Nine, if I understand you correctly I think you're saying something similar. Don't put passwords and such into code, but solicit the info at runtime and hash it -- right? As for living in dictatorial territories, I'm not sure yet but will know better in November. ;)

jchd Universalist

jchd

Posted
Posted
2 hours ago, CarlD said:

Don't put passwords and such into code, but solicit the info at runtime and hash it -- right?

Yeah, just that. This advice not only applies to AutoIt, even if this platform is especially sensitive to this form of attack over inner data or code.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...