Posted

This is a naive question, but here goes. If a variable contains sensitive information, like a password, is there any value to overwriting its contents before exiting the script? In other words, in the example below, would someone poking around in memory after the script finishes still be able to find the original value of variable $sPass? (Putting aside, for present purposes, the obvious fact that the script itself contains the sensitive information.) Is there a better way to cover one's tracks, as it were? Thanks in advance. 

Local $sPass = "My password is 'very+very_strong'"

; Do something here, then overwrite $sPass:

If Not _OverwriteVar("sPass") Then
    MsgBox(0, "", "Variable overwrite failed!")
Else
    MsgBox(0, "", "'sPass' now overwritten with " & $sPass)
EndIf
Exit

Func _OverwriteVar($sVarName, $sOverStrChar = "#")
    If IsDeclared($sVarName) <> 0 Then
        If Not IsString(Eval($sVarName)) Then Assign($sVarName, String(Eval($sVarName)))
        Assign($sVarName, StringRegExpReplace(Eval($sVarName), ".", $sOverStrChar))
        Return 1
    Else
        Return 0
    EndIf
EndFunc  ;==>_OverwriteVar

Posted

How about encrypting them?

7 minutes ago, CarlD said:

would someone poking around in memory

Are you living in a dictatorial territory?

I am always surprised that people think they have such great software that they need to protect it against spies from all over the world.

Posted

This, but it can be simpler to get the secret from the compiled .exe.

Local $sPass = "My password is 'very+very_strong'"

; Do something here, then overwrite $sPass:

_OverwriteVar($sPass)
MsgBox(0, "", "'sPass' now overwritten with " & $sPass)

Func _OverwriteVar(ByRef $sVar, $sOverStrChar = "#")
    $sVar = StringRegExpReplace($sVar, "(?s).", $sOverStrChar)
EndFunc  ;==>_OverwriteVar

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Posted

Thanks for your replies! @jchd, I appreciate your rewrite of the function, which sent me back to the documentation of "ByRef", which I now understand better than before. I guess the accessibility of even compiled code to snoopers makes it advisable to just not put any sensitive information in there, period. @Nine, if I understand you correctly I think you're saying something similar. Don't put passwords and such into code, but solicit the info at runtime and hash it -- right? As for living in dictatorial territories, I'm not sure yet but will know better in November. ;)

Posted
2 hours ago, CarlD said:

Don't put passwords and such into code, but solicit the info at runtime and hash it -- right?

Yeah, just that. This advice applies not only to AutoIt, even if this platform is especially sensitive to this form of attack on its internal data or code.

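The immutable-string point behind the replies, as an added example written in Python rather than AutoIt (it is not code from the thread); both interpreters treat string values the same way, so what it shows carries over: an overwrite built from a regex replace yields a new value and leaves the original untouched, only a mutable buffer you allocated yourself can be zeroed in place, and the safer design the replies recommend is to prompt at runtime and keep only a salted hash. SecretBuffer, register and verify are constructed names, not a library API.

```python
import hashlib
import hmac
import os
import re

def overwrite_str(value: str, fill: str = "#") -> str:
    """Port of the thread's _OverwriteVar. Strings are immutable, so this builds a
    NEW string; the original object (and any copy the interpreter kept) is untouched."""
    return re.sub(r"(?s).", fill, value)

def demo_string_overwrite() -> tuple[str, str]:
    secret = "My password is 'very+very_strong'"
    retained_copy = secret          # stands in for any reference still held elsewhere
    secret = overwrite_str(secret)  # rebinds the name; the old value is not modified
    return secret, retained_copy

class SecretBuffer:
    """Constructed helper (not a library API): a mutable bytearray that can be
    zeroed in place, unlike a str or bytes value."""

    def __init__(self, data: bytes) -> None:
        self._buf = bytearray(data)  # the caller's bytes object stays immutable

    def salted_hash(self, salt: bytes, iterations: int = 100_000) -> bytes:
        # Salted, slow KDF rather than a bare SHA-256, so guessing is expensive.
        return hashlib.pbkdf2_hmac("sha256", self._buf, salt, iterations)

    def wipe(self) -> None:
        self._buf[:] = bytes(len(self._buf))  # zero fill inside the same object

    def is_wiped(self) -> bool:
        return len(self._buf) > 0 and not any(self._buf)

def register(password: bytes) -> tuple[bytes, bytes]:
    """Keep only (salt, hash); the working copy is wiped before returning."""
    salt = os.urandom(16)
    buf = SecretBuffer(password)
    try:
        return salt, buf.salted_hash(salt)
    finally:
        buf.wipe()

def verify(password: bytes, salt: bytes, expected: bytes) -> bool:
    buf = SecretBuffer(password)
    try:
        return hmac.compare_digest(buf.salted_hash(salt), expected)
    finally:
        buf.wipe()
```

In a real program the secret would come from a runtime prompt (getpass, or an InputBox with a password character in AutoIt) and should be copied into the mutable buffer as early as possible, since the prompt's own return value is again an immutable string.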
