ansaurus

Question

Answer 1

+4 A:

As far as I understand, the only difference between ZeroMemory and SecureZeroMemory is SecureZeroMemory is implemented as an inline function, ensuring it won't be optimised out by the compiler.

I don't think Delphi performs the same level of compiler optimisation, so ZeroMemory calls shouldn't be optimised out.

glob 2010-10-27 08:16:15

I think you got the logic inverted. `ZeroMemory` is inline, and can be optimized out. `SecureZeroMemory` is essentially a Win32 function in a DLL, and the call cannot be optimized out at compile time.

MSalters 2010-10-27 08:21:42

@MSalters May I know which Win32 DLL is SecureZeroMemory found in?

seveleven 2010-10-27 08:23:09

SecureZeroMemory is not an exposed function in any Win32 DLL. @glob is right that SecureZeroMemory is inline, as stated in MSDN.

seveleven 2010-10-27 09:56:57

Answer 2

A:

Take a look at the MSDN help here.

The only question whether Delphi's compiler removes ZeroMemory as an optimization result, athough i doubt that.

LTi 2010-10-27 08:16:45

Answer 3

+1 A:

I do not have a Delphi compiler available right now, but I do not think there is a need for SecureZeroMemory.

I do remember that in Delphi, the Win32 API functions/macros CopyMemory and MoveMemory are identical (they are both implemented just as the pointer "versions" of the Move RTL function). Hence, the remark at the MSDN CopyMemory reference page saying that you must use MoveMemory rather than CopyMemory is the blocks overlap, is irrelevant. Delphi's Move always makes the right thing.

I think the same thing applies to ZeroMemory and SecureZeroMemory. The first is implemented as FillChar with #0, and if there would be a SecureZeroMemory function for Deplhi, I think it would also just be a FillChar with #0. (If FillChar would be ignored at some times, it really should be documented in the Delphi reference, but it isn't.)

Please correct me if I am wrong!

Andreas Rejbrand 2010-10-27 08:36:34

Answer 4

+2 A:

Since according to MSDN, SecureZeroMemory() is actually defined as the RtlSecureZeroMemory(), you can declare SecureZeroMemory() as follows:

  procedure SecureZeroMemory(_ptr: Pointer; cnt: Longint); external 'kernel32.dll' name 'RtlSecureZeroMemory';

SecureZeroMemory() is merely an alias of RtlSecureZeroMemory().

Vantomex 2010-10-27 08:57:54

I didn't know that `[Rtl]SecureZeroMemory` was an exported DLL function. But I suppose you have tried your code, and hence, that it *is*. Still, per my answer, I do not think there is ever any *need* to use this function rather than `ZeroMemory` (`FillChar` with #0) in Delphi.

Andreas Rejbrand 2010-10-27 09:04:15

Can't find RtlSecureZeroMemory,SecureZeroMemory, RtlZeroMemory, or ZeroMemory anywhere in kernel32.dll. Those functions are not exported in any Win32 DLL.

seveleven 2010-10-27 09:19:52

@seveleven, I've just checked `kernel32.dll` using a dll export viewer tool, and indeed RtlSecureZeroMemory() exists in `kernel32.dll`.

Vantomex 2010-10-27 10:53:13

However, I didn't test yet whether the MSDN statement applies in Delphi, "If ZeroMemory were called in this example instead of SecureZeroMemory, the compiler could optimize the call because the szPassword buffer is not read from before it goes out of scope ..." I know, `ZeroMemory()` was implemented as `FillChar` with `0` in Delphi, but the case in the MSDN example should be empirically tested to ensure that doesn't apply in Delphi programs.

Vantomex 2010-10-27 11:04:36

ansaurus

tags:

views:

answers:

Using SecureZeroMemory in Delphi

related questions