Protecting passwords in memory
In this age of security awareness, it is important to protect any passwords or other sensitive data that an application uses and therefore holds in memory. The protection is twofold: first, encrypt the sensitive data; second, erase any memory that may have contained the unprotected data before the variable goes out of scope.

The Windows API includes the CryptProtectMemory function to encrypt data in memory. For example, an application might request user credentials with CredUIPromptForWindowsCredentials and then use those credentials to launch a program with CreateProcessWithLogonW. Between these two calls the password is held in a variable, and hence the plaintext password is somewhere in the process memory. It should be protected by encrypting it as soon as it is returned from the API, then erasing the variable that held it before it goes out of scope. Just before CreateProcessWithLogonW is called, the password can be decrypted into a variable, that variable passed to the API, and the memory it used erased immediately afterwards.

Sample Application
The attached application demonstrates the usage of the CryptProtectMemory function to encrypt and decrypt data. This application does not involve any passwords, but demonstrates the process of encrypting a text string, decrypting it again, and a simple method to erase the memory used by a string variable. Erasing a string can be tricky, as in VB normal string manipulation allocates a new string and assigns the result to it, leaving the original contents behind in freed memory. One simple solution that erases the actual data in memory is to use the Mid$ statement:
Mid$(sData, 1, Len(sData)) = String$(Len(sData), vbNullChar)
This writes zeroes to the string without changing its location in memory.

The application consists of a form to enter the text, a button to encrypt the text and show the result as hex bytes, and then to decrypt the encrypted text to recover the original text.

[Screenshot: CryptProtectMemory.png]
In this application the encrypted data is converted into a hex string, which makes it easy to inspect the result and compare the different encryptions. In normal usage the encrypted data should not be exposed in this way.

CryptProtectMemory accepts one of three flags that select the type of encryption, and this defines the scope within which the encrypted data can be shared.

Comparing the different encryption settings

The Windows API CryptProtectMemory has 3 flag settings for the type of encryption.
· CRYPTPROTECTMEMORY_SAME_PROCESS
· CRYPTPROTECTMEMORY_SAME_LOGON
· CRYPTPROTECTMEMORY_CROSS_PROCESS
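The encrypt-then-erase sequence described above, written out as a VB6 module that also carries the three flag constants listed here. This is an added example, not code from the attached project: the names WipeString, ProtectString and UnprotectString are my own, and the Declare statements assume the documented Dpapi signatures of CryptProtectMemory/CryptUnprotectMemory in crypt32.dll (the buffer length must be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE, which is 16).

```vb
Option Explicit

' Win32 declarations (crypt32.dll exports CryptProtectMemory/CryptUnprotectMemory)
Private Declare Function CryptProtectMemory Lib "crypt32.dll" (pDataIn As Any, ByVal cbDataIn As Long, ByVal dwFlags As Long) As Long
Private Declare Function CryptUnprotectMemory Lib "crypt32.dll" (pDataIn As Any, ByVal cbDataIn As Long, ByVal dwFlags As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

Private Const CRYPTPROTECTMEMORY_BLOCK_SIZE As Long = 16
Public Const CRYPTPROTECTMEMORY_SAME_PROCESS As Long = &H0
Public Const CRYPTPROTECTMEMORY_CROSS_PROCESS As Long = &H1
Public Const CRYPTPROTECTMEMORY_SAME_LOGON As Long = &H2

' Overwrites the characters of s in place (the Mid$ trick); Mid$ on an empty string raises error 5, hence the guard.
Public Sub WipeString(ByRef s As String)
    If Len(s) > 0 Then Mid$(s, 1, Len(s)) = String$(Len(s), vbNullChar)
End Sub

' Copies the UTF-16 bytes of sPlain into a buffer padded to a multiple of 16 bytes
' (required by CryptProtectMemory), encrypts it in place and wipes the plaintext string.
' lOrigBytes receives the unpadded length so the caller can trim the padding after decryption.
Public Function ProtectString(ByRef sPlain As String, ByVal lFlags As Long, ByRef lOrigBytes As Long) As Byte()
    Dim b() As Byte, lPadded As Long
    lOrigBytes = LenB(sPlain)
    lPadded = ((lOrigBytes + CRYPTPROTECTMEMORY_BLOCK_SIZE - 1) \ CRYPTPROTECTMEMORY_BLOCK_SIZE) * CRYPTPROTECTMEMORY_BLOCK_SIZE
    If lPadded = 0 Then lPadded = CRYPTPROTECTMEMORY_BLOCK_SIZE   ' an empty string still needs one block
    ReDim b(0 To lPadded - 1)                                    ' ReDim zero-fills, so the padding is zeros
    If lOrigBytes > 0 Then CopyMemory b(0), ByVal StrPtr(sPlain), lOrigBytes
    If CryptProtectMemory(b(0), lPadded, lFlags) = 0 Then
        Err.Raise vbObjectError + 1, "ProtectString", "CryptProtectMemory failed, LastDllError=" & Err.LastDllError
    End If
    WipeString sPlain          ' the plaintext now exists only inside b, encrypted
    ProtectString = b
End Function

' Decrypts b in place (lFlags must match the value used to protect), copies the original bytes
' into a new string and zeroes the buffer so no plaintext is left behind in the array.
Public Function UnprotectString(ByRef b() As Byte, ByVal lFlags As Long, ByVal lOrigBytes As Long) As String
    Dim s As String, i As Long, lPadded As Long
    lPadded = UBound(b) - LBound(b) + 1
    If CryptUnprotectMemory(b(LBound(b)), lPadded, lFlags) = 0 Then
        Err.Raise vbObjectError + 2, "UnprotectString", "CryptUnprotectMemory failed, LastDllError=" & Err.LastDllError
    End If
    s = String$(lOrigBytes \ 2, vbNullChar)
    If lOrigBytes > 0 Then CopyMemory ByVal StrPtr(s), b(LBound(b)), lOrigBytes
    For i = LBound(b) To UBound(b): b(i) = 0: Next i   ' wipe the decrypted buffer
    UnprotectString = s        ' the return value is a separate copy of the string
    WipeString s               ' so the local copy can be wiped before it goes out of scope
End Function
```

Call ProtectString as soon as the credential is returned, keep only the byte array and the length, and call UnprotectString immediately before the API that needs the plaintext, wiping the returned string with WipeString right after that call. Decrypting with a different flag value than the one used for encryption, or from a process outside the selected scope, makes CryptUnprotectMemory fail or return garbage, which is what the radio buttons in the attached application let you observe.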

This application provides radio buttons to select the type of encryption, and the text alongside the Decrypt button will show the scope of the selected option.

Explore the implications of these different settings by running multiple instances of this application. Use Run as administrator to create an instance with a different logon session.

Additional documentation is included in the attached project files.
CryptProtectMemory.zip