wipe process memory on process exit

Good day everyone!

I'm trying to clean up memory that contains process data on process exit.
I can intercept process termination with PsSetCreateProcessNotifyRoutine, but I don't know how to find out where the data segment is mapped.

Can anyone give me some advice on this matter?

thx

Do you mean ‘data segment’ as in what the executable maps, or as in general process address space?

If the latter, it's not as simple as where it's mapped, because you'd really need to know about committed pages before they are freed, which could happen before the process exits.

mm

I mean the part of the virtual address space which contains variables (.data in the exe); I don't care about executable code.

I'm still not clear. What you're describing (virtual address space) and what you are naming (.data) aren't necessarily the same thing.

Are you interested in wiping things allocated like:

    char *x = malloc(10);   /* heap */

-or-

    void f(void)
    {
        char x[1];          /* stack */
    }

If so, then that's definitely not the .data segment.

If all you really want is the .data segment, then that information is easily computable using the base address of the process and the PE headers, though there are still problems with this.
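As an added illustration (this is not code from the thread or from any poster), here is how the .data section of a mapped image can be located from its PE headers, which is the computation the reply above refers to. It works on a byte buffer holding the image headers as they appear at the base address, validates every offset before trusting it, and is exercised against a small constructed PE32+ image built in memory. Reading the real headers out of a target process from kernel mode, and the base address 0x140000000 used in main(), are assumptions; that part is not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header layout from the PE/COFF specification, spelled out so the code
   builds without <windows.h>. */
#define DOS_E_LFANEW      0x3C   /* offset of e_lfanew in the DOS header     */
#define NT_SIG_SIZE       4      /* "PE\0\0"                                 */
#define COFF_HDR_SIZE     20
#define COFF_NSECTIONS    2      /* NumberOfSections within the COFF header  */
#define COFF_OPTHDR_SIZE  16     /* SizeOfOptionalHeader                     */
#define OPT_SIZEOFIMAGE   56     /* SizeOfImage (same offset, PE32 & PE32+)  */
#define SECTION_HDR_SIZE  40
#define SEC_VSIZE         8      /* VirtualSize within a section header      */
#define SEC_VADDR         12     /* VirtualAddress (RVA)                     */
#define PAGE_SIZE_X86     0x1000

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate a named section in an image whose headers start at img (the layout
   at the process base address). Returns 0 and fills rva/vsize, or -1 if the
   headers are malformed or truncated. Every offset is bounds-checked: the
   headers live in the target's address space and may have been tampered with. */
int pe_find_section(const uint8_t *img, size_t len, const char *name,
                    uint32_t *rva, uint32_t *vsize)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + DOS_E_LFANEW);
    if (e_lfanew > len - NT_SIG_SIZE - COFF_HDR_SIZE) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", NT_SIG_SIZE) != 0) return -1;

    const uint8_t *coff = img + e_lfanew + NT_SIG_SIZE;
    uint16_t nsec  = rd16(coff + COFF_NSECTIONS);
    uint16_t optsz = rd16(coff + COFF_OPTHDR_SIZE);
    size_t sec_off = (size_t)e_lfanew + NT_SIG_SIZE + COFF_HDR_SIZE + optsz;
    if (nsec == 0 || sec_off > len || (size_t)nsec * SECTION_HDR_SIZE > len - sec_off) return -1;

    size_t nlen = strlen(name);
    if (nlen > 8) return -1;                    /* section names are 8 bytes, NUL-padded */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec_off + (size_t)i * SECTION_HDR_SIZE;
        if (memcmp(s, name, nlen) == 0 && (nlen == 8 || s[nlen] == 0)) {
            *rva   = rd32(s + SEC_VADDR);
            *vsize = rd32(s + SEC_VSIZE);
            return 0;
        }
    }
    return -1;
}

/* Page-align [base+rva, base+rva+vsize): the memory manager maps whole
   pages, so any wipe has to cover whole pages too. */
void section_page_range(uint64_t base, uint32_t rva, uint32_t vsize,
                        uint64_t *start, uint64_t *end)
{
    const uint64_t mask = ~(uint64_t)(PAGE_SIZE_X86 - 1);
    *start = (base + rva) & mask;
    *end   = (base + rva + vsize + PAGE_SIZE_X86 - 1) & mask;
}

/* Constructed sample: a minimal PE32+ image with .text and .data, built in
   memory so the example runs without a real executable. Returns bytes used. */
#define SAMPLE_LEN 0x400
size_t build_sample_image(uint8_t *buf, size_t len)
{
    const uint32_t lfanew = 0x80, optsz = 0xF0;  /* 0xF0 = PE32+ optional header */
    if (len < SAMPLE_LEN) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + DOS_E_LFANEW, lfanew);
    memcpy(buf + lfanew, "PE\0\0", NT_SIG_SIZE);
    uint8_t *coff = buf + lfanew + NT_SIG_SIZE;
    wr16(coff, 0x8664);                          /* Machine: AMD64 */
    wr16(coff + COFF_NSECTIONS, 2);
    wr16(coff + COFF_OPTHDR_SIZE, (uint16_t)optsz);
    uint8_t *opt = coff + COFF_HDR_SIZE;
    wr16(opt, 0x20B);                            /* Magic: PE32+ */
    wr32(opt + OPT_SIZEOFIMAGE, 0x5000);
    uint8_t *sec = opt + optsz;
    memcpy(sec, ".text", 5); wr32(sec + SEC_VSIZE, 0x0F00); wr32(sec + SEC_VADDR, 0x1000);
    sec += SECTION_HDR_SIZE;
    memcpy(sec, ".data", 5); wr32(sec + SEC_VSIZE, 0x1234); wr32(sec + SEC_VADDR, 0x3000);
    return SAMPLE_LEN;
}

int main(void)
{
    uint8_t img[SAMPLE_LEN];
    uint32_t rva, vsize;
    uint64_t start, end;
    if (!build_sample_image(img, sizeof img)) return 1;
    if (pe_find_section(img, sizeof img, ".data", &rva, &vsize) != 0) return 1;
    section_page_range(0x140000000ULL, rva, vsize, &start, &end);   /* assumed base address */
    printf(".data RVA 0x%x size 0x%x -> pages [0x%llx, 0x%llx)\n",
           (unsigned)rva, (unsigned)vsize, (unsigned long long)start, (unsigned long long)end);
    return 0;
}
```

Note what this does and does not give you: only the static data section of one module. Heap allocations, thread stacks and the .data of every other loaded DLL live elsewhere, which is the distinction the reply above is drawing. The VirtualSize can also exceed SizeOfRawData (zero-filled tail) and pages inside the range may already be decommitted, so the page-aligned range is an upper bound on what is actually resident.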

mm

I need all memory that contains data, not only the mapped .data segment (it was just a bad example, sorry about the confusion).

xxxxx@gmail.com wrote:

i need all memory that contains data, not only mapped .data segment (it was just a bad example, sorry about this confusion)

Are you asking about this so you can wipe memory for security purposes?
If so, you are missing the bigger picture. Pages get swapped in and out
of memory all the time. There’s no guarantee at all that the pages in
your data segment have been at the same physical address for their
entire life, and there’s no way for you to track that at process
termination.

However, the operating system zeros free pages before assigning them to
another process.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> i’m trying to clean up memory that contains process data on process exit.

No need for this. When the same physical page is allocated to another process, it will be automatically zeroed.

As for the page file, there is a "clear page file on shutdown" option.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Well, there is some need to do 'this', as other people are off inventing
policeware to grab all your memory state and sniff through it looking
for malfeasance, independent of any OS zero-page policy.

Mark Roddy

On Wed, Jan 27, 2010 at 1:45 PM, Maxim S. Shatskih wrote:
>> i’m trying to clean up memory that contains process data on process exit.
>
>
> No need in this. When the same physical page will be allocated to another process, it will be automatically zeroed.
>
> As about the page file - there is a “clear page file on shutdown” option.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

Yes, it's planned as part of security software.

So, I need to track all paging for my process during process execution
and manually zero pages before they are marked as free?

On Jan 27, 2010, at 9:13 PM, Tim Roberts wrote:

> xxxxx@gmail.com wrote:
>> i need all memory that contains data, not only mapped .data segment
>> (it was just a bad example, sorry about this confusion)
>
> Are you asking about this so you can wipe memory for security purposes?
> If so, you are missing the bigger picture. Pages get swapped in and out
> of memory all the time. There's no guarantee at all that the pages in
> your data segment have been at the same physical address for their
> entire life, and there's no way for you to track that at process
> termination.
>
> However, the operating system zeros free pages before assigning them to
> another process.



What sort of security are you trying to provide?

The operating system scrubs pages before handing them to user applications. Only an administrator can subvert this, and an administrator has unrestricted, full control over the machine anyway.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of sergey pisarev
Sent: Thursday, January 28, 2010 12:40 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] wipe process memory on process exit

yes, it’s planned as a part of security software

so, i need to track all paging for my process during process execution
and manually zero pages before they will be marked as free ?


> yes, it's planned as a part of security software
>
> so, i need to track all paging for my process during process execution
> and manually zero pages before they will be marked as free ?

This is already done by the OS; you do not need to make any effort.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>> yes, it’s planned as a part of security software

> so, i need to track all paging for my process during process execution
> and manually zero pages before they will be marked as free

> This is already done by the OS, you do not need to do any efforts.

I think the OP either gave a wrong description of what he wants to do, or just does not realize what his own requirements should be like…

It does not make any sense to zero pages themselves before reusing them, because Windows does it anyway. What it does not do is _immediately_ destroy data that may back up a swappable page on the disk. Consider a situation where an anonymous page actually gets swapped out to the disk, is subsequently read back into RAM, and then gets freed: although all data in its corresponding slot in the pagefile becomes obsolete the moment the page gets freed, it does not mean that it gets destroyed on the spot, does it? In other words, the pagefile may theoretically contain some sensitive data at the moment the PC gets switched off, which, in turn, opens a theoretical possibility of this data being recovered by a "curious someone" who may get physical access to your machine while it is off.

This is what the OP’s security software should be bothered about, and, to be honest, I don’t see how something like that can be implemented under Windows without turning MM upside down and inside out…

Anton Bassov
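Added example, not taken from any of the posts above: the mitigation that follows from Tim's, Maxim's and Anton's points is to handle a secret inside the process while it is alive rather than at exit. Pin its pages so the memory manager never writes them to the pagefile, and overwrite them before the allocator gets them back, so the OS's zeroing of free pages becomes a second line of defence rather than the only one. This is user-mode C (VirtualLock on Windows, mlock elsewhere) with a volatile-store wipe; the 4096-byte "key" it fills is constructed. It does not address the hibernation file, crash dumps or a kernel debugger, and the lock call is best-effort since a per-process quota can refuse it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#else
#  include <sys/mman.h>
#endif

/* Zero a buffer in a way the optimizer cannot drop as a dead store (a plain
   memset() right before free() is routinely removed). Volatile byte stores
   are the portable equivalent of RtlSecureZeroMemory(). */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Pin the pages backing [p, p+n) in RAM so they are never written to the
   pagefile/swap. Returns 0 on success, -1 if the OS refused (e.g. lock quota
   exhausted); the caller then knows the secret may be paged. */
int lock_pages(void *p, size_t n)
{
#ifdef _WIN32
    return VirtualLock(p, n) ? 0 : -1;
#else
    return mlock(p, n) == 0 ? 0 : -1;
#endif
}

int unlock_pages(void *p, size_t n)
{
#ifdef _WIN32
    return VirtualUnlock(p, n) ? 0 : -1;
#else
    return munlock(p, n) == 0 ? 0 : -1;
#endif
}

/* A secret kept off disk while alive and wiped before its pages go back
   to the allocator. */
typedef struct {
    unsigned char *buf;
    size_t len;
    int locked;          /* 1 if lock_pages() succeeded */
} secret_t;

int secret_alloc(secret_t *s, size_t len)
{
    s->buf = malloc(len);
    if (!s->buf) return -1;
    s->len = len;
    s->locked = (lock_pages(s->buf, len) == 0);
    return 0;
}

/* Wipe, unpin and release: the bytes are gone before the heap (or the OS)
   ever reuses the pages. */
void secret_free(secret_t *s)
{
    if (!s->buf) return;
    secure_zero(s->buf, s->len);
    if (s->locked) unlock_pages(s->buf, s->len);
    free(s->buf);
    s->buf = NULL; s->len = 0; s->locked = 0;
}

/* 1 if every byte of buf is zero. */
int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Self-check: fill a secret with constructed key bytes, wipe it in place and
   confirm the wipe took effect before free(). Returns 1 on success. */
int demo_wipe(void)
{
    secret_t s;
    if (secret_alloc(&s, 4096) != 0) return 0;
    memset(s.buf, 0xA5, s.len);            /* constructed "key" material */
    secure_zero(s.buf, s.len);
    int zeroed = is_all_zero(s.buf, s.len);
    secret_free(&s);
    return zeroed;
}

int main(void)
{
    printf("wipe before free: %s\n", demo_wipe() ? "ok" : "FAILED");
    return 0;
}
```

The point of checking the lock result rather than ignoring it is the failure mode Anton describes: if the pin is refused, the secret can reach the pagefile, and the program should know that rather than assume otherwise.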

wrote in message news:xxxxx@ntdev…
> This is what the OP’s security software should be bothered about, and, to
> be honest, I don’t see how something like that can be implemented under
> Windows without turning MM upside down and inside out…
>

Just use one of COTS whole-disk-encryption products?
– pa

> Just use one of COTS whole-disk-encryption products?

Reasonable approach, but knowing the most reasonable "external" solution to a problem that your security product claims to solve does not make it easier to sell, does it… Running the system as root only on exceptional occasions, as well as properly applying access permissions to files and directories, are the very first examples that come to one's mind…

Anton Bassov