c++ - 我是否需要手动将 PCREDENTIAL.CredentialBlob 清零？

Question

我正在使用Windows credentials store像这样:

PCREDENTIAL cred = nullptr;
if (CredRead(entryName, 1, 0, &cred) != TRUE || !cred)
    return -1;

// ... code which handles cred.UserName and cred.CredentialBlob

CredFree(cred);

如您所见，我将缓冲区释放为 required 。但是，我看到 LPBYTE 指针 CredentialBlob 仍然有效，并且仍然在内存中包含密码。我是否必须手动 SecureZeroMemory 以及谁拥有该缓冲区？我发现没有其他源代码可以做到这一点......

我没有找到任何东西，https://msdn.microsoft.com/library/aa919793.aspx仅包含以下通用语句:

Clear credential data from memory after use

Do not leave credentials in memory after use. Clear all credential data from temporary storage after use by calling SecureZeroMemory.

Answer 1

您拥有该缓冲区。 documentation状态:

Any pointers contained within the buffer are pointers to locations within this single allocated block.

在理想的情况下，CredFree 会在释放整个 block 之前将其归零，为此向 Microsoft 提交建议可能是值得的，但就目前情况而言，您最好的选择可能是在调用 CredFree 之前执行以下操作:

SecureZeroMemory (cred->CredentialBlob, cred->CredentialBlobSize);