I have made a sample application in Delphi XE10
and made the user ID, password and database name encrypted,
decrypting them on connecting. The problem is that when I open the exe process in memory with a memory scanner, I can find all of them easily by searching for some part of the connection string.
Is it this easy to find secure connection data in Windows applications, or did I do something wrong?
Hide connection user password in memory in Delphi TADOConnection
1.6k Views Asked by dawood karimy At
3
There are 3 best solutions below
4

Thinking outside the box... why do you want to hide the password?
If the database is on the user's computer, then he/she can simply open the database using Windows authentication mode in SQL Management Studio, without a password!
If the database is on a remote server, it is surely better to write a web service that fetches the data and sends the result as XML to your program instead of opening the database remotely.
3

Try to protect the memory. Use CryptProtectMemory and CryptUnprotectMemory.
https://msdn.microsoft.com/de-de/library/windows/desktop/aa380262(v=vs.85).aspx
Here is a small snippet from my class. Play with it:
unit MyMemEncrypt; // placeholder unit name; the snippet was posted without its header

interface

uses
  Winapi.Windows,
  System.SysUtils;

// ....

const
  // dwFlags values for CryptProtectMemory and CryptUnprotectMemory
  CRYPTPROTECTMEMORY_SAME_PROCESS  = 0; // Set as default
  CRYPTPROTECTMEMORY_CROSS_PROCESS = 1;
  CRYPTPROTECTMEMORY_SAME_LOGON    = 2;
  // cbData must be a multiple of this block size
  CRYPTPROTECTMEMORY_BLOCK_SIZE    = 16;

type
  TMyMemEncryptBlaBla = class
  private
    //......
  public
    function MemEncrypt(const StrInp: String; CryptFlags: DWORD = 0): TBytes;
    function MemDecrypt(const EncInp: TBytes; CryptFlags: DWORD = 0): String;
  end;

{
  BOOL WINAPI CryptProtectMemory(_Inout_ LPVOID pData,
                                 _In_    DWORD  cbData,
                                 _In_    DWORD  dwFlags );
}
function CryptProtectMemory(Data: Pointer; Size: DWORD; Flags: DWORD): BOOL; stdcall;

{
  BOOL WINAPI CryptUnprotectMemory(_Inout_ LPVOID pData,
                                   _In_    DWORD  cbData,
                                   _In_    DWORD  dwFlags );
}
function CryptUnProtectMemory(Data: Pointer; Size: DWORD; Flags: DWORD): BOOL; stdcall;

implementation

function CryptProtectMemory; external 'Crypt32.dll' name 'CryptProtectMemory';
function CryptUnProtectMemory; external 'Crypt32.dll' name 'CryptUnprotectMemory';

// encrypt
function TMyMemEncryptBlaBla.MemEncrypt(const StrInp: String; CryptFlags: DWORD): TBytes;
begin
  Result := TEncoding.Unicode.GetBytes(StrInp);
  try
    // Pad with zero bytes up to the next multiple of the block size
    if Length(Result) mod CRYPTPROTECTMEMORY_BLOCK_SIZE <> 0 then
      SetLength(Result, ((Length(Result) div CRYPTPROTECTMEMORY_BLOCK_SIZE) + 1) * CRYPTPROTECTMEMORY_BLOCK_SIZE);
  except
    on E: Exception do
    begin
      MessageBox(0, PChar(E.Message), PChar('E_OUTOFMEMORY'), MB_ICONERROR or MB_OK);
    end;
  end;
  try
    // Encrypts the buffer in place
    if not CryptProtectMemory(Pointer(Result), Length(Result), CryptFlags) then
    begin
      MessageBox(0, PChar('MemCrypt: ' + SysErrorMessage(GetLastError)), PChar('MemEncrypt failed'), MB_ICONERROR or MB_OK);
      // Do not hand the plaintext back to the caller on failure
      ZeroMemory(Pointer(Result), Length(Result));
    end;
  except
    on E: Exception do
    begin
      MessageBox(0, PChar(E.Message), PChar('MemEncrypt Exception'), MB_ICONERROR or MB_OK);
    end;
  end;
end;

// decrypt
function TMyMemEncryptBlaBla.MemDecrypt(const EncInp: TBytes; CryptFlags: DWORD): String;
var
  DecTmp: TBytes;
  Len: Integer;
begin
  Result := ''; // defined result if decryption fails
  // Work on a copy so the caller's buffer stays encrypted
  DecTmp := Copy(EncInp);
  try
    try
      if CryptUnprotectMemory(Pointer(DecTmp), Length(DecTmp), CryptFlags) then
      begin
        // Drop the zero padding added by MemEncrypt; otherwise the string ends in #0 characters
        Len := Length(DecTmp);
        while (Len >= 2) and (DecTmp[Len - 1] = 0) and (DecTmp[Len - 2] = 0) do
          Dec(Len, 2);
        Result := TEncoding.Unicode.GetString(DecTmp, 0, Len);
      end
      else
        MessageBox(0, PChar('MemDecrypt: ' + SysErrorMessage(GetLastError)), PChar('MemDecrypt failed'), MB_ICONERROR or MB_OK);
    finally
      // Wipe the decrypted copy even if an exception was raised
      ZeroMemory(Pointer(DecTmp), Length(DecTmp));
    end;
  except
    on E: Exception do
      MessageBox(0, PChar(E.Message), PChar('MemDecrypt Exception'), MB_ICONERROR or MB_OK);
  end;
end;

end.
Axel
Don't put the password in the connection string. Instead assign an OnWillConnect event handler to TADOConnection and supply the password there in the supplied parameter.
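
The last two answers can be combined. The unit below is an added example, not code from any of the answers: it keeps the password encrypted with CryptProtectMemory and decrypts it only inside the OnWillConnect handler, so the connection string never contains it. The unit name, `TSecureConnector` and its fields are hypothetical, and it assumes `AEncPwd` was produced earlier in the same process run by CryptProtectMemory with flag 0 from zero-padded UTF-16 text.

```delphi
unit SecureConnect; // hypothetical unit name
interface
uses Winapi.Windows, System.SysUtils, Data.Win.ADODB;
type
  // Hypothetical helper: decrypts the protected password only while ADO asks for it
  TSecureConnector = class
  private
    FUser: string;
    FEncPwd: TBytes; // UTF-16 text, zero-padded to 16 bytes, then encrypted (assumption)
    procedure WillConnect(Connection: TADOConnection;
      var ConnectionString, UserID, Password: WideString;
      var ConnectOptions: TConnectOption; var EventStatus: TEventStatus);
  public
    constructor Create(Conn: TADOConnection; const AUser: string; const AEncPwd: TBytes);
  end;
implementation
function CryptUnprotectMemory(Data: Pointer; Size, Flags: DWORD): BOOL; stdcall;
  external 'Crypt32.dll' name 'CryptUnprotectMemory';

constructor TSecureConnector.Create; // parameters as declared in the class
begin
  inherited Create;
  FUser := AUser;
  FEncPwd := Copy(AEncPwd);
  Conn.LoginPrompt := False;         // credentials are supplied by the event
  Conn.OnWillConnect := WillConnect; // ConnectionString carries no password
end;

procedure TSecureConnector.WillConnect; // parameters as declared in the class
var
  Tmp: TBytes;
  Len: Integer;
begin
  Tmp := Copy(FEncPwd); // decrypt a copy; the stored bytes stay encrypted
  try
    if not CryptUnprotectMemory(Pointer(Tmp), Length(Tmp), 0) then
    begin
      EventStatus := esCancel; // refuse to connect without a usable password
      Exit;
    end;
    Len := Length(Tmp);
    while (Len >= 2) and (Tmp[Len - 1] = 0) and (Tmp[Len - 2] = 0) do Dec(Len, 2); // strip padding
    UserID := FUser;
    SetString(Password, PWideChar(Pointer(Tmp)), Len div 2);
  finally
    ZeroMemory(Pointer(Tmp), Length(Tmp)); // wipe the plaintext copy, also on Exit
  end;
end;
end.
```

The plaintext still exists briefly in the `Password` WideString that ADO receives, so this shortens the window in which a memory scanner can find it rather than removing it.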