The Difference Between SecureZeroMemory and ZeroMemory

Source: Internet  Editor: 程序博客网  Date: 2024/06/11 18:16

This function is defined as the RtlSecureZeroMemory function (see WinBase.h). The implementation of RtlSecureZeroMemory is provided inline and can be used on any version of Windows (see WinNT.h).

Use this function instead of ZeroMemory when you want to ensure that your data will be overwritten promptly, as some C++ compilers can optimize a call to ZeroMemory by removing it entirely.

Many programming languages include syntax for initializing complex variables to zero. There can be differences between the results of these operations and the SecureZeroMemory function. Use SecureZeroMemory to clear a block of memory in any programming language.

The following code fragment shows an instance where it is good to use SecureZeroMemory instead of ZeroMemory.

C++
WCHAR szPassword[MAX_PATH];

// Retrieve the password
if (GetPasswordFromUser(szPassword, MAX_PATH))
    UsePassword(szPassword);

// Clear the password from memory
SecureZeroMemory(szPassword, sizeof(szPassword));

If ZeroMemory were called in this example instead of SecureZeroMemory, the compiler could optimize the call because the szPassword buffer is not read from before it goes out of scope. The password would remain on the application stack where it could be captured in a crash dump or probed by a malicious application.
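A portable version of the pattern above, as an added example that is not from the original page or from the Windows headers. The names `wipe`, `residue`, `get_password` and `use_password_once` are hypothetical, the password string is constructed sample data, and the volatile-pointer fallback used on non-Windows builds is an assumption.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* wipe() is a hypothetical wrapper name, not a Windows API. */
static void *wipe(void *p, size_t n)
{
#ifdef _WIN32
    return SecureZeroMemory(p, n);       /* the call the page recommends */
#else
    /* Assumed non-Windows fallback: compilers keep stores made through a
       volatile-qualified pointer, unlike a trailing memset/ZeroMemory. */
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
    return p;
#endif
}

/* Number of bytes still non-zero; lets a test confirm the wipe happened. */
static size_t residue(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t left = 0;
    while (n--) left += (b[n] != 0);
    return left;
}

/* Constructed stand-in for GetPasswordFromUser in the page's fragment. */
static int get_password(char *buf, size_t cap)
{
    static const char sample[] = "constructed-sample-pw";
    if (cap < sizeof sample) return 0;
    memcpy(buf, sample, sizeof sample);
    return 1;
}

/* Same shape as the page's fragment: pw is never read after the wipe. */
static size_t use_password_once(void)
{
    char pw[64];
    size_t len = 0;
    if (get_password(pw, sizeof pw))
        len = strlen(pw);                /* placeholder for real use */
    wipe(pw, sizeof pw);                 /* runs on success and on failure */
    return len;
}

int main(void) { return use_password_once() == 21 ? 0 : 1; }
```

To see whether a given compiler keeps the wipe, build with optimization enabled and inspect the generated assembly for the zeroing stores at the end of `use_password_once`.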


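The ZeroMemory call may be optimized away by the compiler, so the stack holding sensitive information is not cleared and can be exploited by malware or dumped to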
