I am working with API calls to advapi32.dll for managing Windows Saved Credentials in order to automate certain Windows applications which can use saved credentials, which is working fine.
I am trying to update my code to use SecureString for password throughout, as I have no need to interact with the text contained in passwords at any point so it should be more secure if my application never holds the password in plain text.
I am able to marshal a SecureString to COM task allocator memory to pass to the API calls with:
var unmanagedPassword = Marshal.SecureStringToCoTaskMemUnicode(userCredential.Password);
However, when it comes to reading that information back into the application, I cannot find a way to marshal such an unmanaged string back into a SecureString without copying the string into managed memory, be it as a string or byte array.
Is there a safe way to do this that I am overlooking?
.AppendChar() in a loop over Marshal.ReadInt16() (assuming a Unicode string). There's also an unsafe constructor that takes a char* and a length. Note that the unmanaged memory should be zeroed and deallocated, otherwise there's not much point to you using a SecureString while all the data is still floating around in plain text. – Jeroen Mostert
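The approach described in the comment above, as an added example that is not part of the original question or comment: an AppendChar() loop over Marshal.ReadInt16(), followed by zeroing the unmanaged buffer. The helper name FromUnmanagedUnicode is hypothetical, and the code assumes the caller knows the length in characters, that the buffer is writable, and that the buffer is freed with the deallocator matching whatever allocated it.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringInterop
{
    // Hypothetical helper (name is an assumption, not a framework API).
    // Copies charCount UTF-16 code units into a SecureString one char at a time,
    // so no managed string or array holds the secret, then zeroes the source buffer.
    public static SecureString FromUnmanagedUnicode(IntPtr buffer, int charCount)
    {
        if (buffer == IntPtr.Zero) throw new ArgumentNullException(nameof(buffer));
        if (charCount < 0) throw new ArgumentOutOfRangeException(nameof(charCount));

        var result = new SecureString();
        try
        {
            for (int i = 0; i < charCount; i++)
                result.AppendChar((char)Marshal.ReadInt16(buffer, i * sizeof(char)));
            result.MakeReadOnly();
            return result;
        }
        catch { result.Dispose(); throw; }
        finally
        {
            // Wipe the plaintext even if AppendChar threw part-way through.
            for (int i = 0; i < charCount; i++)
                Marshal.WriteInt16(buffer, i * sizeof(char), 0);
        }
    }

    static void Main()
    {
        // Constructed sample: stands in for a buffer handed back by a native API.
        using var original = new SecureString();
        foreach (char c in "constructed-sample") original.AppendChar(c);
        IntPtr unmanaged = Marshal.SecureStringToCoTaskMemUnicode(original);
        try
        {
            using SecureString copy = FromUnmanagedUnicode(unmanaged, original.Length);
            Console.WriteLine($"length preserved: {copy.Length == original.Length}");
            Console.WriteLine($"buffer zeroed: {Marshal.ReadInt16(unmanaged) == 0}");
        }
        finally
        {
            Marshal.FreeCoTaskMem(unmanaged); // matches the CoTaskMem allocator used above
        }
    }
}
```

Each character still passes through a managed local for an instant; what this avoids is a managed string or array holding the whole password.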