Sysinternals Homepage
Forum Home Forum Home > Windows Discussions > Development
  New Posts New Posts RSS Feed - Process environment variables
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Process environment variables

 Post Reply Post Reply
Author
Message
tasya View Drop Down
Newbie
Newbie


Joined: 21 June 2016
Status: Offline
Points: 2
Post Options Post Options   Thanks (0) Thanks(0)   Quote tasya Quote  Post ReplyReply Direct Link To This Post Topic: Process environment variables
    Posted: 21 June 2016 at 8:53am

Hi! I need to get environment variable of a random process. When I was on XP I wrote the next code:

#define UNICODE

#include <windows.h>
#include <stdio.h>
#include <locale.h>

typedef LONG NTSTATUS;

#define ProcessBasicInformation 0

typedef struct _PROCESS_BASIN_INFORMATION {
NTSTATUS ExitStatus;
PVOID PebBaseAddress;
ULONG_PTR AffinityMask;
LONG BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

NTSTATUS (__stdcall *NtQueryInformationProcess)(
HANDLE ProcessHandle,
UINT ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);

ULONG (__stdcall *RtlNtStatusToDosError)(
NTSTATUS Status
);

BOOLEAN LocateSignatures(HMODULE mod) {
if (!(NtQueryInformationProcess = (PVOID)GetProcAddress(
mod, "NtQueryInformationProcess"
))) return FALSE;

if (!(RtlNtStatusToDosError = (PVOID)GetProcAddress(
mod, "RtlNtStatusToDosError"
))) return FALSE;

return TRUE;
}

int wmain(int argc, WCHAR* argv[]) {
WCHAR *app, *buf, *tmp;
DWORD pid;
HANDLE proc;
PVOID rupp;
PVOID env;
NTSTATUS nts;
PROCESS_BASIC_INFORMATION pbi;
MEMORY_BASIC_INFORMATION mbi;

if (argc != 2) {
app = wcsrchr(argv[0], '\\');
wprintf(L"Usage: %s [PID]\n", app ? ++app : argv[0]);
return -1;
}

if (!LocateSignatures(GetModuleHandle(L"ntdll.dll"))) {
   return -1;
}

pid = _wtoi(argv[1]);
if (!(proc = OpenProcess(
PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid
))) {
   return -1;
}

if (!(nts = NtQueryInformationProcess(
proc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL
))) {
if (ReadProcessMemory(
proc, (PCHAR)pbi.PebBaseAddress + 0x10, &rupp, sizeof(rupp), NULL
)) {
if (ReadProcessMemory(
proc, (PCHAR)rupp + 0x48, &env, sizeof(env), NULL
)) {
if (!VirtualQueryEx(proc, env, &mbi, sizeof(mbi))) {
   CloseHandle(proc);
return -1;
}

buf = (WCHAR *)malloc(mbi.RegionSize);
if (ReadProcessMemory(
proc, mbi.BaseAddress, buf, mbi.RegionSize, NULL
)) {
tmp = buf;
while (*tmp) {
printf("%.*S\n", wcslen(tmp), tmp);
tmp += wcslen(tmp) + 1;
}
  }
free(buf);
  }
  }
  }
CloseHandle(proc);

return 0;
}

But on Win7 it doesn't work. How to fix this? Thnx for advace

Back to Top
wormworm View Drop Down
Newbie
Newbie
Avatar

Joined: 13 May 2017
Status: Offline
Points: 1
Post Options Post Options   Thanks (0) Thanks(0)   Quote wormworm Quote  Post ReplyReply Direct Link To This Post Posted: 13 May 2017 at 12:42am
It surly does not work with the fixed address --- a better way is to get the PEB address first, then check PEB->ProcessParameters->Environment, which is a LPVOID, then you can read the variable strings from there.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 11.06
Copyright ©2001-2016 Web Wiz Ltd.