windows 正在阅读另一个进程的环境变量

42fyovps  于 2022-12-14  发布在  Windows
关注(0)|答案(1)|浏览(158)

我试图得到一个进程环境字符串,下面的代码是我已经写好的。

#include <windows.h>
#include <tchar.h>

#define ProcessBasicInformation 0

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS  ExitStatus;
    PVOID     PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG      BasePriority;
    HANDLE    UniqueProcessId;
    HANDLE    InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

int _tmain(int argc, TCHAR* argv[]) {
  TCHAR   *app;
  DWORD    pid;
  HANDLE  proc;
  NTSTATUS nts;
  PVOID   rupp; // RTL_USER_PROCESS_PARAMETERS, offset 0x10
  PVOID    env; // Environment, offset 0x48
  TCHAR   *buf;
  PROCESS_BASIC_INFORMATION pbi;
  MEMORY_BASIC_INFORMATION  mbi;

  if (argc != 2) {
    app = _tcsrchr(argv[0], '\\');
    _tprintf(TEXT("Usage: %s [PID]\n"), app ? ++app : argv[0]);
    return -1;
  }

  _stscanf_s(argv[1], TEXT("%lu"), &pid);
  if (!(proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid))) {
    return -1;
  }

  if (!(nts = NtQueryInformationProcess(
    proc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL
      ))) {
  if (ReadProcessMemory(
    proc, (PCHAR)pbi.PebBaseAddress + 0x10, &rupp, sizeof(rupp), NULL
      )) {
  if (ReadProcessMemory(proc, (PCHAR)rupp + 0x48, &env, sizeof(env), NULL)) {
     //what I need to do to get enironment strings?
  }
}
  }

  CloseHandle(proc);

  return 0;
}

有人能解释一下我需要做些什么来获取进程的环境字符串吗?

windows

1条答案

按热度按时间
t9aqgxwy

t9aqgxwy1#

首先,您代码只用于x86,但是x64系统如何?在x64上,您必须从x64代码运行以访问x64进程的环境。但是Wow 64进程如何?它们有2个环境!1个naive和1个Wow,这不是相等的字符串。因此,任务可能足够复杂。但是,当然存在解决方案。

NTSTATUS ReadProcessEnv(HANDLE hProcess, PVOID Environment, PWSTR* ppsz)
{
    NTSTATUS status;
    MEMORY_BASIC_INFORMATION mbi;

    if (0 > (status = ZwQueryVirtualMemory(hProcess, Environment, MemoryBasicInformation, &mbi, sizeof(mbi), 0))) return status;

    if (mbi.State != MEM_COMMIT || mbi.Type != MEM_PRIVATE)
    {
        return STATUS_UNSUCCESSFUL;
    }

    mbi.RegionSize -= RtlPointerToOffset(mbi.BaseAddress, Environment);

    //Environment must be WCHAR aligned and how minimum 2*sizeof(WCHAR) size
    if (mbi.RegionSize < 2*sizeof(WCHAR) || ((ULONG_PTR)Environment & (__alignof(WCHAR) - 1)))
    {
        return STATUS_UNSUCCESSFUL;
    }

    if (mbi.RegionSize > 0x10000)// >64Kb Environment ??
    {
        mbi.RegionSize = 0x10000;
    }

    if (PWSTR buf = new WCHAR[mbi.RegionSize])
    {
        if (0 <= (status = ZwReadVirtualMemory(hProcess, Environment, buf, mbi.RegionSize, 0)))
        {
            buf[mbi.RegionSize - 2] = 0;
            buf[mbi.RegionSize - 1] = 0;
            *ppsz = buf;

            return STATUS_SUCCESS;
        }
        delete buf;

        return status;
    }

    return STATUS_INSUFFICIENT_RESOURCES;
}

NTSTATUS ReadProcessEnv(HANDLE hProcess, PWSTR* ppsz)
{
    NTSTATUS status;
    PROCESS_BASIC_INFORMATION pbi;
    _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
    PVOID Environment;

    if (
        0 > (status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0))
        ||
        0 > (status = ZwReadVirtualMemory(hProcess, &pbi.PebBaseAddress->ProcessParameters, &ProcessParameters, sizeof(PVOID), 0))
        ||
        0 > (status = ZwReadVirtualMemory(hProcess, &ProcessParameters->Environment, &Environment, sizeof(PVOID), 0))
        ) 
        return status;

    return ReadProcessEnv(hProcess, Environment, ppsz);
}

#ifdef _WIN64

NTSTATUS ReadProcessEnvWow(HANDLE hProcess, PWSTR* ppsz)
{
    ULONG WowPeb, ProcessParameters;
    NTSTATUS status;
    PVOID Environment = 0;

    if (0 > (status = ZwQueryInformationProcess(hProcess, ProcessWow64Information, &WowPeb, sizeof(PVOID), 0))) return status;

    if (!WowPeb)
    {
        return STATUS_SUCCESS;
    }

    enum {
        ofs32_ProcessParameters = 0x10,
        ofs32_Environment = 0x48
    };

    if (
        0 > (status = ZwReadVirtualMemory(hProcess, RtlOffsetToPointer(WowPeb, ofs32_ProcessParameters), &ProcessParameters, sizeof(ULONG), 0))
        ||
        0 > (status = ZwReadVirtualMemory(hProcess, RtlOffsetToPointer(ProcessParameters, ofs32_Environment), &Environment, sizeof(ULONG), 0))
        ) 
        return status;

    return ReadProcessEnv(hProcess, Environment, ppsz);
}
#endif

NTSTATUS ReadProcessEnv(
                        PCLIENT_ID cid, 
                        PWSTR* ppsz, 
                        PNTSTATUS pstatus
#ifdef _WIN64
                        , 
                        PWSTR* ppszWow, 
                        PNTSTATUS pstatusWow
#endif
                        )
{
    HANDLE hProcess;
    NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, &zoa, cid);

    if (0 <= status)
    {
        *ppsz = 0;
        *pstatus = ReadProcessEnv(hProcess, ppsz);
#ifdef _WIN64
        *ppszWow = 0;
        *pstatusWow = ReadProcessEnvWow(hProcess, ppszWow);
#endif
        ZwClose(hProcess);
    }

    return status;
}

void DumpEnv(PCWSTR sz)
{
    while (*sz)
    {
        DbgPrint("%S\n", sz);
        sz += wcslen(sz) + 1;
    }
}

void test(PCLIENT_ID cid)
{
    PWSTR env, envWow;
    NTSTATUS status, s;

#ifdef _WIN64
    NTSTATUS sWow;
#endif

    if (0 <= (status = ReadProcessEnv(cid, &env, &s
#ifdef _WIN64
        , &envWow, &sWow
#endif
        )))
    {
        if (0 <= s)
        {
            DumpEnv(env);
            delete env;
        }

#ifdef _WIN64
        if (0 <= sWow)
        {
            if (envWow)
            {
                DumpEnv(envWow);
                delete envWow;
            }
        }
#endif
    }
}
赞(0)分享  回复(0)举报  2022-12-14
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备2022004421号-2 NULL123 https://www.null123.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com