Capture env variables from another process



(OP)
I'm trying to access the environment variables of a currently running process. The following is close but no cigar; any help to go further would be appreciated. I know it has to do with the PROCESS_PARAMETERS contained within the Process Environment Block (PEB), but I am completely lost at this point. The following returns the command line of the running process, but I really need to capture the environment variables.

BTW, credit goes to other developers for the following.

Thanks in advance.
Regards.

/// Status code returned by the native (Zw*/Nt*) API: negative values are
/// failures, zero and positive values are success (see NT_SUCCESS below).
using NTSTATUS = long;

/// True when an NTSTATUS denotes success, i.e. its sign bit is clear.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/// Information class passed to ZwQueryInformationProcess.  Only the first
/// member (value 0) is mirrored here because it is the only one this listing uses.
enum _PROCESSINFOCLASS { ProcessBasicInformation };
using PROCESSINFOCLASS = _PROCESSINFOCLASS;

/// Hand-rolled partial mirror of the target's process-parameters block
/// (reached through PEB::dwInfoBlockAddress).  Only the fields this listing
/// reads are named; dwFiller skips the sixteen 32-bit words in front of them.
/// NOTE(review): the offsets are hard-wired for a 32-bit target, where
/// unsigned long and the pointer members are all 4 bytes; on a 64-bit target
/// the pointers widen and nothing lines up any more — confirm before reuse.
/// Everything copied into this struct comes out of another process's memory
/// and should be treated as untrusted (lengths bounded, strings terminated).
struct _INFOBLOCK
{
    unsigned long dwFiller[16];
    unsigned short wLength;                  // presumably bytes in use of the command line; not read here
    unsigned short wMaxLength;               // bytes allocated for the command line (used as the read size)
    const unsigned short *dwCmdLineAddress;  // UTF-16 command line, address in the target process
    const unsigned short *env;               // presumably the environment block pointer; not read by this listing
};
using INFOBLOCK = _INFOBLOCK;
using PINFOBLOCK = _INFOBLOCK *;

/// Hand-rolled partial mirror of the target's Process Environment Block:
/// four 32-bit words are skipped to reach the pointer to the
/// process-parameters block (INFOBLOCK).  Same 32-bit-only caveat as
/// INFOBLOCK — the offset depends on pointer width and is undocumented.
struct _PEB
{
    unsigned long dwFiller[4];
    PINFOBLOCK dwInfoBlockAddress;  // address of the INFOBLOCK inside the target process
};
using PEB = _PEB;
using PPEB = _PEB *;

/// Buffer filled by ZwQueryInformationProcess(ProcessBasicInformation).
/// Only PebBaseAddress is used by this listing; the other members are kept
/// so that sizeof(PBI), which is passed as the buffer size, matches what
/// the call writes.  Pointer-width caveat as for INFOBLOCK/PEB.
struct _PROCESS_BASIC_INFORMATION
{
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;  // address of the PEB inside the target process
    unsigned long AffinityMask;
    long BasePriority;
    unsigned long UniqueProcessId;
    unsigned long InheritedFromUniqueProcessId;
};
using PBI = _PROCESS_BASIC_INFORMATION;

/// Function-pointer type for ntdll's ZwQueryInformationProcess, which Get()
/// resolves at run time with GetProcAddress rather than linking against it.
using ZWQueryInformationProcessW = NTSTATUS (NTAPI *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

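/// Reads and prints the command line of another process by walking its PEB.
///
/// Queries ProcessBasicInformation through ZwQueryInformationProcess, then
/// reads the PEB, the process-parameters block and finally the command-line
/// buffer out of the target with ReadProcessMemory.
///
/// @param hProcess  handle opened with at least
///                  PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (see the
///                  OpenProcess call in main()).
/// @return true if the command line was read and printed, false otherwise.
///         A failure no longer calls exit(): one inaccessible target (access
///         denied, different bitness, changed PEB layout) must not abort the
///         caller's enumeration loop or skip its CloseHandle.
///
/// NOTE(review): INFOBLOCK/PEB/PBI are hand-rolled, undocumented 32-bit
/// layouts.  Every value read back from the target — pointers and the
/// wMaxLength byte count alike — is treated as untrusted input: each read is
/// checked before the next hop uses it, and the string buffer is zero-filled
/// with room for a terminator so printing cannot run past the end.
bool Get(HANDLE hProcess)
{
    HMODULE hModule = GetModuleHandle(_T("ntdll"));
    if (hModule == NULL) return false;

    ZWQueryInformationProcessW ZwQueryInformationProcessA =
        (ZWQueryInformationProcessW)GetProcAddress(hModule, "ZwQueryInformationProcess");
    if (ZwQueryInformationProcessA == NULL) return false;

    PBI ProcInfo;
    unsigned long ReturnLength = 0;
    if (! NT_SUCCESS(ZwQueryInformationProcessA(hProcess, ProcessBasicInformation, &ProcInfo, sizeof(ProcInfo), &ReturnLength))) return false;
    if (ProcInfo.PebBaseAddress == NULL) return false;

    // The original allocated and printed even after a failed read, so
    // ProcBlock and the buffer could be uninitialised; bail out per hop instead.
    PEB ProcPEB;
    if (! ReadProcessMemory(hProcess, ProcInfo.PebBaseAddress, &ProcPEB, sizeof(ProcPEB), &ReturnLength)
        || ReturnLength != sizeof(ProcPEB)) return false;
    if (ProcPEB.dwInfoBlockAddress == NULL) return false;

    INFOBLOCK ProcBlock;
    if (! ReadProcessMemory(hProcess, ProcPEB.dwInfoBlockAddress, &ProcBlock, sizeof(ProcBlock), &ReturnLength)
        || ReturnLength != sizeof(ProcBlock)) return false;
    if (ProcBlock.dwCmdLineAddress == NULL || ProcBlock.wMaxLength == 0) return false;

    // wMaxLength is a byte count chosen by the target process.  Round it up
    // to whole UTF-16 units and add one zero unit so the string is always
    // terminated, even if the target's buffer is not.
    const unsigned long nChars = (ProcBlock.wMaxLength + sizeof(unsigned short) - 1) / sizeof(unsigned short);
    std::vector<unsigned short> cmdLine(nChars + 1, 0);
    if (! ReadProcessMemory(hProcess, ProcBlock.dwCmdLineAddress, cmdLine.data(), ProcBlock.wMaxLength, &ReturnLength)) return false;

    // %S prints a wide string; the buffer holds UTF-16 units as in the original.
    _tprintf(TEXT("%S\n"), cmdLine.data());
    return true;
}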

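/// Enumerates all processes, records (pid, image name) pairs and, for every
/// process whose image name is cmd.exe, dumps its command line via Get().
///
/// @return 0 on success, -1 if EnumProcesses itself fails.
int main()
{
    unsigned long processID[1024];
    unsigned long size = 0;
    std::vector<std::pair<unsigned long, std::string> > processes;

    // Get the list of process identifiers.
    if (! EnumProcesses(processID, sizeof(processID), &size)) return -1;

    // Calculate how many process identifiers were returned.  With a fixed
    // array the list is silently truncated when size == sizeof(processID).
    const unsigned long n_processID = size / sizeof(unsigned long);

    for (unsigned ii = 0; ii < n_processID; ++ii)
    {
        if (processID[ii] == 0) continue;

        // Get a handle to the process; PROCESS_VM_READ is what Get() needs.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processID[ii]);
        if (hProcess == NULL) continue;

        // Declared per iteration on purpose: the original kept the previous
        // process's name whenever EnumProcessModules failed, so the cmd.exe
        // comparison below could match a stale name and dump the wrong process.
        char szProcessName[MAX_PATH] = TEXT("<unknown>");
        HMODULE hModule = NULL;
        unsigned long needed = 0;

        if (EnumProcessModules(hProcess, &hModule, sizeof(hModule), &needed))
        {
            GetModuleBaseName(hProcess, hModule, szProcessName, sizeof(szProcessName)/sizeof(char));
            processes.push_back(std::make_pair(processID[ii], szProcessName));

            // Only compare a name that was actually resolved for this process.
            if (! stricmp(szProcessName, "cmd.exe"))
            {
                Get(hProcess);
                std::cout << "Found PID: " << processID[ii] << '\n';
            }
        }

        CloseHandle(hProcess);
    }

    // Collected and sorted, but not otherwise used by this listing.
    std::sort(processes.begin(), processes.end());

    return 0;
}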






RE: Capture env variables from another process

I wrote a utility that does exactly what you want:

I use my command path all the time. The utility manipulates the PATH environment variable of the parent process. The only way to do this in Win32 is to inject code into the target process.

Alas, I currently don't have any webspace, so you'll have to get it from MediaFire:
http://www.mediafire.com/?j1mvmbl2yom
The code and documentation should be relatively self-explanatory.

Hope this helps.
