Title: Finding undocumented environment variables
Created: 2018-04-26 13:20 Link: https://scz.617.cn/windows/201804261320.txt
Using x64/Win10 as the example, we use the debugger to find undocumented environment variables that have an effect on a target process: break on the function the process uses to query its environment and dump every name it asks for.
MSDN gives the following prototype (x64 argument registers added as comments):
DWORD GetEnvironmentVariable (
    LPCTSTR lpName,     // rcx
    LPTSTR  lpBuffer,   // rdx out
    DWORD   nSize       // r8
);
cdb.exe -noinh -snul -hd -o -g -G -xi ld -xe cpr -c "bu KERNELBASE!GetEnvironmentVariableW \"du /c 64 @rcx;gc\";g" mspaint.exe
Two environment variables are seen:
"PMV2MAGINUMBERCSCALING" "CLUSTER_NETWORK_NAME"
For reference, the meaning of the cdb command-line options used above (copied from the debugger documentation, with the equivalent sx command where there is one):
-hd
Specifies that the debug heap should not be used
-g
sxd ibp
sxi ibp
Ignores the initial breakpoint in target application. This option will
cause the target application to continue running after it is started
or CDB attaches to it, unless another breakpoint has been set.
-G
sxd epr
Ignores the final breakpoint at process termination. By default, CDB
stops during the image run-down process. This option will cause CDB to
exit immediately when the child terminates. This has the same effect
as entering the command sxd epr.
-xi ld
sxi ld
Ignore/Load module
When this exception occurs, the target application does not break into
the debugger at all, and no message is displayed.
-xe cpr
sxe cpr
First chance break/Process creation
When this exception occurs, the target immediately breaks into the
debugger. This break in occurs before any other error handlers are
activated. This method is called first-chance handling.
The "-xe cpr" break happens very early: the PEB already exists, but it cannot be accessed symbolically, only through numeric offsets.
!gflag cannot be used there either, because ntdll.dll has not been mapped yet.
KERNELBASE!GetEnvironmentVariableW() sits too high in the call chain (anything that queries the environment through ntdll directly is missed), so switch to a lower-level breakpoint, ntdll!RtlQueryEnvironmentVariable():
NTSTATUS RtlQueryEnvironmentVariable (
    PVOID   Environment,    // rcx
    PWSTR   Name,           // rdx
    SIZE_T  NameLength,     // r8
    PWSTR   Value,          // r9
    SIZE_T  ValueLength,    // rsp+0x28
    PSIZE_T ReturnLength    // rsp+0x30 out
);
cdb.exe -noinh -snul -hd -o -g -G -xi bpe -xi ld -xe cpr -c "bu ntdll!RtlQueryEnvironmentVariable \"du /c 64 @rdx;gc\";g" mspaint.exe
This time many more environment variables are seen, but other data is mixed in:
"NO_DEBUG_HEAP" "ProgramW6432" "CommonProgramW6432" "PROCESSOR_ARCHITEW6432"
"SHIM_DEBUG_LEVEL" "SHIMENG_DEBUG_LEVEL" "SHIM_FILE_LOG" "__COMPAT_LAYER" "__COMPAT_LAYER"
"__PROCESS_HISTORY" "SystemRoot%" "PATH" "PATH" "OANOCACHE" "OAPERUSERTLIBREG" "OACACHEPARAMS"
"PMV2MAGINUMBERCSCALING" "systemroot%\system32\emptyregdb.dat" "systemroot%\Registration"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll" "PATH" "PATH"
"_CLUSTER_NETWORK_NAME" "SystemRoot%\system32\windows.storage.dll"
"SystemRoot%\system32\windows.storage.dll" "PATH" "PATH" "systemroot%\Debug\WIA"
"systemroot%\Debug\WIA\wiatrace.log" "PATH" "PATH"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll" "SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\windowscodecs.dll" "SystemRoot%\system32\windowscodecs.dll"
"SystemRoot%\system32\windowscodecs.dll" "SystemRoot%\system32\windowscodecs.dll"
"PATH" "PATH" "PATH" "PATH"
This cdb command line adds one more option, "-xi bpe". Without it the debugger stops at the ibp (initial breakpoint). "-g" is supposed to mean "do not stop at the ibp", yet in this scenario it stops there anyway; apparently any of the preceding command lines that set a breakpoint in ntdll will hit this path. We do not care about that built-in breakpoint, so to keep running specify "-xi 0x80000003" or "-xi bpe" on the command line. Note that this also silences breakpoint exceptions raised by the target itself (an int 3 or DebugBreak in the application); breakpoints set with bu are unaffected, since the debugger handles those before the exception filters.
ntdll!RtlQueryEnvironmentVariable() is low enough, but it also produces output that is not an environment variable name, for example those DLL paths. The reason is that Name is a counted string: its length is passed separately in NameLength (r8) and the buffer need not be NUL-terminated. Callers that expand templates such as "%SystemRoot%\system32\UIRibbon.dll" pass a pointer to the "SystemRoot" inside the template with NameLength 10, while du keeps reading until the terminating NUL, so the rest of the template shows up in the dump. Entries containing "%" or "\" can therefore be discarded; the real name is the part before the "%".
Several environment variables related to the Shim (application compatibility) engine are seen, each with the call stack that queried it:
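The two steps above (run cdb with a breakpoint on the query function, then sift the dumped names from the expansion noise) are easier to repeat from a script than by reading the console. The following Python is an added example written for this page, not code from the original author: build_cdb_cmdline() reproduces the page's cdb command line and adds -logo so the du output lands in a file, and parse_cdb_log() reads that log, keeps one entry per distinct name with a hit count, and separates the counted-string fragments (anything containing "%" or "\") from genuine variable names. The sample log text is constructed to look like du output; the addresses in it are made up.

```python
"""Drive cdb to log RtlQueryEnvironmentVariable queries and extract the names.

Added example for the page above; the cdb options mirror the page's command
line, the sample log below is constructed (addresses are invented).
"""
import re
import subprocess
import sys

# One line of "du" output: 64-bit address with the ` separator, whitespace,
# then the string in double quotes. With /c 64 a name fits on one line.
DU_LINE = re.compile(r'^[0-9a-fA-F]{8}`[0-9a-fA-F]{8}\s+"(.*)"\s*$')


def build_cdb_cmdline(target, logfile, symbol="ntdll!RtlQueryEnvironmentVariable",
                      name_reg="rdx", cdb="cdb.exe"):
    """Return the argv list for a cdb run that logs every queried variable name.

    -logo overwrites logfile so the du output can be parsed afterwards.
    For KERNELBASE!GetEnvironmentVariableW pass name_reg="rcx".
    """
    bp_cmd = f'bu {symbol} "du /c 64 @{name_reg};gc"'
    return [cdb, "-noinh", "-snul", "-hd", "-o", "-g", "-G",
            "-xi", "bpe", "-xi", "ld", "-xe", "cpr",
            "-logo", logfile,
            "-c", f"{bp_cmd};g", target]


def is_expansion_fragment(s):
    """Name is a counted string (length in r8); template expanders pass a pointer
    into "%SystemRoot%\\..." so du runs past the name to the NUL. Such dumps
    contain a "%" or a backslash, which a variable name looked up here does not."""
    return "%" in s or "\\" in s


def parse_cdb_log(text):
    """Split du output into (names, fragments), two dicts name -> hit count,
    each ordered by first occurrence in the log."""
    names, fragments = {}, {}
    for line in text.splitlines():
        m = DU_LINE.match(line)
        if not m:
            continue  # prompts, "Break instruction" banners, etc.
        s = m.group(1)
        bucket = fragments if is_expansion_fragment(s) else names
        bucket[s] = bucket.get(s, 0) + 1
    return names, fragments


def run_and_parse(target, logfile):
    """Run cdb (Windows only) and parse the resulting log."""
    subprocess.run(build_cdb_cmdline(target, logfile), check=False)
    with open(logfile, encoding="utf-8", errors="replace") as f:
        return parse_cdb_log(f.read())


# Constructed sample of what the log looks like; addresses are made up.
SAMPLE_LOG = """0:000> bu ntdll!RtlQueryEnvironmentVariable "du /c 64 @rdx;gc";g
000000d0`4a1fe4a0  "NO_DEBUG_HEAP"
000000d0`4a1fe5c0  "SHIM_DEBUG_LEVEL"
000000d0`4a1fe5c0  "__COMPAT_LAYER"
000000d0`4a1fe3e8  "SystemRoot%\\system32\\UIRibbon.dll"
000000d0`4a1fe3e8  "SystemRoot%\\system32\\UIRibbon.dll"
000000d0`4a1fe6a0  "PATH"
000000d0`4a1fe6a0  "PATH"
000000d0`4a1fe700  "PMV2MAGINUMBERCSCALING"
000000d0`4a1fe720  "_CLUSTER_NETWORK_NAME"
"""

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.platform == "win32":
        names, fragments = run_and_parse(sys.argv[1], sys.argv[2])
    else:
        names, fragments = parse_cdb_log(SAMPLE_LOG)
    for name, hits in names.items():
        print(f"{hits:3d}  {name}")
    print(f"({len(fragments)} distinct non-name fragments discarded)")
```

Usage: `python envvars.py mspaint.exe env.log` on a machine with cdb on PATH; without arguments it parses the embedded sample. The hit counts matter in practice: a name queried once during loader initialization (the Shim variables above) is a different kind of candidate from one queried on every PATH search.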
"SHIM_DEBUG_LEVEL"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0x69
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe
"SHIMENG_DEBUG_LEVEL"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0x8f
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe
"SHIM_FILE_LOG"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0xb8
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe
"__COMPAT_LAYER"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!AslEnvGetVariable+0x66
apphelp!SeSdbProcessLayers+0x135
apphelp!SE_InitializeEngine+0x117
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe
"__COMPAT_LAYER"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepEngineDumpCompatEnvironment+0x4f
apphelp!SeEngineDumpState+0x90
apphelp!SE_InstallBeforeInit+0x7e
ntdll!LdrpLoadShimEngine+0xb4
ntdll!LdrpInitShimEngine+0x157
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe