Title: Finding undocumented environment variables
Created: 2018-04-26 13:20
Link: https://scz.617.cn/windows/201804261320.txt

Taking x64/Win10 as the example, use a debugger to find the undocumented
environment variables that have an effect on a target process.

MSDN gives the following function prototype:

--------------------------------------------------------------------------
DWORD GetEnvironmentVariable
(
    LPCTSTR lpName,     // rcx
    LPTSTR  lpBuffer,   // rdx out
    DWORD   nSize       // r8
);
--------------------------------------------------------------------------

cdb.exe -noinh -snul -hd -o -g -G -xi ld -xe cpr -c "bu KERNELBASE!GetEnvironmentVariableW \"du /c 64 @rcx;gc\";g" mspaint.exe

Two environment variables are seen:

"PMV2MAGINUMBERCSCALING"
"_CLUSTER_NETWORK_NAME_"

A brief transcription of what the cdb command-line options mean:

--------------------------------------------------------------------------
-hd
    Specifies that the debug heap should not be used

-g
    sxd ibp
    sxi ibp
    Ignores the initial breakpoint in target application. This option will
    cause the target application to continue running after it is started or
    CDB attaches to it, unless another breakpoint has been set.

-G
    sxd epr
    Ignores the final breakpoint at process termination. By default, CDB
    stops during the image run-down process. This option will cause CDB to
    exit immediately when the child terminates. This has the same effect as
    entering the command sxd epr.

-xi ld
    sxi ld
    Ignore/Load module
    When this exception occurs, the target application does not break into
    the debugger at all, and no message is displayed.

-xe cpr
    sxe cpr
    First chance break/Process creation
    When this exception occurs, the target immediately breaks into the
    debugger. This break in occurs before any other error handlers are
    activated. This method is called first-chance handling.

    This point is very early: the PEB already exists, but it cannot be
    accessed in symbolic form, only through numeric offsets. !gflag cannot
    be used, because ntdll.dll has not been mapped yet.
--------------------------------------------------------------------------

KERNELBASE!GetEnvironmentVariableW() sits too high in the call chain, so
switch to a lower-level breakpoint, ntdll!RtlQueryEnvironmentVariable().

--------------------------------------------------------------------------
NTSTATUS RtlQueryEnvironmentVariable
(
    PVOID   Environment,    // rcx
    PWSTR   Name,           // rdx
    SIZE_T  NameLength,     // r8
    PWSTR   Value,          // r9
    SIZE_T  ValueLength,    // rsp+0x28
    PSIZE_T ReturnLength    // rsp+0x30 out
);
--------------------------------------------------------------------------

cdb.exe -noinh -snul -hd -o -g -G -xi bpe -xi ld -xe cpr -c "bu ntdll!RtlQueryEnvironmentVariable \"du /c 64 @rdx;gc\";g" mspaint.exe

This time more environment variables are seen, but some other data is mixed in:

"_NO_DEBUG_HEAP"
"ProgramW6432"
"CommonProgramW6432"
"PROCESSOR_ARCHITEW6432"
"SHIM_DEBUG_LEVEL"
"SHIMENG_DEBUG_LEVEL"
"SHIM_FILE_LOG"
"__COMPAT_LAYER"
"__COMPAT_LAYER"
"__PROCESS_HISTORY"
"SystemRoot%"
"PATH"
"PATH"
"OANOCACHE"
"OAPERUSERTLIBREG"
"OACACHEPARAMS"
"PMV2MAGINUMBERCSCALING"
"systemroot%\system32\emptyregdb.dat"
"systemroot%\Registration"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"PATH"
"PATH"
"_CLUSTER_NETWORK_NAME_"
"SystemRoot%\system32\windows.storage.dll"
"SystemRoot%\system32\windows.storage.dll"
"PATH"
"PATH"
"systemroot%\Debug\WIA"
"systemroot%\Debug\WIA\wiatrace.log"
"PATH"
"PATH"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\UIRibbon.dll"
"SystemRoot%\system32\windowscodecs.dll"
"SystemRoot%\system32\windowscodecs.dll"
"SystemRoot%\system32\windowscodecs.dll"
"SystemRoot%\system32\windowscodecs.dll"
"PATH"
"PATH"
"PATH"
"PATH"

This time the cdb command line additionally specifies "-xi bpe". Without it,
the debugger breaks at the ibp. "-g" is supposed to mean "do not break at
the ibp", yet in this scenario it still breaks there. Presumably any of the
preceding command lines that sets a breakpoint on ntdll passes through this
point. We do not care about this built-in breakpoint; to keep it from
breaking in, specify "-xi 0x80000003" or "-xi bpe" on the command line.

ntdll!RtlQueryEnvironmentVariable() is low enough, but it also brings some
unexpected output along, such as those dll names.

Several environment variables related to the Shim mechanism are seen:

"SHIM_DEBUG_LEVEL"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0x69
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe

"SHIMENG_DEBUG_LEVEL"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0x8f
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe

"SHIM_FILE_LOG"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0xb8
apphelp!SE_InitializeEngine+0x45
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe

"__COMPAT_LAYER"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!AslEnvGetVariable+0x66
apphelp!SeSdbProcessLayers+0x135
apphelp!SE_InitializeEngine+0x117
ntdll!LdrpInitShimEngine+0x149
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe

"__COMPAT_LAYER"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepEngineDumpCompatEnvironment+0x4f
apphelp!SeEngineDumpState+0x90
apphelp!SE_InstallBeforeInit+0x7e
ntdll!LdrpLoadShimEngine+0xb4
ntdll!LdrpInitShimEngine+0x157
ntdll!LdrpInitializeProcess+0x1cda
ntdll!_LdrpInitialize+0x4e393
ntdll!LdrpInitialize+0x3b
ntdll!LdrInitializeThunk+0xe
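As an added example (not code from the original note), a small Python parser that sorts the mixed breakpoint output above into real variable names versus the path/dll noise, and keeps the call stack behind each query so names can be attributed to a module such as apphelp. It assumes the breakpoint command was extended with a "k" (stack) after "du", which the note's command line does not do; the sample log is constructed.

```python
"""Added example (not from the original note): split the mixed output of the
ntdll!RtlQueryEnvironmentVariable breakpoint into variable names vs. path noise,
keeping the call stack behind each query."""
import re
from collections import OrderedDict

# 'du' line: <addr>  "<string>"; 'k' frame: optional address columns, then module!symbol[+off]
DU_LINE = re.compile(r'^\s*[0-9a-f`]+\s+"(.*)"\s*$', re.IGNORECASE)
FRAME_LINE = re.compile(r'^\s*(?:[0-9a-f`]+\s+[0-9a-f`]+\s+)?'
                        r'([A-Za-z0-9_]+![A-Za-z0-9_@?$]+(?:\+0x[0-9a-f]+)?)\s*$', re.I)
NAME_OK = re.compile(r'^[A-Za-z0-9_()]+$')   # '%' or '\' means an expanded path, not a name

# Constructed sample, shaped like 'bu ntdll!RtlQueryEnvironmentVariable "du /c 64 @rdx;k;gc"'.
SAMPLE_LOG = r"""000000a1`2f4f0e30  "SHIM_DEBUG_LEVEL"
ntdll!RtlQueryEnvironmentVariable
ntdll!RtlQueryEnvironmentVariable_U+0x34
apphelp!SeUtilsGetEnvironmentVariable+0x67
apphelp!SepApplyDebugPolicy+0x69
000000a1`2f4f0f10  "SystemRoot%\system32\UIRibbon.dll"
ntdll!RtlQueryEnvironmentVariable
000000a1`2f4f0e30  "PATH"
ntdll!RtlQueryEnvironmentVariable
KERNELBASE!GetEnvironmentVariableW
000000a1`2f4f0e30  "PATH"
ntdll!RtlQueryEnvironmentVariable
"""

def parse_cdb_log(text):
    """Return OrderedDict name -> list of stacks (each a list of frames), first seen first."""
    result, current = OrderedDict(), None
    for line in text.splitlines():
        m = DU_LINE.match(line)
        if m:
            if NAME_OK.match(m.group(1)):
                current = result.setdefault(m.group(1), [])
                current.append([])          # one new stack per query
            else:
                current = None              # path/dll noise: drop it and its frames
            continue
        f = FRAME_LINE.match(line)
        if f and current is not None:
            current[-1].append(f.group(1))
    return result

def queried_by(parsed, module):
    """Names whose query stack contains a frame from `module`, e.g. 'apphelp'."""
    module = module.lower()
    return [n for n, stacks in parsed.items()
            if any(fr.split('!')[0].lower() == module for st in stacks for fr in st)]
```

Feeding the real log through parse_cdb_log() collapses the repeated "PATH" and UIRibbon.dll entries into one name-keyed table, with the noise strings gone and every remaining name tied to the module that asked for it.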