Hi all,
I have a question: is there a solution to get the environment variables of a win32 proces? I have the process list throught the EnumProcesses windows call, now I woluld like scan inside the enumeration to get the environment variables of each process. Is it possible?

bye Federico

Unofficially, the environment will always be at virtual address 0x10000 of the process, so you can use ReadProcessMemory() to get it.

Officially, you need to first get the a pointer to the process PEB. See this (http://www.codeguru.com/forum/showthread.php?t=371338) thread on how to get it. In the PEB, at offset 16 is a pointer called "ProcessParameters". This pointer leads to a struct called _RTL_USER_PROCESS_PARAMETERS. Its address will always be 0x20000. Inside this struct, at offset 72 is a pointer called "Environment" which points to the process environment. Again, this pointer will always be 0x10000. These offsets are for NT kernel version 5.1 (Windows XP), and are subject to change from version to version if these struct change.

The reason these addresses always come out 0x10000 and 0x20000 has to do with the order in which CreateProcess() allocates memory for the new process. 0x10000 is the lowest usable address. So any process created with CreateProcess() should have these addresses. This excludes some native subsystem processes, but you may not care about those (and they may not be accessible anyway due to security reasons.)

Hi googler,
thank you for your reply! Is it really so hard to get an environment variable in windows? I'm trying to use your advice. Thank again.

Federico

It's very easy to get environment variables for your own process. You have API GetEnvironmentStrings() and GetEnvironmentVariable(). But the environment variables of another process is a different story. The only place they exist is in the user-mode address space of the other process. There are no pre-canned system API that I know of to get them, so the only way I see is to read them from the other process's memory directly with ReadProcessMemory().

Maybe it's enough for you to get the default environment variables from the registry. They're in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
for the system environment
and
HKEY_CURRENT_USER\Environment
for the current user.

I know GetEnvironmentStrings() and GetEnvironmentVariable(), but my story is a bit complex: I have a program which can start some others process, when a new proces is started I need to set a particolar variable. So if my main process crashes I can restart it but I need to retake each variables, to rewrite a list of my process. I think I have to use the environment variable, do you think there is a better and easier way?

bye Federico

When you spawn a new process with CreateProcess() you can set an initial environment for it with the lpEnvironment parameter.

I didn't understand from your description why your main process needs to read the environment of the spawned process if it crashes and restarts.

My main process is a remote front-end to start and stop particolar process. Like all process my main process can crach, at this point I can restart the main process to reopen the remote front-end but I must to know which process are started by the old main instance proces to menage them.

Federico

I guess your problem is that you want to be able to identify with process is "yours". Instead of using EnumProcesses, you can use the combination
CreateToolHelp32Snapshot/Process32First/Process32Next

These enumerators return a struct called PROCESSENTRY32 that has szExeFile in it, which is the name of the exe file for the process. From this you can indentify if this is your process.

Another way to get the name of the exe for a process is with GetModuleFileNameEx(). This will actually return a full path name if that helps. [use a NULL hModule.]

"I guess your problem is that you want to be able to identify with process is "yours"." -> yes and no, I would be able to identify each process started by the main process, even if the main process crashes and I restart a new instance of it. The new instance has to check each process in running and it has to be able to identify, in some way, if a process is started by the old (and crased) instance on main process.

Thanks again for you help


Federico

Why not just maintain a file on disk that contains the list of processes that you started.

Viggy

ok, this is my code but it doesn't work:

#include <windows.h>

typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef enum _PROCESSINFOCLASS { ProcessBasicInformation } PROCESSINFOCLASS;

typedef struct _INFOBLOCK
{
DWORD dwFiller[16];
WORD wLength;
WORD wMaxLength;
DWORD dwCmdLineAddress;
void *env;
} INFOBLOCK, *PINFOBLOCK;

typedef struct _PEB
{
DWORD dwFiller[4];
DWORD dwInfoBlockAddress;
} PEB, *PPEB;

typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
LONG BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PBI;

typedef NTSTATUS (NTAPI *ZWQueryInformationProcessW)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

int _tmain(int argc, _TCHAR* argv[])
{
ZWQueryInformationProcessW ZwQueryInformationProcessA;
HMODULE hModule = GetModuleHandle(_T("ntdll"));
ZwQueryInformationProcessA = (ZWQueryInformationProcessW)GetProcAddress(hModule, "ZwQueryInformationProcess");
if(ZwQueryInformationProcessA == NULL)
exit(1);

PBI ProcInfo;
PEB ProcPEB;
INFOBLOCK ProcBlock;
ULONG ReturnLength;
HANDLE hProcess;
TCHAR *pszCmdLine = NULL;

hProcess = GetCurrentProcess();
//hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, 2780);

if(!NT_SUCCESS(ZwQueryInformationProcessA(hProcess, ProcessBasicInformation, &ProcInfo, sizeof(ProcInfo), &ReturnLength)))
exit(1);

BOOL bSuccess = ReadProcessMemory(hProcess, (LPCVOID) ProcInfo.PebBaseAddress, &ProcPEB, sizeof(ProcPEB), &ReturnLength);

if (bSuccess != FALSE)
{
bSuccess = ReadProcessMemory(hProcess, (LPCVOID) ProcPEB.dwInfoBlockAddress, &ProcBlock, sizeof(ProcBlock), &ReturnLength);

pszCmdLine = new TCHAR[ProcBlock.wMaxLength];
}

if (bSuccess != FALSE)
bSuccess = ReadProcessMemory(hProcess, &ProcBlock.dwCmdLineAddress, pszCmdLine, ProcBlock.wMaxLength, &ReturnLength);


if (NULL != pszCmdLine)
delete [] pszCmdLine;

CloseHandle(hProcess);

return 0;
}



I try to get the command line first (then I can take also the environment variables). Why doesn't it work? Beginning from the peb's address is wronk... I don't know.

Federico

Here you go...
#include <tchar.h>
#include <windows.h>

typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef enum _PROCESSINFOCLASS { ProcessBasicInformation } PROCESSINFOCLASS;

typedef struct _INFOBLOCK
{
DWORD dwFiller[16];
WORD wLength;
WORD wMaxLength;
LPCWSTR dwCmdLineAddress;
LPCWSTR env;
} INFOBLOCK, *PINFOBLOCK;

typedef struct _PEB
{
DWORD dwFiller[4];
PINFOBLOCK dwInfoBlockAddress;
} PEB, *PPEB;

typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
LONG BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PBI;

typedef NTSTATUS (NTAPI *ZWQueryInformationProcessW)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

int __cdecl _tmain(int argc, _TCHAR* argv[])
{
ZWQueryInformationProcessW ZwQueryInformationProcessA;
HMODULE hModule = GetModuleHandle(_T("ntdll"));
ZwQueryInformationProcessA = (ZWQueryInformationProcessW)GetProcAddress(hModule, "ZwQueryInformationProcess");
if(ZwQueryInformationProcessA == NULL)
exit(1);

PBI ProcInfo;
PEB ProcPEB;
INFOBLOCK ProcBlock;
ULONG ReturnLength;
HANDLE hProcess;
LPWSTR pszCmdLine = NULL;

hProcess = GetCurrentProcess();
//hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, 2780);

if(!NT_SUCCESS(ZwQueryInformationProcessA(hProcess, ProcessBasicInformation, &ProcInfo, sizeof(ProcInfo), &ReturnLength)))
exit(1);

BOOL bSuccess = ReadProcessMemory(hProcess, (LPCVOID) ProcInfo.PebBaseAddress, &ProcPEB, sizeof(ProcPEB), &ReturnLength);

if (bSuccess != FALSE)
{
bSuccess = ReadProcessMemory(hProcess, (LPCVOID) ProcPEB.dwInfoBlockAddress, &ProcBlock, sizeof(ProcBlock), &ReturnLength);

pszCmdLine = (LPWSTR) new BYTE[ProcBlock.wMaxLength];
}

if (bSuccess != FALSE)
bSuccess = ReadProcessMemory(hProcess, ProcBlock.dwCmdLineAddress, pszCmdLine, ProcBlock.wMaxLength, &ReturnLength);

if (NULL != pszCmdLine)
delete [] pszCmdLine;

// CloseHandle(hProcess);

return 0;
}

Hi googler,
thank you, your code is perfect!!!! You are great, now I have to study it. You helped me in a hard position.....

Thanks again
Federico

Hey, it's your code. Your only bug was an extra ampersand in the third ReadProcessMemory. Other than that I just cleaned up some of the types to make it more accurate.

By the way, if you want to copy the environment and you can't find a length field for it in RTL_USER_PROCESS_PARAMETERS, you can do something else instead - call VirtualQueryEx() to get the size of the committed area starting at env, and then copy that much. This will be a multiple of page size, so it's actually bigger than the environment, but the environment ends in a double-L'\0', so you can find that.

I have successfully accomplished the above code. But I am still confused on how to get the "environment variables" of the process.
My issue is; I way to query the environment variables of a current running process and use a specific setting to launch another application. This is not a child process or sub process, has no relation to original process.

FYI, the original process is attaching to one of our databases, the database that it is connected to is an environemnt variable setting. I want to query that variable setting and connect to the same database that the user is currently connected to.

Any further help on this would be greatly appreciated. I have been working this off and on for about two weeks.

Regards.