StealthyEnv - Get environment variables from PEB structure
Alternative to whoami.exe or other well-known binaries for getting the environment variables. It is written in C# and should be stealthier because it reads the values directly by parsing the PEB structure of the process instead of launching a separate, well-known binary.
Repository: https://github.com/ricardojoserf/StealthyEnv
It works like this:
- The function NtQueryInformationProcess returns a PROCESS_BASIC_INFORMATION structure containing a pointer to the PEB base address.
- The PEB structure contains a pointer, ProcessParameters, to an RTL_USER_PROCESS_PARAMETERS structure.
- From that structure you can get a pointer, Environment, to the environment variables and a value, EnvironmentSize, holding the size in bytes of the environment block.
- Reading the number of bytes indicated in EnvironmentSize from the address Environment as UNICODE text gives you the environment variables.
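The walk described above, as an added C# example (not code from the StealthyEnv repository). It reads the environment block of the current process only, so no OpenProcess or ReadProcessMemory is involved: the pointers are dereferenced with Marshal.ReadIntPtr. The field offsets (ProcessParameters in the PEB, Environment and EnvironmentSize in RTL_USER_PROCESS_PARAMETERS) are assumed values for current 64-bit and 32-bit Windows 10/11 builds; since these structures are undocumented, the code caps the size it trusts and cross-checks the result against the documented Environment class before printing anything.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

// Added example: walk PROCESS_BASIC_INFORMATION -> PEB -> ProcessParameters -> Environment
// for the current process and parse the block into NAME=value pairs.
static class PebEnvironment
{
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus;
        public IntPtr PebBaseAddress;            // the pointer we need
        public IntPtr AffinityMask;
        public IntPtr BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    const int ProcessBasicInformation = 0;       // PROCESSINFOCLASS value

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref PROCESS_BASIC_INFORMATION processInformation,
        int processInformationLength, out int returnLength);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();    // pseudo-handle, no OpenProcess needed

    // Assumed offsets (undocumented structures; verified against Windows 10/11 layouts,
    // not taken from the StealthyEnv project). Left = x64, right = x86.
    static readonly bool Is64 = IntPtr.Size == 8;
    static readonly int PebProcessParametersOffset = Is64 ? 0x20 : 0x10;
    static readonly int ParamsEnvironmentOffset   = Is64 ? 0x80 : 0x48;
    static readonly int ParamsEnvironmentSizeOff  = Is64 ? 0x3F0 : 0x290;

    public static IDictionary<string, string> Read()
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int status = NtQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation,
            ref pbi, Marshal.SizeOf<PROCESS_BASIC_INFORMATION>(), out int _);
        if (status != 0)
            throw new InvalidOperationException($"NtQueryInformationProcess failed, NTSTATUS 0x{status:X8}");

        IntPtr processParameters = Marshal.ReadIntPtr(pbi.PebBaseAddress, PebProcessParametersOffset);
        IntPtr environment = Marshal.ReadIntPtr(processParameters, ParamsEnvironmentOffset);
        long environmentSize = Marshal.ReadIntPtr(processParameters, ParamsEnvironmentSizeOff).ToInt64();

        // Sanity cap: a wrong offset on an unexpected build would otherwise copy garbage or fault.
        // 1 MiB is far above any real environment block.
        if (environment == IntPtr.Zero || environmentSize <= 0 || environmentSize > (1 << 20))
            throw new InvalidOperationException("Implausible Environment/EnvironmentSize; check structure offsets");

        var raw = new byte[environmentSize];
        Marshal.Copy(environment, raw, 0, raw.Length);
        string block = Encoding.Unicode.GetString(raw);

        // The block is a run of "NAME=value\0" entries terminated by an extra "\0".
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string entry in block.Split('\0'))
        {
            if (entry.Length == 0) break;            // double NUL reached
            int eq = entry.IndexOf('=', 1);          // skip the leading '=' of hidden "=C:=..." entries
            if (eq < 0) continue;
            result[entry.Substring(0, eq)] = entry.Substring(eq + 1);
        }
        return result;
    }

    static void Main()
    {
        IDictionary<string, string> fromPeb = Read();

        // Cross-check against the documented API: every documented variable must be
        // present with the same value, otherwise the assumed offsets are wrong for this OS.
        foreach (System.Collections.DictionaryEntry kv in Environment.GetEnvironmentVariables())
        {
            string name = (string)kv.Key;
            if (!fromPeb.TryGetValue(name, out string value) || value != (string)kv.Value)
                throw new InvalidOperationException($"Mismatch for {name}: PEB walk disagrees with Environment class");
        }

        foreach (var kv in fromPeb)
            Console.WriteLine($"{kv.Key}={kv.Value}");
    }
}
```

Because everything happens inside the calling process, this technique produces no child-process creation event, which is what makes it quieter than running whoami.exe or `set`; from a monitoring standpoint the observable is an ordinary NtQueryInformationProcess call against the process's own handle, which legitimate software makes constantly. The cross-check in Main is also the practical way to confirm the hardcoded offsets before relying on the output on a new Windows build.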
Examples
64-bit process:
32-bit process: