I found by creating a program that printed all the Environment Variables that process doppelganging wasn't setting any Environment Variables.
So I tried to set environment variables through the Environment parameter of the function RtlCreateProcessParametersEx(),
which led to exactly the same result as if I had passed a nullptr.
I then created a simple program just to test the normal creation of a process through CreateProcess()
The conclusions I got from it were:
CreateProcess() takes either an ANSI string, which it later converts to UNICODE before passing it to RtlCreateProcessParametersEx(), or a UNICODE string together with the flag CREATE_UNICODE_ENVIRONMENT, in which case the conversion is skipped and the string is passed straight to RtlCreateProcessParametersEx(). In either case the first API called was CreateProcessInternalW().
CreateProcessW() requires every string to be UNICODE; it calls CreateProcessInternalW(), which passes a UNICODE string with the environment variables to RtlCreateProcessParametersEx().
CreateProcessA() requires every string to be ANSI; it converts them to UNICODE and then calls CreateProcessInternalW(), which passes a UNICODE string with the environment variables to RtlCreateProcessParametersEx().
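As an added example (not code from the original post), the block below shows the layout of the environment block that CreateProcessW() receives with CREATE_UNICODE_ENVIRONMENT and that, per the conclusions above, ends up in the Environment parameter of RtlCreateProcessParametersEx(): a sequence of NAME=VALUE entries, each NUL-terminated, closed by one extra NUL, encoded as UTF-16. The builder uses uint16_t in place of WCHAR so it compiles on any platform; the ASCII-only conversion, the sample entries and the "cmd.exe /c set" child command line are assumptions for illustration, and the CreateProcessW() call is compiled only on Windows.

```c
/* Added example: build and walk a UTF-16 (double-NUL-terminated) environment
 * block of the form NAME=VALUE\0NAME2=VALUE2\0\0. uint16_t stands in for WCHAR
 * so the builder is portable; the spawn helper exists only under _WIN32. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Widen ASCII "NAME=VALUE" strings 1:1 into a UTF-16 block (assumption: ASCII
 * input only; CreateProcessA does the real conversion with MultiByteToWideChar).
 * Caller frees the result; *out_units receives the total number of UTF-16 units. */
static uint16_t *build_unicode_env_block(const char *const *entries, size_t n, size_t *out_units)
{
    size_t units = 1;                      /* the final terminating NUL */
    for (size_t i = 0; i < n; i++)
        units += strlen(entries[i]) + 1;   /* each entry plus its own NUL */
    uint16_t *block = calloc(units, sizeof *block);
    if (!block) return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        for (const char *p = entries[i]; *p; p++)
            block[pos++] = (uint16_t)(unsigned char)*p;
        block[pos++] = 0;                  /* entry terminator */
    }
    block[pos] = 0;                        /* second NUL: end of block */
    if (out_units) *out_units = units;
    return block;
}

/* Count entries the way the loader walks the block: stop at the empty string. */
static size_t env_block_count(const uint16_t *block)
{
    size_t count = 0;
    while (*block) {
        count++;
        while (*block) block++;
        block++;
    }
    return count;
}

/* Find NAME in the block; returns a pointer to its UTF-16 value or NULL. */
static const uint16_t *env_block_get(const uint16_t *block, const char *name)
{
    size_t nlen = strlen(name);
    while (*block) {
        size_t i = 0;
        while (i < nlen && block[i] == (uint16_t)(unsigned char)name[i]) i++;
        if (i == nlen && block[i] == '=') return block + i + 1;
        while (*block) block++;
        block++;
    }
    return NULL;
}

/* Compare a UTF-16 value with an ASCII string; 1 if equal, 0 otherwise. */
static int env_value_equals(const uint16_t *value, const char *ascii)
{
    if (!value) return 0;
    for (; *ascii; ascii++, value++)
        if (*value != (uint16_t)(unsigned char)*ascii) return 0;
    return *value == 0;
}

#ifdef _WIN32
#include <windows.h>
/* CREATE_UNICODE_ENVIRONMENT tells CreateProcessW the block is already UTF-16,
 * so it is handed on unchanged instead of being converted from ANSI. */
static int spawn_with_env(wchar_t *cmdline, uint16_t *block)
{
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    if (!CreateProcessW(NULL, cmdline, NULL, NULL, FALSE,
                        CREATE_UNICODE_ENVIRONMENT, block, NULL, &si, &pi))
        return 0;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 1;
}
#endif

int main(void)
{
    /* constructed sample entries */
    const char *entries[] = { "FOO=bar", "PATH=C:\\Windows\\System32" };
    size_t units = 0;
    uint16_t *block = build_unicode_env_block(entries, 2, &units);
    if (!block) return 1;
    printf("block: %zu UTF-16 units, %zu entries\n", units, env_block_count(block));
#ifdef _WIN32
    wchar_t cmd[] = L"cmd.exe /c set";   /* child prints the environment it received */
    spawn_with_env(cmd, block);
#endif
    free(block);
    return 0;
}
```

On Windows the child started by spawn_with_env() prints only the two entries placed in the block, which is the quickest way to confirm that a block you hand to CreateProcessW() (or, per the post's observation, to RtlCreateProcessParametersEx()) has the layout the loader expects; a block missing the second NUL is read past its end.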
The UNICODE string with the Environment variables can be seen here:
With this concluded, examining RtlCreateProcessParametersEx() dynamically while running process doppelganging shows that it was being passed a pointer to a UNICODE string with the environment variables.
The issue, then, is how to set the environment variables correctly.