Get-PEB does not return the environment variables about powersploit HOT 4 CLOSED

Considering 'EnvironmentVariables' is made available to you via Get-Process, would you have a problem with me just calling that and assigning my EnvironmentVariables accordingly? Or would you rather I follow the pointer to the environment variables and walk the list?

Example:

$EnvironmentVariables = (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).StartInfo.EnvironmentVariables

from powersploit.

Matt, Its good to know that's an option. I didn't think to check the startup options. I think it'd be better to only include the functionality in Get-PEB, if it was reading from the environment block. People are going to assume that's the case, so it would do more harm than good including it.

I took a quick look at the ProcessHacker 1.0 source code which is C# and discovered that ProcessHandle.GetEnvironmentVariables(). I'll see what it takes to extract that into PowerShell code. It looks like that's a better source to model Get-PEB after since its pure C#.

My desire for this stems from trying to figure out how to get SQL Server stacktraces to use the symbol server. In that case, the problem is solved. However, if I was debugging powershell.exe or cmd.exe as well as child processes launched from a command line, I'd probably want the PEB to be read.

from powersploit.

If I were to do a Raw memory copy would you prefer I did an Import-DllImports on NtReadVirtualMemory or is there another method you prefer for calling unmanaged APIs?

from powersploit.

Check out Get-StructFromMemory (https://github.com/mattifestation/PowerSploit/blob/master/ReverseEngineering/Get-StructFromMemory.ps1). I use kernel32!VirtualQueryEx to ensure that I can read a particular address in a remote process and kernel32!ReadProcessMemory to read memory in the remote process.

from powersploit.