I'm investigating how C:\Windows\System32\SystemPropertiesAdvanced.exe on Windows 2008 interacts with explorer.exe when updating system environment variables. When updating environment variables this way, explorer.exe will dynamically update its environment block to pick up the changes. I'm aware of multiple ways to remotely inject environment variables, but was curious as to the implementation SystemPropertiesAdvanced.exe uses.
When I press the OK button on the SystemPropertiesAdvanced dialog after updating an environment variable, a new thread is created. Debugging this thread I've come to the following lines of interest:
WINSTA!WinStationBSMWorkerThread:
75b292bc 8bff mov edi,edi
75b292be 55 push ebp
75b292bf 8bec mov ebp,esp
75b292c1 51 push ecx
75b292c2 8365fc00 and dword ptr [ebp-4],0
75b292c6 53 push ebx
75b292c7 56 push esi
75b292c8 8b7508 mov esi,dword ptr [ebp+8]
75b292cb 837e4000 cmp dword ptr [esi+40h],0
75b292cf 57 push edi
75b292d0 0f95c0 setne al
75b292d3 50 push eax
75b292d4 ff763c push dword ptr [esi+3Ch]
75b292d7 8d4624 lea eax,[esi+24h]
75b292da ff7638 push dword ptr [esi+38h]
75b292dd ff7628 push dword ptr [esi+28h]
75b292e0 50 push eax
75b292e1 ff7620 push dword ptr [esi+20h] ds:0023:00404468={SYSDM!szUserEnv (6b3ec434)}
75b292e4 8d4614 lea eax,[esi+14h]
75b292e7 ff761c push dword ptr [esi+1Ch]
75b292ea ff7618 push dword ptr [esi+18h]
75b292ed 50 push eax
75b292ee ff7610 push dword ptr [esi+10h]
75b292f1 ff760c push dword ptr [esi+0Ch]
75b292f4 ff7608 push dword ptr [esi+8]
75b292f7 ff7604 push dword ptr [esi+4]
75b292fa ff36 push dword ptr [esi]
75b292fc e821fdffff call WINSTA!WinStationBroadcastSystemMessageWorker (75b29022)
75b29301 8d7e44 lea edi,[esi+44h]
75b29304 57 push edi
75b29305 894508 mov dword ptr [ebp+8],eax
75b29308 ff15d810b275 call dword ptr [WINSTA!_imp__EnterCriticalSection (75b210d8)]
75b2930e 33db xor ebx,ebx
75b29310 43 inc ebx
75b29311 837e3000 cmp dword ptr [esi+30h],0
75b29315 0f85663d0000 jne WINSTA!WinStationBSMWorkerThread+0x5b (75b2d081)
75b2931b 57 push edi
75b2931c 895e2c mov dword ptr [esi+2Ch],ebx
75b2931f ff15d410b275 call dword ptr [WINSTA!_imp__LeaveCriticalSection (75b210d4)]
75b29325 837dfc00 cmp dword ptr [ebp-4],0
75b29329 0f85683d0000 jne WINSTA!WinStationBSMWorkerThread+0x7c (75b2d097)
75b2932f 8b4508 mov eax,dword ptr [ebp+8]
75b29332 5f pop edi
75b29333 5e pop esi
75b29334 5b pop ebx
75b29335 c9 leave
75b29336 c20400 ret 4
I believe that the call to WINSTA!WinStationBroadcastSystemMessageWorker is somehow letting explorer.exe know that it should pick up these new environment variables. It's interesting that the reference at 75b292e1 is being identified as SYSDM!szUserEnv by the debugger.
Perhaps not your standard inquiry, but maybe there are other reverse engineers out there. :) [at 100rep I'll set the "tags" properly]
Cheers
1 answer
#1
Pradeep Prem Kamal explains how to use WM_SETTINGCHANGE and SendMessageTimeout to update all top-level processes in his blog post here. Another example (in Delphi) can be found here.
My guess is that WINSTA!WinStationBroadcastSystemMessageWorker wraps updating the user environment variables (SYSDM!szUserEnv ?) and makes the SendMessageTimeout call.
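As an added example (not code from the question or the answer), the mechanism the answer describes done from an elevated PowerShell session via P/Invoke: write the variable to the system Environment key in the registry, then broadcast WM_SETTINGCHANGE with lParam "Environment" through SendMessageTimeout so explorer.exe and other top-level windows rebuild their environment blocks. The variable name and value are constructed; the registry path is the standard location for system-wide variables.

```powershell
# Added example: update a system environment variable the same way the
# System Properties dialog is described as doing it, then notify top-level
# windows with WM_SETTINGCHANGE so explorer.exe re-reads the environment.
# Requires an elevated session (writes under HKLM).

$signature = @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr SendMessageTimeout(
    IntPtr hWnd, uint Msg, UIntPtr wParam, string lParam,
    uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@
# Define the P/Invoke wrapper once per session; reuse it if it already exists.
if (-not ('Win32.User32' -as [type])) {
    Add-Type -MemberDefinition $signature -Name 'User32' -Namespace 'Win32' | Out-Null
}
$User32 = [Win32.User32]

$HWND_BROADCAST   = [IntPtr]0xFFFF   # deliver to every top-level window
$WM_SETTINGCHANGE = 0x001A           # "a system-wide setting changed"
$SMTO_ABORTIFHUNG = 0x0002           # skip windows that are not responding

function Set-SystemEnvironmentVariable {
    param([string]$Name, [string]$Value)

    # System variables live here (user variables are under HKCU:\Environment).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type String

    # Broadcast WM_SETTINGCHANGE with lParam = "Environment". Explorer handles
    # this message by rebuilding its environment block from the registry, which
    # is why new console windows started from Explorer see the change.
    $result = [UIntPtr]::Zero
    $rc = $User32::SendMessageTimeout($HWND_BROADCAST, $WM_SETTINGCHANGE, [UIntPtr]::Zero,
                                      'Environment', $SMTO_ABORTIFHUNG, 5000, [ref]$result)
    if ($rc -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SendMessageTimeout failed or timed out (Win32 error $err)"
    }
}

# Constructed sample values; pick a name that does not collide with a real variable.
Set-SystemEnvironmentVariable -Name 'EXAMPLE_VAR' -Value 'constructed-value'
```

Values that embed other variables (for example anything PATH-like) should be written with `-Type ExpandString` so they are stored as REG_EXPAND_SZ; already-running processes other than the ones that handle WM_SETTINGCHANGE keep their old environment block.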