{"id":8287,"date":"2022-12-02T23:15:00","date_gmt":"2022-12-02T23:15:00","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8287"},"modified":"2022-12-02T23:27:04","modified_gmt":"2022-12-02T23:27:04","slug":"environment-is-variable","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2022\/12\/02\/environment-is-variable\/","title":{"rendered":"Environment&#8230; is variable"},"content":{"rendered":"\n<p>I love environment variables. They are often <a href=\"https:\/\/www.google.com\/search?q=site:hexacorn.com+environment+variables\">post-worthy<\/a>, and sometimes they are just simply <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/05\/26\/plata-o-plomo-code-injections-execution-tricks\/\" data-type=\"post\" data-id=\"6343\">cool<\/a>.<\/p>\n\n\n\n<p>Yet, many are still not known. Many are still not described.<\/p>\n\n\n\n<p>Looking for &#8216;easy&#8217; research targets inside the Windows directory, one can scan executables and DLLs looking for either a string or an import reference to the functions that operate on environment variables:<\/p>\n\n\n\n<ul><li>RtlSetEnvironmentVariable<\/li><li>setenv<\/li><li>SetEnvironmentVariable<\/li><li>GetEnv<\/li><li>GetEnvironmentVariable<\/li><li>ExpandEnvironment<\/li><\/ul>\n\n\n\n<p>These produce really interesting hits!<\/p>\n\n\n\n<p>Looking at the code of puiobj.dll (PrintUI Objects DLL) we can find a weirdly named environment variable F2ED815E-5F18-4860-A8F2-16471D53C5CF that takes an integer value that seems to be a flag controlling how printer queue jobs are presented.<\/p>\n\n\n\n<p>Looking at curl.exe we see the familiar <a href=\"https:\/\/everything.curl.dev\/cmdline\/configfile\">CURL_HOME<\/a> reference that can alter the way curl works (configuration file location).<\/p>\n\n\n\n<p>xcopy.exe takes into consideration the value of COPYCMD.<\/p>\n\n\n\n<p>In 2022 no one remembers mswsock.dll, but it also uses environment 
variables:<\/p>\n\n\n\n<ul><li>SanTcpBypass<\/li><li>SanResizeDisable<\/li><li>SanRecvPollCount<\/li><\/ul>\n\n\n\n<p>The same goes for oleaut32.dll:<\/p>\n\n\n\n<ul><li><a href=\"https:\/\/www.betaarchive.com\/wiki\/index.php\/Microsoft_KB_Archive\/139071#Set_the_OANOCACHE_environment_variable\">OANOCACHE<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/oleauto\/nf-oleauto-oaenableperusertlibregistration\">OAPERUSERTLIBREG<\/a><\/li><li><a href=\"https:\/\/www.betaarchive.com\/wiki\/index.php\/Microsoft_KB_Archive\/937360#OACACHEPARAMS_variable_instructions\">OACACHEPARAMS<\/a><\/li><\/ul>\n\n\n\n<p>Many environment variable tricks are known by now. Today I posted on <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1598665412081700865\">Twitter<\/a> and <a href=\"https:\/\/infosec.exchange\/@hexacorn\/109444263329952725\">Mastodon<\/a> about the use of environment variables inside LNK files, which &#8212; while not really a proper evasion, since the shell functions are processed within the context of the executing process &#8212; may give some new opportunities to attackers too.<\/p>\n\n\n\n<p>But there is always more&#8230;<\/p>\n\n\n\n<p>Environment variables are very, very prevalent and all over the place. Many of them are kinda invisible, e.g. 
many batch files and the aforementioned LNK files rely on them a lot, and many of these variables are batch-file specific, often used internally and not very well documented.<\/p>\n\n\n\n<p>Here&#8217;s a snapshot of various environment variables (many of which are not very well known, I think) present inside the LNK and BAT files on a Windows 10 system with Visual Studio, Bonjour, Npcap, PowerShell and Python installed:<\/p>\n\n\n\n<ul><li>%ARGS%<\/li><li>%AUT%<\/li><li>%AUTDIR%<\/li><li>%CABOUTPUT%<\/li><li>%CD%<\/li><li>%CLIENTPATH%<\/li><li>%CRT%<\/li><li>%CURRDIR%<\/li><li>%CabOutput%<\/li><li>%CommandPromptType%<\/li><li>%CommonProgramFiles%<\/li><li>%DEVENVDIR%<\/li><li>%DIR%<\/li><li>%DIRECTIVEFILE%<\/li><li>%DevEnvDir%<\/li><li>%DoDump%<\/li><li>%Dot11Support%<\/li><li>%ERRORLEVEL%<\/li><li>%ExtensionSDKDir%<\/li><li>%FSHARPINSTALLDIR%<\/li><li>%Framework40Version%<\/li><li>%FrameworkDIR32%<\/li><li>%FrameworkDIR64%<\/li><li>%FrameworkDir%<\/li><li>%FrameworkDir32%<\/li><li>%FrameworkDir64%<\/li><li>%FrameworkVersion%<\/li><li>%FrameworkVersion32%<\/li><li>%FrameworkVersion64%<\/li><li>%HOMEDRIVE%<\/li><li>%HOMEPATH%<\/li><li>%IFCPATH%<\/li><li>%INCLUDE%<\/li><li>%KEY_NAME%<\/li><li>%LEGACY_MACHINE_SETUP_LOGS_PATH%<\/li><li>%LIB%<\/li><li>%LIBPATH%<\/li><li>%LOCALAPPDATA%<\/li><li>%LoopbackAdapter%<\/li><li>%MACHINE_AMD64_SETUP_LOGS_PATH%<\/li><li>%MACHINE_I386_SETUP_LOGS_PATH%<\/li><li>%NETFXSDKDir%<\/li><li>%NPCAP_DIR%<\/li><li>%OUTPUTDIR%<\/li><li>%OutputDir%<\/li><li>%PATH%<\/li><li>%PERMACHINECLIENTPATH64%<\/li><li>%PERMACHINECLIENTPATH86%<\/li><li>%PERMACHINE_START_MENU_PATH%<\/li><li>%PERUSER_START_MENU_PATH%<\/li><li>%PROCESSOR_ARCHITECTURE%<\/li><li>%PROGRAMDATA%<\/li><li>%PROMPT%<\/li><li>%PYTHONHOME%<\/li><li>%ProgramFiles%<\/li><li>%ProgramW6432%<\/li><li>%RANDOM%<\/li><li>%RETURNCODE%<\/li><li>%SDK%<\/li><li>%SENDMAIL%<\/li><li>%SID%<\/li><li>%SQUISHRUNNER%<\/li><li>%SQUISHSERVER%<\/li><li>%START_TYPE%<\/li><li>%ScriptName%<\/li><li>%SendMail%<\/li><li>%SyncLogsExclude%<\/li>
<li>%SyncSettingsExclude%<\/li><li>%SystemRoot%<\/li><li>%TARGET%<\/li><li>%TEMP%<\/li><li>%TEMPFILE%<\/li><li>%TESTCASE%<\/li><li>%TESTSUITE%<\/li><li>%TEST_INCLUDE%<\/li><li>%TEST_LIB%<\/li><li>%TMP%<\/li><li>%UCRTVersion%<\/li><li>%USERPROFILE%<\/li><li>%UniversalCRTSdkDir%<\/li><li>%VCIDEInstallDir%<\/li><li>%VCINSTALLDIR%<\/li><li>%VCLIB_GENERAL_OVERRIDE%<\/li><li>%VCToolsInstallDir%<\/li><li>%VCToolsVersion%<\/li><li>%VCVARS_USER_VERSION%<\/li><li>%VC_ATLMFC_IncludePath%<\/li><li>%VC_ExecutablePath_ARM_ARM%<\/li><li>%VC_ExecutablePath_ARM_ARM64%<\/li><li>%VC_ExecutablePath_ARM_x64%<\/li><li>%VC_ExecutablePath_ARM_x86%<\/li><li>%VC_ExecutablePath_x64_ARM%<\/li><li>%VC_ExecutablePath_x64_ARM64%<\/li><li>%VC_ExecutablePath_x64_x64%<\/li><li>%VC_ExecutablePath_x64_x86%<\/li><li>%VC_ExecutablePath_x86_ARM%<\/li><li>%VC_ExecutablePath_x86_ARM64%<\/li><li>%VC_ExecutablePath_x86_x64%<\/li><li>%VC_ExecutablePath_x86_x86%<\/li><li>%VC_IFCPath%<\/li><li>%VC_LibraryPath_ATL_ARM%<\/li><li>%VC_LibraryPath_ATL_ARM64%<\/li><li>%VC_LibraryPath_ATL_ARM64EC%<\/li><li>%VC_LibraryPath_ATL_ARM64EC_spectre%<\/li><li>%VC_LibraryPath_ATL_ARM64_spectre%<\/li><li>%VC_LibraryPath_ATL_ARM_spectre%<\/li><li>%VC_LibraryPath_ATL_x64%<\/li><li>%VC_LibraryPath_ATL_x64_spectre%<\/li><li>%VC_LibraryPath_ATL_x86%<\/li><li>%VC_LibraryPath_ATL_x86_spectre%<\/li><li>%VC_LibraryPath_VC_ARM%<\/li><li>%VC_LibraryPath_VC_ARM64%<\/li><li>%VC_LibraryPath_VC_ARM64EC%<\/li><li>%VC_LibraryPath_VC_ARM64EC_Desktop%<\/li><li>%VC_LibraryPath_VC_ARM64EC_Desktop_spectre%<\/li><li>%VC_LibraryPath_VC_ARM64EC_OneCore%<\/li><li>%VC_LibraryPath_VC_ARM64EC_OneCore_spectre%<\/li><li>%VC_LibraryPath_VC_ARM64EC_Store%<\/li><li>%VC_LibraryPath_VC_ARM64_Desktop%<\/li><li>%VC_LibraryPath_VC_ARM64_Desktop_spectre%<\/li><li>%VC_LibraryPath_VC_ARM64_OneCore%<\/li><li>%VC_LibraryPath_VC_ARM64_OneCore_spectre%<\/li><li>%VC_LibraryPath_VC_ARM64_Store%<\/li><li>%VC_LibraryPath_VC_ARM_Desktop%<\/li><li>%VC_LibraryPath_VC_ARM_Desktop_spectre%<\/li>
<li>%VC_LibraryPath_VC_ARM_OneCore%<\/li><li>%VC_LibraryPath_VC_ARM_OneCore_spectre%<\/li><li>%VC_LibraryPath_VC_ARM_Store%<\/li><li>%VC_LibraryPath_VC_x64%<\/li><li>%VC_LibraryPath_VC_x64_Desktop%<\/li><li>%VC_LibraryPath_VC_x64_Desktop_spectre%<\/li><li>%VC_LibraryPath_VC_x64_OneCore%<\/li><li>%VC_LibraryPath_VC_x64_OneCore_spectre%<\/li><li>%VC_LibraryPath_VC_x64_Store%<\/li><li>%VC_LibraryPath_VC_x86%<\/li><li>%VC_LibraryPath_VC_x86_Desktop%<\/li><li>%VC_LibraryPath_VC_x86_Desktop_spectre%<\/li><li>%VC_LibraryPath_VC_x86_OneCore%<\/li><li>%VC_LibraryPath_VC_x86_OneCore_spectre%<\/li><li>%VC_LibraryPath_VC_x86_Store%<\/li><li>%VC_VC_IncludePath%<\/li><li>%VIRTUAL_ENV%<\/li><li>%VS160COMNTOOLS%<\/li><li>%VSCMD_ARG_APP_PLAT%<\/li><li>%VSCMD_ARG_CHAMELEON%<\/li><li>%VSCMD_ARG_CLEAN_ENV%<\/li><li>%VSCMD_ARG_HELP%<\/li><li>%VSCMD_ARG_HOST_ARCH%<\/li><li>%VSCMD_ARG_NO_EXT%<\/li><li>%VSCMD_ARG_STARTDIR%<\/li><li>%VSCMD_ARG_TGT_ARCH%<\/li><li>%VSCMD_ARG_VCVARS_SPECTRE%<\/li><li>%VSCMD_ARG_VCVARS_VER%<\/li><li>%VSCMD_ARG_WINSDK%<\/li><li>%VSCMD_ARG_no_logo%<\/li><li>%VSCMD_BANNER_SHELL_NAME_ALT%<\/li><li>%VSCMD_BANNER_TEXT_ALT%<\/li><li>%VSCMD_DEBUG%<\/li><li>%VSCMD_SKIP_SENDTELEMETRY%<\/li><li>%VSCMD_START_DIR%<\/li><li>%VSCMD_TEST%<\/li><li>%VSCMD_VCVARSALL_INIT%<\/li><li>%VSCMD_VER%<\/li><li>%VSINSTALLDIR%<\/li><li>%WORKINGDIR%<\/li><li>%WORKINGDIRONEDRIVE%<\/li><li>%WindowsLibPath%<\/li><li>%WindowsSDKDir%<\/li><li>%WindowsSDKLibVersion%<\/li><li>%WindowsSDKNotFound%<\/li><li>%WindowsSDKVersion%<\/li><li>%WindowsSDK_ExecutablePath_x64%<\/li><li>%WindowsSDK_ExecutablePath_x86%<\/li><li>%WindowsSdkBinPath%<\/li><li>%WindowsSdkDir%<\/li><li>%WindowsSdkVerBinPath%<\/li><li>%cmd%<\/li><li>%computername%<\/li><li>%comspec%<\/li><li>%dir%<\/li><li>%errorlevel%<\/li><li>%findSDK%<\/li><li>%match%<\/li><li>%originPolicy%<\/li><li>%result%<\/li><li>%returnValue%<\/li><li>%scriptPath%<\/li><li>%systemroot%<\/li><li>%temp%<\/li><li>%windir%<\/li><\/ul>
\n","protected":false},"excerpt":{"rendered":"<p>I love environmental variables. They are often post-worthy, and sometimes they are just simply cool. Yet, many are still not known. Many are still not described. Looking for &#8216;easy&#8217; research targets inside the Windows directory one can scan executables and &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/12\/02\/environment-is-variable\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,56,45],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8287"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8287"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8287\/revisions"}],"predecessor-version":[{"id":8297,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8287\/revisions\/8297"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}