This was referenced Jan 16, 2026
This PR introduces the environment variables trait and listing in memflow. Linked to this memflow-win32 PR implementing environment variables listing for Win32Kernel, as well as a rawmem connector to be able to add the possibility to pass a raw memory dump.
Goal
The goal of this feature is to introduce the possibility for the user to inspect environment variables linked to a process. This can help to tie a process to a user/session, workstation role or container/pod, retrieve API keys, some credentials and more.
Example output
The following output is produced when running the envars_list example on a raw memory image using the memflow-rawmem connector.
```
20:26:25 [INFO] arch=X86(64, false) kernel_hint=fffff8043cff1ca0 dtb=1aa000
20:26:26 [INFO] base=fffff8043cc00000 size=17063936
20:26:26 [INFO] kernel_guid=Some(Win32Guid { file_name: "ntkrnlmp.pdb", guid: "769C521E4833ECF72E21F02BF33691A51" })
20:26:26 [INFO] trying to find NtBuildNumber export
20:26:26 [INFO] NtBuildNumber found at 0xc11f48
20:26:26 [INFO] trying to find RtlGetVersion export
20:26:26 [INFO] RtlGetVersion found at 0x6d8200
20:26:26 [INFO] nt_build_number: 4026550882
20:26:26 [INFO] kernel version: 10.0.19042
20:26:26 [INFO] kernel_winver=Win32Version { nt_major_version: 10, nt_minor_version: 0, nt_build_number: 4026550882 }
20:26:26 [INFO] PsInitialSystemProcess found at 0xfffff8043d8fc420
20:26:26 [INFO] eprocess_base=ffffbf0f64a63080
20:26:26 [INFO] start_block.dtb=1aa000
20:26:26 [INFO] reading pdb from local cache: /Users/X/Library/Caches/memflow/ntkrnlmp.pdb/769C521E4833ECF72E21F02BF33691A51
20:26:26 [INFO] updating connector mem_map=MemoryMapping: base=1000 size=9e000 real_base=1000
MemoryMapping: base=100000 size=2000 real_base=100000
MemoryMapping: base=103000 size=dfeed000 real_base=103000
MemoryMapping: base=100000000 size=20000000 real_base=100000000
20:26:26 [INFO] updating sysproc_dtb=1aa000
found process: ReprCString { 0: "explorer.exe" }
PID 4352 | explorer.exe | sys=X86(64, false) proc=X86(64, false)
VARIABLE | VALUE
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\John Doe\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-0J3S8C2
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\John Doe
LOCALAPPDATA=C:\Users\John Doe\AppData\Local
LOGONSERVER=\\DESKTOP-0J3S8C2
NUMBER_OF_PROCESSORS=4
OneDrive=C:\Users\John Doe\OneDrive
OS=Windows_NT
Path=C:\Program Files\AdoptOpenJDK\jdk-11.0.11.9-hotspot\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\John Doe\AppData\Local\Microsoft\WindowsApps;C:\Program Files (x86)\Nmap
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 142 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=8e0c
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JOHNDO~1\AppData\Local\Temp
TMP=C:\Users\JOHNDO~1\AppData\Local\Temp
USERDOMAIN=DESKTOP-0J3S8C2
USERDOMAIN_ROAMINGPROFILE=DESKTOP-0J3S8C2
USERNAME=John Doe
USERPROFILE=C:\Users\John Doe
windir=C:\Windows
```

Cheers.
k1nd0ne.
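For readers who want to see how a listing like the one above is recovered from a memory image, here is a parser for the raw Windows process environment block (the UTF-16LE, double-NUL-terminated `NAME=VALUE` region that a process's parameters point to). This is an added example written for this page, not memflow's or memflow-win32's own code; the sample bytes are constructed, and the hidden `=::=::\` drive entry seen in the output above is handled explicitly.

```rust
// Added example (not memflow code): decode a Windows environment block that
// has been read as raw bytes from guest memory into (name, value) pairs.
// Layout assumed: UTF-16LE "NAME=VALUE\0" entries, block ends with an extra NUL.

/// Parse the block. Entries whose name begins with '=' (e.g. "=::=::\") are
/// the hidden per-drive current-directory entries; they split at the second '='.
pub fn parse_env_block(raw: &[u8]) -> Vec<(String, String)> {
    let units: Vec<u16> = raw
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .collect();
    let mut out = Vec::new();
    for entry in units.split(|&u| u == 0) {
        if entry.is_empty() {
            break; // two consecutive NULs terminate the block
        }
        let s = String::from_utf16_lossy(entry);
        // Look for '=' starting at the second character so a leading '=' is kept in the name.
        match s.char_indices().skip(1).find(|&(_, c)| c == '=').map(|(i, _)| i) {
            Some(i) => out.push((s[..i].to_string(), s[i + 1..].to_string())),
            None => out.push((s, String::new())), // malformed entry: keep name, empty value
        }
    }
    out
}

/// Case-insensitive lookup, matching how Windows treats variable names.
pub fn env_get<'a>(vars: &'a [(String, String)], name: &str) -> Option<&'a str> {
    vars.iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

/// Constructed sample block standing in for bytes read from a memory dump.
pub fn sample_block() -> Vec<u8> {
    let entries = ["=::=::\\", "COMPUTERNAME=DESKTOP-0J3S8C2",
                   "Path=C:\\Windows\\system32;C:\\Windows", "USERNAME=John Doe"];
    let mut raw = Vec::new();
    for e in entries {
        raw.extend(e.encode_utf16().flat_map(u16::to_le_bytes));
        raw.extend([0u8, 0]); // entry terminator
    }
    raw.extend([0u8, 0]); // block terminator
    raw
}

fn main() {
    println!("VARIABLE | VALUE");
    for (k, v) in parse_env_block(&sample_block()) {
        println!("{}={}", k, v);
    }
}
```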