From 5062ff6c75b6a51f30fabfb8d11800f9e729270f Mon Sep 17 00:00:00 2001 From: binarymaster Date: Fri, 17 Jul 2015 01:28:23 +0300 Subject: [PATCH] Update INI - Added support for build 10.0.10240.16384 - Added HOW TO hints to KB --- res/rdpwrap-ini-kb.txt | 76 ++++++++++++++++++++++++++++++++++++++++++ res/rdpwrap.ini | 46 +++++++++++++++++++++++++ 2 files changed, 122 insertions(+) diff --git a/res/rdpwrap-ini-kb.txt b/res/rdpwrap-ini-kb.txt index dc58532..7bee8a3 100644 --- a/res/rdpwrap-ini-kb.txt +++ b/res/rdpwrap-ini-kb.txt @@ -54,6 +54,11 @@ CDefPolicy_Query_eax_ecx=B80001000089812003000090 CDefPolicy_Query_eax_rcx=B80001000089813806000090 [6.0.6000.16386] +; HOW TO search CSessionArbitrationHelper::IsSingleSessionPerUserEnabled function in IDA Pro: +; 1. Search text: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; 2. All xrefs will point to this function (in x64 version xref points to subroutine, so you need to go one level up) +; 3. Go to first graph block and find memset, VersionInformation, call GetVersionExW, and so on + ; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled ; Imagebase: 6F320000 ; .text:6F3360B9 lea eax, [ebp+VersionInformation] @@ -74,6 +79,11 @@ SingleUserCode.x86=nop SingleUserPatch.x64=1 SingleUserOffset.x64=65E3E SingleUserCode.x64=Zero +; HOW TO search CDefPolicy::Query function in IDA Pro: +; 1. Search text: CDefPolicy::Query +; 2. All xrefs will point to this function (in x64 version xref sometimes points to subroutine, so you need to go one level up) +; 3. Go to first graph block and find cmp/jz instructions on the bottom of block + ; Patch CDefPolicy::Query ; Original ; .text:6F335CD8 cmp edx, [ecx+320h] @@ -835,6 +845,12 @@ SLPolicyOffset.x64=21FD0 SLPolicyFunc.x64=New_Win8SL [6.3.9431.0] +; HOW TO search CEnforcementCore::GetInstanceOfTSLicense function in IDA Pro: +; 1. Search text: CSLQuery::IsLicenseTypeLocalOnly +; 2. All xrefs will point to this function +; 3. Go to function beginning and check ; CODE XREF string, it will point to GetInstanceOfTSLicense function +; 4. Follow CODE XREF, switch to graph view, the next block below is to patch + ; Patch CEnforcementCore::GetInstanceOfTSLicense ; .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) ; .text:1008A609 test eax, eax @@ -890,6 +906,10 @@ DefPolicyCode.x86=CDefPolicy_Query_eax_ecx DefPolicyPatch.x64=1 DefPolicyOffset.x64=350FD DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; HOW TO search CSLQuery::Initialize function in IDA Pro: +; 1. Search text: CSLQuery::Initialize - SLGetWindowsInformationDWORD failed +; 2. All xrefs will point to this function + ; Hook CSLQuery::Initialize SLInitHook.x86=1 SLInitOffset.x86=196B0 @@ -1386,6 +1406,36 @@ SLInitHook.x64=1 SLInitOffset.x64=22E40 SLInitFunc.x64=New_CSLQuery_Initialize +[10.0.10240.16384] +; Patch CEnforcementCore::GetInstanceOfTSLicense +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A7D96 +LocalOnlyCode.x86=jmpshort +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=96901 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +SingleUserPatch.x86=1 +SingleUserOffset.x86=32A95 +SingleUserCode.x86=nop +SingleUserPatch.x64=1 +SingleUserOffset.x64=18F74 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=2F5B9 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=22865 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=46581 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=250F0 +SLInitFunc.x64=New_CSLQuery_Initialize + [SLInit] ; Is server bServerSku=1 @@ -1405,6 +1455,13 @@ ulMaxDebugSessions=0 bInitialized=1 [6.3.9431.0-SLInit] +; HOW TO search SLInit global variables in IDA Pro: +; 1. Search text: The SL policy for ',27h,'Allow Multiple Sessions',27h,' is not defined +; 2. Xref will point to CSLQuery::Initialize function +; 3. Follow xref, look for cmp instruction nearby +; 4. It will be comparsion with CSLQuery::bServerSku constant +; 5. Now it's easy to find other constants + bFUSEnabled.x86 =A22A8 lMaxUserSessions.x86 =A22AC bAppServerAllowed.x86 =A22B0 @@ -1574,3 +1631,22 @@ bMultimonAllowed.x64 =F3458 bServerSku.x64 =F345C ulMaxDebugSessions.x64=F3460 bRemoteConnAllowed.x64=F3464 + +[10.0.10240.16384-SLInit] +bFUSEnabled.x86 =C3F60 +lMaxUserSessions.x86 =C3F64 +bAppServerAllowed.x86 =C3F68 +bInitialized.x86 =C3F6C +bMultimonAllowed.x86 =C3F70 +bServerSku.x86 =C3F74 +ulMaxDebugSessions.x86=C3F78 +bRemoteConnAllowed.x86=C3F7C + +lMaxUserSessions.x64 =F23B0 +bAppServerAllowed.x64 =F23B4 +bServerSku.x64 =F23B8 +bFUSEnabled.x64 =F3460 +bInitialized.x64 =F3464 +bMultimonAllowed.x64 =F3468 +ulMaxDebugSessions.x64=F346C +bRemoteConnAllowed.x64=F3470 diff --git a/res/rdpwrap.ini b/res/rdpwrap.ini index 11610e6..13cee34 100644 --- a/res/rdpwrap.ini +++ b/res/rdpwrap.ini @@ -543,6 +543,32 @@ SLInitHook.x64=1 SLInitOffset.x64=22E40 SLInitFunc.x64=New_CSLQuery_Initialize +[10.0.10240.16384] +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A7D96 +LocalOnlyCode.x86=jmpshort +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=96901 +LocalOnlyCode.x64=jmpshort +SingleUserPatch.x86=1 +SingleUserOffset.x86=32A95 +SingleUserCode.x86=nop +SingleUserPatch.x64=1 +SingleUserOffset.x64=18F74 +SingleUserCode.x64=Zero +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=2F5B9 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=22865 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +SLInitHook.x86=1 +SLInitOffset.x86=46581 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=250F0 +SLInitFunc.x64=New_CSLQuery_Initialize + [SLInit] bServerSku=1 bRemoteConnAllowed=1 @@ -695,6 +721,7 @@ bMultimonAllowed.x86 =C17E8 bServerSku.x86 =C17EC ulMaxDebugSessions.x86=C17F0 bRemoteConnAllowed.x86=C17F4 + bFUSEnabled.x64 =EEBF0 lMaxUserSessions.x64 =EEBF4 bAppServerAllowed.x64 =EEBF8 @@ -722,3 +749,22 @@ bMultimonAllowed.x64 =F3458 bServerSku.x64 =F345C ulMaxDebugSessions.x64=F3460 bRemoteConnAllowed.x64=F3464 + +[10.0.10240.16384-SLInit] +bFUSEnabled.x86 =C3F60 +lMaxUserSessions.x86 =C3F64 +bAppServerAllowed.x86 =C3F68 +bInitialized.x86 =C3F6C +bMultimonAllowed.x86 =C3F70 +bServerSku.x86 =C3F74 +ulMaxDebugSessions.x86=C3F78 +bRemoteConnAllowed.x86=C3F7C + +lMaxUserSessions.x64 =F23B0 +bAppServerAllowed.x64 =F23B4 +bServerSku.x64 =F23B8 +bFUSEnabled.x64 =F3460 +bInitialized.x64 =F3464 +bMultimonAllowed.x64 =F3468 +ulMaxDebugSessions.x64=F346C +bRemoteConnAllowed.x64=F3470