zabpehely
/
rdpwrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 5 Wiki Activity

Commit 2014.11.02 

Added support for termsrv.dll 6.4.9860.0
This commit is contained in:
binarymaster 2014-11-02 16:00:46 +03:00
parent de975423bd
commit 5f07396fad
6 changed files with 182 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
src-x86-binarymaster/rdpwrap.dll
View File

Binary file not shown.

63
src-x86-binarymaster/src/rdpwrap.dpr
View File

@ -34,12 +34,17 @@ library rdpwrap;
// 6.3.9600.16384 (Windows 8.1) [init hook + extended patch] // 6.3.9600.16384 (Windows 8.1) [init hook + extended patch]
// 6.3.9600.17095 (Windows 8.1 with KB2959626) [init hook + extended patch] // 6.3.9600.17095 (Windows 8.1 with KB2959626) [init hook + extended patch]
// 6.4.9841.0 (Windows 10 Technical Preview) [init hook + extended patch] // 6.4.9841.0 (Windows 10 Technical Preview) [init hook + extended patch]
// 6.4.9860.0 (Windows 10 Technical Preview 1) [init hook + extended patch]
// Known failures // Known failures
// 6.0.6000.16386 (Windows Vista RTM x86, crashes on logon attempt) // 6.0.6000.16386 (Windows Vista RTM x86, crashes on logon attempt)
// Internal changelog: // Internal changelog:
// 2014.11.02 :
// - researching termsrv.dll 6.4.9860.0
// - done
// 2014.10.19 : // 2014.10.19 :
// - added support for version 6.0.6000.16386 (x64) // - added support for version 6.0.6000.16386 (x64)
// - added support for version 6.0.6001.18000 (x64) // - added support for version 6.0.6001.18000 (x64)
@ -422,6 +427,19 @@ const
// .text:1003B994 nop // .text:1003B994 nop
// CDefPolicy_Query_eax_ecx // CDefPolicy_Query_eax_ecx
// ------------------- TermService build 6.4.9860.0
// Original
// .text:1003BEC9 cmp eax, [ecx+320h]
// .text:1003BECF jz loc_1005EE1A
//_______________
//
// Changed
// .text:1003BEC9 mov eax, 100h
// .text:1003BECE mov [ecx+320h], eax
// .text:1003BED4 nop
// CDefPolicy_Query_eax_ecx
var var
Stub_SLGetWindowsInformationDWORD: far_jmp; Stub_SLGetWindowsInformationDWORD: far_jmp;
Old_SLGetWindowsInformationDWORD: OldCode; Old_SLGetWindowsInformationDWORD: OldCode;
@ -842,6 +860,16 @@ begin
ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08); ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08);
bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C); bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C);
end; end;
if (FV.Release = 9860) and (FV.Build = 0) then begin
bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF7E0);
lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF7E4);
bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF7E8);
bInitialized := Pointer(Cardinal(TermSrvBase) + $BF7EC);
bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BF7F0);
bServerSku := Pointer(Cardinal(TermSrvBase) + $BF7F4);
ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BF7F8);
bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BF7FC);
end;
if bServerSku <> nil then begin if bServerSku <> nil then begin
WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1'); WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1');
bServerSku^ := 1; bServerSku^ := 1;
@ -1460,6 +1488,41 @@ begin
@Jump, SizeOf(far_jmp), bw); @Jump, SizeOf(far_jmp), bw);
end; end;
if (FV.Release = 9860) and (FV.Build = 0) then begin
WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense');
// .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *)
// .text:100962C0 test eax, eax
// .text:100962C2 js short loc_100962DF
// .text:100962C4 cmp [ebp+var_C], 0
// .text:100962C8 jz short loc_100962DF <- jmp
SignPtr := Pointer(Cardinal(TermSrvBase) + $962C8);
b := $EB;
WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw);
WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled');
// .text:10030841 lea eax, [esp+150h+VersionInformation]
// .text:10030845 inc ebx <- nop
// .text:10030846 mov [edi], ebx
// .text:10030848 push eax ; lpVersionInformation
// .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x)
SignPtr := Pointer(Cardinal(TermSrvBase) + $30845);
WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw);
WriteLog('Patch CDefPolicy::Query');
SignPtr := Pointer(Cardinal(TermSrvBase) + $3BEC9);
WriteProcessMemory(GetCurrentProcess, SignPtr,
@CDefPolicy_Query_eax_ecx[0],
SizeOf(CDefPolicy_Query_eax_ecx), bw);
WriteLog('Hook CSLQuery::Initialize');
SignPtr := Pointer(Cardinal(TermSrvBase) + $46F18);
Jump.PushOp := $68;
Jump.PushArg := @New_CSLQuery_Initialize;
Jump.RetOp := $C3;
WriteProcessMemory(GetCurrentProcess, SignPtr,
@Jump, SizeOf(far_jmp), bw);
end;
end; end;
end; end;

BIN
src-x86-binarymaster/src/rdpwrap.identcache
View File

Binary file not shown.

BIN
src-x86-x64-Fusix/rdpw32.dll
View File

Binary file not shown.

BIN
src-x86-x64-Fusix/rdpw64.dll
View File

Binary file not shown.

119
src-x86-x64-Fusix/src/RDPWrap.cpp
View File

@ -33,12 +33,17 @@
// 6.3.9600.16384 (Windows 8.1) [init hook + extended patch] // 6.3.9600.16384 (Windows 8.1) [init hook + extended patch]
// 6.3.9600.17095 (Windows 8.1 with KB2959626) [init hook + extended patch] // 6.3.9600.17095 (Windows 8.1 with KB2959626) [init hook + extended patch]
// 6.4.9841.0 (Windows 10 Technical Preview) [init hook + extended patch] // 6.4.9841.0 (Windows 10 Technical Preview) [init hook + extended patch]
// 6.4.9860.0 (Windows 10 Technical Preview 1) [init hook + extended patch]
// Known failures // Known failures
// 6.0.6000.16386 (Windows Vista RTM x86, crashes on logon attempt) // 6.0.6000.16386 (Windows Vista RTM x86, crashes on logon attempt)
// Internal changelog: // Internal changelog:
// 2014.11.02 :
// - researching termsrv.dll 6.4.9860.0
// - done
// 2014.10.19 : // 2014.10.19 :
// - added support for version 6.0.6000.16386 (x64) // - added support for version 6.0.6000.16386 (x64)
// - added support for version 6.0.6001.18000 (x64) // - added support for version 6.0.6001.18000 (x64)
@ -368,6 +373,19 @@ char CDefPolicy_Query_eax_rcx[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x3
// .text:000000018000C130 nop // .text:000000018000C130 nop
// char CDefPolicy_Query_eax_rcx[] // char CDefPolicy_Query_eax_rcx[]
// termsrv.dll build 6.4.9860.0
// Original
// .text:000000018000B9F5 cmp [rcx+63Ch], eax
// .text:000000018000B9FB jz sub_18003B9C8
//_______________
//
// Changed
// .text:000000018000B9F5 mov eax, 100h
// .text:000000018000B9FA mov [rcx+638h], eax
// .text:000000018000BA00 nop
// char CDefPolicy_Query_eax_rcx[]
#else #else
typedef unsigned long PLATFORM_DWORD; typedef unsigned long PLATFORM_DWORD;
struct FARJMP struct FARJMP
@ -608,6 +626,19 @@ char CDefPolicy_Query_eax_ecx[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x2
// .text:1003B994 nop // .text:1003B994 nop
// char CDefPolicy_Query_eax_ecx[] // char CDefPolicy_Query_eax_ecx[]
// termsrv.dll build 6.4.9860.0
// Original
// .text:1003BEC9 cmp eax, [ecx+320h]
// .text:1003BECF jz loc_1005EE1A
//_______________
//
// Changed
// .text:1003BEC9 mov eax, 100h
// .text:1003BECE mov [ecx+320h], eax
// .text:1003BED4 nop
// char CDefPolicy_Query_eax_ecx[]
#endif #endif
FARJMP Old_SLGetWindowsInformationDWORD, Stub_SLGetWindowsInformationDWORD; FARJMP Old_SLGetWindowsInformationDWORD, Stub_SLGetWindowsInformationDWORD;
@ -1061,6 +1092,28 @@ HRESULT WINAPI New_CSLQuery_Initialize()
bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xBFA0C); bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xBFA0C);
#endif #endif
} }
if (FV.Release == 9860 && FV.Build == 0)
{
#ifdef _WIN64
bFUSEnabled = (DWORD*)(TermSrvBase + 0xECBD8);
lMaxUserSessions = (DWORD*)(TermSrvBase + 0xECBDC);
bAppServerAllowed = (DWORD*)(TermSrvBase + 0xECBE0);
bInitialized = (DWORD*)(TermSrvBase + 0xECBE4);
bMultimonAllowed = (DWORD*)(TermSrvBase + 0xECBE8);
bServerSku = (DWORD*)(TermSrvBase + 0xECBEC);
ulMaxDebugSessions = (DWORD*)(TermSrvBase + 0xECBF0);
bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xECBF4);
#else
bFUSEnabled = (DWORD*)(TermSrvBase + 0xBF7E0);
lMaxUserSessions = (DWORD*)(TermSrvBase + 0xBF7E4);
bAppServerAllowed = (DWORD*)(TermSrvBase + 0xBF7E8);
bInitialized = (DWORD*)(TermSrvBase + 0xBF7EC);
bMultimonAllowed = (DWORD*)(TermSrvBase + 0xBF7F0);
bServerSku = (DWORD*)(TermSrvBase + 0xBF7F4);
ulMaxDebugSessions = (DWORD*)(TermSrvBase + 0xBF7F8);
bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xBF7FC);
#endif
}
if (bServerSku) if (bServerSku)
{ {
Log = new char[1024]; Log = new char[1024];
@ -2142,6 +2195,72 @@ void Hook()
#endif #endif
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &Jump, sizeof(FARJMP), &bw); WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &Jump, sizeof(FARJMP), &bw);
} }
if (FV.Release == 9860 && FV.Build == 0)
{
WriteToLog("Patch CEnforcementCore::GetInstanceOfTSLicense\r\n");
#ifdef _WIN64
// .text:0000000180081083 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *)
// .text:0000000180081088 test eax, eax
// .text:000000018008108A js short loc_1800810AB
// .text:000000018008108C cmp [rsp+58h+arg_18], 0
// .text:0000000180081091 jz short loc_1800810AB <- jmp
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x81091);
#else
// .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *)
// .text:100962C0 test eax, eax
// .text:100962C2 js short loc_100962DF
// .text:100962C4 cmp [ebp+var_C], 0
// .text:100962C8 jz short loc_100962DF <- jmp
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x962C8);
#endif
b = 0xEB;
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &b, sizeof(b), &bw);
WriteToLog("Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled\r\n");
#ifdef _WIN64
// .text:0000000180011AA3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation
// .text:0000000180011AA8 mov ebx, 1 <- 0
// .text:0000000180011AAD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch
// .text:0000000180011AB5 mov [rdi], ebx
// .text:0000000180011AB7 call cs:__imp_GetVersionExW
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x11AA9);
b = 0;
#else
// .text:10030841 lea eax, [esp+150h+VersionInformation]
// .text:10030845 inc ebx <- nop
// .text:10030846 mov [edi], ebx
// .text:10030848 push eax ; lpVersionInformation
// .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x)
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x30845);
b = 0x90;
#endif
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &b, sizeof(b), &bw);
WriteToLog("Patch CDefPolicy::Query\r\n");
#ifdef _WIN64
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0xB9F5);
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &CDefPolicy_Query_eax_rcx, sizeof(CDefPolicy_Query_eax_rcx), &bw);
#else
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x3BEC9);
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &CDefPolicy_Query_eax_ecx, sizeof(CDefPolicy_Query_eax_ecx), &bw);
#endif
WriteToLog("Hook CSLQuery::Initialize\r\n");
#ifdef _WIN64
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x1EB00);
Jump.MovOp = 0x48;
Jump.MovRegArg = 0xB8;
Jump.MovArg = (PLATFORM_DWORD)New_CSLQuery_Initialize;
Jump.PushRaxOp = 0x50;
Jump.RetOp = 0xC3;
#else
SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x46F18);
Jump.PushOp = 0x68;
Jump.PushArg = (PLATFORM_DWORD)New_CSLQuery_Initialize;
Jump.RetOp = 0xC3;
#endif
WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &Jump, sizeof(FARJMP), &bw);
}
} }
} }
WriteToLog("resume\r\n"); WriteToLog("resume\r\n");