diff --git a/src-x86-binarymaster/src/LiteINI.pas b/src-x86-binarymaster/src/LiteINI.pas new file mode 100644 index 0000000..08d144d --- /dev/null +++ b/src-x86-binarymaster/src/LiteINI.pas @@ -0,0 +1,375 @@ +{ + Copyright 2014 Stas'M Corp. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +} + +unit LiteINI; + +interface + +uses + SysUtils; + +type + SList = Array of String; + INIValue = record + Name: String; + Value: String; + end; + INISection = record + Name: String; + Values: Array of INIValue; + end; + INIFile = Array of INISection; + +procedure SListClear(var List: SList); +function SListAppend(var List: SList; S: String): Integer; +function SListFind(List: SList; Value: String): Integer; +function INIFindSection(INI: INIFile; Section: String): Integer; +function INIFindValue(INI: INIFile; Section: Integer; Value: String): Integer; +function INIAddSection(var INI: INIFile; Section: String): Integer; +function INIAddValue(var INI: INIFile; Section: Integer; ValueName, Value: String): Integer; +procedure INIUnload(var INI: INIFile); +procedure INILoad(var INI: INIFile; FileName: String); +function INISectionExists(INI: INIFile; Section: String): Boolean; +function INIValueExists(INI: INIFile; Section: String; Value: String): Boolean; +function INIReadSectionLowAPI(INI: INIFile; Section: Integer; var List: SList): Boolean; +function INIReadSection(INI: INIFile; Section: String): SList; +function INIReadStringLowAPI(INI: INIFile; Section, Value: Integer; var Str: String): Boolean; +function INIReadString(INI: INIFile; Section, Value, Default: String): String; +function INIReadInt(INI: INIFile; Section, Value: String; Default: Integer): Integer; +function INIReadDWord(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +function INIReadIntHex(INI: INIFile; Section, Value: String; Default: Integer): Integer; +function INIReadDWordHex(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +function INIReadBool(INI: INIFile; Section, Value: String; Default: Boolean): Boolean; +function INIReadBytes(INI: INIFile; Section, Value: String): TBytes; +function INIReadBytesDef(INI: INIFile; Section, Value: String; Default: TBytes): TBytes; + +implementation + +procedure SListClear(var List: SList); +begin + SetLength(List, 0); +end; + +function SListAppend(var List: SList; S: String): Integer; +begin + SetLength(List, Length(List) + 1); + List[Length(List) - 1] := S; + Result := Length(List) - 1; +end; + +function SListFind(List: SList; Value: String): Integer; +var + I: Integer; +begin + Result := -1; + for I := 0 to Length(List) - 1 do + if List[I] = Value then begin + Result := I; + Break; + end; +end; + +function INIFindSection(INI: INIFile; Section: String): Integer; +var + I: Integer; +begin + Result := -1; + for I := 0 to Length(INI) - 1 do + if INI[I].Name = Section then begin + Result := I; + Exit; + end; +end; + +function INIFindValue(INI: INIFile; Section: Integer; Value: String): Integer; +var + I: Integer; +begin + Result := -1; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + for I := 0 to Length(INI[Section].Values) - 1 do + if INI[Section].Values[I].Name = Value then begin + Result := I; + Exit; + end; +end; + +function INIAddSection(var INI: INIFile; Section: String): Integer; +begin + Result := INIFindSection(INI, Section); + if Result >= 0 then + Exit; + Result := Length(INI); + SetLength(INI, Result + 1); + INI[Result].Name := Section; + SetLength(INI[Result].Values, 0); +end; + +function INIAddValue(var INI: INIFile; Section: Integer; ValueName, Value: String): Integer; +var + I: Integer; +begin + Result := -1; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + I := INIFindValue(INI, Section, ValueName); + if I = -1 then begin + Result := Length(INI[Section].Values); + SetLength(INI[Section].Values, Result + 1); + INI[Section].Values[Result].Name := ValueName; + INI[Section].Values[Result].Value := Value; + end else begin + INI[Section].Values[I].Value := Value; + Result := I; + end; +end; + +procedure INIUnload(var INI: INIFile); +begin + SetLength(INI, 0); +end; + +procedure INILoad(var INI: INIFile; FileName: String); +var + F: TextFile; + S, ValueName, Value: String; + INIList: SList; + I, Sect: Integer; +begin + INIUnload(INI); + if not FileExists(FileName) then + Exit; + AssignFile(F, FileName); + Reset(F); + // Read and filter lines + while not EOF(F) do begin + Readln(F, S); + if (Pos(';', S) <> 1) + and (Pos('#', S) <> 1) + and ( + ((Pos('[', S) > 0) and (Pos(']', S) > 0)) or + (Pos('=', S) > 0) + ) + then + SListAppend(INIList, S); + end; + CloseFile(F); + // Parse 2 (parse format) + Sect := -1; + for I := 0 to Length(INIList) - 1 do begin + S := Trim(INIList[I]); + if Length(S) >= 2 then + if (S[1] = '[') and (S[Length(S)] = ']') then begin + S := Trim(Copy(S, 2, Length(S) - 2)); + Sect := INIAddSection(INI, S); + Continue; + end; + S := INIList[I]; + if Pos('=', S) > 0 then begin + ValueName := Trim(Copy(S, 1, Pos('=', S) - 1)); + Value := Copy(S, Pos('=', S) + 1, Length(S) - Pos('=', S)); + if Sect = -1 then + Sect := INIAddSection(INI, ''); + INIAddValue(INI, Sect, ValueName, Value); + end; + end; +end; + +function INISectionExists(INI: INIFile; Section: String): Boolean; +begin + Result := INIFindSection(INI, Section) > -1; +end; + +function INIValueExists(INI: INIFile; Section: String; Value: String): Boolean; +var + Sect: Integer; +begin + Sect := INIFindSection(INI, Section); + Result := INIFindValue(INI, Sect, Value) > -1; +end; + +function INIReadSectionLowAPI(INI: INIFile; Section: Integer; var List: SList): Boolean; +var + I: Integer; +begin + Result := False; + SetLength(List, 0); + if (Section < 0) or (Section >= Length(INI)) then + Exit; + for I := 0 to Length(INI[Section].Values) - 1 do + SListAppend(List, INI[Section].Values[I].Name); + Result := True; +end; + +function INIReadSection(INI: INIFile; Section: String): SList; +var + Sect: Integer; +begin + Sect := INIFindSection(INI, Section); + INIReadSectionLowAPI(INI, Sect, Result); +end; + +function INIReadStringLowAPI(INI: INIFile; Section, Value: Integer; var Str: String): Boolean; +begin + Result := False; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + if (Value < 0) or (Value >= Length(INI[Section].Values)) then + Exit; + Str := INI[Section].Values[Value].Value; + Result := True; +end; + +function INIReadString(INI: INIFile; Section, Value, Default: String): String; +var + Sect, Val: Integer; +begin + Sect := INIFindSection(INI, Section); + Val := INIFindValue(INI, Sect, Value); + if not INIReadStringLowAPI(INI, Sect, Val, Result) then + Result := Default; +end; + +function INIReadInt(INI: INIFile; Section, Value: String; Default: Integer): Integer; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadDWord(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadIntHex(INI: INIFile; Section, Value: String; Default: Integer): Integer; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val('$'+S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadDWordHex(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val('$'+S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadBool(INI: INIFile; Section, Value: String; Default: Boolean): Boolean; +var + S: String; + I: Cardinal; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, I, E); + if E <> 0 then + Result := Default + else + Result := I > 0; +end; + +function StringToBytes(S: String; var B: TBytes): Boolean; +var + I: Integer; +begin + Result := False; + if Odd(Length(S)) then + Exit; + SetLength(B, Length(S) div 2); + for I := 0 to Length(B) - 1 do begin + B[I] := 0; + case S[(I*2)+2] of + '0': ; + '1': B[I] := B[I] or $1; + '2': B[I] := B[I] or $2; + '3': B[I] := B[I] or $3; + '4': B[I] := B[I] or $4; + '5': B[I] := B[I] or $5; + '6': B[I] := B[I] or $6; + '7': B[I] := B[I] or $7; + '8': B[I] := B[I] or $8; + '9': B[I] := B[I] or $9; + 'A','a': B[I] := B[I] or $A; + 'B','b': B[I] := B[I] or $B; + 'C','c': B[I] := B[I] or $C; + 'D','d': B[I] := B[I] or $D; + 'E','e': B[I] := B[I] or $E; + 'F','f': B[I] := B[I] or $F; + else Exit; + end; + case S[(I*2)+1] of + '0': ; + '1': B[I] := B[I] or $10; + '2': B[I] := B[I] or $20; + '3': B[I] := B[I] or $30; + '4': B[I] := B[I] or $40; + '5': B[I] := B[I] or $50; + '6': B[I] := B[I] or $60; + '7': B[I] := B[I] or $70; + '8': B[I] := B[I] or $80; + '9': B[I] := B[I] or $90; + 'A','a': B[I] := B[I] or $A0; + 'B','b': B[I] := B[I] or $B0; + 'C','c': B[I] := B[I] or $C0; + 'D','d': B[I] := B[I] or $D0; + 'E','e': B[I] := B[I] or $E0; + 'F','f': B[I] := B[I] or $F0; + else Exit; + end; + end; + Result := True; +end; + +function INIReadBytes(INI: INIFile; Section, Value: String): TBytes; +var + S: String; +begin + S := INIReadString(INI, Section, Value, ''); + if not StringToBytes(S, Result) then + SetLength(Result, 0); +end; + +function INIReadBytesDef(INI: INIFile; Section, Value: String; Default: TBytes): TBytes; +var + S: String; +begin + S := INIReadString(INI, Section, Value, ''); + if not StringToBytes(S, Result) then + Result := Default; +end; + +end. diff --git a/src-x86-binarymaster/src/rdpwrap-old.dpr b/src-x86-binarymaster/src/rdpwrap-old.dpr new file mode 100644 index 0000000..b4c8351 --- /dev/null +++ b/src-x86-binarymaster/src/rdpwrap-old.dpr @@ -0,0 +1,1648 @@ +{ + Copyright 2014 Stas'M Corp. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +} + +library rdpwrap; + +uses + SysUtils, + Windows, + TlHelp32; + +{$R rdpwrap.res} + +// Hook core definitions + +type + OldCode = packed record + One: DWORD; + two: Word; + end; + + far_jmp = packed record + PushOp: Byte; + PushArg: Pointer; + RetOp: Byte; + end; + + mov_far_jmp = packed record + MovOp: Byte; + MovArg: Byte; + PushOp: Byte; + PushArg: Pointer; + RetOp: Byte; + end; + + TTHREADENTRY32 = packed record + dwSize: DWORD; + cntUsage: DWORD; + th32ThreadID: DWORD; + th32OwnerProcessID: DWORD; + tpBasePri: LongInt; + tpDeltaPri: LongInt; + dwFlags: DWORD; + end; + IntArray = Array of Integer; + FILE_VERSION = record + Version: record case Boolean of + True: (dw: DWORD); + False: (w: record + Minor, Major: Word; + end;) + end; + Release, Build: Word; + bDebug, bPrerelease, bPrivate, bSpecial: Boolean; + end; + +const + THREAD_SUSPEND_RESUME = 2; + TH32CS_SNAPTHREAD = 4; +var + bw: DWORD; + IsHooked: Boolean = False; + FCount: Cardinal = 0; + +// Unhooked import + +function OpenThread(dwDesiredAccess: DWORD; bInheritHandle: BOOL; + dwThreadId: DWORD): DWORD; stdcall; external kernel32; + +function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): DWORD; + stdcall; external kernel32; + +function Thread32First(hSnapshot: THandle; var lpte: TTHREADENTRY32): bool; + stdcall; external kernel32; + +function Thread32Next(hSnapshot: THandle; var lpte: TTHREADENTRY32): bool; + stdcall; external kernel32; + +// Wrapped import + +var + TSMain: function(dwArgc: DWORD; lpszArgv: PWideChar): DWORD; stdcall; + TSGlobals: function(lpGlobalData: Pointer): DWORD; stdcall; + +// Hooked import and vars + +var + SLGetWindowsInformationDWORD: function(pwszValueName: PWideChar; + pdwValue: PDWORD): HRESULT; stdcall; + TermSrvBase: Pointer; + FV: FILE_VERSION; + +const + CDefPolicy_Query_edx_ecx: Array[0..12] of Byte = + ($BA,$00,$01,$00,$00,$89,$91,$20,$03,$00,$00,$5E,$90); + CDefPolicy_Query_eax_esi: Array[0..11] of Byte = + ($B8,$00,$01,$00,$00,$89,$86,$20,$03,$00,$00,$90); + CDefPolicy_Query_eax_ecx: Array[0..11] of Byte = + ($B8,$00,$01,$00,$00,$89,$81,$20,$03,$00,$00,$90); + +{ +termsrv.dll 6.0.6000.16386 + +Original +.text:6F335CD8 cmp edx, [ecx+320h] +.text:6F335CDE pop esi +.text:6F335CDF jz loc_6F3426F1 +_______________ + +Changed +.text:6F335CD8 mov edx, 100h +.text:6F335CDD mov [ecx+320h], edx +.text:6F335CE3 pop esi +.text:6F335CE4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6001.18000 + +Original +.text:6E817FD8 cmp edx, [ecx+320h] +.text:6E817FDE pop esi +.text:6E817FDF jz loc_6E826F16 +_______________ + +Changed +.text:6E817FD8 mov edx, 100h +.text:6E817FDD mov [ecx+320h], edx +.text:6E817FE3 pop esi +.text:6E817FE4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.18005 + +Original +.text:6F5979C0 cmp edx, [ecx+320h] +.text:6F5979C6 pop esi +.text:6F5979C7 jz loc_6F5A6F26 +_______________ + +Changed +.text:6F5979C0 mov edx, 100h +.text:6F5979C5 mov [ecx+320h], edx +.text:6F5979CB pop esi +.text:6F5979CC nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.19214 + +Original +.text:6F5979B8 cmp edx, [ecx+320h] +.text:6F5979BE pop esi +.text:6F5979BF jz loc_6F5A6F3E +_______________ + +Changed +.text:6F5979B8 mov edx, 100h +.text:6F5979BD mov [ecx+320h], edx +.text:6F5979C3 pop esi +.text:6F5979C4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.23521 + +Original +.text:6F5979CC cmp edx, [ecx+320h] +.text:6F5979D2 pop esi +.text:6F5979D3 jz loc_6F5A6F2E +_______________ + +Changed +.text:6F5979CC mov edx, 100h +.text:6F5979D1 mov [ecx+320h], edx +.text:6F5979D7 pop esi +.text:6F5979D8 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.1.7600.16385 + +Original +.text:6F2F96F3 cmp eax, [esi+320h] +.text:6F2F96F9 jz loc_6F30E256 +_______________ + +Changed +.text:6F2F96F3 mov eax, 100h +.text:6F2F96F8 mov [esi+320h], eax +.text:6F2F96FE nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.17514 + +Original +.text:6F2F9D53 cmp eax, [esi+320h] +.text:6F2F9D59 jz loc_6F30B25E +_______________ + +Changed +.text:6F2F9D53 mov eax, 100h +.text:6F2F9D58 mov [esi+320h], eax +.text:6F2F9D5E nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.18540 + +Original +.text:6F2F9D9F cmp eax, [esi+320h] +.text:6F2F9DA5 jz loc_6F30B2AE +_______________ + +Changed +.text:6F2F9D9F mov eax, 100h +.text:6F2F9DA4 mov [esi+320h], eax +.text:6F2F9DAA nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.22750 + +Original +.text:6F2F9E21 cmp eax, [esi+320h] +.text:6F2F9E27 jz loc_6F30B6CE +_______________ + +Changed +.text:6F2F9E21 mov eax, 100h +.text:6F2F9E26 mov [esi+320h], eax +.text:6F2F9E2C nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.18637 + +Original +.text:6F2F9DBB cmp eax, [esi+320h] +.text:6F2F9DC1 jz loc_6F30B2A6 +_______________ + +Changed +.text:6F2F9DBB mov eax, 100h +.text:6F2F9DC0 mov [esi+320h], eax +.text:6F2F9DC6 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.22843 + +Original +.text:6F2F9E25 cmp eax, [esi+320h] +.text:6F2F9E2B jz loc_6F30B6D6 +_______________ + +Changed +.text:6F2F9E25 mov eax, 100h +.text:6F2F9E2A mov [esi+320h], eax +.text:6F2F9E30 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8102.0 + +Original +.text:1000E47C cmp eax, [esi+320h] +.text:1000E482 jz loc_1002D775 +_______________ + +Changed +.text:1000E47C mov eax, 100h +.text:1000E481 mov [esi+320h], eax +.text:1000E487 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8250.0 + +Original +.text:10013520 cmp eax, [esi+320h] +.text:10013526 jz loc_1002DB85 +_______________ + +Changed +.text:10013520 mov eax, 100h +.text:10013525 mov [esi+320h], eax +.text:1001352B nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8400.0 + +Original +.text:10013E48 cmp eax, [esi+320h] +.text:10013E4E jz loc_1002E079 +_______________ + +Changed +.text:10013E48 mov eax, 100h +.text:10013E4D mov [esi+320h], eax +.text:10013E53 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.16384 + +Original +.text:10013F08 cmp eax, [esi+320h] +.text:10013F0E jz loc_1002E161 +_______________ + +Changed +.text:10013F08 mov eax, 100h +.text:10013F0D mov [esi+320h], eax +.text:10013F13 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.17048 + +Original +.text:1001F408 cmp eax, [esi+320h] +.text:1001F40E jz loc_1002E201 +_______________ + +Changed +.text:1001F408 mov eax, 100h +.text:1001F40D mov [esi+320h], eax +.text:1001F413 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.21166 + +Original +.text:10013F30 cmp eax, [esi+320h] +.text:10013F36 jz loc_1002E189 +_______________ + +Changed +.text:10013F30 mov eax, 100h +.text:10013F35 mov [esi+320h], eax +.text:10013F3B nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.3.9431.0 + +Original +.text:1002EA25 cmp eax, [ecx+320h] +.text:1002EA2B jz loc_100348C1 +_______________ + +Changed +.text:1002EA25 mov eax, 100h +.text:1002EA2A mov [ecx+320h], eax +.text:1002EA30 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.3.9600.16384 + +Original +.text:10016115 cmp eax, [ecx+320h] +.text:1001611B jz loc_10034DE1 +_______________ + +Changed +.text:10016115 mov eax, 100h +.text:1001611A mov [ecx+320h], eax +.text:10016120 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.3.9600.17095 + +Original +.text:10037529 cmp eax, [ecx+320h] +.text:1003752F jz loc_10043662 +_______________ + +Changed +.text:10037529 mov eax, 100h +.text:1003752E mov [ecx+320h], eax +.text:10037534 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.4.9841.0 + +Original +.text:1003B989 cmp eax, [ecx+320h] +.text:1003B98F jz loc_1005E809 +_______________ + +Changed +.text:1003B989 mov eax, 100h +.text:1003B98E mov [ecx+320h], eax +.text:1003B994 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.4.9860.0 + +Original +.text:1003BEC9 cmp eax, [ecx+320h] +.text:1003BECF jz loc_1005EE1A +_______________ + +Changed +.text:1003BEC9 mov eax, 100h +.text:1003BECE mov [ecx+320h], eax +.text:1003BED4 nop +CDefPolicy_Query_eax_ecx +} + +var + Stub_SLGetWindowsInformationDWORD: far_jmp; + Old_SLGetWindowsInformationDWORD: OldCode; + +// Main code + +procedure WriteLog(S: AnsiString); +const + LogFile = '\rdpwrap.txt'; +var + F: TextFile; +begin + if not FileExists(LogFile) then + Exit; + AssignFile(F, LogFile); + Append(F); + Write(F, S+#13#10); + CloseFile(F); +end; + +procedure StopThreads; +var + h, CurrTh, ThrHandle, CurrPr: DWORD; + Thread: TTHREADENTRY32; +begin + CurrTh := GetCurrentThreadId; + CurrPr := GetCurrentProcessId; + h := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + if h <> INVALID_HANDLE_VALUE then + begin + Thread.dwSize := SizeOf(TTHREADENTRY32); + if Thread32First(h, Thread) then + repeat + if (Thread.th32ThreadID <> CurrTh) and + (Thread.th32OwnerProcessID = CurrPr) then + begin + ThrHandle := OpenThread(THREAD_SUSPEND_RESUME, false, + Thread.th32ThreadID); + if ThrHandle > 0 then + begin + SuspendThread(ThrHandle); + CloseHandle(ThrHandle); + end; + end; + until not Thread32Next(h, Thread); + CloseHandle(h); + end; +end; + +procedure RunThreads; +var + h, CurrTh, ThrHandle, CurrPr: DWORD; + Thread: TTHREADENTRY32; +begin + CurrTh := GetCurrentThreadId; + CurrPr := GetCurrentProcessId; + h := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + if h <> INVALID_HANDLE_VALUE then + begin + Thread.dwSize := SizeOf(TTHREADENTRY32); + if Thread32First(h, Thread) then + repeat + if (Thread.th32ThreadID <> CurrTh) and + (Thread.th32OwnerProcessID = CurrPr) then + begin + ThrHandle := OpenThread(THREAD_SUSPEND_RESUME, false, + Thread.th32ThreadID); + if ThrHandle > 0 then + begin + ResumeThread(ThrHandle); + CloseHandle(ThrHandle); + end; + end; + until not Thread32Next(h, Thread); + CloseHandle(h); + end; +end; + +function GetModuleAddress(ModuleName: String; ProcessId: DWORD; var BaseAddr: Pointer; var BaseSize: DWORD): Boolean; +var + hSnap: THandle; + md: MODULEENTRY32; +begin + Result := False; + hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId); + if hSnap = INVALID_HANDLE_VALUE Then + Exit; + md.dwSize := SizeOf(MODULEENTRY32); + if Module32First(hSnap, md) then + begin + if LowerCase(ExtractFileName(md.szExePath)) = LowerCase(ModuleName) then + begin + Result := True; + BaseAddr := Pointer(md.modBaseAddr); + BaseSize := md.modBaseSize; + CloseHandle(hSnap); + Exit; + end; + while Module32Next(hSnap, md) Do + begin + if LowerCase(ExtractFileName(md.szExePath)) = LowerCase(ModuleName) then + begin + Result := True; + BaseAddr := Pointer(md.modBaseAddr); + BaseSize := md.modBaseSize; + Break; + end; + end; + end; + CloseHandle(hSnap); +end; + +{procedure FindMem(Mem: Pointer; MemSz: DWORD; Buf: Pointer; BufSz: DWORD; + From: DWORD; var A: IntArray); +var + I: Integer; +begin + SetLength(A, 0); + I:=From; + if From>0 then + Inc(PByte(Mem), From); + while I < MemSz - BufSz + 1 do + begin + if (not IsBadReadPtr(Mem, BufSz)) and (CompareMem(Mem, Buf, BufSz)) then + begin + SetLength(A, Length(A)+1); + A[Length(A)-1] := I; + end; + Inc(I); + Inc(PByte(Mem)); + end; +end;} + +function GetModuleVersion(const ModuleName: TFileName; var FileVersion: FILE_VERSION): Boolean; +type + VS_VERSIONINFO = record + wLength, wValueLength, wType: Word; + szKey: Array[1..16] of WideChar; + Padding1: Word; + Value: VS_FIXEDFILEINFO; + Padding2, Children: Word; + end; + PVS_VERSIONINFO = ^VS_VERSIONINFO; +const + VFF_DEBUG = 1; + VFF_PRERELEASE = 2; + VFF_PRIVATE = 8; + VFF_SPECIAL = 32; +var + hMod: HMODULE; + hResourceInfo: HRSRC; + VersionInfo: PVS_VERSIONINFO; +begin + Result := False; + + if ModuleName = '' then + hMod := GetModuleHandle(nil) + else + hMod := GetModuleHandle(PWideChar(ModuleName)); + if hMod = 0 then + Exit; + + hResourceInfo := FindResource(hMod, PWideChar(1), PWideChar($10)); + if hResourceInfo = 0 then + Exit; + + VersionInfo := Pointer(LoadResource(hMod, hResourceInfo)); + if VersionInfo = nil then + Exit; + + FileVersion.Version.dw := VersionInfo.Value.dwFileVersionMS; + FileVersion.Release := Word(VersionInfo.Value.dwFileVersionLS shr 16); + FileVersion.Build := Word(VersionInfo.Value.dwFileVersionLS); + FileVersion.bDebug := (VersionInfo.Value.dwFileFlags and VFF_DEBUG) = VFF_DEBUG; + FileVersion.bPrerelease := (VersionInfo.Value.dwFileFlags and VFF_PRERELEASE) = VFF_PRERELEASE; + FileVersion.bPrivate := (VersionInfo.Value.dwFileFlags and VFF_PRIVATE) = VFF_PRIVATE; + FileVersion.bSpecial := (VersionInfo.Value.dwFileFlags and VFF_SPECIAL) = VFF_SPECIAL; + + Result := True; +end; + +function GetFileVersion(const FileName: TFileName; var FileVersion: FILE_VERSION): Boolean; +type + VS_VERSIONINFO = record + wLength, wValueLength, wType: Word; + szKey: Array[1..16] of WideChar; + Padding1: Word; + Value: VS_FIXEDFILEINFO; + Padding2, Children: Word; + end; + PVS_VERSIONINFO = ^VS_VERSIONINFO; +const + VFF_DEBUG = 1; + VFF_PRERELEASE = 2; + VFF_PRIVATE = 8; + VFF_SPECIAL = 32; +var + hFile: HMODULE; + hResourceInfo: HRSRC; + VersionInfo: PVS_VERSIONINFO; +begin + Result := False; + + hFile := LoadLibraryEx(PWideChar(FileName), 0, LOAD_LIBRARY_AS_DATAFILE); + if hFile = 0 then + Exit; + + hResourceInfo := FindResource(hFile, PWideChar(1), PWideChar($10)); + if hResourceInfo = 0 then + Exit; + + VersionInfo := Pointer(LoadResource(hFile, hResourceInfo)); + if VersionInfo = nil then + Exit; + + FileVersion.Version.dw := VersionInfo.Value.dwFileVersionMS; + FileVersion.Release := Word(VersionInfo.Value.dwFileVersionLS shr 16); + FileVersion.Build := Word(VersionInfo.Value.dwFileVersionLS); + FileVersion.bDebug := (VersionInfo.Value.dwFileFlags and VFF_DEBUG) = VFF_DEBUG; + FileVersion.bPrerelease := (VersionInfo.Value.dwFileFlags and VFF_PRERELEASE) = VFF_PRERELEASE; + FileVersion.bPrivate := (VersionInfo.Value.dwFileFlags and VFF_PRIVATE) = VFF_PRIVATE; + FileVersion.bSpecial := (VersionInfo.Value.dwFileFlags and VFF_SPECIAL) = VFF_SPECIAL; + + Result := True; +end; + +function OverrideSL(ValueName: String; var Value: DWORD): Boolean; +begin + Result := True; + // Allow Remote Connections + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowRemoteConnections' then begin + Value := 1; + Exit; + end; + // Allow Multiple Sessions + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultipleSessions' then begin + Value := 1; + Exit; + end; + // Allow Multiple Sessions (Application Server Mode) + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowAppServerMode' then begin + Value := 1; + Exit; + end; + // Allow Multiple Monitors + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultimon' then begin + Value := 1; + Exit; + end; + // Max User Sessions (0 = unlimited) + if ValueName = 'TerminalServices-RemoteConnectionManager-MaxUserSessions' then begin + Value := 0; + Exit; + end; + // Max Debug Sessions (Win 8, 0 = unlimited) + if ValueName = 'TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions' then begin + Value := 0; + Exit; + end; + // Max Sessions + // 0 - logon not possible even from console + // 1 - only one active user (console or remote) + // 2 - allow concurrent sessions + if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions' then begin + Value := 2; + Exit; + end; + // Allow Advanced Compression with RDP 7 Protocol + if ValueName = 'TerminalServices-RDP-7-Advanced-Compression-Allowed' then begin + Value := 1; + Exit; + end; + // IsTerminalTypeLocalOnly = 0 + if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly' then begin + Value := 0; + Exit; + end; + // Max Sessions (hard limit) + if ValueName = 'TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions' then begin + Value := 1000; + Exit; + end; + // Allow Easy Print + if ValueName = 'TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed' then begin + Value := 1; + Exit; + end; + Result := False; +end; + +function New_SLGetWindowsInformationDWORD(pwszValueName: PWideChar; + pdwValue: PDWORD): HRESULT; stdcall; +var + dw: DWORD; +begin + // wrapped SLGetWindowsInformationDWORD function + // termsrv.dll will call this function instead of original SLC.dll + + // Override SL Policy + + WriteLog('Policy query: ' + pwszValueName); + if OverrideSL(pwszValueName, dw) then begin + pdwValue^ := dw; + Result := S_OK; + WriteLog('Rewrite: ' + IntToStr(pdwValue^)); + Exit; + end; + + // If the requested value name is not defined above + + // revert to original SL Policy function + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + + // get result + Result := SLGetWindowsInformationDWORD(pwszValueName, pdwValue); + if Result = S_OK then + WriteLog('Result: ' + IntToStr(pdwValue^)) + else + WriteLog('Failed'); + // wrap it back + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); +end; + +function New_Win8SL(pwszValueName: PWideChar; pdwValue: PDWORD): HRESULT; register; +var + dw: DWORD; +begin + // wrapped unexported function SLGetWindowsInformationDWORDWrapper in termsrv.dll + // for Windows 8 support + + // Override SL Policy + + WriteLog('Policy query: ' + pwszValueName); + if OverrideSL(pwszValueName, dw) then begin + pdwValue^ := dw; + Result := S_OK; + WriteLog('Rewrite: ' + IntToStr(pdwValue^)); + Exit; + end; + + // If the requested value name is not defined above + // use function from SLC.dll + + Result := SLGetWindowsInformationDWORD(pwszValueName, pdwValue); + if Result = S_OK then + WriteLog('Result: ' + IntToStr(pdwValue^)) + else + WriteLog('Failed'); +end; + +function New_Win8SL_CP(eax: DWORD; pdwValue: PDWORD; ecx: DWORD; pwszValueName: PWideChar): HRESULT; register; +begin + // wrapped unexported function SLGetWindowsInformationDWORDWrapper in termsrv.dll + // for Windows 8 Consumer Preview support + + Result := New_Win8SL(pwszValueName, pdwValue); +end; + +function New_CSLQuery_Initialize: HRESULT; stdcall; +var + bServerSku, + bRemoteConnAllowed, + bFUSEnabled, + bAppServerAllowed, + bMultimonAllowed, + lMaxUserSessions, + ulMaxDebugSessions, + bInitialized: PDWORD; +begin + bServerSku := nil; + bRemoteConnAllowed := nil; + bFUSEnabled := nil; + bAppServerAllowed := nil; + bMultimonAllowed := nil; + lMaxUserSessions := nil; + ulMaxDebugSessions := nil; + bInitialized := nil; + WriteLog('> CSLQuery::Initialize'); + if (FV.Release = 9431) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $A22A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $A22AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $A22B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $A22B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $A22B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $A22BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $A22C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $A22C4); + end; + if (FV.Release = 9600) and (FV.Build = 16384) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C02A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C02AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C02B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $C02B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C02B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $C02BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C02C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C02C4); + end; + if (FV.Release = 9600) and (FV.Build = 17095) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C12A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C12AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C12B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $C12B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C12B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $C12BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C12C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C12C4); + end; + if (FV.Release = 9841) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF9F0); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF9F4); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF9F8); + bInitialized := Pointer(Cardinal(TermSrvBase) + $BF9FC); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BFA00); + bServerSku := Pointer(Cardinal(TermSrvBase) + $BFA04); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C); + end; + if (FV.Release = 9860) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF7E0); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF7E4); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF7E8); + bInitialized := Pointer(Cardinal(TermSrvBase) + $BF7EC); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BF7F0); + bServerSku := Pointer(Cardinal(TermSrvBase) + $BF7F4); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BF7F8); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BF7FC); + end; + if bServerSku <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1'); + bServerSku^ := 1; + end; + if bRemoteConnAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = 1'); + bRemoteConnAllowed^ := 1; + end; + if bFUSEnabled <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = 1'); + bFUSEnabled^ := 1; + end; + if bAppServerAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = 1'); + bAppServerAllowed^ := 1; + end; + if bMultimonAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = 1'); + bMultimonAllowed^ := 1; + end; + if lMaxUserSessions <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = 0'); + lMaxUserSessions^ := 0; + end; + if ulMaxDebugSessions <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = 0'); + ulMaxDebugSessions^ := 0; + end; + if bInitialized <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = 1'); + bInitialized^ := 1; + end; + Result := S_OK; +end; + +procedure HookFunctions; +var + V: DWORD; + TS_Handle, SLC_Handle: THandle; + TermSrvSize: DWORD; + SignPtr: Pointer; + Results: IntArray; + Jump: far_jmp; + MovJump: mov_far_jmp; + nop: DWORD; + b: Byte; +begin + { hook function ^^ + (called once) } + IsHooked := True; + nop := $90909090; + TSMain := nil; + TSGlobals := nil; + SLGetWindowsInformationDWORD := nil; + WriteLog('init'); + + // load termsrv.dll and get functions + TS_Handle := LoadLibrary('termsrv.dll'); + if TS_Handle = 0 then begin + WriteLog('Error: Failed to load Terminal Services library'); + Exit; + end; + WriteLog('Base addr: 0x'+IntToHex(TS_Handle, 8)); + TSMain := GetProcAddress(TS_Handle, 'ServiceMain'); + WriteLog('SvcMain: termsrv.dll+0x'+IntToHex(Cardinal(@TSMain) - TS_Handle, 1)); + TSGlobals := GetProcAddress(TS_Handle, 'SvchostPushServiceGlobals'); + WriteLog('SvcGlobals: termsrv.dll+0x'+IntToHex(Cardinal(@TSGlobals) - TS_Handle, 1)); + + V := 0; + // check termsrv version + if GetModuleVersion('termsrv.dll', FV) then + V := Byte(FV.Version.w.Minor) or (Byte(FV.Version.w.Major) shl 8) + else begin + // check NT version + // V := GetVersion; // deprecated + // V := ((V and $FF) shl 8) or ((V and $FF00) shr 8); + end; + if V = 0 then begin + WriteLog('Error: Failed to detect Terminal Services version'); + Exit; + end; + + WriteLog('Version: '+IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)); + WriteLog('Release: '+IntToStr(FV.Release)); + WriteLog('Build: '+IntToStr(FV.Build)); + + // temporarily freeze threads + WriteLog('freeze'); + StopThreads(); + + if (V = $0600) then begin + // Windows Vista + // uses SL Policy API (slc.dll) + + // load slc.dll and hook function + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if @SLGetWindowsInformationDWORD <> nil then + begin + // rewrite original function to call our function (make hook) + + WriteLog('Hook SLGetWindowsInformationDWORD'); + Stub_SLGetWindowsInformationDWORD.PushOp := $68; + Stub_SLGetWindowsInformationDWORD.PushArg := @New_SLGetWindowsInformationDWORD; + Stub_SLGetWindowsInformationDWORD.RetOp := $C3; + ReadProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); + end; + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + + if (FV.Release = 6000) and (FV.Build = 16386) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F320000 + .text:6F3360B9 lea eax, [ebp+VersionInformation] + .text:6F3360BF inc ebx <- nop + .text:6F3360C0 push eax ; lpVersionInformation + .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F3360CB mov [esi], ebx + .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $160BF); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $15CD8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6001) and (FV.Build = 18000) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6E800000 + .text:6E8185DE lea eax, [ebp+VersionInformation] + .text:6E8185E4 inc ebx <- nop + .text:6E8185E5 push eax ; lpVersionInformation + .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6E8185F0 mov [esi], ebx + .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $185E4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FD8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 18005) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FA2 lea eax, [ebp+VersionInformation] + .text:6F597FA8 inc ebx <- nop + .text:6F597FA9 push eax ; lpVersionInformation + .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FB4 mov [esi], ebx + .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FA8); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179C0); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 19214) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FBE lea eax, [ebp+VersionInformation] + .text:6F597FC4 inc ebx <- nop + .text:6F597FC5 push eax ; lpVersionInformation + .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FD0 mov [esi], ebx + .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FC4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179B8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 23521) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FAE lea eax, [ebp+VersionInformation] + .text:6F597FB4 inc ebx <- nop + .text:6F597FB5 push eax ; lpVersionInformation + .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FC0 mov [esi], ebx + .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FB4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179CC); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + end; + end; + if (V = $0601) then begin + // Windows 7 + // uses SL Policy API (slc.dll) + + // load slc.dll and hook function + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if @SLGetWindowsInformationDWORD <> nil then + begin + // rewrite original function to call our function (make hook) + + WriteLog('Hook SLGetWindowsInformationDWORD'); + Stub_SLGetWindowsInformationDWORD.PushOp := $68; + Stub_SLGetWindowsInformationDWORD.PushArg := @New_SLGetWindowsInformationDWORD; + Stub_SLGetWindowsInformationDWORD.RetOp := $C3; + ReadProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); + end; + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + + if (FV.Release = 7600) and (FV.Build = 16385) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2F9E1F lea eax, [ebp+VersionInformation] + .text:6F2F9E25 inc ebx <- nop + .text:6F2F9E26 push eax ; lpVersionInformation + .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2F9E31 mov [esi], ebx + .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $196F3); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 17514) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA497 lea eax, [ebp+VersionInformation] + .text:6F2FA49D inc ebx <- nop + .text:6F2FA49E push eax ; lpVersionInformation + .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4A9 mov [esi], ebx + .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A49D); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19D53); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 18540) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA4DF lea eax, [ebp+VersionInformation] + .text:6F2FA4E5 inc ebx <- nop + .text:6F2FA4E6 push eax ; lpVersionInformation + .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4F1 mov [esi], ebx + .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4E5); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19D9F); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 22750) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA64F lea eax, [ebp+VersionInformation] + .text:6F2FA655 inc ebx <- nop + .text:6F2FA656 push eax ; lpVersionInformation + .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA661 mov [esi], ebx + .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E21); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 18637) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA4D7 lea eax, [ebp+VersionInformation] + .text:6F2FA4DD inc ebx <- nop + .text:6F2FA4DE push eax ; lpVersionInformation + .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4E9 mov [esi], ebx + .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4DD); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19DBB); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 22843) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA64F lea eax, [ebp+VersionInformation] + .text:6F2FA655 inc ebx <- nop + .text:6F2FA656 push eax ; lpVersionInformation + .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA661 mov [esi], ebx + .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + end; + end; + if V = $0602 then begin + // Windows 8 + // uses SL Policy internal unexported function + + // load slc.dll and get function + // (will be used on intercepting undefined values) + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // SLGetWindowsInformationDWORDWrapper + + if (FV.Release = 8102) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1000F7E5 lea eax, [esp+150h+VersionInformation] + .text:1000F7E9 inc esi <- nop + .text:1000F7EA push eax ; lpVersionInformation + .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1000F7F3 mov [edi], esi + .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $F7E9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $E47C); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1B909); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 8250) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:100159C5 lea eax, [esp+150h+VersionInformation] + .text:100159C9 inc esi <- nop + .text:100159CA push eax ; lpVersionInformation + .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:100159D3 mov [edi], esi + .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $159C9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13520); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A0A9); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL_CP; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 8400) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1001547E lea eax, [esp+150h+VersionInformation] + .text:10015482 inc esi <- nop + .text:10015483 push eax ; lpVersionInformation + .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1001548C mov [edi], esi + .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $15482); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13E48); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19629); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 16384) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1001554E lea eax, [esp+150h+VersionInformation] + .text:10015552 inc esi <- nop + .text:10015553 push eax ; lpVersionInformation + .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1001555C mov [edi], esi + .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $15552); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13F08); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19559); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 17048) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1002058E lea eax, [esp+150h+VersionInformation] + .text:10020592 inc esi <- nop + .text:10020593 push eax ; lpVersionInformation + .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1002059C mov [edi], esi + .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $20592); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1F408); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $17059); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 21166) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10015576 lea eax, [esp+150h+VersionInformation] + .text:1001557A inc esi <- nop + .text:1001557B push eax ; lpVersionInformation + .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:10015584 mov [edi], esi + .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1557A); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13F30); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19581); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + end; + end; + if V = $0603 then begin + // Windows 8.1 + // uses SL Policy internal inline code + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CEnforcementCore::GetInstanceOfTSLicense + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // CSLQuery::Initialize + + if (FV.Release = 9431) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:1008A609 test eax, eax + .text:1008A60B js short loc_1008A628 + .text:1008A60D cmp [ebp+var_8], 0 + .text:1008A611 jz short loc_1008A628 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $8A611); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:100306A4 lea eax, [esp+150h+VersionInformation] + .text:100306A8 inc ebx <- nop + .text:100306A9 mov [edi], ebx + .text:100306AB push eax ; lpVersionInformation + .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $306A8); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $2EA25); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $196B0); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + if (FV.Release = 9600) and (FV.Build = 16384) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100A2721 test eax, eax + .text:100A2723 js short loc_100A2740 + .text:100A2725 cmp [ebp+var_8], 0 + .text:100A2729 jz short loc_100A2740 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $A2729); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10018024 lea eax, [esp+150h+VersionInformation] + .text:10018028 inc ebx <- nop + .text:10018029 mov [edi], ebx + .text:1001802B push eax ; lpVersionInformation + .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $18028); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $16115); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1CEB0); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + if (FV.Release = 9600) and (FV.Build = 17095) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100A36C9 test eax, eax + .text:100A36CB js short loc_100A36E8 + .text:100A36CD cmp [ebp+var_8], 0 + .text:100A36D1 jz short loc_100A36E8 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $A36D1); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10036BA5 lea eax, [esp+150h+VersionInformation] + .text:10036BA9 inc ebx <- nop + .text:10036BAA mov [edi], ebx + .text:10036BAC push eax ; lpVersionInformation + .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $36BA9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $37529); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $117F1); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + end; + end; + if V = $0604 then begin + // Windows 10 + // uses SL Policy internal inline code + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CEnforcementCore::GetInstanceOfTSLicense + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // CSLQuery::Initialize + + if (FV.Release = 9841) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:1009569B call sub_100B7EE5 + .text:100956A0 test eax, eax + .text:100956A2 js short loc_100956BF + .text:100956A4 cmp [ebp+var_C], 0 + .text:100956A8 jz short loc_100956BF <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $956A8); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10030121 lea eax, [esp+150h+VersionInformation] + .text:10030125 inc ebx <- nop + .text:10030126 mov [edi], ebx + .text:10030128 push eax ; lpVersionInformation + .text:10030129 call ds:GetVersionExW + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $30125); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $3B989); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $46A68); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + if (FV.Release = 9860) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100962C0 test eax, eax + .text:100962C2 js short loc_100962DF + .text:100962C4 cmp [ebp+var_C], 0 + .text:100962C8 jz short loc_100962DF <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $962C8); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10030841 lea eax, [esp+150h+VersionInformation] + .text:10030845 inc ebx <- nop + .text:10030846 mov [edi], ebx + .text:10030848 push eax ; lpVersionInformation + .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $30845); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $3BEC9); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $46F18); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + end; + end; + + // unfreeze threads + WriteLog('resume'); + RunThreads(); +end; + +function TermServiceMain(dwArgc: DWORD; lpszArgv: PWideChar): DWORD; stdcall; +begin + // wrap ServiceMain function + WriteLog('> ServiceMain'); + if not IsHooked then + HookFunctions; + Result := 0; + if @TSMain <> nil then + Result := TSMain(dwArgc, lpszArgv); +end; + +function TermServiceGlobals(lpGlobalData: Pointer): DWORD; stdcall; +begin + // wrap SvchostPushServiceGlobals function + WriteLog('> SvchostPushServiceGlobals'); + if not IsHooked then + HookFunctions; + Result := 0; + if @TSGlobals <> nil then + Result := TSGlobals(lpGlobalData); +end; + +// export section + +exports + TermServiceMain index 1 name 'ServiceMain'; +exports + TermServiceGlobals index 2 name 'SvchostPushServiceGlobals'; + +begin + // DllMain procedure is not used +end. \ No newline at end of file diff --git a/src-x86-binarymaster/src/rdpwrap.dpr b/src-x86-binarymaster/src/rdpwrap.dpr index b4c8351..7878a43 100644 --- a/src-x86-binarymaster/src/rdpwrap.dpr +++ b/src-x86-binarymaster/src/rdpwrap.dpr @@ -19,7 +19,8 @@ library rdpwrap; uses SysUtils, Windows, - TlHelp32; + TlHelp32, + LiteINI; {$R rdpwrap.res} @@ -54,7 +55,7 @@ type tpDeltaPri: LongInt; dwFlags: DWORD; end; - IntArray = Array of Integer; + //IntArray = Array of Integer; FILE_VERSION = record Version: record case Boolean of True: (dw: DWORD); @@ -70,9 +71,10 @@ const THREAD_SUSPEND_RESUME = 2; TH32CS_SNAPTHREAD = 4; var + INI: INIFile; + LogFile: String = '\rdpwrap.txt'; bw: DWORD; IsHooked: Boolean = False; - FCount: Cardinal = 0; // Unhooked import @@ -102,312 +104,6 @@ var TermSrvBase: Pointer; FV: FILE_VERSION; -const - CDefPolicy_Query_edx_ecx: Array[0..12] of Byte = - ($BA,$00,$01,$00,$00,$89,$91,$20,$03,$00,$00,$5E,$90); - CDefPolicy_Query_eax_esi: Array[0..11] of Byte = - ($B8,$00,$01,$00,$00,$89,$86,$20,$03,$00,$00,$90); - CDefPolicy_Query_eax_ecx: Array[0..11] of Byte = - ($B8,$00,$01,$00,$00,$89,$81,$20,$03,$00,$00,$90); - -{ -termsrv.dll 6.0.6000.16386 - -Original -.text:6F335CD8 cmp edx, [ecx+320h] -.text:6F335CDE pop esi -.text:6F335CDF jz loc_6F3426F1 -_______________ - -Changed -.text:6F335CD8 mov edx, 100h -.text:6F335CDD mov [ecx+320h], edx -.text:6F335CE3 pop esi -.text:6F335CE4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6001.18000 - -Original -.text:6E817FD8 cmp edx, [ecx+320h] -.text:6E817FDE pop esi -.text:6E817FDF jz loc_6E826F16 -_______________ - -Changed -.text:6E817FD8 mov edx, 100h -.text:6E817FDD mov [ecx+320h], edx -.text:6E817FE3 pop esi -.text:6E817FE4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.18005 - -Original -.text:6F5979C0 cmp edx, [ecx+320h] -.text:6F5979C6 pop esi -.text:6F5979C7 jz loc_6F5A6F26 -_______________ - -Changed -.text:6F5979C0 mov edx, 100h -.text:6F5979C5 mov [ecx+320h], edx -.text:6F5979CB pop esi -.text:6F5979CC nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.19214 - -Original -.text:6F5979B8 cmp edx, [ecx+320h] -.text:6F5979BE pop esi -.text:6F5979BF jz loc_6F5A6F3E -_______________ - -Changed -.text:6F5979B8 mov edx, 100h -.text:6F5979BD mov [ecx+320h], edx -.text:6F5979C3 pop esi -.text:6F5979C4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.23521 - -Original -.text:6F5979CC cmp edx, [ecx+320h] -.text:6F5979D2 pop esi -.text:6F5979D3 jz loc_6F5A6F2E -_______________ - -Changed -.text:6F5979CC mov edx, 100h -.text:6F5979D1 mov [ecx+320h], edx -.text:6F5979D7 pop esi -.text:6F5979D8 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.1.7600.16385 - -Original -.text:6F2F96F3 cmp eax, [esi+320h] -.text:6F2F96F9 jz loc_6F30E256 -_______________ - -Changed -.text:6F2F96F3 mov eax, 100h -.text:6F2F96F8 mov [esi+320h], eax -.text:6F2F96FE nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.17514 - -Original -.text:6F2F9D53 cmp eax, [esi+320h] -.text:6F2F9D59 jz loc_6F30B25E -_______________ - -Changed -.text:6F2F9D53 mov eax, 100h -.text:6F2F9D58 mov [esi+320h], eax -.text:6F2F9D5E nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.18540 - -Original -.text:6F2F9D9F cmp eax, [esi+320h] -.text:6F2F9DA5 jz loc_6F30B2AE -_______________ - -Changed -.text:6F2F9D9F mov eax, 100h -.text:6F2F9DA4 mov [esi+320h], eax -.text:6F2F9DAA nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.22750 - -Original -.text:6F2F9E21 cmp eax, [esi+320h] -.text:6F2F9E27 jz loc_6F30B6CE -_______________ - -Changed -.text:6F2F9E21 mov eax, 100h -.text:6F2F9E26 mov [esi+320h], eax -.text:6F2F9E2C nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.18637 - -Original -.text:6F2F9DBB cmp eax, [esi+320h] -.text:6F2F9DC1 jz loc_6F30B2A6 -_______________ - -Changed -.text:6F2F9DBB mov eax, 100h -.text:6F2F9DC0 mov [esi+320h], eax -.text:6F2F9DC6 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.22843 - -Original -.text:6F2F9E25 cmp eax, [esi+320h] -.text:6F2F9E2B jz loc_6F30B6D6 -_______________ - -Changed -.text:6F2F9E25 mov eax, 100h -.text:6F2F9E2A mov [esi+320h], eax -.text:6F2F9E30 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8102.0 - -Original -.text:1000E47C cmp eax, [esi+320h] -.text:1000E482 jz loc_1002D775 -_______________ - -Changed -.text:1000E47C mov eax, 100h -.text:1000E481 mov [esi+320h], eax -.text:1000E487 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8250.0 - -Original -.text:10013520 cmp eax, [esi+320h] -.text:10013526 jz loc_1002DB85 -_______________ - -Changed -.text:10013520 mov eax, 100h -.text:10013525 mov [esi+320h], eax -.text:1001352B nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8400.0 - -Original -.text:10013E48 cmp eax, [esi+320h] -.text:10013E4E jz loc_1002E079 -_______________ - -Changed -.text:10013E48 mov eax, 100h -.text:10013E4D mov [esi+320h], eax -.text:10013E53 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.16384 - -Original -.text:10013F08 cmp eax, [esi+320h] -.text:10013F0E jz loc_1002E161 -_______________ - -Changed -.text:10013F08 mov eax, 100h -.text:10013F0D mov [esi+320h], eax -.text:10013F13 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.17048 - -Original -.text:1001F408 cmp eax, [esi+320h] -.text:1001F40E jz loc_1002E201 -_______________ - -Changed -.text:1001F408 mov eax, 100h -.text:1001F40D mov [esi+320h], eax -.text:1001F413 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.21166 - -Original -.text:10013F30 cmp eax, [esi+320h] -.text:10013F36 jz loc_1002E189 -_______________ - -Changed -.text:10013F30 mov eax, 100h -.text:10013F35 mov [esi+320h], eax -.text:10013F3B nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.3.9431.0 - -Original -.text:1002EA25 cmp eax, [ecx+320h] -.text:1002EA2B jz loc_100348C1 -_______________ - -Changed -.text:1002EA25 mov eax, 100h -.text:1002EA2A mov [ecx+320h], eax -.text:1002EA30 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.3.9600.16384 - -Original -.text:10016115 cmp eax, [ecx+320h] -.text:1001611B jz loc_10034DE1 -_______________ - -Changed -.text:10016115 mov eax, 100h -.text:1001611A mov [ecx+320h], eax -.text:10016120 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.3.9600.17095 - -Original -.text:10037529 cmp eax, [ecx+320h] -.text:1003752F jz loc_10043662 -_______________ - -Changed -.text:10037529 mov eax, 100h -.text:1003752E mov [ecx+320h], eax -.text:10037534 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.4.9841.0 - -Original -.text:1003B989 cmp eax, [ecx+320h] -.text:1003B98F jz loc_1005E809 -_______________ - -Changed -.text:1003B989 mov eax, 100h -.text:1003B98E mov [ecx+320h], eax -.text:1003B994 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.4.9860.0 - -Original -.text:1003BEC9 cmp eax, [ecx+320h] -.text:1003BECF jz loc_1005EE1A -_______________ - -Changed -.text:1003BEC9 mov eax, 100h -.text:1003BECE mov [ecx+320h], eax -.text:1003BED4 nop -CDefPolicy_Query_eax_ecx -} - var Stub_SLGetWindowsInformationDWORD: far_jmp; Old_SLGetWindowsInformationDWORD: OldCode; @@ -415,8 +111,6 @@ var // Main code procedure WriteLog(S: AnsiString); -const - LogFile = '\rdpwrap.txt'; var F: TextFile; begin @@ -428,6 +122,28 @@ begin CloseFile(F); end; +function GetModuleHandleEx(dwFlags: DWORD; lpModuleName: PWideChar; + var phModule: HMODULE): BOOL; stdcall; external kernel32 name 'GetModuleHandleExW'; + +function GetCurrentModule: HMODULE; +const + GET_MODULE_HANDLE_EX_FLAG_PIN = 1; + GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT = 2; + GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS = 4; +begin + Result := 0; + GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, @GetCurrentModule, Result); +end; + +function GetBinaryPath: String; +var + Buf: Array[0..511] of Byte; +begin + ZeroMemory(@Buf[0], Length(Buf)); + GetModuleFileName(GetCurrentModule, PWideChar(@Buf[0]), Length(Buf)); + Result := PWideChar(@Buf[0]); +end; + procedure StopThreads; var h, CurrTh, ThrHandle, CurrPr: DWORD; @@ -541,7 +257,7 @@ begin end; end;} -function GetModuleVersion(const ModuleName: TFileName; var FileVersion: FILE_VERSION): Boolean; +function GetModuleVersion(const ModuleName: String; var FileVersion: FILE_VERSION): Boolean; type VS_VERSIONINFO = record wLength, wValueLength, wType: Word; @@ -589,7 +305,7 @@ begin Result := True; end; -function GetFileVersion(const FileName: TFileName; var FileVersion: FILE_VERSION): Boolean; +function GetFileVersion(const FileName: String; var FileVersion: FILE_VERSION): Boolean; type VS_VERSIONINFO = record wLength, wValueLength, wType: Word; @@ -637,62 +353,8 @@ end; function OverrideSL(ValueName: String; var Value: DWORD): Boolean; begin Result := True; - // Allow Remote Connections - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowRemoteConnections' then begin - Value := 1; - Exit; - end; - // Allow Multiple Sessions - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultipleSessions' then begin - Value := 1; - Exit; - end; - // Allow Multiple Sessions (Application Server Mode) - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowAppServerMode' then begin - Value := 1; - Exit; - end; - // Allow Multiple Monitors - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultimon' then begin - Value := 1; - Exit; - end; - // Max User Sessions (0 = unlimited) - if ValueName = 'TerminalServices-RemoteConnectionManager-MaxUserSessions' then begin - Value := 0; - Exit; - end; - // Max Debug Sessions (Win 8, 0 = unlimited) - if ValueName = 'TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions' then begin - Value := 0; - Exit; - end; - // Max Sessions - // 0 - logon not possible even from console - // 1 - only one active user (console or remote) - // 2 - allow concurrent sessions - if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions' then begin - Value := 2; - Exit; - end; - // Allow Advanced Compression with RDP 7 Protocol - if ValueName = 'TerminalServices-RDP-7-Advanced-Compression-Allowed' then begin - Value := 1; - Exit; - end; - // IsTerminalTypeLocalOnly = 0 - if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly' then begin - Value := 0; - Exit; - end; - // Max Sessions (hard limit) - if ValueName = 'TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions' then begin - Value := 1000; - Exit; - end; - // Allow Easy Print - if ValueName = 'TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed' then begin - Value := 1; + if INIValueExists(INI, 'SLPolicy', ValueName) then begin + Value := INIReadDWord(INI, 'SLPolicy', ValueName, 0); Exit; end; Result := False; @@ -770,6 +432,7 @@ end; function New_CSLQuery_Initialize: HRESULT; stdcall; var + Sect: String; bServerSku, bRemoteConnAllowed, bFUSEnabled, @@ -788,110 +451,82 @@ begin ulMaxDebugSessions := nil; bInitialized := nil; WriteLog('> CSLQuery::Initialize'); - if (FV.Release = 9431) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $A22A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $A22AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $A22B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $A22B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $A22B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $A22BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $A22C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $A22C4); - end; - if (FV.Release = 9600) and (FV.Build = 16384) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C02A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C02AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C02B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $C02B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C02B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $C02BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C02C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C02C4); - end; - if (FV.Release = 9600) and (FV.Build = 17095) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C12A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C12AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C12B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $C12B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C12B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $C12BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C12C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C12C4); - end; - if (FV.Release = 9841) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF9F0); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF9F4); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF9F8); - bInitialized := Pointer(Cardinal(TermSrvBase) + $BF9FC); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BFA00); - bServerSku := Pointer(Cardinal(TermSrvBase) + $BFA04); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C); - end; - if (FV.Release = 9860) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF7E0); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF7E4); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF7E8); - bInitialized := Pointer(Cardinal(TermSrvBase) + $BF7EC); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BF7F0); - bServerSku := Pointer(Cardinal(TermSrvBase) + $BF7F4); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BF7F8); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BF7FC); + Sect := IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)+'.'+ + IntToStr(FV.Release)+'.'+IntToStr(FV.Build)+'-SLInit'; + if INISectionExists(INI, Sect) then begin + bServerSku := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bServerSku.x86', 0)); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bRemoteConnAllowed.x86', 0)); + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bFUSEnabled.x86', 0)); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bAppServerAllowed.x86', 0)); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bMultimonAllowed.x86', 0)); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'lMaxUserSessions.x86', 0)); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'ulMaxDebugSessions.x86', 0)); + bInitialized := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bInitialized.x86', 0)); end; + if bServerSku <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1'); - bServerSku^ := 1; + bServerSku^ := INIReadDWord(INI, 'SLInit', 'bServerSku', 1); + WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = ' + IntToStr(bServerSku^)); end; if bRemoteConnAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = 1'); - bRemoteConnAllowed^ := 1; + bRemoteConnAllowed^ := INIReadDWord(INI, 'SLInit', 'bRemoteConnAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = ' + IntToStr(bRemoteConnAllowed^)); end; if bFUSEnabled <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = 1'); - bFUSEnabled^ := 1; + bFUSEnabled^ := INIReadDWord(INI, 'SLInit', 'bFUSEnabled', 1); + WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = ' + IntToStr(bFUSEnabled^)); end; if bAppServerAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = 1'); - bAppServerAllowed^ := 1; + bAppServerAllowed^ := INIReadDWord(INI, 'SLInit', 'bAppServerAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = ' + IntToStr(bAppServerAllowed^)); end; if bMultimonAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = 1'); - bMultimonAllowed^ := 1; + bMultimonAllowed^ := INIReadDWord(INI, 'SLInit', 'bMultimonAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = ' + IntToStr(bMultimonAllowed^)); end; if lMaxUserSessions <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = 0'); - lMaxUserSessions^ := 0; + lMaxUserSessions^ := INIReadDWord(INI, 'SLInit', 'lMaxUserSessions', 0); + WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = ' + IntToStr(lMaxUserSessions^)); end; if ulMaxDebugSessions <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = 0'); - ulMaxDebugSessions^ := 0; + ulMaxDebugSessions^ := INIReadDWord(INI, 'SLInit', 'ulMaxDebugSessions', 0); + WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = ' + IntToStr(ulMaxDebugSessions^)); end; if bInitialized <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = 1'); - bInitialized^ := 1; + bInitialized^ := INIReadDWord(INI, 'SLInit', 'bInitialized', 1); + WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = ' + IntToStr(bInitialized^)); end; Result := S_OK; end; procedure HookFunctions; var + Sect, FuncName: String; V: DWORD; TS_Handle, SLC_Handle: THandle; TermSrvSize: DWORD; SignPtr: Pointer; - Results: IntArray; + I: Integer; + PatchList: SList; + Patch: Array of TBytes; Jump: far_jmp; MovJump: mov_far_jmp; - nop: DWORD; - b: Byte; begin { hook function ^^ (called once) } IsHooked := True; - nop := $90909090; TSMain := nil; TSGlobals := nil; SLGetWindowsInformationDWORD := nil; + + WriteLog('Loading configuration...'); + INILoad(INI, ExtractFilePath(GetBinaryPath) + 'rdpwrap.ini'); + if Length(INI) = 0 then begin + WriteLog('Error: Failed to load configuration'); + Exit; + end; + + LogFile := INIReadString(INI, 'Main', 'LogFile', ExtractFilePath(GetBinaryPath) + 'rdpwrap.txt'); WriteLog('init'); // load termsrv.dll and get functions @@ -928,7 +563,16 @@ begin WriteLog('freeze'); StopThreads(); - if (V = $0600) then begin + WriteLog('Loading patch codes...'); + PatchList := INIReadSection(INI, 'PatchCodes'); + SetLength(Patch, Length(PatchList)); + for I := 0 to Length(Patch) - 1 do begin + Patch[I] := INIReadBytes(INI, 'PatchCodes', PatchList[I]); + if Length(Patch[I]) > 16 then // for security reasons + SetLength(Patch[I], 16); // not more than 16 bytes + end; + + if (V = $0600) and (INIReadBool(INI, 'Main', 'SLPolicyHookNT60', True)) then begin // Windows Vista // uses SL Policy API (slc.dll) @@ -949,110 +593,8 @@ begin WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); end; - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - - if (FV.Release = 6000) and (FV.Build = 16386) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F320000 - .text:6F3360B9 lea eax, [ebp+VersionInformation] - .text:6F3360BF inc ebx <- nop - .text:6F3360C0 push eax ; lpVersionInformation - .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F3360CB mov [esi], ebx - .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $160BF); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $15CD8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6001) and (FV.Build = 18000) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6E800000 - .text:6E8185DE lea eax, [ebp+VersionInformation] - .text:6E8185E4 inc ebx <- nop - .text:6E8185E5 push eax ; lpVersionInformation - .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6E8185F0 mov [esi], ebx - .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $185E4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FD8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 18005) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FA2 lea eax, [ebp+VersionInformation] - .text:6F597FA8 inc ebx <- nop - .text:6F597FA9 push eax ; lpVersionInformation - .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FB4 mov [esi], ebx - .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FA8); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179C0); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 19214) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FBE lea eax, [ebp+VersionInformation] - .text:6F597FC4 inc ebx <- nop - .text:6F597FC5 push eax ; lpVersionInformation - .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FD0 mov [esi], ebx - .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FC4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179B8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 23521) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FAE lea eax, [ebp+VersionInformation] - .text:6F597FB4 inc ebx <- nop - .text:6F597FB5 push eax ; lpVersionInformation - .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FC0 mov [esi], ebx - .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FB4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179CC); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - end; end; - if (V = $0601) then begin + if (V = $0601) and (INIReadBool(INI, 'Main', 'SLPolicyHookNT61', True)) then begin // Windows 7 // uses SL Policy API (slc.dll) @@ -1073,127 +615,6 @@ begin WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); end; - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - - if (FV.Release = 7600) and (FV.Build = 16385) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2F9E1F lea eax, [ebp+VersionInformation] - .text:6F2F9E25 inc ebx <- nop - .text:6F2F9E26 push eax ; lpVersionInformation - .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2F9E31 mov [esi], ebx - .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $196F3); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 17514) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA497 lea eax, [ebp+VersionInformation] - .text:6F2FA49D inc ebx <- nop - .text:6F2FA49E push eax ; lpVersionInformation - .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4A9 mov [esi], ebx - .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A49D); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19D53); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 18540) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA4DF lea eax, [ebp+VersionInformation] - .text:6F2FA4E5 inc ebx <- nop - .text:6F2FA4E6 push eax ; lpVersionInformation - .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4F1 mov [esi], ebx - .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4E5); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19D9F); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 22750) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA64F lea eax, [ebp+VersionInformation] - .text:6F2FA655 inc ebx <- nop - .text:6F2FA656 push eax ; lpVersionInformation - .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA661 mov [esi], ebx - .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E21); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 18637) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA4D7 lea eax, [ebp+VersionInformation] - .text:6F2FA4DD inc ebx <- nop - .text:6F2FA4DE push eax ; lpVersionInformation - .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4E9 mov [esi], ebx - .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4DD); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19DBB); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 22843) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA64F lea eax, [ebp+VersionInformation] - .text:6F2FA655 inc ebx <- nop - .text:6F2FA656 push eax ; lpVersionInformation - .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA661 mov [esi], ebx - .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - end; end; if V = $0602 then begin // Windows 8 @@ -1203,412 +624,92 @@ begin // (will be used on intercepting undefined values) SLC_Handle := LoadLibrary('slc.dll'); SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // SLGetWindowsInformationDWORDWrapper - - if (FV.Release = 8102) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1000F7E5 lea eax, [esp+150h+VersionInformation] - .text:1000F7E9 inc esi <- nop - .text:1000F7EA push eax ; lpVersionInformation - .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1000F7F3 mov [edi], esi - .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $F7E9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $E47C); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1B909); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 8250) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:100159C5 lea eax, [esp+150h+VersionInformation] - .text:100159C9 inc esi <- nop - .text:100159CA push eax ; lpVersionInformation - .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:100159D3 mov [edi], esi - .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $159C9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13520); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A0A9); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL_CP; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 8400) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1001547E lea eax, [esp+150h+VersionInformation] - .text:10015482 inc esi <- nop - .text:10015483 push eax ; lpVersionInformation - .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1001548C mov [edi], esi - .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $15482); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13E48); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19629); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 16384) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1001554E lea eax, [esp+150h+VersionInformation] - .text:10015552 inc esi <- nop - .text:10015553 push eax ; lpVersionInformation - .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1001555C mov [edi], esi - .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $15552); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13F08); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19559); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 17048) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1002058E lea eax, [esp+150h+VersionInformation] - .text:10020592 inc esi <- nop - .text:10020593 push eax ; lpVersionInformation - .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1002059C mov [edi], esi - .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $20592); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1F408); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $17059); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 21166) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10015576 lea eax, [esp+150h+VersionInformation] - .text:1001557A inc esi <- nop - .text:1001557B push eax ; lpVersionInformation - .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:10015584 mov [edi], esi - .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1557A); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13F30); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19581); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - end; end; if V = $0603 then begin // Windows 8.1 // uses SL Policy internal inline code - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CEnforcementCore::GetInstanceOfTSLicense - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // CSLQuery::Initialize - - if (FV.Release = 9431) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:1008A609 test eax, eax - .text:1008A60B js short loc_1008A628 - .text:1008A60D cmp [ebp+var_8], 0 - .text:1008A611 jz short loc_1008A628 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $8A611); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:100306A4 lea eax, [esp+150h+VersionInformation] - .text:100306A8 inc ebx <- nop - .text:100306A9 mov [edi], ebx - .text:100306AB push eax ; lpVersionInformation - .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $306A8); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $2EA25); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $196B0); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - if (FV.Release = 9600) and (FV.Build = 16384) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100A2721 test eax, eax - .text:100A2723 js short loc_100A2740 - .text:100A2725 cmp [ebp+var_8], 0 - .text:100A2729 jz short loc_100A2740 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $A2729); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10018024 lea eax, [esp+150h+VersionInformation] - .text:10018028 inc ebx <- nop - .text:10018029 mov [edi], ebx - .text:1001802B push eax ; lpVersionInformation - .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $18028); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $16115); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1CEB0); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - if (FV.Release = 9600) and (FV.Build = 17095) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100A36C9 test eax, eax - .text:100A36CB js short loc_100A36E8 - .text:100A36CD cmp [ebp+var_8], 0 - .text:100A36D1 jz short loc_100A36E8 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $A36D1); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10036BA5 lea eax, [esp+150h+VersionInformation] - .text:10036BA9 inc ebx <- nop - .text:10036BAA mov [edi], ebx - .text:10036BAC push eax ; lpVersionInformation - .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $36BA9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $37529); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $117F1); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - end; end; if V = $0604 then begin // Windows 10 // uses SL Policy internal inline code - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CEnforcementCore::GetInstanceOfTSLicense - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // CSLQuery::Initialize - - if (FV.Release = 9841) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:1009569B call sub_100B7EE5 - .text:100956A0 test eax, eax - .text:100956A2 js short loc_100956BF - .text:100956A4 cmp [ebp+var_C], 0 - .text:100956A8 jz short loc_100956BF <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $956A8); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10030121 lea eax, [esp+150h+VersionInformation] - .text:10030125 inc ebx <- nop - .text:10030126 mov [edi], ebx - .text:10030128 push eax ; lpVersionInformation - .text:10030129 call ds:GetVersionExW - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $30125); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $3B989); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $46A68); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - if (FV.Release = 9860) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100962C0 test eax, eax - .text:100962C2 js short loc_100962DF - .text:100962C4 cmp [ebp+var_C], 0 - .text:100962C8 jz short loc_100962DF <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $962C8); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10030841 lea eax, [esp+150h+VersionInformation] - .text:10030845 inc ebx <- nop - .text:10030846 mov [edi], ebx - .text:10030848 push eax ; lpVersionInformation - .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $30845); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $3BEC9); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $46F18); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - end; end; + Sect := IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)+'.'+ + IntToStr(FV.Release)+'.'+IntToStr(FV.Build); + + if INISectionExists(INI, Sect) then + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + if INIReadBool(INI, Sect, 'LocalOnlyPatch.x86', False) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'LocalOnlyOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'LocalOnlyCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'SingleUserPatch.x86', False) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SingleUserOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'SingleUserCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'DefPolicyPatch.x86', False) then begin + WriteLog('Patch CDefPolicy::Query'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'DefPolicyOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'DefPolicyCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'SLPolicyInternal.x86', False) then begin + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SLPolicyOffset.x86', 0)); + except + SignPtr := nil; + end; + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := nil; + FuncName := INIReadString(INI, Sect, 'SLPolicyFunc.x86', 'New_Win8SL'); + if FuncName = 'New_Win8SL' then + MovJump.PushArg := @New_Win8SL; + if FuncName = 'New_Win8SL_CP' then + MovJump.PushArg := @New_Win8SL_CP; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if INIReadBool(INI, Sect, 'SLInitHook.x86', False) then begin + WriteLog('Hook CSLQuery::Initialize'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SLInitOffset.x86', 0)); + except + SignPtr := nil; + end; + Jump.PushOp := $68; + Jump.PushArg := nil; + FuncName := INIReadString(INI, Sect, 'SLInitFunc.x86', 'New_CSLQuery_Initialize'); + if FuncName = 'New_CSLQuery_Initialize' then + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + end; + // unfreeze threads WriteLog('resume'); RunThreads(); diff --git a/src-x86-binarymaster/src/rdpwrap.ini b/src-x86-binarymaster/src/rdpwrap.ini new file mode 100644 index 0000000..6b44968 --- /dev/null +++ b/src-x86-binarymaster/src/rdpwrap.ini @@ -0,0 +1,1250 @@ +; RDP Wrapper Library configuration +; Do not modify without special knowledge + +[Main] +Updated=2014-11-20 +LogFile=\rdpwrap.txt +SLPolicyHookNT60=1 +SLPolicyHookNT61=1 + +[SLPolicy] +; Allow Remote Connections +TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1 +; Allow Multiple Sessions +TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1 +; Allow Multiple Sessions (Application Server Mode) +TerminalServices-RemoteConnectionManager-AllowAppServerMode=1 +; Allow Multiple Monitors +TerminalServices-RemoteConnectionManager-AllowMultimon=1 +; Max User Sessions (0 = unlimited) +TerminalServices-RemoteConnectionManager-MaxUserSessions=0 +; Max Debug Sessions (Windows 8, 0 = unlimited) +TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0 +; Max Sessions +; 0 - logon not possible even from console +; 1 - only one active user (console or remote) +; 2 - allow concurrent sessions +TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2 +; Allow Advanced Compression with RDP 7 Protocol +TerminalServices-RDP-7-Advanced-Compression-Allowed=1 +; IsTerminalTypeLocalOnly = 0 +TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0 +; Max Sessions (hard limit) +TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000 +; EasyPrint +TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed=1 + +[PatchCodes] +nop=90 +Zero=00 +jmpshort=EB +nopjmp=90E9 +CDefPolicy_Query_edx_ecx=BA000100008991200300005E90 +CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB +CDefPolicy_Query_eax_esi=B80001000089862003000090 +CDefPolicy_Query_eax_rdi=B80001000089873806000090 +CDefPolicy_Query_eax_ecx=B80001000089812003000090 +CDefPolicy_Query_eax_rcx=B80001000089813806000090 + +[6.0.6000.16386] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F320000 +; .text:6F3360B9 lea eax, [ebp+VersionInformation] +; .text:6F3360BF inc ebx <- nop +; .text:6F3360C0 push eax ; lpVersionInformation +; .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F3360CB mov [esi], ebx +; .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=160BF +SingleUserCode.x86=nop +; Imagebase: 7FF756E0000 +; .text:000007FF75745E38 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75745E3D mov ebx, 1 <- 0 +; .text:000007FF75745E42 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75745E4A mov [rdi], ebx +; .text:000007FF75745E4C call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=65E3E +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F335CD8 cmp edx, [ecx+320h] +; .text:6F335CDE pop esi +; .text:6F335CDF jz loc_6F3426F1 +; Changed +; .text:6F335CD8 mov edx, 100h +; .text:6F335CDD mov [ecx+320h], edx +; .text:6F335CE3 pop esi +; .text:6F335CE4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=15CD8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF7573C88F mov eax, [rcx+638h] +; .text:000007FF7573C895 cmp [rcx+63Ch], eax +; .text:000007FF7573C89B jnz short loc_7FF7573C8B3 +; Changed +; .text:000007FF7573C88F mov eax, 100h +; .text:000007FF7573C894 mov [rcx+638h], eax +; .text:000007FF7573C89A nop +; .text:000007FF7573C89B jmp short loc_7FF7573C8B3 +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=5C88F +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6001.18000] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6E800000 +; .text:6E8185DE lea eax, [ebp+VersionInformation] +; .text:6E8185E4 inc ebx <- nop +; .text:6E8185E5 push eax ; lpVersionInformation +; .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6E8185F0 mov [esi], ebx +; .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=185E4 +SingleUserCode.x86=nop +; Imagebase: 7FF76220000 +; .text:000007FF76290DB4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF76290DB9 mov ebx, 1 <- 0 +; .text:000007FF76290DBE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF76290DC6 mov [rdi], ebx +; .text:000007FF76290DC8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=70DBA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6E817FD8 cmp edx, [ecx+320h] +; .text:6E817FDE pop esi +; .text:6E817FDF jz loc_6E826F16 +; Changed +; .text:6E817FD8 mov edx, 100h +; .text:6E817FDD mov [ecx+320h], edx +; .text:6E817FE3 pop esi +; .text:6E817FE4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=17FD8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF76285BD7 mov eax, [rcx+638h] +; .text:000007FF76285BDD cmp [rcx+63Ch], eax +; .text:000007FF76285BE3 jnz short loc_7FF76285BFB +; Changed +; .text:000007FF76285BD7 mov eax, 100h +; .text:000007FF76285BDC mov [rcx+638h], eax +; .text:000007FF76285BE2 nop +; .text:000007FF76285BE3 jmp short loc_7FF76285BFB +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65BD7 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.18005] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FA2 lea eax, [ebp+VersionInformation] +; .text:6F597FA8 inc ebx <- nop +; .text:6F597FA9 push eax ; lpVersionInformation +; .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FB4 mov [esi], ebx +; .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FA8 +SingleUserCode.x86=nop +; Imagebase: 7FF766C0000 +; .text:000007FF76730FF0 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF76730FF5 mov ebx, 1 <- 0 +; .text:000007FF76730FFA mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF76731002 mov [rdi], ebx +; .text:000007FF76731004 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=70FF6 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979C0 cmp edx, [ecx+320h] +; .text:6F5979C6 pop esi +; .text:6F5979C7 jz loc_6F5A6F26 +; Changed +; .text:6F5979C0 mov edx, 100h +; .text:6F5979C5 mov [ecx+320h], edx +; .text:6F5979CB pop esi +; .text:6F5979CC nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179C0 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF76725E83 mov eax, [rcx+638h] +; .text:000007FF76725E89 cmp [rcx+63Ch], eax +; .text:000007FF76725E8F jz short loc_7FF76725EA7 +; Changed +; .text:000007FF76725E83 mov eax, 100h +; .text:000007FF76725E88 mov [rcx+638h], eax +; .text:000007FF76725E8E nop +; .text:000007FF76725E8F jmp short loc_7FF76725EA7 +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65E83 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.19214] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FBE lea eax, [ebp+VersionInformation] +; .text:6F597FC4 inc ebx <- nop +; .text:6F597FC5 push eax ; lpVersionInformation +; .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FD0 mov [esi], ebx +; .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FC4 +SingleUserCode.x86=nop +; Imagebase: 7FF75AC0000 +; .text:000007FF75B312A4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75B312A9 mov ebx, 1 <- 0 +; .text:000007FF75B312AE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75B312B6 mov [rdi], ebx +; .text:000007FF75B312B8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=712AA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979B8 cmp edx, [ecx+320h] +; .text:6F5979BE pop esi +; .text:6F5979BF jz loc_6F5A6F3E +; Changed +; .text:6F5979B8 mov edx, 100h +; .text:6F5979BD mov [ecx+320h], edx +; .text:6F5979C3 pop esi +; .text:6F5979C4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179B8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF75B25FF7 mov eax, [rcx+638h] +; .text:000007FF75B25FFD cmp [rcx+63Ch], eax +; .text:000007FF75B26003 jnz short loc_7FF75B2601B +; Changed +; .text:000007FF75B25FF7 mov eax, 100h +; .text:000007FF75B25FFC mov [rcx+638h], eax +; .text:000007FF75B26002 nop +; .text:000007FF75B26003 jmp short loc_7FF75B2601B +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65FF7 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.23521] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FAE lea eax, [ebp+VersionInformation] +; .text:6F597FB4 inc ebx <- nop +; .text:6F597FB5 push eax ; lpVersionInformation +; .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FC0 mov [esi], ebx +; .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FB4 +SingleUserCode.x86=nop +; Imagebase: 7FF75AC0000 +; .text:000007FF75B31EA4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75B31EA9 mov ebx, 1 <- 0 +; .text:000007FF75B31EAE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75B31EB6 mov [rdi], ebx +; .text:000007FF75B31EB8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=71EAA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979CC cmp edx, [ecx+320h] +; .text:6F5979D2 pop esi +; .text:6F5979D3 jz loc_6F5A6F2E +; Changed +; .text:6F5979CC mov edx, 100h +; .text:6F5979D1 mov [ecx+320h], edx +; .text:6F5979D7 pop esi +; .text:6F5979D8 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179CC +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF75B269CB mov eax, [rcx+638h] +; .text:000007FF75B269D1 cmp [rcx+63Ch], eax +; .text:000007FF75B269D7 jnz short loc_7FF75B269EF +; Changed +; .text:000007FF75B269CB mov eax, 100h +; .text:000007FF75B269D0 mov [rcx+638h], eax +; .text:000007FF75B269D6 nop +; .text:000007FF75B269D7 jmp short loc_7FF75B269EF +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=669CB +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.1.7600.16385] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2F9E1F lea eax, [ebp+VersionInformation] +; .text:6F2F9E25 inc ebx <- nop +; .text:6F2F9E26 push eax ; lpVersionInformation +; .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2F9E31 mov [esi], ebx +; .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=19E25 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97D90 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97D95 mov ebx, 1 <- 0 +; .text:000007FF75A97D9A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97DA2 mov [rdi], ebx +; .text:000007FF75A97DA4 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17D96 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F96F3 cmp eax, [esi+320h] +; .text:6F2F96F9 jz loc_6F30E256 +; Changed +; .text:6F2F96F3 mov eax, 100h +; .text:6F2F96F8 mov [esi+320h], eax +; .text:6F2F96FE nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=196F3 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97AD2 cmp [rdi+63Ch], eax +; .text:000007FF75A97AD8 jz loc_7FF75AA4978 +; Changed +; .text:000007FF75A97AD2 mov eax, 100h +; .text:000007FF75A97AD7 mov [rdi+638h], eax +; .text:000007FF75A97ADD nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17AD2 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.17514] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA497 lea eax, [ebp+VersionInformation] +; .text:6F2FA49D inc ebx <- nop +; .text:6F2FA49E push eax ; lpVersionInformation +; .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4A9 mov [esi], ebx +; .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A49D +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A980DC lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A980E1 mov ebx, 1 <- 0 +; .text:000007FF75A980E6 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A980EE mov [rdi], ebx +; .text:000007FF75A980F0 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=180E2 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9D53 cmp eax, [esi+320h] +; .text:6F2F9D59 jz loc_6F30B25E +; Changed +; .text:6F2F9D53 mov eax, 100h +; .text:6F2F9D58 mov [esi+320h], eax +; .text:6F2F9D5E nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19D53 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97D8A cmp [rdi+63Ch], eax +; .text:000007FF75A97D90 jz loc_7FF75AA40F4 +; Changed +; .text:000007FF75A97D8A mov eax, 100h +; .text:000007FF75A97D8F mov [rdi+638h], eax +; .text:000007FF75A97D95 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17D8A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.18540] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA4DF lea eax, [ebp+VersionInformation] +; .text:6F2FA4E5 inc ebx <- nop +; .text:6F2FA4E6 push eax ; lpVersionInformation +; .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4F1 mov [esi], ebx +; .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A4E5 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A98000 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A98005 mov ebx, 1 <- 0 +; .text:000007FF75A9800A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A98012 mov [rdi], ebx +; .text:000007FF75A98014 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=18006 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9D9F cmp eax, [esi+320h] +; .text:6F2F9DA5 jz loc_6F30B2AE +; Changed +; .text:6F2F9D9F mov eax, 100h +; .text:6F2F9DA4 mov [esi+320h], eax +; .text:6F2F9DAA nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19D9F +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97C82 cmp [rdi+63Ch], eax +; .text:000007FF75A97C88 jz loc_7FF75AA3FBD +; Changed +; .text:000007FF75A97C82 mov eax, 100h +; .text:000007FF75A97C87 mov [rdi+638h], eax +; .text:000007FF75A97C8D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17C82 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.22750] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA64F lea eax, [ebp+VersionInformation] +; .text:6F2FA655 inc ebx <- nop +; .text:6F2FA656 push eax ; lpVersionInformation +; .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA661 mov [esi], ebx +; .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A655 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97E88 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97E8D mov ebx, 1 <- 0 +; .text:000007FF75A97E92 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97E9A mov [rdi], ebx +; .text:000007FF75A97E9C call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17E8E +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9E21 cmp eax, [esi+320h] +; .text:6F2F9E27 jz loc_6F30B6CE +; Changed +; .text:6F2F9E21 mov eax, 100h +; .text:6F2F9E26 mov [esi+320h], eax +; .text:6F2F9E2C nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19E21 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97C92 cmp [rdi+63Ch], eax +; .text:000007FF75A97C98 jz loc_7FF75AA40A2 +; Changed +; .text:000007FF75A97C92 mov eax, 100h +; .text:000007FF75A97C97 mov [rdi+638h], eax +; .text:000007FF75A97C9D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17C92 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.18637] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA4D7 lea eax, [ebp+VersionInformation] +; .text:6F2FA4DD inc ebx <- nop +; .text:6F2FA4DE push eax ; lpVersionInformation +; .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4E9 mov [esi], ebx +; .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A4DD +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A980F4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A980F9 mov ebx, 1 <- 0 +; .text:000007FF75A980FE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A98106 mov [rdi], ebx +; .text:000007FF75A98108 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=180FA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9DBB cmp eax, [esi+320h] +; .text:6F2F9DC1 jz loc_6F30B2A6 +; Changed +; .text:6F2F9DBB mov eax, 100h +; .text:6F2F9DC0 mov [esi+320h], eax +; .text:6F2F9DC6 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19DBB +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97DC6 cmp [rdi+63Ch], eax +; .text:000007FF75A97DCC jz loc_7FF75AA40BD +; Changed +; .text:000007FF75A97DC6 mov eax, 100h +; .text:000007FF75A97DCB mov [rdi+638h], eax +; .text:000007FF75A97DD1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17DC6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.22843] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA64F lea eax, [ebp+VersionInformation] +; .text:6F2FA655 inc ebx <- nop +; .text:6F2FA656 push eax ; lpVersionInformation +; .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA661 mov [esi], ebx +; .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A655 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97F90 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97F95 mov ebx, 1 <- 0 +; .text:000007FF75A97F9A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97FA2 mov [rdi], ebx +; .text:000007FF75A97FA4 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17F96 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9E25 cmp eax, [esi+320h] +; .text:6F2F9E2B jz loc_6F30B6D6 +; Changed +; .text:6F2F9E25 mov eax, 100h +; .text:6F2F9E2A mov [esi+320h], eax +; .text:6F2F9E30 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19E25 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97D6E cmp [rdi+63Ch], eax +; .text:000007FF75A97D74 jz loc_7FF75AA4182 +; Changed +; .text:000007FF75A97D6E mov eax, 100h +; .text:000007FF75A97D73 mov [rdi+638h], eax +; .text:000007FF75A97D79 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17D6E +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.2.8102.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1000F7E5 lea eax, [esp+150h+VersionInformation] +; .text:1000F7E9 inc esi <- nop +; .text:1000F7EA push eax ; lpVersionInformation +; .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1000F7F3 mov [edi], esi +; .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=F7E9 +SingleUserCode.x86=nop +; .text:000000018000D83A lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018000D83F mov ebx, 1 <- 0 +; .text:000000018000D844 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018000D84C mov [rdi], ebx +; .text:000000018000D84E call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=D840 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1000E47C cmp eax, [esi+320h] +; .text:1000E482 jz loc_1002D775 +; Changed +; .text:1000E47C mov eax, 100h +; .text:1000E481 mov [esi+320h], eax +; .text:1000E487 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=E47C +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018000D3E6 cmp [rdi+63Ch], eax +; .text:000000018000D3EC jz loc_180027792 +; Changed +; .text:000000018000D3E6 mov eax, 100h +; .text:000000018000D3EB mov [rdi+638h], eax +; .text:000000018000D3F1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=D3E6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=1B909 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=1A484 +SLPolicyFunc.x64=New_Win8SL + +[6.2.8250.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:100159C5 lea eax, [esp+150h+VersionInformation] +; .text:100159C9 inc esi <- nop +; .text:100159CA push eax ; lpVersionInformation +; .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:100159D3 mov [edi], esi +; .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=159C9 +SingleUserCode.x86=nop +; .text:0000000180011E6E lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180011E73 mov ebx, 1 <- 0 +; .text:0000000180011E78 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180011E80 mov [rdi], ebx +; .text:0000000180011E82 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=11E74 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013520 cmp eax, [esi+320h] +; .text:10013526 jz loc_1002DB85 +; Changed +; .text:10013520 mov eax, 100h +; .text:10013525 mov [esi+320h], eax +; .text:1001352B nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13520 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001187A cmp [rdi+63Ch], eax +; .text:0000000180011880 jz loc_1800273A2 +; Changed +; .text:000000018001187A mov eax, 100h +; .text:000000018001187F mov [rdi+638h], eax +; .text:0000000180011885 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1187A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=1A0A9 +SLPolicyFunc.x86=New_Win8SL_CP +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=18FAC +SLPolicyFunc.x64=New_Win8SL + +[6.2.8400.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1001547E lea eax, [esp+150h+VersionInformation] +; .text:10015482 inc esi <- nop +; .text:10015483 push eax ; lpVersionInformation +; .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1001548C mov [edi], esi +; .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=15482 +SingleUserCode.x86=nop +; .text:000000018002081E lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180020823 mov ebx, 1 <- 0 +; .text:0000000180020828 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180020830 mov [rdi], ebx +; .text:0000000180020832 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20824 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013E48 cmp eax, [esi+320h] +; .text:10013E4E jz loc_1002E079 +; Changed +; .text:10013E48 mov eax, 100h +; .text:10013E4D mov [esi+320h], eax +; .text:10013E53 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13E48 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001F102 cmp [rdi+63Ch], eax +; .text:000000018001F108 jz loc_18003A02E +; Changed +; .text:000000018001F102 mov eax, 100h +; .text:000000018001F107 mov [rdi+638h], eax +; .text:000000018001F10D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F102 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19629 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=2492C +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.16384] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1001554E lea eax, [esp+150h+VersionInformation] +; .text:10015552 inc esi <- nop +; .text:10015553 push eax ; lpVersionInformation +; .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1001555C mov [edi], esi +; .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=15552 +SingleUserCode.x86=nop +; .text:000000018002BAA2 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018002BAA7 mov ebx, 1 <- 0 +; .text:000000018002BAAC mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002BAB4 mov [rdi], ebx +; .text:000000018002BAB6 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=2BAA8 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013F08 cmp eax, [esi+320h] +; .text:10013F0E jz loc_1002E161 +; Changed +; .text:10013F08 mov eax, 100h +; .text:10013F0D mov [esi+320h], eax +; .text:10013F13 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13F08 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018002A31A cmp [rdi+63Ch], eax +; .text:000000018002A320 jz loc_18003A0F9 +; Changed +; .text:000000018002A31A mov eax, 100h +; .text:000000018002A31F mov [rdi+638h], eax +; .text:000000018002A325 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=2A31A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19559 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=21FA8 +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.17048] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1002058E lea eax, [esp+150h+VersionInformation] +; .text:10020592 inc esi <- nop +; .text:10020593 push eax ; lpVersionInformation +; .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1002059C mov [edi], esi +; .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=20592 +SingleUserCode.x86=nop +; .text:0000000180020942 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180020947 mov ebx, 1 <- 0 +; .text:000000018002094C mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180020954 mov [rdi], ebx +; .text:0000000180020956 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20948 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1001F408 cmp eax, [esi+320h] +; .text:1001F40E jz loc_1002E201 +; Changed +; .text:1001F408 mov eax, 100h +; .text:1001F40D mov [esi+320h], eax +; .text:1001F413 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=1F408 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001F206 cmp [rdi+63Ch], eax +; .text:000000018001F20C jz loc_18003A1B4 +; Changed +; .text:000000018001F206 mov eax, 100h +; .text:000000018001F20B mov [rdi+638h], eax +; .text:000000018001F211 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F206 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=17059 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=24570 +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.21166] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10015576 lea eax, [esp+150h+VersionInformation] +; .text:1001557A inc esi <- nop +; .text:1001557B push eax ; lpVersionInformation +; .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:10015584 mov [edi], esi +; .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1557A +SingleUserCode.x86=nop +; .text:000000018002BAF2 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018002BAF7 mov ebx, 1 <- 0 +; .text:000000018002BAFC mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002BB04 mov [rdi], ebx +; .text:000000018002BB06 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=2BAF8 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013F30 cmp eax, [esi+320h] +; .text:10013F36 jz loc_1002E189 +; Changed +; .text:10013F30 mov eax, 100h +; .text:10013F35 mov [esi+320h], eax +; .text:10013F3B nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13F30 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018002A3B6 cmp [rdi+63Ch], eax +; .text:000000018002A3BC jz loc_18003A174 +; Changed +; .text:000000018002A3B6 mov eax, 100h +; .text:000000018002A3BB mov [rdi+638h], eax +; .text:000000018002A3C1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=2A3B6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19581 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=21FD0 +SLPolicyFunc.x64=New_Win8SL + +[6.3.9431.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:1008A609 test eax, eax +; .text:1008A60B js short loc_1008A628 +; .text:1008A60D cmp [ebp+var_8], 0 +; .text:1008A611 jz short loc_1008A628 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=8A611 +LocalOnlyCode.x86=jmpshort +; .text:000000018009F713 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:000000018009F718 test eax, eax +; .text:000000018009F71A js short loc_18009F73B +; .text:000000018009F71C cmp [rsp+48h+arg_18], 0 +; .text:000000018009F721 jz short loc_18009F73B <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=9F721 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:100306A4 lea eax, [esp+150h+VersionInformation] +; .text:100306A8 inc ebx <- nop +; .text:100306A9 mov [edi], ebx +; .text:100306AB push eax ; lpVersionInformation +; .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=306A8 +SingleUserCode.x86=nop +; .text:00000001800367F3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:00000001800367F8 mov ebx, 1 <- 0 +; .text:00000001800367FD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180036805 mov [rdi], ebx +; .text:0000000180036807 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=367F9 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1002EA25 cmp eax, [ecx+320h] +; .text:1002EA2B jz loc_100348C1 +; Changed +; .text:1002EA25 mov eax, 100h +; .text:1002EA2A mov [ecx+320h], eax +; .text:1002EA30 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=2EA25 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:00000001800350FD cmp [rcx+63Ch], eax +; .text:0000000180035103 jz loc_18004F6AE +; Changed +; .text:00000001800350FD mov eax, 100h +; .text:0000000180035102 mov [rcx+638h], eax +; .text:0000000180035108 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=350FD +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=196B0 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=2F9C0 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.3.9600.16384] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100A2721 test eax, eax +; .text:100A2723 js short loc_100A2740 +; .text:100A2725 cmp [ebp+var_8], 0 +; .text:100A2729 jz short loc_100A2740 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A2729 +LocalOnlyCode.x86=jmpshort +; .text:000000018008181F cmp [rsp+48h+arg_18], 0 +; .text:0000000180081824 jz loc_180031DEF <- nop + jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81824 +LocalOnlyCode.x64=nopjmp +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10018024 lea eax, [esp+150h+VersionInformation] +; .text:10018028 inc ebx <- nop +; .text:10018029 mov [edi], ebx +; .text:1001802B push eax ; lpVersionInformation +; .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=18028 +SingleUserCode.x86=nop +; .text:000000018002023B lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180020240 mov ebx, 1 <- 0 +; .text:0000000180020245 mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002024D mov [rdi], ebx +; .text:000000018002024F call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20241 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10016115 cmp eax, [ecx+320h] +; .text:1001611B jz loc_10034DE1 +; Changed +; .text:10016115 mov eax, 100h +; .text:1001611A mov [ecx+320h], eax +; .text:10016120 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=16115 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:0000000180057829 cmp [rcx+63Ch], eax +; .text:000000018005782F jz loc_18005E850 +; Changed +; .text:0000000180057829 mov eax, 100h +; .text:000000018005782E mov [rcx+638h], eax +; .text:0000000180057834 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=57829 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=1CEB0 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=554C0 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.3.9600.17095] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100A36C9 test eax, eax +; .text:100A36CB js short loc_100A36E8 +; .text:100A36CD cmp [ebp+var_8], 0 +; .text:100A36D1 jz short loc_100A36E8 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A36D1 +LocalOnlyCode.x86=jmpshort +; .text:00000001800B914B call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:00000001800B9150 test eax, eax +; .text:00000001800B9152 js short loc_1800B9173 +; .text:00000001800B9154 cmp [rsp+48h+arg_18], 0 +; .text:00000001800B9159 jz short loc_1800B9173 <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=B9159 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10036BA5 lea eax, [esp+150h+VersionInformation] +; .text:10036BA9 inc ebx <- nop +; .text:10036BAA mov [edi], ebx +; .text:10036BAC push eax ; lpVersionInformation +; .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=36BA9 +SingleUserCode.x86=nop +; .text:0000000180021823 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180021828 mov ebx, 1 <- 0 +; .text:000000018002182D mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180021835 mov [rdi], ebx +; .text:0000000180021837 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=21829 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10037529 cmp eax, [ecx+320h] +; .text:1003752F jz loc_10043662 +; Changed +; .text:10037529 mov eax, 100h +; .text:1003752E mov [ecx+320h], eax +; .text:10037534 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=37529 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018001F6A1 cmp [rcx+63Ch], eax +; .text:000000018001F6A7 jz loc_18007284B +; Changed +; .text:000000018001F6A1 mov eax, 100h +; .text:000000018001F6A6 mov [rcx+638h], eax +; .text:000000018001F6AC nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F6A1 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=117F1 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=3B110 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.4.9841.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:1009569B call sub_100B7EE5 +; .text:100956A0 test eax, eax +; .text:100956A2 js short loc_100956BF +; .text:100956A4 cmp [ebp+var_C], 0 +; .text:100956A8 jz short loc_100956BF <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=956A8 +LocalOnlyCode.x86=jmpshort +; .text:0000000180081133 call sub_1800A9048 +; .text:0000000180081138 test eax, eax +; .text:000000018008113A js short loc_18008115B +; .text:000000018008113C cmp [rsp+58h+arg_18], 0 +; .text:0000000180081141 jz short loc_18008115B <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81141 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10030121 lea eax, [esp+150h+VersionInformation] +; .text:10030125 inc ebx <- nop +; .text:10030126 mov [edi], ebx +; .text:10030128 push eax ; lpVersionInformation +; .text:10030129 call ds:GetVersionExW +SingleUserPatch.x86=1 +SingleUserOffset.x86=30125 +SingleUserCode.x86=nop +; .text:0000000180012153 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180012158 mov ebx, 1 <- 0 +; .text:000000018001215D mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180012165 mov [rdi], ebx +; .text:0000000180012167 call cs:GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=12159 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1003B989 cmp eax, [ecx+320h] +; .text:1003B98F jz loc_1005E809 +; Changed +; .text:1003B989 mov eax, 100h +; .text:1003B98E mov [ecx+320h], eax +; .text:1003B994 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=3B989 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018000C125 cmp [rcx+63Ch], eax +; .text:000000018000C12B jz sub_18003BABC +; Changed +; .text:000000018000C125 mov eax, 100h +; .text:000000018000C12A mov [rcx+638h], eax +; .text:000000018000C130 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=C125 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=46A68 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=1EA50 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.4.9860.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100962C0 test eax, eax +; .text:100962C2 js short loc_100962DF +; .text:100962C4 cmp [ebp+var_C], 0 +; .text:100962C8 jz short loc_100962DF <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=962C8 +LocalOnlyCode.x86=jmpshort +; .text:0000000180081083 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:0000000180081088 test eax, eax +; .text:000000018008108A js short loc_1800810AB +; .text:000000018008108C cmp [rsp+58h+arg_18], 0 +; .text:0000000180081091 jz short loc_1800810AB <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81091 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10030841 lea eax, [esp+150h+VersionInformation] +; .text:10030845 inc ebx <- nop +; .text:10030846 mov [edi], ebx +; .text:10030848 push eax ; lpVersionInformation +; .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=30845 +SingleUserCode.x86=nop +; .text:0000000180011AA3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180011AA8 mov ebx, 1 <- 0 +; .text:0000000180011AAD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180011AB5 mov [rdi], ebx +; .text:0000000180011AB7 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=11AA9 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1003BEC9 cmp eax, [ecx+320h] +; .text:1003BECF jz loc_1005EE1A +; Changed +; .text:1003BEC9 mov eax, 100h +; .text:1003BECE mov [ecx+320h], eax +; .text:1003BED4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=3BEC9 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018000B9F5 cmp [rcx+63Ch], eax +; .text:000000018000B9FB jz sub_18003B9C8 +; Changed +; .text:000000018000B9F5 mov eax, 100h +; .text:000000018000B9FA mov [rcx+638h], eax +; .text:000000018000BA00 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=B9F5 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=46F18 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=1EB00 +SLInitFunc.x64=New_CSLQuery_Initialize + +[SLInit] +bServerSku=1 +bRemoteConnAllowed=1 +bFUSEnabled=1 +bAppServerAllowed=1 +bMultimonAllowed=1 +lMaxUserSessions=0 +ulMaxDebugSessions=0 +bInitialized=1 + +[6.3.9431.0-SLInit] +bFUSEnabled.x86 =A22A8 +lMaxUserSessions.x86 =A22AC +bAppServerAllowed.x86 =A22B0 +bInitialized.x86 =A22B4 +bMultimonAllowed.x86 =A22B8 +bServerSku.x86 =A22BC +ulMaxDebugSessions.x86=A22C0 +bRemoteConnAllowed.x86=A22C4 + +bFUSEnabled.x64 =C4490 +lMaxUserSessions.x64 =C4494 +bAppServerAllowed.x64 =C4498 +bInitialized.x64 =C449C +bMultimonAllowed.x64 =C44A0 +bServerSku.x64 =C44A4 +ulMaxDebugSessions.x64=C44A8 +bRemoteConnAllowed.x64=C44AC + +[6.3.9600.16384-SLInit] +bFUSEnabled.x86 =C02A8 +lMaxUserSessions.x86 =C02AC +bAppServerAllowed.x86 =C02B0 +bInitialized.x86 =C02B4 +bMultimonAllowed.x86 =C02B8 +bServerSku.x86 =C02BC +ulMaxDebugSessions.x86=C02C0 +bRemoteConnAllowed.x86=C02C4 + +bServerSku.x64 =E6494 +ulMaxDebugSessions.x64=E6498 +bRemoteConnAllowed.x64=E649C +bFUSEnabled.x64 =E64A0 +lMaxUserSessions.x64 =E64A4 +bAppServerAllowed.x64 =E64A8 +bInitialized.x64 =E64AC +bMultimonAllowed.x64 =E64B0 + +[6.3.9600.17095-SLInit] +bFUSEnabled.x86 =C12A8 +lMaxUserSessions.x86 =C12AC +bAppServerAllowed.x86 =C12B0 +bInitialized.x86 =C12B4 +bMultimonAllowed.x86 =C12B8 +bServerSku.x86 =C12BC +ulMaxDebugSessions.x86=C12C0 +bRemoteConnAllowed.x86=C12C4 + +bServerSku.x64 =E4494 +ulMaxDebugSessions.x64=E4498 +bRemoteConnAllowed.x64=E449C +bFUSEnabled.x64 =E44A0 +lMaxUserSessions.x64 =E44A4 +bAppServerAllowed.x64 =E44A8 +bInitialized.x64 =E44AC +bMultimonAllowed.x64 =E44B0 + +[6.4.9841.0-SLInit] +bFUSEnabled.x86 =BF9F0 +lMaxUserSessions.x86 =BF9F4 +bAppServerAllowed.x86 =BF9F8 +bInitialized.x86 =BF9FC +bMultimonAllowed.x86 =BFA00 +bServerSku.x86 =BFA04 +ulMaxDebugSessions.x86=BFA08 +bRemoteConnAllowed.x86=BFA0C + +bFUSEnabled.x64 =ECFF8 +lMaxUserSessions.x64 =ECFFC +bAppServerAllowed.x64 =ED000 +bInitialized.x64 =ED004 +bMultimonAllowed.x64 =ED008 +bServerSku.x64 =ED00C +ulMaxDebugSessions.x64=ED010 +bRemoteConnAllowed.x64=ED014 + +[6.4.9860.0-SLInit] +bFUSEnabled.x86 =BF7E0 +lMaxUserSessions.x86 =BF7E4 +bAppServerAllowed.x86 =BF7E8 +bInitialized.x86 =BF7EC +bMultimonAllowed.x86 =BF7F0 +bServerSku.x86 =BF7F4 +ulMaxDebugSessions.x86=BF7F8 +bRemoteConnAllowed.x86=BF7FC + +bFUSEnabled.x64 =ECBD8 +lMaxUserSessions.x64 =ECBDC +bAppServerAllowed.x64 =ECBE0 +bInitialized.x64 =ECBE4 +bMultimonAllowed.x64 =ECBE8 +bServerSku.x64 =ECBEC +ulMaxDebugSessions.x64=ECBF0 +bRemoteConnAllowed.x64=ECBF4