author | binarymaster <x86corez@gmail.com> | 2014-11-02 16:00:46 +0300 |
committer | binarymaster <x86corez@gmail.com> | 2014-11-02 16:00:46 +0300 |
commit | 5f07396fad3b1e6992488495d9a2a23e98c254b8 (patch) | |
tree | db46d8cbbebfdbc633402fbfda6eaf5b0b4681b7 /src-x86-x64-Fusix | |
parent | de975423bd94130a01126b17b74a49ad37f1a709 (diff) |
Commit 2014.11.02
Added support for termsrv.dll 6.4.9860.0
Diffstat (limited to 'src-x86-x64-Fusix')
-rw-r--r-- | src-x86-x64-Fusix/rdpw32.dll | bin | 86016 -> 86016 bytes | |||
-rw-r--r-- | src-x86-x64-Fusix/rdpw64.dll | bin | 98304 -> 98816 bytes | |||
-rw-r--r-- | src-x86-x64-Fusix/src/RDPWrap.cpp | 119 |
3 files changed, 119 insertions, 0 deletions
diff --git a/src-x86-x64-Fusix/rdpw32.dll b/src-x86-x64-Fusix/rdpw32.dll Binary files differindex 306889d..426b52a 100644 --- a/src-x86-x64-Fusix/rdpw32.dll +++ b/src-x86-x64-Fusix/rdpw32.dll diff --git a/src-x86-x64-Fusix/rdpw64.dll b/src-x86-x64-Fusix/rdpw64.dll Binary files differindex 9fddf48..084c4fc 100644 --- a/src-x86-x64-Fusix/rdpw64.dll +++ b/src-x86-x64-Fusix/rdpw64.dll diff --git a/src-x86-x64-Fusix/src/RDPWrap.cpp b/src-x86-x64-Fusix/src/RDPWrap.cpp index 69df681..52ee4df 100644 --- a/src-x86-x64-Fusix/src/RDPWrap.cpp +++ b/src-x86-x64-Fusix/src/RDPWrap.cpp @@ -33,12 +33,17 @@ // 6.3.9600.16384 (Windows 8.1) [init hook + extended patch] // 6.3.9600.17095 (Windows 8.1 with KB2959626) [init hook + extended patch] // 6.4.9841.0 (Windows 10 Technical Preview) [init hook + extended patch] +// 6.4.9860.0 (Windows 10 Technical Preview 1) [init hook + extended patch] // Known failures // 6.0.6000.16386 (Windows Vista RTM x86, crashes on logon attempt) // Internal changelog: +// 2014.11.02 : +// - researching termsrv.dll 6.4.9860.0 +// - done + // 2014.10.19 : // - added support for version 6.0.6000.16386 (x64) // - added support for version 6.0.6001.18000 (x64) @@ -368,6 +373,19 @@ char CDefPolicy_Query_eax_rcx[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x3 // .text:000000018000C130 nop // char CDefPolicy_Query_eax_rcx[] +// termsrv.dll build 6.4.9860.0 + +// Original +// .text:000000018000B9F5 cmp [rcx+63Ch], eax +// .text:000000018000B9FB jz sub_18003B9C8 +//_______________ +// +// Changed +// .text:000000018000B9F5 mov eax, 100h +// .text:000000018000B9FA mov [rcx+638h], eax +// .text:000000018000BA00 nop +// char CDefPolicy_Query_eax_rcx[] + #else typedef unsigned long PLATFORM_DWORD; struct FARJMP 
@@ -608,6 +626,19 @@ char CDefPolicy_Query_eax_ecx[] = {0xB8, 0x00, 0x01, 0x00, 0x00, 0x89, 0x81, 0x2 // .text:1003B994 nop // char CDefPolicy_Query_eax_ecx[] +// termsrv.dll build 6.4.9860.0 + +// Original +// .text:1003BEC9 cmp eax, [ecx+320h] +// .text:1003BECF jz loc_1005EE1A +//_______________ +// +// Changed +// .text:1003BEC9 mov eax, 100h +// .text:1003BECE mov [ecx+320h], eax +// .text:1003BED4 nop +// char CDefPolicy_Query_eax_ecx[] + #endif FARJMP Old_SLGetWindowsInformationDWORD, Stub_SLGetWindowsInformationDWORD; @@ -1061,6 +1092,28 @@ HRESULT WINAPI New_CSLQuery_Initialize() bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xBFA0C); #endif } + if (FV.Release == 9860 && FV.Build == 0) + { + #ifdef _WIN64 + bFUSEnabled = (DWORD*)(TermSrvBase + 0xECBD8); + lMaxUserSessions = (DWORD*)(TermSrvBase + 0xECBDC); + bAppServerAllowed = (DWORD*)(TermSrvBase + 0xECBE0); + bInitialized = (DWORD*)(TermSrvBase + 0xECBE4); + bMultimonAllowed = (DWORD*)(TermSrvBase + 0xECBE8); + bServerSku = (DWORD*)(TermSrvBase + 0xECBEC); + ulMaxDebugSessions = (DWORD*)(TermSrvBase + 0xECBF0); + bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xECBF4); + #else + bFUSEnabled = (DWORD*)(TermSrvBase + 0xBF7E0); + lMaxUserSessions = (DWORD*)(TermSrvBase + 0xBF7E4); + bAppServerAllowed = (DWORD*)(TermSrvBase + 0xBF7E8); + bInitialized = (DWORD*)(TermSrvBase + 0xBF7EC); + bMultimonAllowed = (DWORD*)(TermSrvBase + 0xBF7F0); + bServerSku = (DWORD*)(TermSrvBase + 0xBF7F4); + ulMaxDebugSessions = (DWORD*)(TermSrvBase + 0xBF7F8); + bRemoteConnAllowed = (DWORD*)(TermSrvBase + 0xBF7FC); + #endif + } if (bServerSku) { Log = new char[1024]; 
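Review bot: The added `if (FV.Release == 9860 && FV.Build == 0)` block in New_CSLQuery_Initialize repeats the eight-pointer assignment sequence of the preceding version block with only the offsets changed, and the `#ifdef _WIN64` split doubles it, so a single mistyped offset is easy to miss in review. A per-version table of `{Release, Build, offsets[8]}` entries looked up once would put the offsets for every supported build side by side and leave a single assignment sequence to verify; the eight variables are assigned in the same order in both arms, which is what such a table relies on. The enclosing function starts and ends outside the hunk.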
@@ -2142,6 +2195,72 @@ void Hook() #endif WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &Jump, sizeof(FARJMP), &bw); } + if (FV.Release == 9860 && FV.Build == 0) + { + WriteToLog("Patch CEnforcementCore::GetInstanceOfTSLicense\r\n"); + #ifdef _WIN64 + // .text:0000000180081083 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + // .text:0000000180081088 test eax, eax + // .text:000000018008108A js short loc_1800810AB + // .text:000000018008108C cmp [rsp+58h+arg_18], 0 + // .text:0000000180081091 jz short loc_1800810AB <- jmp + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x81091); + #else + // .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + // .text:100962C0 test eax, eax + // .text:100962C2 js short loc_100962DF + // .text:100962C4 cmp [ebp+var_C], 0 + // .text:100962C8 jz short loc_100962DF <- jmp + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x962C8); + #endif + b = 0xEB; + WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &b, sizeof(b), &bw); + + WriteToLog("Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled\r\n"); + #ifdef _WIN64 + // .text:0000000180011AA3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation + // .text:0000000180011AA8 mov ebx, 1 <- 0 + // .text:0000000180011AAD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch + // .text:0000000180011AB5 mov [rdi], ebx + // .text:0000000180011AB7 call cs:__imp_GetVersionExW + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x11AA9); + b = 0; + #else + // .text:10030841 lea eax, [esp+150h+VersionInformation] + // .text:10030845 inc ebx <- nop + // .text:10030846 mov [edi], ebx + // .text:10030848 push eax ; lpVersionInformation + // .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x30845); + b = 0x90; + #endif + WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &b, 
sizeof(b), &bw); + + WriteToLog("Patch CDefPolicy::Query\r\n"); + #ifdef _WIN64 + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0xB9F5); + WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &CDefPolicy_Query_eax_rcx, sizeof(CDefPolicy_Query_eax_rcx), &bw); + #else + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x3BEC9); + WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &CDefPolicy_Query_eax_ecx, sizeof(CDefPolicy_Query_eax_ecx), &bw); + #endif + + WriteToLog("Hook CSLQuery::Initialize\r\n"); + #ifdef _WIN64 + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x1EB00); + Jump.MovOp = 0x48; + Jump.MovRegArg = 0xB8; + Jump.MovArg = (PLATFORM_DWORD)New_CSLQuery_Initialize; + Jump.PushRaxOp = 0x50; + Jump.RetOp = 0xC3; + #else + SignPtr = (PLATFORM_DWORD)(TermSrvBase + 0x46F18); + Jump.PushOp = 0x68; + Jump.PushArg = (PLATFORM_DWORD)New_CSLQuery_Initialize; + Jump.RetOp = 0xC3; + #endif + WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &Jump, sizeof(FARJMP), &bw); + } } } WriteToLog("resume\r\n"); |
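Review bot: None of the `WriteProcessMemory` calls in the new 9860 block check the BOOL result or compare `bw` with the requested size, so a failed write leaves the module half-patched while the preceding `WriteToLog` line has already reported the step; the GetInstanceOfTSLicense, IsSingleSessionPerUserEnabled, CDefPolicy::Query and CSLQuery::Initialize steps all follow this pattern, as does the pre-existing context line above the block. A guard such as `if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)SignPtr, &b, sizeof(b), &bw) || bw != sizeof(b)) WriteToLog("WriteProcessMemory failed\r\n");` at each call, or a small helper that every step uses and that also logs `GetLastError()`, would make a partial patch visible in the log rather than surfacing later as a crash. Hook() begins outside the hunk.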