llccd / rdpwrapoffsetfinder Goto Github PK

75.0 5.0 8.0 45 KB

Automatically find rdpwrap offsets

C++ 93.82% Batchfile 6.18%

rdpwrapoffsetfinder's Introduction

RDPWrapOffsetFinder

Automatically find offsets needed by RDPWrap and generate rdpwrap.ini

Usage

Pass the path of termsrv.dll as command line argument. If not provided, default to current system's termsrv.dll in System32 directory.

Compile

This project depends on zydis, you needed to build zydis first.

Use git submodule update --init --recursive to initialize the submodule
Open zydis\msvc\Zydis.sln and build DLL version of zydis
Open RDPWrapOffsetFinder.sln and start build
After build, copy dbghelp.dll symsrv.dll symsrv.yes (you can find them in Windows SDK) and Zydis.dll (also Zydis.pdb if you want to debug) to the same directory of the EXE file

Notes

Windows 8 Consumer Preview (SLPolicyFunc=New_Win8SL_CP) is currently not supported
32bit versions are not widely tested and may return wrong result
PDB symbol of termsrv.dll is needed. If the program outputs nothing, check your Internet connection to Microsoft symbol server. You can manually set environment variable _NT_SYMBOL_PATH to use a symbol proxy
If symbol is not available, you can try the _nosymbol version which manually search pattens. _nosymbol version only supports 64bit system

rdpwrapoffsetfinder's People

Contributors

Stargazers

Watchers

Forkers

xiaoshengduan wongsyrone loyejaotdiqr47123 cybort phuang0915 lamorais95 yifeimfd skyformat99

rdpwrapoffsetfinder's Issues

DefPolicyPatch error on 10.0.17063.1000 x64

[10.0.17063.1000]
SingleUserPatch.x64=1
SingleUserOffset.x64=31739
SingleUserCode.x64=Zero
ERROR: DefPolicyPatch not found
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=92671
LocalOnlyCode.x64=jmpshort
SLInitHook.x64=1
SLInitOffset.x64=2318C
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.17063.1000-SLInit]
bServerSku.x64=F1378
bRemoteConnAllowed.x64=F2434
bFUSEnabled.x64=F2440
bAppServerAllowed.x64=F1380
bMultimonAllowed.x64=F2438
lMaxUserSessions.x64=F137C
ulMaxDebugSessions.x64=F243C
bInitialized.x64=F2430

Windows 11_10.0.22621.3520 not working

Windows 11_10.0.22621.3520 not working
use RDPWrapOffsetFinder.exe > Error
use RDPWrapOffsetFinder_nosymbol.exe > The following parameters are generated, but putting them into rdpwrap.ini will cause Service & Listener Error and make it unable to operate.

[10.0.22621.3520]
SingleUserPatch.x64=1
SingleUserOffset.x64=C4D3
SingleUserCode.x64=Zero
DefPolicyPatch.x64=1
DefPolicyOffset.x64=1C3C5
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=9D741
LocalOnlyCode.x64=jmpshort
SLInitHook.x64=1
SLInitOffset.x64=29FB0
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.22621.3520-SLInit]
bServerSku.x64=12BF50
bRemoteConnAllowed.x64=12BF64
bFUSEnabled.x64=12BF74
bAppServerAllowed.x64=12BF5C
bMultimonAllowed.x64=12BF68
lMaxUserSessions.x64=12BF54
ulMaxDebugSessions.x64=12BF70
bInitialized.x64=12BF4C

SingleUserOffset.x64 is different

I found that one of the values obtained by your tool for termsrv.dll for Windows 10 (I only tested Windows 10) is SingleUserOffset.x64
Its value is different from the value in the rdpwrap.ini version of sebaxakerhtc.

Only the most recent versions of termsrv.dll (from 10.0.19041.4239 to 10.0.19041.4355) have exactly the same data.

Earlier than version 10.0.19041.4239, the value of SingleUserOffset.x64 is different from the sebaxakerhtc version.

For example, termsrv.dll version: 10.0.19041.3636 (Win10 22H2 03-2024), with your tool, I get: SingleUserOffset.x64=182FB
But sebaxakerhtc version: SingleUserOffset.x64=11E12

For example, termsrv.dll version: 10.0.19041.789 (Win10 21H1 10-2020), with your tool, I get: SingleUserOffset.x64=8107
But sebaxakerhtc version: SingleUserOffset.x64=0CA4C

I guess only one side is right. So which side is right?

sebaxakerhtc version: github.com/sebaxakerhtc/rdpwrap.ini

Problem:different sessions for the same user are created every time I login

See sebaxakerhtc/rdpwrap.ini#380 and stascorp/rdpwrap#2590

10.0.19041.4239 - not working

I've added the offsets, all is green now, even rebooted my PC. Still single user mode.

Virus found in executable. FakeFire

Windows Defender is reporting the latest RDPWrapOffsetFinder v0.5 as containing a virus called FakeFire.A

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:Win32/Fakefire.A&threatId=-2147368047

doesn't find values for 10.0.22621.3593

Ran latest version RDPWrapOffsetFinder-0.5. Produces:

[10.0.22621.3593]
ERROR: CDefPolicy_Query not found
ERROR: GetInstanceOfTSLicense not found
ERROR: CSLQuery_Initialize not found

Can't find SLInit on 10.0.10240.20708

(only nosymbol mode error
termsrv_10.0.10240.20708.zip

ERROR: SingleUserPatch not found (10.0.17763.1)

10.0.17763.1.zip
C:\Users\bobo\Desktop\RDPWrapOffsetFinder\64bit>C:\Users\bobo\Desktop\RDPWrapOffsetFinder\64bit\RDPWrapOffsetFinder_nosymbol.exe C:\Users\bobo\Desktop\termsrv.dll
[10.0.17763.1]
ERROR: SingleUserPatch not found
DefPolicyPatch.x64=1
DefPolicyOffset.x64=17F45
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=77941
LocalOnlyCode.x64=jmpshort
SLInitHook.x64=1
SLInitOffset.x64=1ABFC
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.17763.1-SLInit]
bServerSku.x64=ECAB4
bRemoteConnAllowed.x64=ECAC4
bFUSEnabled.x64=ECAD0
bAppServerAllowed.x64=ECAC0
bMultimonAllowed.x64=ECAC8
lMaxUserSessions.x64=ECAB8
ulMaxDebugSessions.x64=ECACC
bInitialized.x64=ECAB0