From 95b6719cbcd44ad6e914a06d2a60800d50ee7d6a Mon Sep 17 00:00:00 2001 From: binarymaster Date: Fri, 21 Nov 2014 05:47:25 +0300 Subject: [PATCH] Great improvements Added support to store patch settings in INI file, so the code is more readable now. Library version support now can be extended without recompilation of the project, but C++ version needs to be updated. --- src-x86-binarymaster/src/LiteINI.pas | 375 +++++ src-x86-binarymaster/src/rdpwrap-old.dpr | 1648 ++++++++++++++++++++++ src-x86-binarymaster/src/rdpwrap.dpr | 1219 +++------------- src-x86-binarymaster/src/rdpwrap.ini | 1250 ++++++++++++++++ 4 files changed, 3433 insertions(+), 1059 deletions(-) create mode 100644 src-x86-binarymaster/src/LiteINI.pas create mode 100644 src-x86-binarymaster/src/rdpwrap-old.dpr create mode 100644 src-x86-binarymaster/src/rdpwrap.ini diff --git a/src-x86-binarymaster/src/LiteINI.pas b/src-x86-binarymaster/src/LiteINI.pas new file mode 100644 index 0000000..08d144d --- /dev/null +++ b/src-x86-binarymaster/src/LiteINI.pas @@ -0,0 +1,375 @@ +{ + Copyright 2014 Stas'M Corp. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +} + +unit LiteINI; + +interface + +uses + SysUtils; + +type + SList = Array of String; + INIValue = record + Name: String; + Value: String; + end; + INISection = record + Name: String; + Values: Array of INIValue; + end; + INIFile = Array of INISection; + +procedure SListClear(var List: SList); +function SListAppend(var List: SList; S: String): Integer; +function SListFind(List: SList; Value: String): Integer; +function INIFindSection(INI: INIFile; Section: String): Integer; +function INIFindValue(INI: INIFile; Section: Integer; Value: String): Integer; +function INIAddSection(var INI: INIFile; Section: String): Integer; +function INIAddValue(var INI: INIFile; Section: Integer; ValueName, Value: String): Integer; +procedure INIUnload(var INI: INIFile); +procedure INILoad(var INI: INIFile; FileName: String); +function INISectionExists(INI: INIFile; Section: String): Boolean; +function INIValueExists(INI: INIFile; Section: String; Value: String): Boolean; +function INIReadSectionLowAPI(INI: INIFile; Section: Integer; var List: SList): Boolean; +function INIReadSection(INI: INIFile; Section: String): SList; +function INIReadStringLowAPI(INI: INIFile; Section, Value: Integer; var Str: String): Boolean; +function INIReadString(INI: INIFile; Section, Value, Default: String): String; +function INIReadInt(INI: INIFile; Section, Value: String; Default: Integer): Integer; +function INIReadDWord(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +function INIReadIntHex(INI: INIFile; Section, Value: String; Default: Integer): Integer; +function INIReadDWordHex(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +function INIReadBool(INI: INIFile; Section, Value: String; Default: Boolean): Boolean; +function INIReadBytes(INI: INIFile; Section, Value: String): TBytes; +function INIReadBytesDef(INI: INIFile; Section, Value: String; Default: TBytes): TBytes; + +implementation + +procedure SListClear(var List: SList); +begin + SetLength(List, 0); +end; + +function SListAppend(var List: SList; S: String): Integer; +begin + SetLength(List, Length(List) + 1); + List[Length(List) - 1] := S; + Result := Length(List) - 1; +end; + +function SListFind(List: SList; Value: String): Integer; +var + I: Integer; +begin + Result := -1; + for I := 0 to Length(List) - 1 do + if List[I] = Value then begin + Result := I; + Break; + end; +end; + +function INIFindSection(INI: INIFile; Section: String): Integer; +var + I: Integer; +begin + Result := -1; + for I := 0 to Length(INI) - 1 do + if INI[I].Name = Section then begin + Result := I; + Exit; + end; +end; + +function INIFindValue(INI: INIFile; Section: Integer; Value: String): Integer; +var + I: Integer; +begin + Result := -1; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + for I := 0 to Length(INI[Section].Values) - 1 do + if INI[Section].Values[I].Name = Value then begin + Result := I; + Exit; + end; +end; + +function INIAddSection(var INI: INIFile; Section: String): Integer; +begin + Result := INIFindSection(INI, Section); + if Result >= 0 then + Exit; + Result := Length(INI); + SetLength(INI, Result + 1); + INI[Result].Name := Section; + SetLength(INI[Result].Values, 0); +end; + +function INIAddValue(var INI: INIFile; Section: Integer; ValueName, Value: String): Integer; +var + I: Integer; +begin + Result := -1; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + I := INIFindValue(INI, Section, ValueName); + if I = -1 then begin + Result := Length(INI[Section].Values); + SetLength(INI[Section].Values, Result + 1); + INI[Section].Values[Result].Name := ValueName; + INI[Section].Values[Result].Value := Value; + end else begin + INI[Section].Values[I].Value := Value; + Result := I; + end; +end; + +procedure INIUnload(var INI: INIFile); +begin + SetLength(INI, 0); +end; + +procedure INILoad(var INI: INIFile; FileName: String); +var + F: TextFile; + S, ValueName, Value: String; + INIList: SList; + I, Sect: Integer; +begin + INIUnload(INI); + if not FileExists(FileName) then + Exit; + AssignFile(F, FileName); + Reset(F); + // Read and filter lines + while not EOF(F) do begin + Readln(F, S); + if (Pos(';', S) <> 1) + and (Pos('#', S) <> 1) + and ( + ((Pos('[', S) > 0) and (Pos(']', S) > 0)) or + (Pos('=', S) > 0) + ) + then + SListAppend(INIList, S); + end; + CloseFile(F); + // Parse 2 (parse format) + Sect := -1; + for I := 0 to Length(INIList) - 1 do begin + S := Trim(INIList[I]); + if Length(S) >= 2 then + if (S[1] = '[') and (S[Length(S)] = ']') then begin + S := Trim(Copy(S, 2, Length(S) - 2)); + Sect := INIAddSection(INI, S); + Continue; + end; + S := INIList[I]; + if Pos('=', S) > 0 then begin + ValueName := Trim(Copy(S, 1, Pos('=', S) - 1)); + Value := Copy(S, Pos('=', S) + 1, Length(S) - Pos('=', S)); + if Sect = -1 then + Sect := INIAddSection(INI, ''); + INIAddValue(INI, Sect, ValueName, Value); + end; + end; +end; + +function INISectionExists(INI: INIFile; Section: String): Boolean; +begin + Result := INIFindSection(INI, Section) > -1; +end; + +function INIValueExists(INI: INIFile; Section: String; Value: String): Boolean; +var + Sect: Integer; +begin + Sect := INIFindSection(INI, Section); + Result := INIFindValue(INI, Sect, Value) > -1; +end; + +function INIReadSectionLowAPI(INI: INIFile; Section: Integer; var List: SList): Boolean; +var + I: Integer; +begin + Result := False; + SetLength(List, 0); + if (Section < 0) or (Section >= Length(INI)) then + Exit; + for I := 0 to Length(INI[Section].Values) - 1 do + SListAppend(List, INI[Section].Values[I].Name); + Result := True; +end; + +function INIReadSection(INI: INIFile; Section: String): SList; +var + Sect: Integer; +begin + Sect := INIFindSection(INI, Section); + INIReadSectionLowAPI(INI, Sect, Result); +end; + +function INIReadStringLowAPI(INI: INIFile; Section, Value: Integer; var Str: String): Boolean; +begin + Result := False; + if (Section < 0) or (Section >= Length(INI)) then + Exit; + if (Value < 0) or (Value >= Length(INI[Section].Values)) then + Exit; + Str := INI[Section].Values[Value].Value; + Result := True; +end; + +function INIReadString(INI: INIFile; Section, Value, Default: String): String; +var + Sect, Val: Integer; +begin + Sect := INIFindSection(INI, Section); + Val := INIFindValue(INI, Sect, Value); + if not INIReadStringLowAPI(INI, Sect, Val, Result) then + Result := Default; +end; + +function INIReadInt(INI: INIFile; Section, Value: String; Default: Integer): Integer; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadDWord(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadIntHex(INI: INIFile; Section, Value: String; Default: Integer): Integer; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val('$'+S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadDWordHex(INI: INIFile; Section, Value: String; Default: Cardinal): Cardinal; +var + S: String; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val('$'+S, Result, E); + if E <> 0 then + Result := Default; +end; + +function INIReadBool(INI: INIFile; Section, Value: String; Default: Boolean): Boolean; +var + S: String; + I: Cardinal; + E: Integer; +begin + S := INIReadString(INI, Section, Value, ''); + Val(S, I, E); + if E <> 0 then + Result := Default + else + Result := I > 0; +end; + +function StringToBytes(S: String; var B: TBytes): Boolean; +var + I: Integer; +begin + Result := False; + if Odd(Length(S)) then + Exit; + SetLength(B, Length(S) div 2); + for I := 0 to Length(B) - 1 do begin + B[I] := 0; + case S[(I*2)+2] of + '0': ; + '1': B[I] := B[I] or $1; + '2': B[I] := B[I] or $2; + '3': B[I] := B[I] or $3; + '4': B[I] := B[I] or $4; + '5': B[I] := B[I] or $5; + '6': B[I] := B[I] or $6; + '7': B[I] := B[I] or $7; + '8': B[I] := B[I] or $8; + '9': B[I] := B[I] or $9; + 'A','a': B[I] := B[I] or $A; + 'B','b': B[I] := B[I] or $B; + 'C','c': B[I] := B[I] or $C; + 'D','d': B[I] := B[I] or $D; + 'E','e': B[I] := B[I] or $E; + 'F','f': B[I] := B[I] or $F; + else Exit; + end; + case S[(I*2)+1] of + '0': ; + '1': B[I] := B[I] or $10; + '2': B[I] := B[I] or $20; + '3': B[I] := B[I] or $30; + '4': B[I] := B[I] or $40; + '5': B[I] := B[I] or $50; + '6': B[I] := B[I] or $60; + '7': B[I] := B[I] or $70; + '8': B[I] := B[I] or $80; + '9': B[I] := B[I] or $90; + 'A','a': B[I] := B[I] or $A0; + 'B','b': B[I] := B[I] or $B0; + 'C','c': B[I] := B[I] or $C0; + 'D','d': B[I] := B[I] or $D0; + 'E','e': B[I] := B[I] or $E0; + 'F','f': B[I] := B[I] or $F0; + else Exit; + end; + end; + Result := True; +end; + +function INIReadBytes(INI: INIFile; Section, Value: String): TBytes; +var + S: String; +begin + S := INIReadString(INI, Section, Value, ''); + if not StringToBytes(S, Result) then + SetLength(Result, 0); +end; + +function INIReadBytesDef(INI: INIFile; Section, Value: String; Default: TBytes): TBytes; +var + S: String; +begin + S := INIReadString(INI, Section, Value, ''); + if not StringToBytes(S, Result) then + Result := Default; +end; + +end. diff --git a/src-x86-binarymaster/src/rdpwrap-old.dpr b/src-x86-binarymaster/src/rdpwrap-old.dpr new file mode 100644 index 0000000..b4c8351 --- /dev/null +++ b/src-x86-binarymaster/src/rdpwrap-old.dpr @@ -0,0 +1,1648 @@ +{ + Copyright 2014 Stas'M Corp. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +} + +library rdpwrap; + +uses + SysUtils, + Windows, + TlHelp32; + +{$R rdpwrap.res} + +// Hook core definitions + +type + OldCode = packed record + One: DWORD; + two: Word; + end; + + far_jmp = packed record + PushOp: Byte; + PushArg: Pointer; + RetOp: Byte; + end; + + mov_far_jmp = packed record + MovOp: Byte; + MovArg: Byte; + PushOp: Byte; + PushArg: Pointer; + RetOp: Byte; + end; + + TTHREADENTRY32 = packed record + dwSize: DWORD; + cntUsage: DWORD; + th32ThreadID: DWORD; + th32OwnerProcessID: DWORD; + tpBasePri: LongInt; + tpDeltaPri: LongInt; + dwFlags: DWORD; + end; + IntArray = Array of Integer; + FILE_VERSION = record + Version: record case Boolean of + True: (dw: DWORD); + False: (w: record + Minor, Major: Word; + end;) + end; + Release, Build: Word; + bDebug, bPrerelease, bPrivate, bSpecial: Boolean; + end; + +const + THREAD_SUSPEND_RESUME = 2; + TH32CS_SNAPTHREAD = 4; +var + bw: DWORD; + IsHooked: Boolean = False; + FCount: Cardinal = 0; + +// Unhooked import + +function OpenThread(dwDesiredAccess: DWORD; bInheritHandle: BOOL; + dwThreadId: DWORD): DWORD; stdcall; external kernel32; + +function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): DWORD; + stdcall; external kernel32; + +function Thread32First(hSnapshot: THandle; var lpte: TTHREADENTRY32): bool; + stdcall; external kernel32; + +function Thread32Next(hSnapshot: THandle; var lpte: TTHREADENTRY32): bool; + stdcall; external kernel32; + +// Wrapped import + +var + TSMain: function(dwArgc: DWORD; lpszArgv: PWideChar): DWORD; stdcall; + TSGlobals: function(lpGlobalData: Pointer): DWORD; stdcall; + +// Hooked import and vars + +var + SLGetWindowsInformationDWORD: function(pwszValueName: PWideChar; + pdwValue: PDWORD): HRESULT; stdcall; + TermSrvBase: Pointer; + FV: FILE_VERSION; + +const + CDefPolicy_Query_edx_ecx: Array[0..12] of Byte = + ($BA,$00,$01,$00,$00,$89,$91,$20,$03,$00,$00,$5E,$90); + CDefPolicy_Query_eax_esi: Array[0..11] of Byte = + ($B8,$00,$01,$00,$00,$89,$86,$20,$03,$00,$00,$90); + CDefPolicy_Query_eax_ecx: Array[0..11] of Byte = + ($B8,$00,$01,$00,$00,$89,$81,$20,$03,$00,$00,$90); + +{ +termsrv.dll 6.0.6000.16386 + +Original +.text:6F335CD8 cmp edx, [ecx+320h] +.text:6F335CDE pop esi +.text:6F335CDF jz loc_6F3426F1 +_______________ + +Changed +.text:6F335CD8 mov edx, 100h +.text:6F335CDD mov [ecx+320h], edx +.text:6F335CE3 pop esi +.text:6F335CE4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6001.18000 + +Original +.text:6E817FD8 cmp edx, [ecx+320h] +.text:6E817FDE pop esi +.text:6E817FDF jz loc_6E826F16 +_______________ + +Changed +.text:6E817FD8 mov edx, 100h +.text:6E817FDD mov [ecx+320h], edx +.text:6E817FE3 pop esi +.text:6E817FE4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.18005 + +Original +.text:6F5979C0 cmp edx, [ecx+320h] +.text:6F5979C6 pop esi +.text:6F5979C7 jz loc_6F5A6F26 +_______________ + +Changed +.text:6F5979C0 mov edx, 100h +.text:6F5979C5 mov [ecx+320h], edx +.text:6F5979CB pop esi +.text:6F5979CC nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.19214 + +Original +.text:6F5979B8 cmp edx, [ecx+320h] +.text:6F5979BE pop esi +.text:6F5979BF jz loc_6F5A6F3E +_______________ + +Changed +.text:6F5979B8 mov edx, 100h +.text:6F5979BD mov [ecx+320h], edx +.text:6F5979C3 pop esi +.text:6F5979C4 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.0.6002.23521 + +Original +.text:6F5979CC cmp edx, [ecx+320h] +.text:6F5979D2 pop esi +.text:6F5979D3 jz loc_6F5A6F2E +_______________ + +Changed +.text:6F5979CC mov edx, 100h +.text:6F5979D1 mov [ecx+320h], edx +.text:6F5979D7 pop esi +.text:6F5979D8 nop +CDefPolicy_Query_edx_ecx + +termsrv.dll 6.1.7600.16385 + +Original +.text:6F2F96F3 cmp eax, [esi+320h] +.text:6F2F96F9 jz loc_6F30E256 +_______________ + +Changed +.text:6F2F96F3 mov eax, 100h +.text:6F2F96F8 mov [esi+320h], eax +.text:6F2F96FE nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.17514 + +Original +.text:6F2F9D53 cmp eax, [esi+320h] +.text:6F2F9D59 jz loc_6F30B25E +_______________ + +Changed +.text:6F2F9D53 mov eax, 100h +.text:6F2F9D58 mov [esi+320h], eax +.text:6F2F9D5E nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.18540 + +Original +.text:6F2F9D9F cmp eax, [esi+320h] +.text:6F2F9DA5 jz loc_6F30B2AE +_______________ + +Changed +.text:6F2F9D9F mov eax, 100h +.text:6F2F9DA4 mov [esi+320h], eax +.text:6F2F9DAA nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.22750 + +Original +.text:6F2F9E21 cmp eax, [esi+320h] +.text:6F2F9E27 jz loc_6F30B6CE +_______________ + +Changed +.text:6F2F9E21 mov eax, 100h +.text:6F2F9E26 mov [esi+320h], eax +.text:6F2F9E2C nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.18637 + +Original +.text:6F2F9DBB cmp eax, [esi+320h] +.text:6F2F9DC1 jz loc_6F30B2A6 +_______________ + +Changed +.text:6F2F9DBB mov eax, 100h +.text:6F2F9DC0 mov [esi+320h], eax +.text:6F2F9DC6 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.1.7601.22843 + +Original +.text:6F2F9E25 cmp eax, [esi+320h] +.text:6F2F9E2B jz loc_6F30B6D6 +_______________ + +Changed +.text:6F2F9E25 mov eax, 100h +.text:6F2F9E2A mov [esi+320h], eax +.text:6F2F9E30 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8102.0 + +Original +.text:1000E47C cmp eax, [esi+320h] +.text:1000E482 jz loc_1002D775 +_______________ + +Changed +.text:1000E47C mov eax, 100h +.text:1000E481 mov [esi+320h], eax +.text:1000E487 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8250.0 + +Original +.text:10013520 cmp eax, [esi+320h] +.text:10013526 jz loc_1002DB85 +_______________ + +Changed +.text:10013520 mov eax, 100h +.text:10013525 mov [esi+320h], eax +.text:1001352B nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.8400.0 + +Original +.text:10013E48 cmp eax, [esi+320h] +.text:10013E4E jz loc_1002E079 +_______________ + +Changed +.text:10013E48 mov eax, 100h +.text:10013E4D mov [esi+320h], eax +.text:10013E53 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.16384 + +Original +.text:10013F08 cmp eax, [esi+320h] +.text:10013F0E jz loc_1002E161 +_______________ + +Changed +.text:10013F08 mov eax, 100h +.text:10013F0D mov [esi+320h], eax +.text:10013F13 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.17048 + +Original +.text:1001F408 cmp eax, [esi+320h] +.text:1001F40E jz loc_1002E201 +_______________ + +Changed +.text:1001F408 mov eax, 100h +.text:1001F40D mov [esi+320h], eax +.text:1001F413 nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.2.9200.21166 + +Original +.text:10013F30 cmp eax, [esi+320h] +.text:10013F36 jz loc_1002E189 +_______________ + +Changed +.text:10013F30 mov eax, 100h +.text:10013F35 mov [esi+320h], eax +.text:10013F3B nop +CDefPolicy_Query_eax_esi + +termsrv.dll 6.3.9431.0 + +Original +.text:1002EA25 cmp eax, [ecx+320h] +.text:1002EA2B jz loc_100348C1 +_______________ + +Changed +.text:1002EA25 mov eax, 100h +.text:1002EA2A mov [ecx+320h], eax +.text:1002EA30 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.3.9600.16384 + +Original +.text:10016115 cmp eax, [ecx+320h] +.text:1001611B jz loc_10034DE1 +_______________ + +Changed +.text:10016115 mov eax, 100h +.text:1001611A mov [ecx+320h], eax +.text:10016120 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.3.9600.17095 + +Original +.text:10037529 cmp eax, [ecx+320h] +.text:1003752F jz loc_10043662 +_______________ + +Changed +.text:10037529 mov eax, 100h +.text:1003752E mov [ecx+320h], eax +.text:10037534 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.4.9841.0 + +Original +.text:1003B989 cmp eax, [ecx+320h] +.text:1003B98F jz loc_1005E809 +_______________ + +Changed +.text:1003B989 mov eax, 100h +.text:1003B98E mov [ecx+320h], eax +.text:1003B994 nop +CDefPolicy_Query_eax_ecx + +termsrv.dll 6.4.9860.0 + +Original +.text:1003BEC9 cmp eax, [ecx+320h] +.text:1003BECF jz loc_1005EE1A +_______________ + +Changed +.text:1003BEC9 mov eax, 100h +.text:1003BECE mov [ecx+320h], eax +.text:1003BED4 nop +CDefPolicy_Query_eax_ecx +} + +var + Stub_SLGetWindowsInformationDWORD: far_jmp; + Old_SLGetWindowsInformationDWORD: OldCode; + +// Main code + +procedure WriteLog(S: AnsiString); +const + LogFile = '\rdpwrap.txt'; +var + F: TextFile; +begin + if not FileExists(LogFile) then + Exit; + AssignFile(F, LogFile); + Append(F); + Write(F, S+#13#10); + CloseFile(F); +end; + +procedure StopThreads; +var + h, CurrTh, ThrHandle, CurrPr: DWORD; + Thread: TTHREADENTRY32; +begin + CurrTh := GetCurrentThreadId; + CurrPr := GetCurrentProcessId; + h := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + if h <> INVALID_HANDLE_VALUE then + begin + Thread.dwSize := SizeOf(TTHREADENTRY32); + if Thread32First(h, Thread) then + repeat + if (Thread.th32ThreadID <> CurrTh) and + (Thread.th32OwnerProcessID = CurrPr) then + begin + ThrHandle := OpenThread(THREAD_SUSPEND_RESUME, false, + Thread.th32ThreadID); + if ThrHandle > 0 then + begin + SuspendThread(ThrHandle); + CloseHandle(ThrHandle); + end; + end; + until not Thread32Next(h, Thread); + CloseHandle(h); + end; +end; + +procedure RunThreads; +var + h, CurrTh, ThrHandle, CurrPr: DWORD; + Thread: TTHREADENTRY32; +begin + CurrTh := GetCurrentThreadId; + CurrPr := GetCurrentProcessId; + h := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + if h <> INVALID_HANDLE_VALUE then + begin + Thread.dwSize := SizeOf(TTHREADENTRY32); + if Thread32First(h, Thread) then + repeat + if (Thread.th32ThreadID <> CurrTh) and + (Thread.th32OwnerProcessID = CurrPr) then + begin + ThrHandle := OpenThread(THREAD_SUSPEND_RESUME, false, + Thread.th32ThreadID); + if ThrHandle > 0 then + begin + ResumeThread(ThrHandle); + CloseHandle(ThrHandle); + end; + end; + until not Thread32Next(h, Thread); + CloseHandle(h); + end; +end; + +function GetModuleAddress(ModuleName: String; ProcessId: DWORD; var BaseAddr: Pointer; var BaseSize: DWORD): Boolean; +var + hSnap: THandle; + md: MODULEENTRY32; +begin + Result := False; + hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId); + if hSnap = INVALID_HANDLE_VALUE Then + Exit; + md.dwSize := SizeOf(MODULEENTRY32); + if Module32First(hSnap, md) then + begin + if LowerCase(ExtractFileName(md.szExePath)) = LowerCase(ModuleName) then + begin + Result := True; + BaseAddr := Pointer(md.modBaseAddr); + BaseSize := md.modBaseSize; + CloseHandle(hSnap); + Exit; + end; + while Module32Next(hSnap, md) Do + begin + if LowerCase(ExtractFileName(md.szExePath)) = LowerCase(ModuleName) then + begin + Result := True; + BaseAddr := Pointer(md.modBaseAddr); + BaseSize := md.modBaseSize; + Break; + end; + end; + end; + CloseHandle(hSnap); +end; + +{procedure FindMem(Mem: Pointer; MemSz: DWORD; Buf: Pointer; BufSz: DWORD; + From: DWORD; var A: IntArray); +var + I: Integer; +begin + SetLength(A, 0); + I:=From; + if From>0 then + Inc(PByte(Mem), From); + while I < MemSz - BufSz + 1 do + begin + if (not IsBadReadPtr(Mem, BufSz)) and (CompareMem(Mem, Buf, BufSz)) then + begin + SetLength(A, Length(A)+1); + A[Length(A)-1] := I; + end; + Inc(I); + Inc(PByte(Mem)); + end; +end;} + +function GetModuleVersion(const ModuleName: TFileName; var FileVersion: FILE_VERSION): Boolean; +type + VS_VERSIONINFO = record + wLength, wValueLength, wType: Word; + szKey: Array[1..16] of WideChar; + Padding1: Word; + Value: VS_FIXEDFILEINFO; + Padding2, Children: Word; + end; + PVS_VERSIONINFO = ^VS_VERSIONINFO; +const + VFF_DEBUG = 1; + VFF_PRERELEASE = 2; + VFF_PRIVATE = 8; + VFF_SPECIAL = 32; +var + hMod: HMODULE; + hResourceInfo: HRSRC; + VersionInfo: PVS_VERSIONINFO; +begin + Result := False; + + if ModuleName = '' then + hMod := GetModuleHandle(nil) + else + hMod := GetModuleHandle(PWideChar(ModuleName)); + if hMod = 0 then + Exit; + + hResourceInfo := FindResource(hMod, PWideChar(1), PWideChar($10)); + if hResourceInfo = 0 then + Exit; + + VersionInfo := Pointer(LoadResource(hMod, hResourceInfo)); + if VersionInfo = nil then + Exit; + + FileVersion.Version.dw := VersionInfo.Value.dwFileVersionMS; + FileVersion.Release := Word(VersionInfo.Value.dwFileVersionLS shr 16); + FileVersion.Build := Word(VersionInfo.Value.dwFileVersionLS); + FileVersion.bDebug := (VersionInfo.Value.dwFileFlags and VFF_DEBUG) = VFF_DEBUG; + FileVersion.bPrerelease := (VersionInfo.Value.dwFileFlags and VFF_PRERELEASE) = VFF_PRERELEASE; + FileVersion.bPrivate := (VersionInfo.Value.dwFileFlags and VFF_PRIVATE) = VFF_PRIVATE; + FileVersion.bSpecial := (VersionInfo.Value.dwFileFlags and VFF_SPECIAL) = VFF_SPECIAL; + + Result := True; +end; + +function GetFileVersion(const FileName: TFileName; var FileVersion: FILE_VERSION): Boolean; +type + VS_VERSIONINFO = record + wLength, wValueLength, wType: Word; + szKey: Array[1..16] of WideChar; + Padding1: Word; + Value: VS_FIXEDFILEINFO; + Padding2, Children: Word; + end; + PVS_VERSIONINFO = ^VS_VERSIONINFO; +const + VFF_DEBUG = 1; + VFF_PRERELEASE = 2; + VFF_PRIVATE = 8; + VFF_SPECIAL = 32; +var + hFile: HMODULE; + hResourceInfo: HRSRC; + VersionInfo: PVS_VERSIONINFO; +begin + Result := False; + + hFile := LoadLibraryEx(PWideChar(FileName), 0, LOAD_LIBRARY_AS_DATAFILE); + if hFile = 0 then + Exit; + + hResourceInfo := FindResource(hFile, PWideChar(1), PWideChar($10)); + if hResourceInfo = 0 then + Exit; + + VersionInfo := Pointer(LoadResource(hFile, hResourceInfo)); + if VersionInfo = nil then + Exit; + + FileVersion.Version.dw := VersionInfo.Value.dwFileVersionMS; + FileVersion.Release := Word(VersionInfo.Value.dwFileVersionLS shr 16); + FileVersion.Build := Word(VersionInfo.Value.dwFileVersionLS); + FileVersion.bDebug := (VersionInfo.Value.dwFileFlags and VFF_DEBUG) = VFF_DEBUG; + FileVersion.bPrerelease := (VersionInfo.Value.dwFileFlags and VFF_PRERELEASE) = VFF_PRERELEASE; + FileVersion.bPrivate := (VersionInfo.Value.dwFileFlags and VFF_PRIVATE) = VFF_PRIVATE; + FileVersion.bSpecial := (VersionInfo.Value.dwFileFlags and VFF_SPECIAL) = VFF_SPECIAL; + + Result := True; +end; + +function OverrideSL(ValueName: String; var Value: DWORD): Boolean; +begin + Result := True; + // Allow Remote Connections + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowRemoteConnections' then begin + Value := 1; + Exit; + end; + // Allow Multiple Sessions + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultipleSessions' then begin + Value := 1; + Exit; + end; + // Allow Multiple Sessions (Application Server Mode) + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowAppServerMode' then begin + Value := 1; + Exit; + end; + // Allow Multiple Monitors + if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultimon' then begin + Value := 1; + Exit; + end; + // Max User Sessions (0 = unlimited) + if ValueName = 'TerminalServices-RemoteConnectionManager-MaxUserSessions' then begin + Value := 0; + Exit; + end; + // Max Debug Sessions (Win 8, 0 = unlimited) + if ValueName = 'TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions' then begin + Value := 0; + Exit; + end; + // Max Sessions + // 0 - logon not possible even from console + // 1 - only one active user (console or remote) + // 2 - allow concurrent sessions + if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions' then begin + Value := 2; + Exit; + end; + // Allow Advanced Compression with RDP 7 Protocol + if ValueName = 'TerminalServices-RDP-7-Advanced-Compression-Allowed' then begin + Value := 1; + Exit; + end; + // IsTerminalTypeLocalOnly = 0 + if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly' then begin + Value := 0; + Exit; + end; + // Max Sessions (hard limit) + if ValueName = 'TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions' then begin + Value := 1000; + Exit; + end; + // Allow Easy Print + if ValueName = 'TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed' then begin + Value := 1; + Exit; + end; + Result := False; +end; + +function New_SLGetWindowsInformationDWORD(pwszValueName: PWideChar; + pdwValue: PDWORD): HRESULT; stdcall; +var + dw: DWORD; +begin + // wrapped SLGetWindowsInformationDWORD function + // termsrv.dll will call this function instead of original SLC.dll + + // Override SL Policy + + WriteLog('Policy query: ' + pwszValueName); + if OverrideSL(pwszValueName, dw) then begin + pdwValue^ := dw; + Result := S_OK; + WriteLog('Rewrite: ' + IntToStr(pdwValue^)); + Exit; + end; + + // If the requested value name is not defined above + + // revert to original SL Policy function + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + + // get result + Result := SLGetWindowsInformationDWORD(pwszValueName, pdwValue); + if Result = S_OK then + WriteLog('Result: ' + IntToStr(pdwValue^)) + else + WriteLog('Failed'); + // wrap it back + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); +end; + +function New_Win8SL(pwszValueName: PWideChar; pdwValue: PDWORD): HRESULT; register; +var + dw: DWORD; +begin + // wrapped unexported function SLGetWindowsInformationDWORDWrapper in termsrv.dll + // for Windows 8 support + + // Override SL Policy + + WriteLog('Policy query: ' + pwszValueName); + if OverrideSL(pwszValueName, dw) then begin + pdwValue^ := dw; + Result := S_OK; + WriteLog('Rewrite: ' + IntToStr(pdwValue^)); + Exit; + end; + + // If the requested value name is not defined above + // use function from SLC.dll + + Result := SLGetWindowsInformationDWORD(pwszValueName, pdwValue); + if Result = S_OK then + WriteLog('Result: ' + IntToStr(pdwValue^)) + else + WriteLog('Failed'); +end; + +function New_Win8SL_CP(eax: DWORD; pdwValue: PDWORD; ecx: DWORD; pwszValueName: PWideChar): HRESULT; register; +begin + // wrapped unexported function SLGetWindowsInformationDWORDWrapper in termsrv.dll + // for Windows 8 Consumer Preview support + + Result := New_Win8SL(pwszValueName, pdwValue); +end; + +function New_CSLQuery_Initialize: HRESULT; stdcall; +var + bServerSku, + bRemoteConnAllowed, + bFUSEnabled, + bAppServerAllowed, + bMultimonAllowed, + lMaxUserSessions, + ulMaxDebugSessions, + bInitialized: PDWORD; +begin + bServerSku := nil; + bRemoteConnAllowed := nil; + bFUSEnabled := nil; + bAppServerAllowed := nil; + bMultimonAllowed := nil; + lMaxUserSessions := nil; + ulMaxDebugSessions := nil; + bInitialized := nil; + WriteLog('> CSLQuery::Initialize'); + if (FV.Release = 9431) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $A22A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $A22AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $A22B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $A22B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $A22B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $A22BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $A22C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $A22C4); + end; + if (FV.Release = 9600) and (FV.Build = 16384) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C02A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C02AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C02B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $C02B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C02B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $C02BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C02C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C02C4); + end; + if (FV.Release = 9600) and (FV.Build = 17095) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C12A8); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C12AC); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C12B0); + bInitialized := Pointer(Cardinal(TermSrvBase) + $C12B4); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C12B8); + bServerSku := Pointer(Cardinal(TermSrvBase) + $C12BC); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C12C0); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C12C4); + end; + if (FV.Release = 9841) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF9F0); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF9F4); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF9F8); + bInitialized := Pointer(Cardinal(TermSrvBase) + $BF9FC); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BFA00); + bServerSku := Pointer(Cardinal(TermSrvBase) + $BFA04); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C); + end; + if (FV.Release = 9860) and (FV.Build = 0) then begin + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF7E0); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF7E4); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF7E8); + bInitialized := Pointer(Cardinal(TermSrvBase) + $BF7EC); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BF7F0); + bServerSku := Pointer(Cardinal(TermSrvBase) + $BF7F4); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BF7F8); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BF7FC); + end; + if bServerSku <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1'); + bServerSku^ := 1; + end; + if bRemoteConnAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = 1'); + bRemoteConnAllowed^ := 1; + end; + if bFUSEnabled <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = 1'); + bFUSEnabled^ := 1; + end; + if bAppServerAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = 1'); + bAppServerAllowed^ := 1; + end; + if bMultimonAllowed <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = 1'); + bMultimonAllowed^ := 1; + end; + if lMaxUserSessions <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = 0'); + lMaxUserSessions^ := 0; + end; + if ulMaxDebugSessions <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = 0'); + ulMaxDebugSessions^ := 0; + end; + if bInitialized <> nil then begin + WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = 1'); + bInitialized^ := 1; + end; + Result := S_OK; +end; + +procedure HookFunctions; +var + V: DWORD; + TS_Handle, SLC_Handle: THandle; + TermSrvSize: DWORD; + SignPtr: Pointer; + Results: IntArray; + Jump: far_jmp; + MovJump: mov_far_jmp; + nop: DWORD; + b: Byte; +begin + { hook function ^^ + (called once) } + IsHooked := True; + nop := $90909090; + TSMain := nil; + TSGlobals := nil; + SLGetWindowsInformationDWORD := nil; + WriteLog('init'); + + // load termsrv.dll and get functions + TS_Handle := LoadLibrary('termsrv.dll'); + if TS_Handle = 0 then begin + WriteLog('Error: Failed to load Terminal Services library'); + Exit; + end; + WriteLog('Base addr: 0x'+IntToHex(TS_Handle, 8)); + TSMain := GetProcAddress(TS_Handle, 'ServiceMain'); + WriteLog('SvcMain: termsrv.dll+0x'+IntToHex(Cardinal(@TSMain) - TS_Handle, 1)); + TSGlobals := GetProcAddress(TS_Handle, 'SvchostPushServiceGlobals'); + WriteLog('SvcGlobals: termsrv.dll+0x'+IntToHex(Cardinal(@TSGlobals) - TS_Handle, 1)); + + V := 0; + // check termsrv version + if GetModuleVersion('termsrv.dll', FV) then + V := Byte(FV.Version.w.Minor) or (Byte(FV.Version.w.Major) shl 8) + else begin + // check NT version + // V := GetVersion; // deprecated + // V := ((V and $FF) shl 8) or ((V and $FF00) shr 8); + end; + if V = 0 then begin + WriteLog('Error: Failed to detect Terminal Services version'); + Exit; + end; + + WriteLog('Version: '+IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)); + WriteLog('Release: '+IntToStr(FV.Release)); + WriteLog('Build: '+IntToStr(FV.Build)); + + // temporarily freeze threads + WriteLog('freeze'); + StopThreads(); + + if (V = $0600) then begin + // Windows Vista + // uses SL Policy API (slc.dll) + + // load slc.dll and hook function + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if @SLGetWindowsInformationDWORD <> nil then + begin + // rewrite original function to call our function (make hook) + + WriteLog('Hook SLGetWindowsInformationDWORD'); + Stub_SLGetWindowsInformationDWORD.PushOp := $68; + Stub_SLGetWindowsInformationDWORD.PushArg := @New_SLGetWindowsInformationDWORD; + Stub_SLGetWindowsInformationDWORD.RetOp := $C3; + ReadProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); + end; + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + + if (FV.Release = 6000) and (FV.Build = 16386) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F320000 + .text:6F3360B9 lea eax, [ebp+VersionInformation] + .text:6F3360BF inc ebx <- nop + .text:6F3360C0 push eax ; lpVersionInformation + .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F3360CB mov [esi], ebx + .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $160BF); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $15CD8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6001) and (FV.Build = 18000) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6E800000 + .text:6E8185DE lea eax, [ebp+VersionInformation] + .text:6E8185E4 inc ebx <- nop + .text:6E8185E5 push eax ; lpVersionInformation + .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6E8185F0 mov [esi], ebx + .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $185E4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FD8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 18005) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FA2 lea eax, [ebp+VersionInformation] + .text:6F597FA8 inc ebx <- nop + .text:6F597FA9 push eax ; lpVersionInformation + .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FB4 mov [esi], ebx + .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FA8); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179C0); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 19214) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FBE lea eax, [ebp+VersionInformation] + .text:6F597FC4 inc ebx <- nop + .text:6F597FC5 push eax ; lpVersionInformation + .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FD0 mov [esi], ebx + .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FC4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179B8); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + if (FV.Release = 6002) and (FV.Build = 23521) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F580000 + .text:6F597FAE lea eax, [ebp+VersionInformation] + .text:6F597FB4 inc ebx <- nop + .text:6F597FB5 push eax ; lpVersionInformation + .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F597FC0 mov [esi], ebx + .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $17FB4); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $179CC); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_edx_ecx[0], + SizeOf(CDefPolicy_Query_edx_ecx), bw); + end; + end; + end; + if (V = $0601) then begin + // Windows 7 + // uses SL Policy API (slc.dll) + + // load slc.dll and hook function + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if @SLGetWindowsInformationDWORD <> nil then + begin + // rewrite original function to call our function (make hook) + + WriteLog('Hook SLGetWindowsInformationDWORD'); + Stub_SLGetWindowsInformationDWORD.PushOp := $68; + Stub_SLGetWindowsInformationDWORD.PushArg := @New_SLGetWindowsInformationDWORD; + Stub_SLGetWindowsInformationDWORD.RetOp := $C3; + ReadProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Old_SLGetWindowsInformationDWORD, SizeOf(OldCode), bw); + WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, + @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); + end; + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + + if (FV.Release = 7600) and (FV.Build = 16385) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2F9E1F lea eax, [ebp+VersionInformation] + .text:6F2F9E25 inc ebx <- nop + .text:6F2F9E26 push eax ; lpVersionInformation + .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2F9E31 mov [esi], ebx + .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $196F3); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 17514) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA497 lea eax, [ebp+VersionInformation] + .text:6F2FA49D inc ebx <- nop + .text:6F2FA49E push eax ; lpVersionInformation + .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4A9 mov [esi], ebx + .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A49D); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19D53); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 18540) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA4DF lea eax, [ebp+VersionInformation] + .text:6F2FA4E5 inc ebx <- nop + .text:6F2FA4E6 push eax ; lpVersionInformation + .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4F1 mov [esi], ebx + .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4E5); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19D9F); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 22750) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA64F lea eax, [ebp+VersionInformation] + .text:6F2FA655 inc ebx <- nop + .text:6F2FA656 push eax ; lpVersionInformation + .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA661 mov [esi], ebx + .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E21); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 18637) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA4D7 lea eax, [ebp+VersionInformation] + .text:6F2FA4DD inc ebx <- nop + .text:6F2FA4DE push eax ; lpVersionInformation + .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA4E9 mov [esi], ebx + .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4DD); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19DBB); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + if (FV.Release = 7601) and (FV.Build = 22843) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { Imagebase: 6F2E0000 + .text:6F2FA64F lea eax, [ebp+VersionInformation] + .text:6F2FA655 inc ebx <- nop + .text:6F2FA656 push eax ; lpVersionInformation + .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:6F2FA661 mov [esi], ebx + .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + end; + end; + end; + if V = $0602 then begin + // Windows 8 + // uses SL Policy internal unexported function + + // load slc.dll and get function + // (will be used on intercepting undefined values) + SLC_Handle := LoadLibrary('slc.dll'); + SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // SLGetWindowsInformationDWORDWrapper + + if (FV.Release = 8102) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1000F7E5 lea eax, [esp+150h+VersionInformation] + .text:1000F7E9 inc esi <- nop + .text:1000F7EA push eax ; lpVersionInformation + .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1000F7F3 mov [edi], esi + .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $F7E9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $E47C); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1B909); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 8250) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:100159C5 lea eax, [esp+150h+VersionInformation] + .text:100159C9 inc esi <- nop + .text:100159CA push eax ; lpVersionInformation + .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:100159D3 mov [edi], esi + .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $159C9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13520); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1A0A9); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL_CP; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 8400) and (FV.Build = 0) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1001547E lea eax, [esp+150h+VersionInformation] + .text:10015482 inc esi <- nop + .text:10015483 push eax ; lpVersionInformation + .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1001548C mov [edi], esi + .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $15482); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13E48); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19629); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 16384) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1001554E lea eax, [esp+150h+VersionInformation] + .text:10015552 inc esi <- nop + .text:10015553 push eax ; lpVersionInformation + .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1001555C mov [edi], esi + .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $15552); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13F08); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19559); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 17048) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:1002058E lea eax, [esp+150h+VersionInformation] + .text:10020592 inc esi <- nop + .text:10020593 push eax ; lpVersionInformation + .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:1002059C mov [edi], esi + .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $20592); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1F408); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $17059); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if (FV.Release = 9200) and (FV.Build = 21166) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10015576 lea eax, [esp+150h+VersionInformation] + .text:1001557A inc esi <- nop + .text:1001557B push eax ; lpVersionInformation + .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch + .text:10015584 mov [edi], esi + .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $1557A); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $13F30); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_esi[0], + SizeOf(CDefPolicy_Query_eax_esi), bw); + + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $19581); + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := @New_Win8SL; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + end; + end; + if V = $0603 then begin + // Windows 8.1 + // uses SL Policy internal inline code + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CEnforcementCore::GetInstanceOfTSLicense + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // CSLQuery::Initialize + + if (FV.Release = 9431) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:1008A609 test eax, eax + .text:1008A60B js short loc_1008A628 + .text:1008A60D cmp [ebp+var_8], 0 + .text:1008A611 jz short loc_1008A628 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $8A611); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:100306A4 lea eax, [esp+150h+VersionInformation] + .text:100306A8 inc ebx <- nop + .text:100306A9 mov [edi], ebx + .text:100306AB push eax ; lpVersionInformation + .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $306A8); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $2EA25); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $196B0); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + if (FV.Release = 9600) and (FV.Build = 16384) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100A2721 test eax, eax + .text:100A2723 js short loc_100A2740 + .text:100A2725 cmp [ebp+var_8], 0 + .text:100A2729 jz short loc_100A2740 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $A2729); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10018024 lea eax, [esp+150h+VersionInformation] + .text:10018028 inc ebx <- nop + .text:10018029 mov [edi], ebx + .text:1001802B push eax ; lpVersionInformation + .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $18028); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $16115); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $1CEB0); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + if (FV.Release = 9600) and (FV.Build = 17095) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100A36C9 test eax, eax + .text:100A36CB js short loc_100A36E8 + .text:100A36CD cmp [ebp+var_8], 0 + .text:100A36D1 jz short loc_100A36E8 <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $A36D1); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10036BA5 lea eax, [esp+150h+VersionInformation] + .text:10036BA9 inc ebx <- nop + .text:10036BAA mov [edi], ebx + .text:10036BAC push eax ; lpVersionInformation + .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $36BA9); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $37529); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $117F1); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + end; + end; + if V = $0604 then begin + // Windows 10 + // uses SL Policy internal inline code + + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + // Patch functions: + // CEnforcementCore::GetInstanceOfTSLicense + // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled + // CDefPolicy::Query + // Hook function: + // CSLQuery::Initialize + + if (FV.Release = 9841) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:1009569B call sub_100B7EE5 + .text:100956A0 test eax, eax + .text:100956A2 js short loc_100956BF + .text:100956A4 cmp [ebp+var_C], 0 + .text:100956A8 jz short loc_100956BF <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $956A8); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10030121 lea eax, [esp+150h+VersionInformation] + .text:10030125 inc ebx <- nop + .text:10030126 mov [edi], ebx + .text:10030128 push eax ; lpVersionInformation + .text:10030129 call ds:GetVersionExW + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $30125); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $3B989); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $46A68); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + if (FV.Release = 9860) and (FV.Build = 0) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + { + .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) + .text:100962C0 test eax, eax + .text:100962C2 js short loc_100962DF + .text:100962C4 cmp [ebp+var_C], 0 + .text:100962C8 jz short loc_100962DF <- jmp + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $962C8); + b := $EB; + WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); + + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + { + .text:10030841 lea eax, [esp+150h+VersionInformation] + .text:10030845 inc ebx <- nop + .text:10030846 mov [edi], ebx + .text:10030848 push eax ; lpVersionInformation + .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) + } + SignPtr := Pointer(Cardinal(TermSrvBase) + $30845); + WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); + + WriteLog('Patch CDefPolicy::Query'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $3BEC9); + WriteProcessMemory(GetCurrentProcess, SignPtr, + @CDefPolicy_Query_eax_ecx[0], + SizeOf(CDefPolicy_Query_eax_ecx), bw); + + WriteLog('Hook CSLQuery::Initialize'); + SignPtr := Pointer(Cardinal(TermSrvBase) + $46F18); + Jump.PushOp := $68; + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + + end; + end; + + // unfreeze threads + WriteLog('resume'); + RunThreads(); +end; + +function TermServiceMain(dwArgc: DWORD; lpszArgv: PWideChar): DWORD; stdcall; +begin + // wrap ServiceMain function + WriteLog('> ServiceMain'); + if not IsHooked then + HookFunctions; + Result := 0; + if @TSMain <> nil then + Result := TSMain(dwArgc, lpszArgv); +end; + +function TermServiceGlobals(lpGlobalData: Pointer): DWORD; stdcall; +begin + // wrap SvchostPushServiceGlobals function + WriteLog('> SvchostPushServiceGlobals'); + if not IsHooked then + HookFunctions; + Result := 0; + if @TSGlobals <> nil then + Result := TSGlobals(lpGlobalData); +end; + +// export section + +exports + TermServiceMain index 1 name 'ServiceMain'; +exports + TermServiceGlobals index 2 name 'SvchostPushServiceGlobals'; + +begin + // DllMain procedure is not used +end. \ No newline at end of file diff --git a/src-x86-binarymaster/src/rdpwrap.dpr b/src-x86-binarymaster/src/rdpwrap.dpr index b4c8351..7878a43 100644 --- a/src-x86-binarymaster/src/rdpwrap.dpr +++ b/src-x86-binarymaster/src/rdpwrap.dpr @@ -19,7 +19,8 @@ library rdpwrap; uses SysUtils, Windows, - TlHelp32; + TlHelp32, + LiteINI; {$R rdpwrap.res} @@ -54,7 +55,7 @@ type tpDeltaPri: LongInt; dwFlags: DWORD; end; - IntArray = Array of Integer; + //IntArray = Array of Integer; FILE_VERSION = record Version: record case Boolean of True: (dw: DWORD); @@ -70,9 +71,10 @@ const THREAD_SUSPEND_RESUME = 2; TH32CS_SNAPTHREAD = 4; var + INI: INIFile; + LogFile: String = '\rdpwrap.txt'; bw: DWORD; IsHooked: Boolean = False; - FCount: Cardinal = 0; // Unhooked import @@ -102,312 +104,6 @@ var TermSrvBase: Pointer; FV: FILE_VERSION; -const - CDefPolicy_Query_edx_ecx: Array[0..12] of Byte = - ($BA,$00,$01,$00,$00,$89,$91,$20,$03,$00,$00,$5E,$90); - CDefPolicy_Query_eax_esi: Array[0..11] of Byte = - ($B8,$00,$01,$00,$00,$89,$86,$20,$03,$00,$00,$90); - CDefPolicy_Query_eax_ecx: Array[0..11] of Byte = - ($B8,$00,$01,$00,$00,$89,$81,$20,$03,$00,$00,$90); - -{ -termsrv.dll 6.0.6000.16386 - -Original -.text:6F335CD8 cmp edx, [ecx+320h] -.text:6F335CDE pop esi -.text:6F335CDF jz loc_6F3426F1 -_______________ - -Changed -.text:6F335CD8 mov edx, 100h -.text:6F335CDD mov [ecx+320h], edx -.text:6F335CE3 pop esi -.text:6F335CE4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6001.18000 - -Original -.text:6E817FD8 cmp edx, [ecx+320h] -.text:6E817FDE pop esi -.text:6E817FDF jz loc_6E826F16 -_______________ - -Changed -.text:6E817FD8 mov edx, 100h -.text:6E817FDD mov [ecx+320h], edx -.text:6E817FE3 pop esi -.text:6E817FE4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.18005 - -Original -.text:6F5979C0 cmp edx, [ecx+320h] -.text:6F5979C6 pop esi -.text:6F5979C7 jz loc_6F5A6F26 -_______________ - -Changed -.text:6F5979C0 mov edx, 100h -.text:6F5979C5 mov [ecx+320h], edx -.text:6F5979CB pop esi -.text:6F5979CC nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.19214 - -Original -.text:6F5979B8 cmp edx, [ecx+320h] -.text:6F5979BE pop esi -.text:6F5979BF jz loc_6F5A6F3E -_______________ - -Changed -.text:6F5979B8 mov edx, 100h -.text:6F5979BD mov [ecx+320h], edx -.text:6F5979C3 pop esi -.text:6F5979C4 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.0.6002.23521 - -Original -.text:6F5979CC cmp edx, [ecx+320h] -.text:6F5979D2 pop esi -.text:6F5979D3 jz loc_6F5A6F2E -_______________ - -Changed -.text:6F5979CC mov edx, 100h -.text:6F5979D1 mov [ecx+320h], edx -.text:6F5979D7 pop esi -.text:6F5979D8 nop -CDefPolicy_Query_edx_ecx - -termsrv.dll 6.1.7600.16385 - -Original -.text:6F2F96F3 cmp eax, [esi+320h] -.text:6F2F96F9 jz loc_6F30E256 -_______________ - -Changed -.text:6F2F96F3 mov eax, 100h -.text:6F2F96F8 mov [esi+320h], eax -.text:6F2F96FE nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.17514 - -Original -.text:6F2F9D53 cmp eax, [esi+320h] -.text:6F2F9D59 jz loc_6F30B25E -_______________ - -Changed -.text:6F2F9D53 mov eax, 100h -.text:6F2F9D58 mov [esi+320h], eax -.text:6F2F9D5E nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.18540 - -Original -.text:6F2F9D9F cmp eax, [esi+320h] -.text:6F2F9DA5 jz loc_6F30B2AE -_______________ - -Changed -.text:6F2F9D9F mov eax, 100h -.text:6F2F9DA4 mov [esi+320h], eax -.text:6F2F9DAA nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.22750 - -Original -.text:6F2F9E21 cmp eax, [esi+320h] -.text:6F2F9E27 jz loc_6F30B6CE -_______________ - -Changed -.text:6F2F9E21 mov eax, 100h -.text:6F2F9E26 mov [esi+320h], eax -.text:6F2F9E2C nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.18637 - -Original -.text:6F2F9DBB cmp eax, [esi+320h] -.text:6F2F9DC1 jz loc_6F30B2A6 -_______________ - -Changed -.text:6F2F9DBB mov eax, 100h -.text:6F2F9DC0 mov [esi+320h], eax -.text:6F2F9DC6 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.1.7601.22843 - -Original -.text:6F2F9E25 cmp eax, [esi+320h] -.text:6F2F9E2B jz loc_6F30B6D6 -_______________ - -Changed -.text:6F2F9E25 mov eax, 100h -.text:6F2F9E2A mov [esi+320h], eax -.text:6F2F9E30 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8102.0 - -Original -.text:1000E47C cmp eax, [esi+320h] -.text:1000E482 jz loc_1002D775 -_______________ - -Changed -.text:1000E47C mov eax, 100h -.text:1000E481 mov [esi+320h], eax -.text:1000E487 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8250.0 - -Original -.text:10013520 cmp eax, [esi+320h] -.text:10013526 jz loc_1002DB85 -_______________ - -Changed -.text:10013520 mov eax, 100h -.text:10013525 mov [esi+320h], eax -.text:1001352B nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.8400.0 - -Original -.text:10013E48 cmp eax, [esi+320h] -.text:10013E4E jz loc_1002E079 -_______________ - -Changed -.text:10013E48 mov eax, 100h -.text:10013E4D mov [esi+320h], eax -.text:10013E53 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.16384 - -Original -.text:10013F08 cmp eax, [esi+320h] -.text:10013F0E jz loc_1002E161 -_______________ - -Changed -.text:10013F08 mov eax, 100h -.text:10013F0D mov [esi+320h], eax -.text:10013F13 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.17048 - -Original -.text:1001F408 cmp eax, [esi+320h] -.text:1001F40E jz loc_1002E201 -_______________ - -Changed -.text:1001F408 mov eax, 100h -.text:1001F40D mov [esi+320h], eax -.text:1001F413 nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.2.9200.21166 - -Original -.text:10013F30 cmp eax, [esi+320h] -.text:10013F36 jz loc_1002E189 -_______________ - -Changed -.text:10013F30 mov eax, 100h -.text:10013F35 mov [esi+320h], eax -.text:10013F3B nop -CDefPolicy_Query_eax_esi - -termsrv.dll 6.3.9431.0 - -Original -.text:1002EA25 cmp eax, [ecx+320h] -.text:1002EA2B jz loc_100348C1 -_______________ - -Changed -.text:1002EA25 mov eax, 100h -.text:1002EA2A mov [ecx+320h], eax -.text:1002EA30 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.3.9600.16384 - -Original -.text:10016115 cmp eax, [ecx+320h] -.text:1001611B jz loc_10034DE1 -_______________ - -Changed -.text:10016115 mov eax, 100h -.text:1001611A mov [ecx+320h], eax -.text:10016120 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.3.9600.17095 - -Original -.text:10037529 cmp eax, [ecx+320h] -.text:1003752F jz loc_10043662 -_______________ - -Changed -.text:10037529 mov eax, 100h -.text:1003752E mov [ecx+320h], eax -.text:10037534 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.4.9841.0 - -Original -.text:1003B989 cmp eax, [ecx+320h] -.text:1003B98F jz loc_1005E809 -_______________ - -Changed -.text:1003B989 mov eax, 100h -.text:1003B98E mov [ecx+320h], eax -.text:1003B994 nop -CDefPolicy_Query_eax_ecx - -termsrv.dll 6.4.9860.0 - -Original -.text:1003BEC9 cmp eax, [ecx+320h] -.text:1003BECF jz loc_1005EE1A -_______________ - -Changed -.text:1003BEC9 mov eax, 100h -.text:1003BECE mov [ecx+320h], eax -.text:1003BED4 nop -CDefPolicy_Query_eax_ecx -} - var Stub_SLGetWindowsInformationDWORD: far_jmp; Old_SLGetWindowsInformationDWORD: OldCode; @@ -415,8 +111,6 @@ var // Main code procedure WriteLog(S: AnsiString); -const - LogFile = '\rdpwrap.txt'; var F: TextFile; begin @@ -428,6 +122,28 @@ begin CloseFile(F); end; +function GetModuleHandleEx(dwFlags: DWORD; lpModuleName: PWideChar; + var phModule: HMODULE): BOOL; stdcall; external kernel32 name 'GetModuleHandleExW'; + +function GetCurrentModule: HMODULE; +const + GET_MODULE_HANDLE_EX_FLAG_PIN = 1; + GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT = 2; + GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS = 4; +begin + Result := 0; + GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, @GetCurrentModule, Result); +end; + +function GetBinaryPath: String; +var + Buf: Array[0..511] of Byte; +begin + ZeroMemory(@Buf[0], Length(Buf)); + GetModuleFileName(GetCurrentModule, PWideChar(@Buf[0]), Length(Buf)); + Result := PWideChar(@Buf[0]); +end; + procedure StopThreads; var h, CurrTh, ThrHandle, CurrPr: DWORD; @@ -541,7 +257,7 @@ begin end; end;} -function GetModuleVersion(const ModuleName: TFileName; var FileVersion: FILE_VERSION): Boolean; +function GetModuleVersion(const ModuleName: String; var FileVersion: FILE_VERSION): Boolean; type VS_VERSIONINFO = record wLength, wValueLength, wType: Word; @@ -589,7 +305,7 @@ begin Result := True; end; -function GetFileVersion(const FileName: TFileName; var FileVersion: FILE_VERSION): Boolean; +function GetFileVersion(const FileName: String; var FileVersion: FILE_VERSION): Boolean; type VS_VERSIONINFO = record wLength, wValueLength, wType: Word; @@ -637,62 +353,8 @@ end; function OverrideSL(ValueName: String; var Value: DWORD): Boolean; begin Result := True; - // Allow Remote Connections - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowRemoteConnections' then begin - Value := 1; - Exit; - end; - // Allow Multiple Sessions - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultipleSessions' then begin - Value := 1; - Exit; - end; - // Allow Multiple Sessions (Application Server Mode) - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowAppServerMode' then begin - Value := 1; - Exit; - end; - // Allow Multiple Monitors - if ValueName = 'TerminalServices-RemoteConnectionManager-AllowMultimon' then begin - Value := 1; - Exit; - end; - // Max User Sessions (0 = unlimited) - if ValueName = 'TerminalServices-RemoteConnectionManager-MaxUserSessions' then begin - Value := 0; - Exit; - end; - // Max Debug Sessions (Win 8, 0 = unlimited) - if ValueName = 'TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions' then begin - Value := 0; - Exit; - end; - // Max Sessions - // 0 - logon not possible even from console - // 1 - only one active user (console or remote) - // 2 - allow concurrent sessions - if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions' then begin - Value := 2; - Exit; - end; - // Allow Advanced Compression with RDP 7 Protocol - if ValueName = 'TerminalServices-RDP-7-Advanced-Compression-Allowed' then begin - Value := 1; - Exit; - end; - // IsTerminalTypeLocalOnly = 0 - if ValueName = 'TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly' then begin - Value := 0; - Exit; - end; - // Max Sessions (hard limit) - if ValueName = 'TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions' then begin - Value := 1000; - Exit; - end; - // Allow Easy Print - if ValueName = 'TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed' then begin - Value := 1; + if INIValueExists(INI, 'SLPolicy', ValueName) then begin + Value := INIReadDWord(INI, 'SLPolicy', ValueName, 0); Exit; end; Result := False; @@ -770,6 +432,7 @@ end; function New_CSLQuery_Initialize: HRESULT; stdcall; var + Sect: String; bServerSku, bRemoteConnAllowed, bFUSEnabled, @@ -788,110 +451,82 @@ begin ulMaxDebugSessions := nil; bInitialized := nil; WriteLog('> CSLQuery::Initialize'); - if (FV.Release = 9431) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $A22A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $A22AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $A22B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $A22B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $A22B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $A22BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $A22C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $A22C4); - end; - if (FV.Release = 9600) and (FV.Build = 16384) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C02A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C02AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C02B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $C02B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C02B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $C02BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C02C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C02C4); - end; - if (FV.Release = 9600) and (FV.Build = 17095) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $C12A8); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $C12AC); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $C12B0); - bInitialized := Pointer(Cardinal(TermSrvBase) + $C12B4); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $C12B8); - bServerSku := Pointer(Cardinal(TermSrvBase) + $C12BC); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $C12C0); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $C12C4); - end; - if (FV.Release = 9841) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF9F0); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF9F4); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF9F8); - bInitialized := Pointer(Cardinal(TermSrvBase) + $BF9FC); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BFA00); - bServerSku := Pointer(Cardinal(TermSrvBase) + $BFA04); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BFA08); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BFA0C); - end; - if (FV.Release = 9860) and (FV.Build = 0) then begin - bFUSEnabled := Pointer(Cardinal(TermSrvBase) + $BF7E0); - lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + $BF7E4); - bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + $BF7E8); - bInitialized := Pointer(Cardinal(TermSrvBase) + $BF7EC); - bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + $BF7F0); - bServerSku := Pointer(Cardinal(TermSrvBase) + $BF7F4); - ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + $BF7F8); - bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + $BF7FC); + Sect := IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)+'.'+ + IntToStr(FV.Release)+'.'+IntToStr(FV.Build)+'-SLInit'; + if INISectionExists(INI, Sect) then begin + bServerSku := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bServerSku.x86', 0)); + bRemoteConnAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bRemoteConnAllowed.x86', 0)); + bFUSEnabled := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bFUSEnabled.x86', 0)); + bAppServerAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bAppServerAllowed.x86', 0)); + bMultimonAllowed := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bMultimonAllowed.x86', 0)); + lMaxUserSessions := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'lMaxUserSessions.x86', 0)); + ulMaxDebugSessions := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'ulMaxDebugSessions.x86', 0)); + bInitialized := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'bInitialized.x86', 0)); end; + if bServerSku <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = 1'); - bServerSku^ := 1; + bServerSku^ := INIReadDWord(INI, 'SLInit', 'bServerSku', 1); + WriteLog('[0x'+IntToHex(DWORD(bServerSku), 1)+'] bServerSku = ' + IntToStr(bServerSku^)); end; if bRemoteConnAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = 1'); - bRemoteConnAllowed^ := 1; + bRemoteConnAllowed^ := INIReadDWord(INI, 'SLInit', 'bRemoteConnAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bRemoteConnAllowed), 1)+'] bRemoteConnAllowed = ' + IntToStr(bRemoteConnAllowed^)); end; if bFUSEnabled <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = 1'); - bFUSEnabled^ := 1; + bFUSEnabled^ := INIReadDWord(INI, 'SLInit', 'bFUSEnabled', 1); + WriteLog('[0x'+IntToHex(DWORD(bFUSEnabled), 1)+'] bFUSEnabled = ' + IntToStr(bFUSEnabled^)); end; if bAppServerAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = 1'); - bAppServerAllowed^ := 1; + bAppServerAllowed^ := INIReadDWord(INI, 'SLInit', 'bAppServerAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bAppServerAllowed), 1)+'] bAppServerAllowed = ' + IntToStr(bAppServerAllowed^)); end; if bMultimonAllowed <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = 1'); - bMultimonAllowed^ := 1; + bMultimonAllowed^ := INIReadDWord(INI, 'SLInit', 'bMultimonAllowed', 1); + WriteLog('[0x'+IntToHex(DWORD(bMultimonAllowed), 1)+'] bMultimonAllowed = ' + IntToStr(bMultimonAllowed^)); end; if lMaxUserSessions <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = 0'); - lMaxUserSessions^ := 0; + lMaxUserSessions^ := INIReadDWord(INI, 'SLInit', 'lMaxUserSessions', 0); + WriteLog('[0x'+IntToHex(DWORD(lMaxUserSessions), 1)+'] lMaxUserSessions = ' + IntToStr(lMaxUserSessions^)); end; if ulMaxDebugSessions <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = 0'); - ulMaxDebugSessions^ := 0; + ulMaxDebugSessions^ := INIReadDWord(INI, 'SLInit', 'ulMaxDebugSessions', 0); + WriteLog('[0x'+IntToHex(DWORD(ulMaxDebugSessions), 1)+'] ulMaxDebugSessions = ' + IntToStr(ulMaxDebugSessions^)); end; if bInitialized <> nil then begin - WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = 1'); - bInitialized^ := 1; + bInitialized^ := INIReadDWord(INI, 'SLInit', 'bInitialized', 1); + WriteLog('[0x'+IntToHex(DWORD(bInitialized), 1)+'] bInitialized = ' + IntToStr(bInitialized^)); end; Result := S_OK; end; procedure HookFunctions; var + Sect, FuncName: String; V: DWORD; TS_Handle, SLC_Handle: THandle; TermSrvSize: DWORD; SignPtr: Pointer; - Results: IntArray; + I: Integer; + PatchList: SList; + Patch: Array of TBytes; Jump: far_jmp; MovJump: mov_far_jmp; - nop: DWORD; - b: Byte; begin { hook function ^^ (called once) } IsHooked := True; - nop := $90909090; TSMain := nil; TSGlobals := nil; SLGetWindowsInformationDWORD := nil; + + WriteLog('Loading configuration...'); + INILoad(INI, ExtractFilePath(GetBinaryPath) + 'rdpwrap.ini'); + if Length(INI) = 0 then begin + WriteLog('Error: Failed to load configuration'); + Exit; + end; + + LogFile := INIReadString(INI, 'Main', 'LogFile', ExtractFilePath(GetBinaryPath) + 'rdpwrap.txt'); WriteLog('init'); // load termsrv.dll and get functions @@ -928,7 +563,16 @@ begin WriteLog('freeze'); StopThreads(); - if (V = $0600) then begin + WriteLog('Loading patch codes...'); + PatchList := INIReadSection(INI, 'PatchCodes'); + SetLength(Patch, Length(PatchList)); + for I := 0 to Length(Patch) - 1 do begin + Patch[I] := INIReadBytes(INI, 'PatchCodes', PatchList[I]); + if Length(Patch[I]) > 16 then // for security reasons + SetLength(Patch[I], 16); // not more than 16 bytes + end; + + if (V = $0600) and (INIReadBool(INI, 'Main', 'SLPolicyHookNT60', True)) then begin // Windows Vista // uses SL Policy API (slc.dll) @@ -949,110 +593,8 @@ begin WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); end; - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - - if (FV.Release = 6000) and (FV.Build = 16386) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F320000 - .text:6F3360B9 lea eax, [ebp+VersionInformation] - .text:6F3360BF inc ebx <- nop - .text:6F3360C0 push eax ; lpVersionInformation - .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F3360CB mov [esi], ebx - .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $160BF); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $15CD8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6001) and (FV.Build = 18000) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6E800000 - .text:6E8185DE lea eax, [ebp+VersionInformation] - .text:6E8185E4 inc ebx <- nop - .text:6E8185E5 push eax ; lpVersionInformation - .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6E8185F0 mov [esi], ebx - .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $185E4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FD8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 18005) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FA2 lea eax, [ebp+VersionInformation] - .text:6F597FA8 inc ebx <- nop - .text:6F597FA9 push eax ; lpVersionInformation - .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FB4 mov [esi], ebx - .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FA8); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179C0); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 19214) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FBE lea eax, [ebp+VersionInformation] - .text:6F597FC4 inc ebx <- nop - .text:6F597FC5 push eax ; lpVersionInformation - .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FD0 mov [esi], ebx - .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FC4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179B8); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - if (FV.Release = 6002) and (FV.Build = 23521) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F580000 - .text:6F597FAE lea eax, [ebp+VersionInformation] - .text:6F597FB4 inc ebx <- nop - .text:6F597FB5 push eax ; lpVersionInformation - .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F597FC0 mov [esi], ebx - .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $17FB4); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $179CC); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_edx_ecx[0], - SizeOf(CDefPolicy_Query_edx_ecx), bw); - end; - end; end; - if (V = $0601) then begin + if (V = $0601) and (INIReadBool(INI, 'Main', 'SLPolicyHookNT61', True)) then begin // Windows 7 // uses SL Policy API (slc.dll) @@ -1073,127 +615,6 @@ begin WriteProcessMemory(GetCurrentProcess, @SLGetWindowsInformationDWORD, @Stub_SLGetWindowsInformationDWORD, SizeOf(far_jmp), bw); end; - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - - if (FV.Release = 7600) and (FV.Build = 16385) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2F9E1F lea eax, [ebp+VersionInformation] - .text:6F2F9E25 inc ebx <- nop - .text:6F2F9E26 push eax ; lpVersionInformation - .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2F9E31 mov [esi], ebx - .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $196F3); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 17514) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA497 lea eax, [ebp+VersionInformation] - .text:6F2FA49D inc ebx <- nop - .text:6F2FA49E push eax ; lpVersionInformation - .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4A9 mov [esi], ebx - .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A49D); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19D53); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 18540) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA4DF lea eax, [ebp+VersionInformation] - .text:6F2FA4E5 inc ebx <- nop - .text:6F2FA4E6 push eax ; lpVersionInformation - .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4F1 mov [esi], ebx - .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4E5); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19D9F); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 22750) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA64F lea eax, [ebp+VersionInformation] - .text:6F2FA655 inc ebx <- nop - .text:6F2FA656 push eax ; lpVersionInformation - .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA661 mov [esi], ebx - .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E21); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 18637) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA4D7 lea eax, [ebp+VersionInformation] - .text:6F2FA4DD inc ebx <- nop - .text:6F2FA4DE push eax ; lpVersionInformation - .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA4E9 mov [esi], ebx - .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A4DD); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19DBB); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - if (FV.Release = 7601) and (FV.Build = 22843) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { Imagebase: 6F2E0000 - .text:6F2FA64F lea eax, [ebp+VersionInformation] - .text:6F2FA655 inc ebx <- nop - .text:6F2FA656 push eax ; lpVersionInformation - .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:6F2FA661 mov [esi], ebx - .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A655); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19E25); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - end; - end; end; if V = $0602 then begin // Windows 8 @@ -1203,412 +624,92 @@ begin // (will be used on intercepting undefined values) SLC_Handle := LoadLibrary('slc.dll'); SLGetWindowsInformationDWORD := GetProcAddress(SLC_Handle, 'SLGetWindowsInformationDWORD'); - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // SLGetWindowsInformationDWORDWrapper - - if (FV.Release = 8102) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1000F7E5 lea eax, [esp+150h+VersionInformation] - .text:1000F7E9 inc esi <- nop - .text:1000F7EA push eax ; lpVersionInformation - .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1000F7F3 mov [edi], esi - .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $F7E9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $E47C); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1B909); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 8250) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:100159C5 lea eax, [esp+150h+VersionInformation] - .text:100159C9 inc esi <- nop - .text:100159CA push eax ; lpVersionInformation - .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:100159D3 mov [edi], esi - .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $159C9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13520); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1A0A9); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL_CP; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 8400) and (FV.Build = 0) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1001547E lea eax, [esp+150h+VersionInformation] - .text:10015482 inc esi <- nop - .text:10015483 push eax ; lpVersionInformation - .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1001548C mov [edi], esi - .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $15482); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13E48); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19629); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 16384) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1001554E lea eax, [esp+150h+VersionInformation] - .text:10015552 inc esi <- nop - .text:10015553 push eax ; lpVersionInformation - .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1001555C mov [edi], esi - .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $15552); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13F08); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19559); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 17048) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:1002058E lea eax, [esp+150h+VersionInformation] - .text:10020592 inc esi <- nop - .text:10020593 push eax ; lpVersionInformation - .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:1002059C mov [edi], esi - .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $20592); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1F408); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $17059); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - if (FV.Release = 9200) and (FV.Build = 21166) then begin - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10015576 lea eax, [esp+150h+VersionInformation] - .text:1001557A inc esi <- nop - .text:1001557B push eax ; lpVersionInformation - .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch - .text:10015584 mov [edi], esi - .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $1557A); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $13F30); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_esi[0], - SizeOf(CDefPolicy_Query_eax_esi), bw); - - WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $19581); - MovJump.MovOp := $89; // mov eax, ecx - MovJump.MovArg := $C8; // __msfastcall compatibility - MovJump.PushOp := $68; - MovJump.PushArg := @New_Win8SL; - MovJump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @MovJump, SizeOf(mov_far_jmp), bw); - end; - end; end; if V = $0603 then begin // Windows 8.1 // uses SL Policy internal inline code - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CEnforcementCore::GetInstanceOfTSLicense - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // CSLQuery::Initialize - - if (FV.Release = 9431) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:1008A609 test eax, eax - .text:1008A60B js short loc_1008A628 - .text:1008A60D cmp [ebp+var_8], 0 - .text:1008A611 jz short loc_1008A628 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $8A611); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:100306A4 lea eax, [esp+150h+VersionInformation] - .text:100306A8 inc ebx <- nop - .text:100306A9 mov [edi], ebx - .text:100306AB push eax ; lpVersionInformation - .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $306A8); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $2EA25); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $196B0); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - if (FV.Release = 9600) and (FV.Build = 16384) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100A2721 test eax, eax - .text:100A2723 js short loc_100A2740 - .text:100A2725 cmp [ebp+var_8], 0 - .text:100A2729 jz short loc_100A2740 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $A2729); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10018024 lea eax, [esp+150h+VersionInformation] - .text:10018028 inc ebx <- nop - .text:10018029 mov [edi], ebx - .text:1001802B push eax ; lpVersionInformation - .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $18028); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $16115); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $1CEB0); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - if (FV.Release = 9600) and (FV.Build = 17095) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100A36C9 test eax, eax - .text:100A36CB js short loc_100A36E8 - .text:100A36CD cmp [ebp+var_8], 0 - .text:100A36D1 jz short loc_100A36E8 <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $A36D1); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10036BA5 lea eax, [esp+150h+VersionInformation] - .text:10036BA9 inc ebx <- nop - .text:10036BAA mov [edi], ebx - .text:10036BAC push eax ; lpVersionInformation - .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $36BA9); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $37529); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $117F1); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - end; end; if V = $0604 then begin // Windows 10 // uses SL Policy internal inline code - - if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin - // Patch functions: - // CEnforcementCore::GetInstanceOfTSLicense - // CSessionArbitrationHelper::IsSingleSessionPerUserEnabled - // CDefPolicy::Query - // Hook function: - // CSLQuery::Initialize - - if (FV.Release = 9841) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:1009569B call sub_100B7EE5 - .text:100956A0 test eax, eax - .text:100956A2 js short loc_100956BF - .text:100956A4 cmp [ebp+var_C], 0 - .text:100956A8 jz short loc_100956BF <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $956A8); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10030121 lea eax, [esp+150h+VersionInformation] - .text:10030125 inc ebx <- nop - .text:10030126 mov [edi], ebx - .text:10030128 push eax ; lpVersionInformation - .text:10030129 call ds:GetVersionExW - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $30125); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $3B989); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $46A68); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - if (FV.Release = 9860) and (FV.Build = 0) then begin - WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); - { - .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) - .text:100962C0 test eax, eax - .text:100962C2 js short loc_100962DF - .text:100962C4 cmp [ebp+var_C], 0 - .text:100962C8 jz short loc_100962DF <- jmp - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $962C8); - b := $EB; - WriteProcessMemory(GetCurrentProcess, SignPtr, @b, 1, bw); - - WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); - { - .text:10030841 lea eax, [esp+150h+VersionInformation] - .text:10030845 inc ebx <- nop - .text:10030846 mov [edi], ebx - .text:10030848 push eax ; lpVersionInformation - .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) - } - SignPtr := Pointer(Cardinal(TermSrvBase) + $30845); - WriteProcessMemory(GetCurrentProcess, SignPtr, @nop, 1, bw); - - WriteLog('Patch CDefPolicy::Query'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $3BEC9); - WriteProcessMemory(GetCurrentProcess, SignPtr, - @CDefPolicy_Query_eax_ecx[0], - SizeOf(CDefPolicy_Query_eax_ecx), bw); - - WriteLog('Hook CSLQuery::Initialize'); - SignPtr := Pointer(Cardinal(TermSrvBase) + $46F18); - Jump.PushOp := $68; - Jump.PushArg := @New_CSLQuery_Initialize; - Jump.RetOp := $C3; - WriteProcessMemory(GetCurrentProcess, SignPtr, - @Jump, SizeOf(far_jmp), bw); - end; - - end; end; + Sect := IntToStr(FV.Version.w.Major)+'.'+IntToStr(FV.Version.w.Minor)+'.'+ + IntToStr(FV.Release)+'.'+IntToStr(FV.Build); + + if INISectionExists(INI, Sect) then + if GetModuleAddress('termsrv.dll', GetCurrentProcessId, TermSrvBase, TermSrvSize) then begin + if INIReadBool(INI, Sect, 'LocalOnlyPatch.x86', False) then begin + WriteLog('Patch CEnforcementCore::GetInstanceOfTSLicense'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'LocalOnlyOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'LocalOnlyCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'SingleUserPatch.x86', False) then begin + WriteLog('Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SingleUserOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'SingleUserCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'DefPolicyPatch.x86', False) then begin + WriteLog('Patch CDefPolicy::Query'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'DefPolicyOffset.x86', 0)); + I := SListFind(PatchList, INIReadString(INI, Sect, 'DefPolicyCode.x86', '')); + if I >= 0 then + WriteProcessMemory(GetCurrentProcess, SignPtr, @Patch[I][0], Length(Patch[I]), bw); + except + + end; + end; + if INIReadBool(INI, Sect, 'SLPolicyInternal.x86', False) then begin + WriteLog('Hook SLGetWindowsInformationDWORDWrapper'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SLPolicyOffset.x86', 0)); + except + SignPtr := nil; + end; + MovJump.MovOp := $89; // mov eax, ecx + MovJump.MovArg := $C8; // __msfastcall compatibility + MovJump.PushOp := $68; + MovJump.PushArg := nil; + FuncName := INIReadString(INI, Sect, 'SLPolicyFunc.x86', 'New_Win8SL'); + if FuncName = 'New_Win8SL' then + MovJump.PushArg := @New_Win8SL; + if FuncName = 'New_Win8SL_CP' then + MovJump.PushArg := @New_Win8SL_CP; + MovJump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @MovJump, SizeOf(mov_far_jmp), bw); + end; + if INIReadBool(INI, Sect, 'SLInitHook.x86', False) then begin + WriteLog('Hook CSLQuery::Initialize'); + try + SignPtr := Pointer(Cardinal(TermSrvBase) + INIReadDWordHex(INI, Sect, 'SLInitOffset.x86', 0)); + except + SignPtr := nil; + end; + Jump.PushOp := $68; + Jump.PushArg := nil; + FuncName := INIReadString(INI, Sect, 'SLInitFunc.x86', 'New_CSLQuery_Initialize'); + if FuncName = 'New_CSLQuery_Initialize' then + Jump.PushArg := @New_CSLQuery_Initialize; + Jump.RetOp := $C3; + WriteProcessMemory(GetCurrentProcess, SignPtr, + @Jump, SizeOf(far_jmp), bw); + end; + end; + // unfreeze threads WriteLog('resume'); RunThreads(); diff --git a/src-x86-binarymaster/src/rdpwrap.ini b/src-x86-binarymaster/src/rdpwrap.ini new file mode 100644 index 0000000..6b44968 --- /dev/null +++ b/src-x86-binarymaster/src/rdpwrap.ini @@ -0,0 +1,1250 @@ +; RDP Wrapper Library configuration +; Do not modify without special knowledge + +[Main] +Updated=2014-11-20 +LogFile=\rdpwrap.txt +SLPolicyHookNT60=1 +SLPolicyHookNT61=1 + +[SLPolicy] +; Allow Remote Connections +TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1 +; Allow Multiple Sessions +TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1 +; Allow Multiple Sessions (Application Server Mode) +TerminalServices-RemoteConnectionManager-AllowAppServerMode=1 +; Allow Multiple Monitors +TerminalServices-RemoteConnectionManager-AllowMultimon=1 +; Max User Sessions (0 = unlimited) +TerminalServices-RemoteConnectionManager-MaxUserSessions=0 +; Max Debug Sessions (Windows 8, 0 = unlimited) +TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0 +; Max Sessions +; 0 - logon not possible even from console +; 1 - only one active user (console or remote) +; 2 - allow concurrent sessions +TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2 +; Allow Advanced Compression with RDP 7 Protocol +TerminalServices-RDP-7-Advanced-Compression-Allowed=1 +; IsTerminalTypeLocalOnly = 0 +TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0 +; Max Sessions (hard limit) +TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000 +; EasyPrint +TerminalServices-DeviceRedirection-Licenses-TSEasyPrintAllowed=1 + +[PatchCodes] +nop=90 +Zero=00 +jmpshort=EB +nopjmp=90E9 +CDefPolicy_Query_edx_ecx=BA000100008991200300005E90 +CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB +CDefPolicy_Query_eax_esi=B80001000089862003000090 +CDefPolicy_Query_eax_rdi=B80001000089873806000090 +CDefPolicy_Query_eax_ecx=B80001000089812003000090 +CDefPolicy_Query_eax_rcx=B80001000089813806000090 + +[6.0.6000.16386] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F320000 +; .text:6F3360B9 lea eax, [ebp+VersionInformation] +; .text:6F3360BF inc ebx <- nop +; .text:6F3360C0 push eax ; lpVersionInformation +; .text:6F3360C1 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F3360CB mov [esi], ebx +; .text:6F3360CD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=160BF +SingleUserCode.x86=nop +; Imagebase: 7FF756E0000 +; .text:000007FF75745E38 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75745E3D mov ebx, 1 <- 0 +; .text:000007FF75745E42 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75745E4A mov [rdi], ebx +; .text:000007FF75745E4C call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=65E3E +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F335CD8 cmp edx, [ecx+320h] +; .text:6F335CDE pop esi +; .text:6F335CDF jz loc_6F3426F1 +; Changed +; .text:6F335CD8 mov edx, 100h +; .text:6F335CDD mov [ecx+320h], edx +; .text:6F335CE3 pop esi +; .text:6F335CE4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=15CD8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF7573C88F mov eax, [rcx+638h] +; .text:000007FF7573C895 cmp [rcx+63Ch], eax +; .text:000007FF7573C89B jnz short loc_7FF7573C8B3 +; Changed +; .text:000007FF7573C88F mov eax, 100h +; .text:000007FF7573C894 mov [rcx+638h], eax +; .text:000007FF7573C89A nop +; .text:000007FF7573C89B jmp short loc_7FF7573C8B3 +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=5C88F +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6001.18000] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6E800000 +; .text:6E8185DE lea eax, [ebp+VersionInformation] +; .text:6E8185E4 inc ebx <- nop +; .text:6E8185E5 push eax ; lpVersionInformation +; .text:6E8185E6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6E8185F0 mov [esi], ebx +; .text:6E8185F2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=185E4 +SingleUserCode.x86=nop +; Imagebase: 7FF76220000 +; .text:000007FF76290DB4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF76290DB9 mov ebx, 1 <- 0 +; .text:000007FF76290DBE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF76290DC6 mov [rdi], ebx +; .text:000007FF76290DC8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=70DBA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6E817FD8 cmp edx, [ecx+320h] +; .text:6E817FDE pop esi +; .text:6E817FDF jz loc_6E826F16 +; Changed +; .text:6E817FD8 mov edx, 100h +; .text:6E817FDD mov [ecx+320h], edx +; .text:6E817FE3 pop esi +; .text:6E817FE4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=17FD8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF76285BD7 mov eax, [rcx+638h] +; .text:000007FF76285BDD cmp [rcx+63Ch], eax +; .text:000007FF76285BE3 jnz short loc_7FF76285BFB +; Changed +; .text:000007FF76285BD7 mov eax, 100h +; .text:000007FF76285BDC mov [rcx+638h], eax +; .text:000007FF76285BE2 nop +; .text:000007FF76285BE3 jmp short loc_7FF76285BFB +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65BD7 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.18005] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FA2 lea eax, [ebp+VersionInformation] +; .text:6F597FA8 inc ebx <- nop +; .text:6F597FA9 push eax ; lpVersionInformation +; .text:6F597FAA mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FB4 mov [esi], ebx +; .text:6F597FB6 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FA8 +SingleUserCode.x86=nop +; Imagebase: 7FF766C0000 +; .text:000007FF76730FF0 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF76730FF5 mov ebx, 1 <- 0 +; .text:000007FF76730FFA mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF76731002 mov [rdi], ebx +; .text:000007FF76731004 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=70FF6 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979C0 cmp edx, [ecx+320h] +; .text:6F5979C6 pop esi +; .text:6F5979C7 jz loc_6F5A6F26 +; Changed +; .text:6F5979C0 mov edx, 100h +; .text:6F5979C5 mov [ecx+320h], edx +; .text:6F5979CB pop esi +; .text:6F5979CC nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179C0 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF76725E83 mov eax, [rcx+638h] +; .text:000007FF76725E89 cmp [rcx+63Ch], eax +; .text:000007FF76725E8F jz short loc_7FF76725EA7 +; Changed +; .text:000007FF76725E83 mov eax, 100h +; .text:000007FF76725E88 mov [rcx+638h], eax +; .text:000007FF76725E8E nop +; .text:000007FF76725E8F jmp short loc_7FF76725EA7 +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65E83 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.19214] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FBE lea eax, [ebp+VersionInformation] +; .text:6F597FC4 inc ebx <- nop +; .text:6F597FC5 push eax ; lpVersionInformation +; .text:6F597FC6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FD0 mov [esi], ebx +; .text:6F597FD2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FC4 +SingleUserCode.x86=nop +; Imagebase: 7FF75AC0000 +; .text:000007FF75B312A4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75B312A9 mov ebx, 1 <- 0 +; .text:000007FF75B312AE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75B312B6 mov [rdi], ebx +; .text:000007FF75B312B8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=712AA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979B8 cmp edx, [ecx+320h] +; .text:6F5979BE pop esi +; .text:6F5979BF jz loc_6F5A6F3E +; Changed +; .text:6F5979B8 mov edx, 100h +; .text:6F5979BD mov [ecx+320h], edx +; .text:6F5979C3 pop esi +; .text:6F5979C4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179B8 +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF75B25FF7 mov eax, [rcx+638h] +; .text:000007FF75B25FFD cmp [rcx+63Ch], eax +; .text:000007FF75B26003 jnz short loc_7FF75B2601B +; Changed +; .text:000007FF75B25FF7 mov eax, 100h +; .text:000007FF75B25FFC mov [rcx+638h], eax +; .text:000007FF75B26002 nop +; .text:000007FF75B26003 jmp short loc_7FF75B2601B +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=65FF7 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.0.6002.23521] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F580000 +; .text:6F597FAE lea eax, [ebp+VersionInformation] +; .text:6F597FB4 inc ebx <- nop +; .text:6F597FB5 push eax ; lpVersionInformation +; .text:6F597FB6 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F597FC0 mov [esi], ebx +; .text:6F597FC2 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=17FB4 +SingleUserCode.x86=nop +; Imagebase: 7FF75AC0000 +; .text:000007FF75B31EA4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75B31EA9 mov ebx, 1 <- 0 +; .text:000007FF75B31EAE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75B31EB6 mov [rdi], ebx +; .text:000007FF75B31EB8 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=71EAA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F5979CC cmp edx, [ecx+320h] +; .text:6F5979D2 pop esi +; .text:6F5979D3 jz loc_6F5A6F2E +; Changed +; .text:6F5979CC mov edx, 100h +; .text:6F5979D1 mov [ecx+320h], edx +; .text:6F5979D7 pop esi +; .text:6F5979D8 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=179CC +DefPolicyCode.x86=CDefPolicy_Query_edx_ecx +; Original +; .text:000007FF75B269CB mov eax, [rcx+638h] +; .text:000007FF75B269D1 cmp [rcx+63Ch], eax +; .text:000007FF75B269D7 jnz short loc_7FF75B269EF +; Changed +; .text:000007FF75B269CB mov eax, 100h +; .text:000007FF75B269D0 mov [rcx+638h], eax +; .text:000007FF75B269D6 nop +; .text:000007FF75B269D7 jmp short loc_7FF75B269EF +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=669CB +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp + +[6.1.7600.16385] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2F9E1F lea eax, [ebp+VersionInformation] +; .text:6F2F9E25 inc ebx <- nop +; .text:6F2F9E26 push eax ; lpVersionInformation +; .text:6F2F9E27 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2F9E31 mov [esi], ebx +; .text:6F2F9E33 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=19E25 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97D90 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97D95 mov ebx, 1 <- 0 +; .text:000007FF75A97D9A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97DA2 mov [rdi], ebx +; .text:000007FF75A97DA4 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17D96 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F96F3 cmp eax, [esi+320h] +; .text:6F2F96F9 jz loc_6F30E256 +; Changed +; .text:6F2F96F3 mov eax, 100h +; .text:6F2F96F8 mov [esi+320h], eax +; .text:6F2F96FE nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=196F3 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97AD2 cmp [rdi+63Ch], eax +; .text:000007FF75A97AD8 jz loc_7FF75AA4978 +; Changed +; .text:000007FF75A97AD2 mov eax, 100h +; .text:000007FF75A97AD7 mov [rdi+638h], eax +; .text:000007FF75A97ADD nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17AD2 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.17514] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA497 lea eax, [ebp+VersionInformation] +; .text:6F2FA49D inc ebx <- nop +; .text:6F2FA49E push eax ; lpVersionInformation +; .text:6F2FA49F mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4A9 mov [esi], ebx +; .text:6F2FA4AB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A49D +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A980DC lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A980E1 mov ebx, 1 <- 0 +; .text:000007FF75A980E6 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A980EE mov [rdi], ebx +; .text:000007FF75A980F0 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=180E2 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9D53 cmp eax, [esi+320h] +; .text:6F2F9D59 jz loc_6F30B25E +; Changed +; .text:6F2F9D53 mov eax, 100h +; .text:6F2F9D58 mov [esi+320h], eax +; .text:6F2F9D5E nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19D53 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97D8A cmp [rdi+63Ch], eax +; .text:000007FF75A97D90 jz loc_7FF75AA40F4 +; Changed +; .text:000007FF75A97D8A mov eax, 100h +; .text:000007FF75A97D8F mov [rdi+638h], eax +; .text:000007FF75A97D95 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17D8A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.18540] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA4DF lea eax, [ebp+VersionInformation] +; .text:6F2FA4E5 inc ebx <- nop +; .text:6F2FA4E6 push eax ; lpVersionInformation +; .text:6F2FA4E7 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4F1 mov [esi], ebx +; .text:6F2FA4F3 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A4E5 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A98000 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A98005 mov ebx, 1 <- 0 +; .text:000007FF75A9800A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A98012 mov [rdi], ebx +; .text:000007FF75A98014 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=18006 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9D9F cmp eax, [esi+320h] +; .text:6F2F9DA5 jz loc_6F30B2AE +; Changed +; .text:6F2F9D9F mov eax, 100h +; .text:6F2F9DA4 mov [esi+320h], eax +; .text:6F2F9DAA nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19D9F +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97C82 cmp [rdi+63Ch], eax +; .text:000007FF75A97C88 jz loc_7FF75AA3FBD +; Changed +; .text:000007FF75A97C82 mov eax, 100h +; .text:000007FF75A97C87 mov [rdi+638h], eax +; .text:000007FF75A97C8D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17C82 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.22750] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA64F lea eax, [ebp+VersionInformation] +; .text:6F2FA655 inc ebx <- nop +; .text:6F2FA656 push eax ; lpVersionInformation +; .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA661 mov [esi], ebx +; .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A655 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97E88 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97E8D mov ebx, 1 <- 0 +; .text:000007FF75A97E92 mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97E9A mov [rdi], ebx +; .text:000007FF75A97E9C call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17E8E +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9E21 cmp eax, [esi+320h] +; .text:6F2F9E27 jz loc_6F30B6CE +; Changed +; .text:6F2F9E21 mov eax, 100h +; .text:6F2F9E26 mov [esi+320h], eax +; .text:6F2F9E2C nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19E21 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97C92 cmp [rdi+63Ch], eax +; .text:000007FF75A97C98 jz loc_7FF75AA40A2 +; Changed +; .text:000007FF75A97C92 mov eax, 100h +; .text:000007FF75A97C97 mov [rdi+638h], eax +; .text:000007FF75A97C9D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17C92 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.18637] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA4D7 lea eax, [ebp+VersionInformation] +; .text:6F2FA4DD inc ebx <- nop +; .text:6F2FA4DE push eax ; lpVersionInformation +; .text:6F2FA4DF mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA4E9 mov [esi], ebx +; .text:6F2FA4EB call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A4DD +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A980F4 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A980F9 mov ebx, 1 <- 0 +; .text:000007FF75A980FE mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A98106 mov [rdi], ebx +; .text:000007FF75A98108 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=180FA +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9DBB cmp eax, [esi+320h] +; .text:6F2F9DC1 jz loc_6F30B2A6 +; Changed +; .text:6F2F9DBB mov eax, 100h +; .text:6F2F9DC0 mov [esi+320h], eax +; .text:6F2F9DC6 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19DBB +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97DC6 cmp [rdi+63Ch], eax +; .text:000007FF75A97DCC jz loc_7FF75AA40BD +; Changed +; .text:000007FF75A97DC6 mov eax, 100h +; .text:000007FF75A97DCB mov [rdi+638h], eax +; .text:000007FF75A97DD1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17DC6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.1.7601.22843] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; Imagebase: 6F2E0000 +; .text:6F2FA64F lea eax, [ebp+VersionInformation] +; .text:6F2FA655 inc ebx <- nop +; .text:6F2FA656 push eax ; lpVersionInformation +; .text:6F2FA657 mov [ebp+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:6F2FA661 mov [esi], ebx +; .text:6F2FA663 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1A655 +SingleUserCode.x86=nop +; Imagebase: 7FF75A80000 +; .text:000007FF75A97F90 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation +; .text:000007FF75A97F95 mov ebx, 1 <- 0 +; .text:000007FF75A97F9A mov [rsp+198h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000007FF75A97FA2 mov [rdi], ebx +; .text:000007FF75A97FA4 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=17F96 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:6F2F9E25 cmp eax, [esi+320h] +; .text:6F2F9E2B jz loc_6F30B6D6 +; Changed +; .text:6F2F9E25 mov eax, 100h +; .text:6F2F9E2A mov [esi+320h], eax +; .text:6F2F9E30 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=19E25 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000007FF75A97D6E cmp [rdi+63Ch], eax +; .text:000007FF75A97D74 jz loc_7FF75AA4182 +; Changed +; .text:000007FF75A97D6E mov eax, 100h +; .text:000007FF75A97D73 mov [rdi+638h], eax +; .text:000007FF75A97D79 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=17D6E +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi + +[6.2.8102.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1000F7E5 lea eax, [esp+150h+VersionInformation] +; .text:1000F7E9 inc esi <- nop +; .text:1000F7EA push eax ; lpVersionInformation +; .text:1000F7EB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1000F7F3 mov [edi], esi +; .text:1000F7F5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=F7E9 +SingleUserCode.x86=nop +; .text:000000018000D83A lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018000D83F mov ebx, 1 <- 0 +; .text:000000018000D844 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018000D84C mov [rdi], ebx +; .text:000000018000D84E call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=D840 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1000E47C cmp eax, [esi+320h] +; .text:1000E482 jz loc_1002D775 +; Changed +; .text:1000E47C mov eax, 100h +; .text:1000E481 mov [esi+320h], eax +; .text:1000E487 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=E47C +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018000D3E6 cmp [rdi+63Ch], eax +; .text:000000018000D3EC jz loc_180027792 +; Changed +; .text:000000018000D3E6 mov eax, 100h +; .text:000000018000D3EB mov [rdi+638h], eax +; .text:000000018000D3F1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=D3E6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=1B909 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=1A484 +SLPolicyFunc.x64=New_Win8SL + +[6.2.8250.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:100159C5 lea eax, [esp+150h+VersionInformation] +; .text:100159C9 inc esi <- nop +; .text:100159CA push eax ; lpVersionInformation +; .text:100159CB mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:100159D3 mov [edi], esi +; .text:100159D5 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=159C9 +SingleUserCode.x86=nop +; .text:0000000180011E6E lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180011E73 mov ebx, 1 <- 0 +; .text:0000000180011E78 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180011E80 mov [rdi], ebx +; .text:0000000180011E82 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=11E74 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013520 cmp eax, [esi+320h] +; .text:10013526 jz loc_1002DB85 +; Changed +; .text:10013520 mov eax, 100h +; .text:10013525 mov [esi+320h], eax +; .text:1001352B nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13520 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001187A cmp [rdi+63Ch], eax +; .text:0000000180011880 jz loc_1800273A2 +; Changed +; .text:000000018001187A mov eax, 100h +; .text:000000018001187F mov [rdi+638h], eax +; .text:0000000180011885 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1187A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=1A0A9 +SLPolicyFunc.x86=New_Win8SL_CP +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=18FAC +SLPolicyFunc.x64=New_Win8SL + +[6.2.8400.0] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1001547E lea eax, [esp+150h+VersionInformation] +; .text:10015482 inc esi <- nop +; .text:10015483 push eax ; lpVersionInformation +; .text:10015484 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1001548C mov [edi], esi +; .text:1001548E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=15482 +SingleUserCode.x86=nop +; .text:000000018002081E lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180020823 mov ebx, 1 <- 0 +; .text:0000000180020828 mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180020830 mov [rdi], ebx +; .text:0000000180020832 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20824 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013E48 cmp eax, [esi+320h] +; .text:10013E4E jz loc_1002E079 +; Changed +; .text:10013E48 mov eax, 100h +; .text:10013E4D mov [esi+320h], eax +; .text:10013E53 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13E48 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001F102 cmp [rdi+63Ch], eax +; .text:000000018001F108 jz loc_18003A02E +; Changed +; .text:000000018001F102 mov eax, 100h +; .text:000000018001F107 mov [rdi+638h], eax +; .text:000000018001F10D nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F102 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19629 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=2492C +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.16384] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1001554E lea eax, [esp+150h+VersionInformation] +; .text:10015552 inc esi <- nop +; .text:10015553 push eax ; lpVersionInformation +; .text:10015554 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1001555C mov [edi], esi +; .text:1001555E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=15552 +SingleUserCode.x86=nop +; .text:000000018002BAA2 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018002BAA7 mov ebx, 1 <- 0 +; .text:000000018002BAAC mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002BAB4 mov [rdi], ebx +; .text:000000018002BAB6 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=2BAA8 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013F08 cmp eax, [esi+320h] +; .text:10013F0E jz loc_1002E161 +; Changed +; .text:10013F08 mov eax, 100h +; .text:10013F0D mov [esi+320h], eax +; .text:10013F13 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13F08 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018002A31A cmp [rdi+63Ch], eax +; .text:000000018002A320 jz loc_18003A0F9 +; Changed +; .text:000000018002A31A mov eax, 100h +; .text:000000018002A31F mov [rdi+638h], eax +; .text:000000018002A325 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=2A31A +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19559 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=21FA8 +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.17048] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:1002058E lea eax, [esp+150h+VersionInformation] +; .text:10020592 inc esi <- nop +; .text:10020593 push eax ; lpVersionInformation +; .text:10020594 mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:1002059C mov [edi], esi +; .text:1002059E call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=20592 +SingleUserCode.x86=nop +; .text:0000000180020942 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:0000000180020947 mov ebx, 1 <- 0 +; .text:000000018002094C mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180020954 mov [rdi], ebx +; .text:0000000180020956 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20948 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1001F408 cmp eax, [esi+320h] +; .text:1001F40E jz loc_1002E201 +; Changed +; .text:1001F408 mov eax, 100h +; .text:1001F40D mov [esi+320h], eax +; .text:1001F413 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=1F408 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018001F206 cmp [rdi+63Ch], eax +; .text:000000018001F20C jz loc_18003A1B4 +; Changed +; .text:000000018001F206 mov eax, 100h +; .text:000000018001F20B mov [rdi+638h], eax +; .text:000000018001F211 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F206 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=17059 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=24570 +SLPolicyFunc.x64=New_Win8SL + +[6.2.9200.21166] +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10015576 lea eax, [esp+150h+VersionInformation] +; .text:1001557A inc esi <- nop +; .text:1001557B push eax ; lpVersionInformation +; .text:1001557C mov [esp+154h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:10015584 mov [edi], esi +; .text:10015586 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=1557A +SingleUserCode.x86=nop +; .text:000000018002BAF2 lea rcx, [rsp+180h+VersionInformation] ; lpVersionInformation +; .text:000000018002BAF7 mov ebx, 1 <- 0 +; .text:000000018002BAFC mov [rsp+180h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002BB04 mov [rdi], ebx +; .text:000000018002BB06 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=2BAF8 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10013F30 cmp eax, [esi+320h] +; .text:10013F36 jz loc_1002E189 +; Changed +; .text:10013F30 mov eax, 100h +; .text:10013F35 mov [esi+320h], eax +; .text:10013F3B nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=13F30 +DefPolicyCode.x86=CDefPolicy_Query_eax_esi +; Original +; .text:000000018002A3B6 cmp [rdi+63Ch], eax +; .text:000000018002A3BC jz loc_18003A174 +; Changed +; .text:000000018002A3B6 mov eax, 100h +; .text:000000018002A3BB mov [rdi+638h], eax +; .text:000000018002A3C1 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=2A3B6 +DefPolicyCode.x64=CDefPolicy_Query_eax_rdi +; Hook SLGetWindowsInformationDWORDWrapper +SLPolicyInternal.x86=1 +SLPolicyOffset.x86=19581 +SLPolicyFunc.x86=New_Win8SL +SLPolicyInternal.x64=1 +SLPolicyOffset.x64=21FD0 +SLPolicyFunc.x64=New_Win8SL + +[6.3.9431.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:1008A609 test eax, eax +; .text:1008A60B js short loc_1008A628 +; .text:1008A60D cmp [ebp+var_8], 0 +; .text:1008A611 jz short loc_1008A628 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=8A611 +LocalOnlyCode.x86=jmpshort +; .text:000000018009F713 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:000000018009F718 test eax, eax +; .text:000000018009F71A js short loc_18009F73B +; .text:000000018009F71C cmp [rsp+48h+arg_18], 0 +; .text:000000018009F721 jz short loc_18009F73B <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=9F721 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:100306A4 lea eax, [esp+150h+VersionInformation] +; .text:100306A8 inc ebx <- nop +; .text:100306A9 mov [edi], ebx +; .text:100306AB push eax ; lpVersionInformation +; .text:100306AC call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=306A8 +SingleUserCode.x86=nop +; .text:00000001800367F3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:00000001800367F8 mov ebx, 1 <- 0 +; .text:00000001800367FD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180036805 mov [rdi], ebx +; .text:0000000180036807 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=367F9 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1002EA25 cmp eax, [ecx+320h] +; .text:1002EA2B jz loc_100348C1 +; Changed +; .text:1002EA25 mov eax, 100h +; .text:1002EA2A mov [ecx+320h], eax +; .text:1002EA30 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=2EA25 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:00000001800350FD cmp [rcx+63Ch], eax +; .text:0000000180035103 jz loc_18004F6AE +; Changed +; .text:00000001800350FD mov eax, 100h +; .text:0000000180035102 mov [rcx+638h], eax +; .text:0000000180035108 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=350FD +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=196B0 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=2F9C0 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.3.9600.16384] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100A271C call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100A2721 test eax, eax +; .text:100A2723 js short loc_100A2740 +; .text:100A2725 cmp [ebp+var_8], 0 +; .text:100A2729 jz short loc_100A2740 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A2729 +LocalOnlyCode.x86=jmpshort +; .text:000000018008181F cmp [rsp+48h+arg_18], 0 +; .text:0000000180081824 jz loc_180031DEF <- nop + jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81824 +LocalOnlyCode.x64=nopjmp +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10018024 lea eax, [esp+150h+VersionInformation] +; .text:10018028 inc ebx <- nop +; .text:10018029 mov [edi], ebx +; .text:1001802B push eax ; lpVersionInformation +; .text:1001802C call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=18028 +SingleUserCode.x86=nop +; .text:000000018002023B lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180020240 mov ebx, 1 <- 0 +; .text:0000000180020245 mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:000000018002024D mov [rdi], ebx +; .text:000000018002024F call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=20241 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10016115 cmp eax, [ecx+320h] +; .text:1001611B jz loc_10034DE1 +; Changed +; .text:10016115 mov eax, 100h +; .text:1001611A mov [ecx+320h], eax +; .text:10016120 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=16115 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:0000000180057829 cmp [rcx+63Ch], eax +; .text:000000018005782F jz loc_18005E850 +; Changed +; .text:0000000180057829 mov eax, 100h +; .text:000000018005782E mov [rcx+638h], eax +; .text:0000000180057834 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=57829 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=1CEB0 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=554C0 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.3.9600.17095] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100A36C4 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100A36C9 test eax, eax +; .text:100A36CB js short loc_100A36E8 +; .text:100A36CD cmp [ebp+var_8], 0 +; .text:100A36D1 jz short loc_100A36E8 <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=A36D1 +LocalOnlyCode.x86=jmpshort +; .text:00000001800B914B call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:00000001800B9150 test eax, eax +; .text:00000001800B9152 js short loc_1800B9173 +; .text:00000001800B9154 cmp [rsp+48h+arg_18], 0 +; .text:00000001800B9159 jz short loc_1800B9173 <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=B9159 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10036BA5 lea eax, [esp+150h+VersionInformation] +; .text:10036BA9 inc ebx <- nop +; .text:10036BAA mov [edi], ebx +; .text:10036BAC push eax ; lpVersionInformation +; .text:10036BAD call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=36BA9 +SingleUserCode.x86=nop +; .text:0000000180021823 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180021828 mov ebx, 1 <- 0 +; .text:000000018002182D mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180021835 mov [rdi], ebx +; .text:0000000180021837 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=21829 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:10037529 cmp eax, [ecx+320h] +; .text:1003752F jz loc_10043662 +; Changed +; .text:10037529 mov eax, 100h +; .text:1003752E mov [ecx+320h], eax +; .text:10037534 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=37529 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018001F6A1 cmp [rcx+63Ch], eax +; .text:000000018001F6A7 jz loc_18007284B +; Changed +; .text:000000018001F6A1 mov eax, 100h +; .text:000000018001F6A6 mov [rcx+638h], eax +; .text:000000018001F6AC nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=1F6A1 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=117F1 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=3B110 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.4.9841.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:1009569B call sub_100B7EE5 +; .text:100956A0 test eax, eax +; .text:100956A2 js short loc_100956BF +; .text:100956A4 cmp [ebp+var_C], 0 +; .text:100956A8 jz short loc_100956BF <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=956A8 +LocalOnlyCode.x86=jmpshort +; .text:0000000180081133 call sub_1800A9048 +; .text:0000000180081138 test eax, eax +; .text:000000018008113A js short loc_18008115B +; .text:000000018008113C cmp [rsp+58h+arg_18], 0 +; .text:0000000180081141 jz short loc_18008115B <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81141 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10030121 lea eax, [esp+150h+VersionInformation] +; .text:10030125 inc ebx <- nop +; .text:10030126 mov [edi], ebx +; .text:10030128 push eax ; lpVersionInformation +; .text:10030129 call ds:GetVersionExW +SingleUserPatch.x86=1 +SingleUserOffset.x86=30125 +SingleUserCode.x86=nop +; .text:0000000180012153 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180012158 mov ebx, 1 <- 0 +; .text:000000018001215D mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180012165 mov [rdi], ebx +; .text:0000000180012167 call cs:GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=12159 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1003B989 cmp eax, [ecx+320h] +; .text:1003B98F jz loc_1005E809 +; Changed +; .text:1003B989 mov eax, 100h +; .text:1003B98E mov [ecx+320h], eax +; .text:1003B994 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=3B989 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018000C125 cmp [rcx+63Ch], eax +; .text:000000018000C12B jz sub_18003BABC +; Changed +; .text:000000018000C125 mov eax, 100h +; .text:000000018000C12A mov [rcx+638h], eax +; .text:000000018000C130 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=C125 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=46A68 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=1EA50 +SLInitFunc.x64=New_CSLQuery_Initialize + +[6.4.9860.0] +; Patch CEnforcementCore::GetInstanceOfTSLicense +; .text:100962BB call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:100962C0 test eax, eax +; .text:100962C2 js short loc_100962DF +; .text:100962C4 cmp [ebp+var_C], 0 +; .text:100962C8 jz short loc_100962DF <- jmp +LocalOnlyPatch.x86=1 +LocalOnlyOffset.x86=962C8 +LocalOnlyCode.x86=jmpshort +; .text:0000000180081083 call ?IsLicenseTypeLocalOnly@CSLQuery@@SAJAEAU_GUID@@PEAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *) +; .text:0000000180081088 test eax, eax +; .text:000000018008108A js short loc_1800810AB +; .text:000000018008108C cmp [rsp+58h+arg_18], 0 +; .text:0000000180081091 jz short loc_1800810AB <- jmp +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=81091 +LocalOnlyCode.x64=jmpshort +; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled +; .text:10030841 lea eax, [esp+150h+VersionInformation] +; .text:10030845 inc ebx <- nop +; .text:10030846 mov [edi], ebx +; .text:10030848 push eax ; lpVersionInformation +; .text:10030849 call ds:__imp__GetVersionExW@4 ; GetVersionExW(x) +SingleUserPatch.x86=1 +SingleUserOffset.x86=30845 +SingleUserCode.x86=nop +; .text:0000000180011AA3 lea rcx, [rsp+190h+VersionInformation] ; lpVersionInformation +; .text:0000000180011AA8 mov ebx, 1 <- 0 +; .text:0000000180011AAD mov [rsp+190h+VersionInformation.dwOSVersionInfoSize], 11Ch +; .text:0000000180011AB5 mov [rdi], ebx +; .text:0000000180011AB7 call cs:__imp_GetVersionExW +SingleUserPatch.x64=1 +SingleUserOffset.x64=11AA9 +SingleUserCode.x64=Zero +; Patch CDefPolicy::Query +; Original +; .text:1003BEC9 cmp eax, [ecx+320h] +; .text:1003BECF jz loc_1005EE1A +; Changed +; .text:1003BEC9 mov eax, 100h +; .text:1003BECE mov [ecx+320h], eax +; .text:1003BED4 nop +DefPolicyPatch.x86=1 +DefPolicyOffset.x86=3BEC9 +DefPolicyCode.x86=CDefPolicy_Query_eax_ecx +; Original +; .text:000000018000B9F5 cmp [rcx+63Ch], eax +; .text:000000018000B9FB jz sub_18003B9C8 +; Changed +; .text:000000018000B9F5 mov eax, 100h +; .text:000000018000B9FA mov [rcx+638h], eax +; .text:000000018000BA00 nop +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=B9F5 +DefPolicyCode.x64=CDefPolicy_Query_eax_rcx +; Hook CSLQuery::Initialize +SLInitHook.x86=1 +SLInitOffset.x86=46F18 +SLInitFunc.x86=New_CSLQuery_Initialize +SLInitHook.x64=1 +SLInitOffset.x64=1EB00 +SLInitFunc.x64=New_CSLQuery_Initialize + +[SLInit] +bServerSku=1 +bRemoteConnAllowed=1 +bFUSEnabled=1 +bAppServerAllowed=1 +bMultimonAllowed=1 +lMaxUserSessions=0 +ulMaxDebugSessions=0 +bInitialized=1 + +[6.3.9431.0-SLInit] +bFUSEnabled.x86 =A22A8 +lMaxUserSessions.x86 =A22AC +bAppServerAllowed.x86 =A22B0 +bInitialized.x86 =A22B4 +bMultimonAllowed.x86 =A22B8 +bServerSku.x86 =A22BC +ulMaxDebugSessions.x86=A22C0 +bRemoteConnAllowed.x86=A22C4 + +bFUSEnabled.x64 =C4490 +lMaxUserSessions.x64 =C4494 +bAppServerAllowed.x64 =C4498 +bInitialized.x64 =C449C +bMultimonAllowed.x64 =C44A0 +bServerSku.x64 =C44A4 +ulMaxDebugSessions.x64=C44A8 +bRemoteConnAllowed.x64=C44AC + +[6.3.9600.16384-SLInit] +bFUSEnabled.x86 =C02A8 +lMaxUserSessions.x86 =C02AC +bAppServerAllowed.x86 =C02B0 +bInitialized.x86 =C02B4 +bMultimonAllowed.x86 =C02B8 +bServerSku.x86 =C02BC +ulMaxDebugSessions.x86=C02C0 +bRemoteConnAllowed.x86=C02C4 + +bServerSku.x64 =E6494 +ulMaxDebugSessions.x64=E6498 +bRemoteConnAllowed.x64=E649C +bFUSEnabled.x64 =E64A0 +lMaxUserSessions.x64 =E64A4 +bAppServerAllowed.x64 =E64A8 +bInitialized.x64 =E64AC +bMultimonAllowed.x64 =E64B0 + +[6.3.9600.17095-SLInit] +bFUSEnabled.x86 =C12A8 +lMaxUserSessions.x86 =C12AC +bAppServerAllowed.x86 =C12B0 +bInitialized.x86 =C12B4 +bMultimonAllowed.x86 =C12B8 +bServerSku.x86 =C12BC +ulMaxDebugSessions.x86=C12C0 +bRemoteConnAllowed.x86=C12C4 + +bServerSku.x64 =E4494 +ulMaxDebugSessions.x64=E4498 +bRemoteConnAllowed.x64=E449C +bFUSEnabled.x64 =E44A0 +lMaxUserSessions.x64 =E44A4 +bAppServerAllowed.x64 =E44A8 +bInitialized.x64 =E44AC +bMultimonAllowed.x64 =E44B0 + +[6.4.9841.0-SLInit] +bFUSEnabled.x86 =BF9F0 +lMaxUserSessions.x86 =BF9F4 +bAppServerAllowed.x86 =BF9F8 +bInitialized.x86 =BF9FC +bMultimonAllowed.x86 =BFA00 +bServerSku.x86 =BFA04 +ulMaxDebugSessions.x86=BFA08 +bRemoteConnAllowed.x86=BFA0C + +bFUSEnabled.x64 =ECFF8 +lMaxUserSessions.x64 =ECFFC +bAppServerAllowed.x64 =ED000 +bInitialized.x64 =ED004 +bMultimonAllowed.x64 =ED008 +bServerSku.x64 =ED00C +ulMaxDebugSessions.x64=ED010 +bRemoteConnAllowed.x64=ED014 + +[6.4.9860.0-SLInit] +bFUSEnabled.x86 =BF7E0 +lMaxUserSessions.x86 =BF7E4 +bAppServerAllowed.x86 =BF7E8 +bInitialized.x86 =BF7EC +bMultimonAllowed.x86 =BF7F0 +bServerSku.x86 =BF7F4 +ulMaxDebugSessions.x86=BF7F8 +bRemoteConnAllowed.x86=BF7FC + +bFUSEnabled.x64 =ECBD8 +lMaxUserSessions.x64 =ECBDC +bAppServerAllowed.x64 =ECBE0 +bInitialized.x64 =ECBE4 +bMultimonAllowed.x64 =ECBE8 +bServerSku.x64 =ECBEC +ulMaxDebugSessions.x64=ECBF0 +bRemoteConnAllowed.x64=ECBF4