Support for 6.1.7601.24402

[1Pekol]

Hi, in W7 Pro (propably after installation KB4493472) RDPWrap sed "supported partially". I solved and tested 32bit termsrv.dll:

[6.1.7601.24402] SingleUserPatch.x86=1 SingleUserOffset.x86=1A675 SingleUserCode.x86=nop DefPolicyPatch.x86=1 DefPolicyOffset.x86=19E41 DefPolicyCode.x86=CDefPolicy_Query_eax_esi

Have a nice day. p.s. Sorry, I do not known any 64bit dll version I do not have any 64bit practice. So I hope somebody another from comunity will take some time to solve 64bit.

[jirijanata]

[6.1.7601.24402] SingleUserPatch.x64=1 SingleUserOffset.x64=17F26 SingleUserCode.x64=Zero DefPolicyPatch.x64=1 DefPolicyOffset.x64=17CFE DefPolicyCode.x64=CDefPolicy_Query_eax_rdi

EDIT: Corrected value

[1Pekol]

[6.1.7601.24402] SingleUserPatch.x64=1 SingleUserOffset.x64=17F25 SingleUserCode.x64=Zero DefPolicyPatch.x64=1 DefPolicyOffset.x64=17CFE DefPolicyCode.x64=CDefPolicy_Query_eax_rdi

Is your solution tested? Thanks

[jirijanata]

Of couse. Windows 7 x64. Offsets found throught IDA.

[chrislengrc]

Do I just paste this into "C:\Program Files\RDP Wrapper\rdpwrap.ini" and restart?

once I do this my RDP doesn't seem to be "Listening"?

[jirijanata]

0. Backup rdpwrap.ini file
1. Download RDPWrapper from github and unpack it.
2. Uninstall RDPWrapper
3. Change in install.bat "%~dp0RDPWInst" -i -o to "%~dp0RDPWInst" -i = simply remove -o and save the file.
4. Copy rdpwrap.ini into the same folder as install.bat
5. Add to rdpwrap.ini new offsets and save it.
6. Install RDPWrapper with install.bat

[joebrug]

Curious, why do you have to uninstall/reinstall and not just add the new section to the existing ini file? Is this a new requirement? :)

[jirijanata]

No, but rdpwrap.ini was mostly used by Remote Desktop Service and I can't easilly edit it. So - this is the easiest way.

[joebrug]

I've seen so many emails lately about people not able to get RDPWrapper working, some can, some cant.. it's not that hard.. trying to figure out what their problem is. I just noticed my WSUS services were stopped, so didn't get the 6.1.7601.24402 update yet. I have tested your x64 settings above by simply copying/pasting inside c:\program files\rdpwrapper\rdpwrap.ini and RDPConf.exe said Fully Supported. Restarted computer and have two RDP sessions in at the moment. Looks good.

[jirijanata]

Thank you for test. I've also tested this settings on live Windows 7 installation.

[joebrug]

How come no DefPolicy* stuff? Not sure what it does, or if its needed, but the rest have it so thought I'd ask :)

[jirijanata]

It's actually quite easy:

1. Open IDA and load termsrv.dll
   • you need to look on the begining on the offset. This dll file has 80 000 offset.
2. Alt+t (search) ; __int64 __fastcall CDefPolicy::Query
3. The you are looking for cmp [rdi+63Ch], eax

It looks in IDA so and you just need to substract 80000 from the 97CFE:

.text:000007FF75A97CC8 ; int64 fastcall CDefPolicy::Query(CDefPolicy __hidden this, int ) .text:000007FF75A97CC8 ?Query@CDefPolicy@@UEAAJPEAH@Z proc near .text:000007FF75A97CC8 ; DATA XREF: .rdata:000007FF75AEB560↓o .text:000007FF75A97CC8 ; .pdata:stru_7FF75B20578↓o ... .text:000007FF75A97CC8 .text:000007FF75A97CC8 arg_0 = qword ptr 8 .text:000007FF75A97CC8 arg_8 = qword ptr 10h .text:000007FF75A97CC8 .text:000007FF75A97CC8 ; FUNCTION CHUNK AT .text:000007FF75AA4148 SIZE 00000019 BYTES .text:000007FF75A97CC8 .text:000007FF75A97CC8 mov [rsp+arg_0], rbx .text:000007FF75A97CCD mov [rsp+arg_8], rsi .text:000007FF75A97CD2 push rdi .text:000007FF75A97CD3 sub rsp, 20h .text:000007FF75A97CD7 mov rbx, rdx .text:000007FF75A97CDA mov rdi, rcx .text:000007FF75A97CDD xor esi, esi .text:000007FF75A97CDF lea ecx, [rsi+10h] ; int .text:000007FF75A97CE2 lea rdx, aCdefpolicyQuer ; "CDefPolicy::Query" .text:000007FF75A97CE9 call ?_DbgPrintMessage@@YAXHPEBDZZ ; _DbgPrintMessage(int,char const *,...) .text:000007FF75A97CEE mov r11d, [rdi+644h] .text:000007FF75A97CF5 mov [rbx], r11d .text:000007FF75A97CF8 mov eax, [rdi+638h] .text:000007FF75A97CFE cmp [rdi+63Ch], eax

[joebrug]

Oh wow you make that seem very easy! So the "header"offset is always the last 5 characters? (000007FF75A80000) Okay so thats how you get the DefPolicyOffset but what about the other values like SingleUserOffset.x64?

[jirijanata]

Everything needed is actually in this video - see my other post: https://github.com/stascorp/rdpwrap/issues/727#issuecomment-482255218

[joebrug]

I've tried watching that video.. makes no sense, gets confusing. :(

[fre4kyC0de]

Add these offsets to your rdpwrap.ini: https://github.com/fre4kyC0de/rdpwrap/blob/master/6.1.7601.24402.txt

[joebrug]

Thanks @fre4kyC0de , still love to know how you do it ;) I notice a dif between you and @jirijanata . Why the dif? who's correct? :)

Jiri: SingleUserOffset.x64=17F25

Freaky: SingleUserOffset.x64=17F26

[fre4kyC0de]

Maybe (I‘ll recheck that as I did the reversing at 1 AM) jirijanata posted the offset of the „mov eax, 1“-command while the offset of the first „parameter“ has to be used. This is a little confusing when reversing exactly this offset.

[jirijanata]

@joebrug - @fre4kyC0de is right. It should be 17F26

.text:000007FF75A97ED0 ; int64 fastcall CSessionArbitrationHelper::IsSingleSessionPerUserEnabled(CSessionArbitrationHelper __hidden this, int ) .text:000007FF75A97ED0 ?IsSingleSessionPerUserEnabled@CSessionArbitrationHelper@@UEAAJPEAH@Z proc near .text:000007FF75A97ED0 ; DATA XREF: .rdata:000007FF75AEA858↓o .text:000007FF75A97ED0 ; .pdata:stru_7FF75B205A8↓o ... .text:000007FF75A97ED0 .text:000007FF75A97ED0 var_178 = qword ptr -178h .text:000007FF75A97ED0 var_168 = dword ptr -168h .text:000007FF75A97ED0 var_160 = qword ptr -160h .text:000007FF75A97ED0 var_158 = qword ptr -158h .text:000007FF75A97ED0 var_150 = dword ptr -150h .text:000007FF75A97ED0 var_148 = qword ptr -148h .text:000007FF75A97ED0 var_140 = dword ptr -140h .text:000007FF75A97ED0 var_13C = dword ptr -13Ch .text:000007FF75A97ED0 VersionInformation= _OSVERSIONINFOW ptr -138h .text:000007FF75A97ED0 var_1E = byte ptr -1Eh .text:000007FF75A97ED0 var_18 = qword ptr -18h .text:000007FF75A97ED0 var_8 = byte ptr -8 .text:000007FF75A97ED0 arg_0 = qword ptr 8 .text:000007FF75A97ED0 arg_10 = qword ptr 18h .text:000007FF75A97ED0 arg_18 = qword ptr 20h .text:000007FF75A97ED0 .text:000007FF75A97ED0 ; FUNCTION CHUNK AT .text:000007FF75AA6388 SIZE 00000127 BYTES .text:000007FF75A97ED0 .text:000007FF75A97ED0 mov [rsp+arg_0], rbx .text:000007FF75A97ED5 mov [rsp+arg_10], rsi .text:000007FF75A97EDA mov [rsp+arg_18], rdi .text:000007FF75A97EDF push r13 .text:000007FF75A97EE1 sub rsp, 190h .text:000007FF75A97EE8 mov rax, cs:__security_cookie .text:000007FF75A97EEF xor rax, rsp .text:000007FF75A97EF2 mov [rsp+198h+var_18], rax .text:000007FF75A97EFA mov rdi, rdx .text:000007FF75A97EFD lea rdx, aCsessionarbitr_17 ; "CSessionArbitrationHelper::IsSingleSess"... .text:000007FF75A97F04 mov ecx, 10h ; int .text:000007FF75A97F09 call ?_DbgPrintMessage@@YAXHPEBDZZ ; _DbgPrintMessage(int,char const *,...) .text:000007FF75A97F0E lea rcx, [rsp+198h+VersionInformation.dwMajorVersion] ; Dst .text:000007FF75A97F13 xor edx, edx ; Val .text:000007FF75A97F15 mov r8d, 118h ; Size .text:000007FF75A97F1B call memset_0 .text:000007FF75A97F20 lea rcx, [rsp+198h+VersionInformation] ; lpVersionInformation .text:000007FF75A97F25 mov ebx, 1

[joebrug]

Ok, so I understand subtracting header from the values using hex calculator, but what values did you use? What lines? For single user and def policy.. just trying to learn/understand :) thanks guys

[Kbotz]

Thanks to fre4kyC0de and jirijanata for their efforts. The tests I ran on both the Pro and Home Win7 x64 setups shows that SingleUserOffset.x64=17F26 allows for successful simultaneous RDP sessions with the updated termsrv v.6.1.7601.24402, but 17F25 does not. It appears jirijanata concluded the same thing earlier.

[fre4kyC0de]

17F26 is the correct value; I just rechecked it

[joebrug]

Thanks @fre4kyC0de . Anyway you'd be willing to explain how you got the value for SingleUserOffset and DefPolicyOffset ? Is it really as simple as @jirijanata showed above with getting header value, then searching for "; int64 fastcall CDefPolicy::Query" ? Just not certain where to look after that. Thanks!

[Kbotz]

The only "bug" I can see is with the Instant Messaging program I run on a handful of PCs/Laptops I have connected to my local LAN. Each time an RDP session is now started, Trillian IM spits out the following message: "Another device under your control, >> "-- resource --" << , has forcefully disconnected you by request." The connection to any current online contact that Trillian hosts is killed in the process, and that connection then has to be manually re-engaged (restarted). Never saw this quirk before with earlier fixes.

[fre4kyC0de]

@joebrug

For demonstration I'll describe, how to do with IDA (termsrv.dll 6.1.7601.24402 x64):

1) Load the file into IDA and let it download the symbos. 2) Go to the beginning of the file. 3) Copy the imagebase (in this case 7FF75A80000) and paste it into an editor / write it down somewhere 4) In the "functions"-window search for "CSessionArbitrationHelerp::IsSingleSessionPerUserEnabled" 5) Press to leave the graph mode 6) Search for two commands a) "call memset_0" b) "call cs:__imp_GetVersionExW" 7) between those two, there is a "mov ebx, 1"; click it

The correct way: 8) switch to "Hex View"; it should have marked these byte sequence: "BB 01 00 00 00" We want RDPWrap to replace the "01" with "00", so "mov ebx, 1" gets "mov ebx, 0" 9) mark the "01" 10) At the bottom IDA should display two offsets a) 0x17326 = Offset in the file b) 0x7FF75A97F26 = Offset, when loaded in RAM 11) from the second offset substract the imagebase (result is 0x17F26) DONE

The easy way: 8) substract the imagebase from the offset displayed at the left (results in 0x17F25) 9) add 1 (as we want to swap the value and not the command) [remember to do hexadecimal calculations]

[stwubby]

Hi Guys and Girls. I was able to remotely copy the rdpwrap.ini from the RDP Wrapper programs folder to where ever, opened it in notepad, pasted in the new offset info, save it there, copy the updated one, then pasted it back to where it belongs (RDP Wrapper programs folder) it asked for admin permission to replace rdpwrap.ini then allowed it. Don't know why you were talking about having to uninstall Rdpwrapper and all that other jazz. Then you can run the update and not worry that you have to visit the remote site to deal with it. Naturally you must have full control permissions over that file. Thank you fre4kyC0de, jirijanata, joebrug for your efforts. Much appreciated.

[chrislengrc]

Hi Guys and Girls. I was able to remotely copy the rdpwrap.ini from the RDP Wrapper programs folder to where ever, opened it in notepad, pasted in the new offset info, save it there, copy the updated one, then pasted it back to where it belongs (RDP Wrapper programs folder) it asked for admin permission to replace rdpwrap.ini then allowed it. Don't know why you were talking about having to uninstall Rdpwrapper and all that other jazz. Then you can run the update and not worry that you have to visit the remote site to deal with it. Naturally you must have full control permissions over that file. Thank you fre4kyC0de, jirijanata, joebrug for your efforts. Much appreciated.

I edited the .ini file in RDPwrapper programs folder using notepad++ as admin, however I had to reboot to get it to work, i'd like to avoid that step in future so wondered what you meany by "Then you can run the Update and not worry" what Update?

[joebrug]

There is no "update", as far as I know.. I assume they're talking about the update.bat file that comes with RDP Wrapper.. but to my knowledge, it doesn't do anything, since @binarymaster hasn't/wont update the .ini file on the server side. I wish he would take @fre4kyC0de 's updates and append them to his .ini file. It'd sure save a lot of headaches. :)

[joebrug]

@joebrug

For demonstration I'll describe, how to do with IDA (termsrv.dll 6.1.7601.24402 x64):

Great @fre4kyC0de ! Thanks, so thats SingleUserOffset.x64, but how do you get the other values you need? DefPolicyOffset, etc. Thanks again

[stwubby]

The update that you know is sitting there in The MS updates that will break your rdp wrapper. The updates don't affect the rdp wrapper .ini file so pre edit rdpwapper.ini then run updates because it reboots after these updates. You should test it first of course on a non remote machine so you know it will work on the remote machine.

From: "chrislengrc" notifications@github.com To: "stascorp/rdpwrap" rdpwrap@noreply.github.com Cc: "Stephen Robertson" srobtson@telus.net, "Comment" comment@noreply.github.com Sent: Monday, April 15, 2019 9:58:37 AM Subject: Re: [stascorp/rdpwrap] Support for 6.1.7601.24402 (#734)

Hi Guys and Girls. I was able to remotely copy the rdpwrap.ini from the RDP Wrapper programs folder to where ever, opened it in notepad, pasted in the new offset info, save it there, copy the updated one, then pasted it back to where it belongs (RDP Wrapper programs folder) it asked for admin permission to replace rdpwrap.ini then allowed it. Don't know why you were talking about having to uninstall Rdpwrapper and all that other jazz. Then you can run the update and not worry that you have to visit the remote site to deal with it. Naturally you must have full control permissions over that file. Thank you fre4kyC0de, jirijanata, joebrug for your efforts. Much appreciated.

I edited the .ini file in RDPwrapper programs folder using notepad++ as admin, however I had to reboot to get it to work, i'd like to avoid that step in future so wondered what you meany by "Then you can run the Update and not worry" what Update?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub , or mute the thread .

[PocketSam]

You can just stop Terminal Services through Computer Management Services section or with net stop TermService then edit rdpwrap.ini file and start TermService again.

But it seems that sometimes you need to reboot to apply new rdpwrap.ini file. :(

[TonightShaka]

I turn to a version call of RDPWrapper V1.7, since they do not make a sense and give stinging tips, I had a lot of difficulties, I get a layman if I do not read here to break a head. The program has a BUG, ​​the purpose is here and help, will do and post here ... I will give the credits to: jirijanata and fre4kyC0de .. I will add all the code files to rdpwrap.ini. and the fix already applied did not install by Jirijanata:

Backup rdpwrap.ini file Download RDPWrapper from github and unpack it. Uninstall RDPWrapper Change in install.bat "%~dp0RDPWInst" -i -o to "%~dp0RDPWInst" -i = simply remove -o and save the file. Copy rdpwrap.ini into the same folder as install.bat Add to rdpwrap.ini new offsets and save it. Install RDPWrapper with install.bat

I'll go ahead, just editing the .rdpwrap.ini file just does not work. More option in installer, sorry my English, using google translator. YOU CAN CHARGE ME IN 5 DAYS HERE.

[DrLove73]

rdp.ini is editable if you use Notepad++ . When you try to save the file with Notepad++, it will ask if you want to open current file in Notepad++ as Administrator. Click yes and after reload (and typing Administrator credentials) you can save the file promptly.

[RobertRoberts2020]

[6.1.7601.24402] SingleUserPatch.x64=1 SingleUserOffset.x64=17F26 SingleUserCode.x64=Zero DefPolicyPatch.x64=1 DefPolicyOffset.x64=17CFE DefPolicyCode.x64=CDefPolicy_Query_eax_rdi

EDIT: Corrected value

it shows up as " fully supported". but I can't get more than 2 sessions in using this,

[DrLove73]

Have you tried rebooting PC between installation and trying?

[PocketSam]

Have you tried rebooting PC between installation and trying?

Seems like the problem occurred when automatic updates were enabled. I've disabled it and now everything works fine for at least 3 days.

[s0nic9]

@RobertRoberts2020 @PocketSam tested today on fresh Win2008R2 fully updated, ini from fre4kyC0de works. 1 local user + 4 concurrent users , no problems.

[s0nic9]

today, on a server in this version (Win2008R2) , two concurrent users only, ini was ignored even if rdpconf say "fully supported". I need to add a second blank line at the end of the ini to get it work ! weird.

[affinityv]

Was it perhaps the file format was with Unix line endings instead of DOS?

[s0nic9]

yes, i'm thinking about that but i was copy/paste over rdp from my current ini (from my win10) which is work to the win2008. hmm while writing , perhaps a diff between win7/2008r2 and win8+ encoding support

[affinityv]

Yes, always make sure it is a plain text file with DOS line endings. Whatever editor you use, be sure of how the file is saved (it's format).

[sebthesun]

I have de same problem with this version (windows server 2008 r2) but I can't get it work for more than 2 RDP... I updated the ini file with the settings from @fre4kyC0de but with no luck. I don't what to look for to find the cause.

Thank for your help.

[MiniK0nG]

somtimes the wrapper says service state : stopped Listener state : Not Listening and i have to reinstalll all. Can you update the ini file pls, i can share the file here https://we.tl/t-I4moScaKIV thanks for the help