10.0.25982.1000 please #3216

Open
CodeDruidX opened this issue Jun 24, 2024 · 6 comments
Labels
add build Add new termsrv.dll build for support

Comments

@CodeDruidX

Hi there
I am using some junk canary build called 10.0.25982.1000.rs_prerelease.231020-1353
Here is my termsrv.zip

I've tried to patch it instead of wrapping, but it contains two different matches for 39 81 3C 06 00 00, so I ran into trouble (blue Windows recovery screen after reboot) with my experiments.
Duplication of configurations of the nearest builds also didn't work.

[image]

I will be grateful if someone helps me with the proper .ini offsets.
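The problem in the post above (one byte sequence, two matches, and a boot failure after patching on the wrong one) is a uniqueness check that any offset-finding step should perform before anything is written. The script below is an added example, not rdpwrap's own code: it scans a buffer for a hex pattern, reports every offset, refuses to treat a match as unique when more than one exists, and parses an .ini section of the same shape as the ones in this thread so that each offset can be checked against the file size. The byte buffer and the .ini fragment are constructed for the example; the buffer is filler bytes, not a real termsrv.dll.

```python
import re
from typing import Dict, List, Optional

# Constructed sample buffer (not a real DLL): filler bytes that contain the
# sequence quoted in the issue, 39 81 3C 06 00 00, at two different offsets.
PATTERN_TEXT = "39 81 3C 06 00 00"
SAMPLE_IMAGE = (
    b"\x90" * 0x10
    + bytes.fromhex("39813C060000")   # first occurrence at 0x10
    + b"\xCC" * 0x20
    + bytes.fromhex("39813C060000")   # second occurrence at 0x36
    + b"\x00" * 0x10
)

# Constructed .ini fragment in the shape of the sections posted in this thread.
SAMPLE_SECTION = """[10.0.25982.1000-SLInit]
; no x86 section
bInitialized.x64 =11BDF0
bServerSku.x64 =11BDF4
lMaxUserSessions.x64 =11BDF8
"""


def parse_hex_pattern(text: str) -> bytes:
    """Turn a space-separated hex string such as '39 81 3C 06 00 00' into bytes."""
    cleaned = re.sub(r"\s+", "", text)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"not a hex byte string: {text!r}")
    return bytes.fromhex(cleaned)


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs in data, overlaps included."""
    if not pattern:
        raise ValueError("empty pattern")
    hits: List[int] = []
    start = 0
    while (idx := data.find(pattern, start)) >= 0:
        hits.append(idx)
        start = idx + 1  # step by one byte so overlapping matches are reported too
    return hits


def unique_offset(data: bytes, pattern: bytes) -> Optional[int]:
    """Return the single offset of pattern, or None if it is absent or ambiguous.

    An ambiguous pattern (two or more hits) must not be used as a patch anchor;
    the caller needs more context bytes to disambiguate.
    """
    hits = find_all(data, pattern)
    return hits[0] if len(hits) == 1 else None


HEX_VALUE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_offset_section(ini_text: str) -> Dict[str, int]:
    """Collect 'Key.x64 = HEX' entries from an rdpwrap-style section.

    Comment lines (';'), section headers and non-hex values such as 'Zero' or
    'jmpshort' are skipped. Note that flag keys like 'SingleUserPatch.x64=1'
    are numeric too and will be returned as offset 1; filter them by key name
    if the section mixes flags and offsets.
    """
    offsets: Dict[str, int] = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if HEX_VALUE.match(value):
            offsets[key] = int(value, 16)
    return offsets


def offsets_out_of_range(offsets: Dict[str, int], image_size: int) -> List[str]:
    """Names of entries whose offset lies at or beyond the end of the file."""
    return sorted(key for key, off in offsets.items() if off >= image_size)


if __name__ == "__main__":
    pat = parse_hex_pattern(PATTERN_TEXT)
    hits = find_all(SAMPLE_IMAGE, pat)
    print(f"{PATTERN_TEXT}: {len(hits)} match(es) at {[hex(h) for h in hits]}")
    if unique_offset(SAMPLE_IMAGE, pat) is None:
        print("pattern is not unique; it cannot be used as an anchor on its own")
    offs = parse_offset_section(SAMPLE_SECTION)
    print("entries outside the sample buffer:", offsets_out_of_range(offs, len(SAMPLE_IMAGE)))
```

On the constructed buffer the six-byte pattern is found twice, so `unique_offset` returns `None`; extending the pattern with one preceding byte (for example `90 39 81`) makes it unique. The range check is only a sanity test: an offset inside the file can still be wrong, but one outside it is certainly wrong.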

@binarymaster binarymaster added the add build Add new termsrv.dll build for support label Jun 24, 2024
@CodeDruidX
Author

CodeDruidX commented Jun 25, 2024

I did some research and found offsets via IDA.
It was quite easy with one of the last versions as an example, but something went wrong.

[10.0.25982.1000]
; no x86 section
SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero

DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx

LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort

SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize

[10.0.25982.1000-SLInit]
; no x86 section
bInitialized.x64 =11BDF0
bServerSku.x64 =11BDF4
lMaxUserSessions.x64 =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64 =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64 =11BE18

The second session still kicks the first
[image]
After reboot TermService cannot start:
[image]

Here is my explanation:
SLInitHook.x64=1
SLInitOffset.x64=ACA68
SLInitFunc.x64=New_CSLQuery_Initialize
[image]
DefPolicyPatch.x64=1
DefPolicyOffset.x64=95945
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
[image]
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=8BB21
LocalOnlyCode.x64=jmpshort
[image]
SingleUserPatch.x64=1
SingleUserOffset.x64=9850B
SingleUserCode.x64=Zero
[image]
bInitialized.x64 =11BDF0
bServerSku.x64 =11BDF4
lMaxUserSessions.x64 =11BDF8
bAppServerAllowed.x64 =11BE00
bRemoteConnAllowed.x64=11BE08
bMultimonAllowed.x64 =11BE0C
ulMaxDebugSessions.x64=11BE14
bFUSEnabled.x64 =11BE18
[image]

All assembly seems to be the same as here (10.0.20348.2400):
#2555 (comment)
I carefully adapted it, but where is the mistake?

Really want to start it with my creepy build)
Someone, please help!

@CodeDruidX
Author

DefPolicyPatch.x64=1
DefPolicyOffset.x64=9593F
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp

Thank you very much, it works!
