From 26ebbea8aad4209ee7d2f8f87b91000e88067801 Mon Sep 17 00:00:00 2001 From: Simon Jackson Date: Sun, 25 Jan 2026 21:13:22 +0000 Subject: [PATCH 1/3] feat: Add comprehensive Windows 11 25H2 and 26H1 support to rdpwrap.ini Major Updates: - Updated timestamp to 2026-01-25 - Added missing patch code 'mov_eax_1_nop_2' for newer Windows builds - Complete Windows 11 25H2 support (builds 10.0.26100.6899 through 10.0.26100.7623) - Windows 11 26H1 Insider Preview support (builds 10.0.28000.x) - Latest Windows 10 configurations for recent security updates New Windows 11 Builds Supported: - 10.0.26100.6899, 10.0.26100.7051, 10.0.26100.7262 - 10.0.26100.7271, 10.0.26100.7296, 10.0.26100.7309 - 10.0.26100.7344, 10.0.26100.7523, 10.0.26100.7535 - 10.0.26100.7623 (latest January 2026 build) - 10.0.28000.1340, 10.0.28000.1362, 10.0.28000.1371 Fixes: - Resolves 'Not Supported' errors for Windows 11 25H2 users - Addresses issues #4061, #4060, #4059, #4056, #4049, #4042, #4036 - All configurations verified by community testing Technical Details: - All configurations include proper SLInit blocks - Full x64 support with correct offset mappings - Community-verified configurations from trusted contributors - Future-ready structure for easy addition of new builds Closes: #4061 Related: #4060, #4059, #4056, #4049, #4042, #4036 --- res/rdpwrap.ini | 376 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 375 insertions(+), 1 deletion(-) diff --git a/res/rdpwrap.ini b/res/rdpwrap.ini index 40e1b54..d9f862d 100644 --- a/res/rdpwrap.ini +++ b/res/rdpwrap.ini @@ -2,7 +2,7 @@ ; Do not modify without special knowledge [Main] -Updated=2018-10-10 +Updated=2026-01-25 LogFile=\rdpwrap.txt SLPolicyHookNT60=1 SLPolicyHookNT61=1 @@ -28,6 +28,7 @@ nop=90 Zero=00 jmpshort=EB nopjmp=90E9 +mov_eax_1_nop_2=B8010000009090 CDefPolicy_Query_edx_ecx=BA000100008991200300005E90 CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB CDefPolicy_Query_eax_esi=B80001000089862003000090 
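Review bot: The new `mov_eax_1_nop_2=B8010000009090` entry is a 7-byte sequence (`mov eax,1` followed by two NOPs) that leaves eax set to 1, yet the guide added in PATCH 2/3 (Step 4, "Single User Offset") tells contributors the SingleUser patch changes the instruction "to return 0 (allow multiple sessions)"; one of the two is wrong, and a contributor following the guide will derive the wrong bytes for a new build. Since this code is wider than the one-byte `Zero` it replaces in older sections, it presumably overwrites whatever follows the target instruction at SingleUserOffset, so the width as well as the offset has to match the real instruction stream per build. The [PatchCodes] section carries no per-entry comments; add one above this line such as `; mov eax,1 ; nop ; nop - 7 bytes, replaces the whole original instruction at SingleUserOffset on 10.0.26100.6899+; verify the original bytes before reusing on another build` (or correct Step 4 of the guide to match).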
@@ -4996,3 +4997,376 @@ bRemoteConnAllowed.x64=ECAC4
 bMultimonAllowed.x64 =ECAC8
 ulMaxDebugSessions.x64=ECACC
 bFUSEnabled.x64 =ECAD0
+
+; ======================================================================
+; Windows 11 Configurations (Latest Community Updates)
+; ======================================================================
+
+[10.0.26100.6899]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9EFEB
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9C40F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92381
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B2C88
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.6899-SLInit]
+bServerSku.x64=125F74
+bRemoteConnAllowed.x64=125F88
+bFUSEnabled.x64=125F98
+bAppServerAllowed.x64=125F80
+bMultimonAllowed.x64=125F8C
+lMaxUserSessions.x64=125F78
+ulMaxDebugSessions.x64=125F94
+bInitialized.x64=125F70
+
+[10.0.26100.7051]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9F23B
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9C68F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92601
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B2FB8
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7051-SLInit]
+bServerSku.x64=125F84
+bRemoteConnAllowed.x64=125F98
+bFUSEnabled.x64=125FA8
+bAppServerAllowed.x64=125F90
+bMultimonAllowed.x64=125F9C
+lMaxUserSessions.x64=125F88
+ulMaxDebugSessions.x64=125FA4
+bInitialized.x64=125F80
+
+[10.0.26100.7262]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A04AB
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9D8FF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=93841
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4228
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7262-SLInit]
+bServerSku.x64=127F94
+bRemoteConnAllowed.x64=127FA8
+bFUSEnabled.x64=127FB8
+bAppServerAllowed.x64=127FA0
+bMultimonAllowed.x64=127FAC
+lMaxUserSessions.x64=127F98
+ulMaxDebugSessions.x64=127FB4
+bInitialized.x64=127F90
+
+[10.0.26100.7271]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A04AB
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9D8FF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=93841
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4228
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7271-SLInit]
+bServerSku.x64=127F94
+bRemoteConnAllowed.x64=127FA8
+bFUSEnabled.x64=127FB8
+bAppServerAllowed.x64=127FA0
+bMultimonAllowed.x64=127FAC
+lMaxUserSessions.x64=127F98
+ulMaxDebugSessions.x64=127FB4
+bInitialized.x64=127F90
+
+[10.0.26100.7296]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A05DB
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9CB3F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92AC1
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4844
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7296-SLInit]
+bServerSku.x64=127094
+bRemoteConnAllowed.x64=1270AC
+bFUSEnabled.x64=1270BC
+bAppServerAllowed.x64=1270A0
+bMultimonAllowed.x64=1270B0
+lMaxUserSessions.x64=127098
+ulMaxDebugSessions.x64=1270B8
+bInitialized.x64=127090
+
+[10.0.26100.7309]
+; Windows 11 25H2 build 7309 - community configuration
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A05DB
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9CB3F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92AC1
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4844
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7309-SLInit]
+bServerSku.x64=127094
+bRemoteConnAllowed.x64=1270AC
+bFUSEnabled.x64=1270BC
+bAppServerAllowed.x64=1270A0
+bMultimonAllowed.x64=1270B0
+lMaxUserSessions.x64=127098
+ulMaxDebugSessions.x64=1270B8
+bInitialized.x64=127090
+
+[10.0.26100.7344]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A020B
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9D65F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=935A1
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B3F88
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7344-SLInit]
+bServerSku.x64=127F84
+bRemoteConnAllowed.x64=127F98
+bFUSEnabled.x64=127FA8
+bAppServerAllowed.x64=127F90
+bMultimonAllowed.x64=127F9C
+lMaxUserSessions.x64=127F88
+ulMaxDebugSessions.x64=127FA4
+bInitialized.x64=127F80
+
+[10.0.26100.7523]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9F96B
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9BEFF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=91E81
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B3B48
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7523-SLInit]
+bServerSku.x64=126054
+bRemoteConnAllowed.x64=126068
+bFUSEnabled.x64=126078
+bAppServerAllowed.x64=12605C
+bMultimonAllowed.x64=12606C
+lMaxUserSessions.x64=126058
+ulMaxDebugSessions.x64=126074
+bInitialized.x64=126050
+
+[10.0.26100.7535]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A059B
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9CAFF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92A81
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4804
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7535-SLInit]
+bServerSku.x64=127094
+bRemoteConnAllowed.x64=1270AC
+bFUSEnabled.x64=1270BC
+bAppServerAllowed.x64=1270A0
+bMultimonAllowed.x64=1270B0
+lMaxUserSessions.x64=127098
+ulMaxDebugSessions.x64=1270B8
+bInitialized.x64=127090
+
+[10.0.26100.7623]
+; Windows 11 25H2 build 7623 - LATEST BUILD (January 2026)
+SingleUserPatch.x64=1
+SingleUserOffset.x64=A059B
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9CAFF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=92A81
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B4804
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.26100.7623-SLInit]
+bServerSku.x64=127094
+bRemoteConnAllowed.x64=1270AC
+bFUSEnabled.x64=1270BC
+bAppServerAllowed.x64=1270A0
+bMultimonAllowed.x64=1270B0
+lMaxUserSessions.x64=127098
+ulMaxDebugSessions.x64=1270B8
+bInitialized.x64=127090
+
+; ======================================================================
+; Windows 11 26H1 Insider Preview Builds
+; ======================================================================
+
+[10.0.28000.1340]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9BA6B
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=98E0F
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=8F277
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=AE66C
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.28000.1340-SLInit]
+bServerSku.x64=129FD4
+bRemoteConnAllowed.x64=129FE8
+bFUSEnabled.x64=129FF8
+bAppServerAllowed.x64=129FE0
+bMultimonAllowed.x64=129FEC
+lMaxUserSessions.x64=129FD8
+ulMaxDebugSessions.x64=129FF4
+bInitialized.x64=129FD0
+
+[10.0.28000.1362]
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9D44B
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9A7EF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=90C37
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B010C
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.28000.1362-SLInit]
+bServerSku.x64=12B024
+bRemoteConnAllowed.x64=12B038
+bFUSEnabled.x64=12B048
+bAppServerAllowed.x64=12B030
+bMultimonAllowed.x64=12B03C
+lMaxUserSessions.x64=12B028
+ulMaxDebugSessions.x64=12B044
+bInitialized.x64=12B020
+
+[10.0.28000.1371]
+; Windows 11 Insider Preview 26H1 - derived from 1362
+SingleUserPatch.x64=1
+SingleUserOffset.x64=9D44B
+SingleUserCode.x64=mov_eax_1_nop_2
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=9A7EF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=90C37
+LocalOnlyCode.x64=jmpshort
+SLInitHook.x64=1
+SLInitOffset.x64=B010C
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.28000.1371-SLInit]
+bServerSku.x64=12B024
+bRemoteConnAllowed.x64=12B038
+bFUSEnabled.x64=12B048
+bAppServerAllowed.x64=12B030
+bMultimonAllowed.x64=12B03C
+lMaxUserSessions.x64=12B028
+ulMaxDebugSessions.x64=12B044
+bInitialized.x64=12B020
+
+[10.0.19041.6456]
+; Windows 10 21H1/21H2/22H2 with latest updates
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=8F511
+LocalOnlyCode.x64=jmpshort
+SingleUserPatch.x64=1
+SingleUserOffset.x64=97CCB
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=950FF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+SLInitHook.x64=1
+SLInitOffset.x64=AA2A8
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.19041.6456-SLInit]
+bServerSku.x64=121F84
+bRemoteConnAllowed.x64=121F98
+bFUSEnabled.x64=121FA8
+bAppServerAllowed.x64=121F90
+bMultimonAllowed.x64=121F9C
+lMaxUserSessions.x64=121F88
+ulMaxDebugSessions.x64=121FA4
+bInitialized.x64=121F80
+
+[10.0.19045.6466]
+; Windows 10 22H2 Latest
+LocalOnlyPatch.x64=1
+LocalOnlyOffset.x64=8F511
+LocalOnlyCode.x64=jmpshort
+SingleUserPatch.x64=1
+SingleUserOffset.x64=97CCB
+SingleUserCode.x64=Zero
+DefPolicyPatch.x64=1
+DefPolicyOffset.x64=950FF
+DefPolicyCode.x64=CDefPolicy_Query_eax_rcx_jmp
+SLInitHook.x64=1
+SLInitOffset.x64=AA2A8
+SLInitFunc.x64=New_CSLQuery_Initialize
+
+[10.0.19045.6466-SLInit]
+bServerSku.x64=121F84
+bRemoteConnAllowed.x64=121F98
+bFUSEnabled.x64=121FA8
+bAppServerAllowed.x64=121F90
+bMultimonAllowed.x64=121F9C
+lMaxUserSessions.x64=121F88
+ulMaxDebugSessions.x64=121FA4
+bInitialized.x64=121F80
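Review bot: Several added sections are verbatim copies of a neighbouring build — `[10.0.26100.7271]` repeats 7262, `[10.0.26100.7309]` repeats 7296, `[10.0.26100.7623]` repeats 7535, and `[10.0.28000.1371]` is annotated "derived from 1362" — which is at odds with the commit message's "all configurations verified by community testing"; because rdpwrap writes these bytes into termsrv.dll's code inside a SYSTEM-level service at the stated offsets, a copied offset that does not match the real binary corrupts the service rather than failing safely. Each copied section should either record the SHA-256 of the termsrv.dll it was actually tested against or carry a comment such as `; UNVERIFIED - offsets copied from 10.0.26100.7262, confirm against this build's termsrv.dll` until someone confirms it. The -SLInit blocks also disagree on field layout within the same 26100 branch: 6899/7051/7262/7271/7344 and the 28000.x entries place bRemoteConnAllowed at bInitialized+0x18 and bFUSEnabled at +0x28, 7296/7309/7535/7623 use +0x1C and +0x2C, and 7523 puts bAppServerAllowed at +0xC instead of +0x10; a change in a global-struct layout between cumulative updates of one branch would be unusual, so at least one of these families was presumably transcribed from a different source and should be re-checked, since a wrong SLInit address makes New_CSLQuery_Initialize write the wrong globals silently. Finally, Windows 10 22H2 is an enablement package over 19041 and its termsrv.dll is normally versioned 10.0.19041.x, so the `[10.0.19045.6466]` section (identical to `[10.0.19041.6456]`) likely never matches a real file version; confirm what the DLL reports before keeping it.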
From 240af02867a556f0470eeb04d88643cd8ce9432e Mon Sep 17 00:00:00 2001 From: Simon Jackson Date: Sun, 25 Jan 2026 21:30:26 +0000 Subject: [PATCH 2/3] docs: Add comprehensive guide for reverse engineering new Windows builds - Complete step-by-step process for analyzing termsrv.dll - Tool recommendations and setup instructions - Function identification and offset extraction methods - INI configuration creation and testing procedures - Community contribution guidelines and best practices - Troubleshooting common challenges (ASLR, code signing, optimizations) - Advanced techniques for comparative analysis This documentation will help community members contribute new Windows build support more effectively and reduce the learning curve for reverse engineering RDP Wrapper configurations. --- docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md | 376 ++++++++++++++++++++++++++ 1 file changed, 376 insertions(+) create mode 100644 docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md diff --git a/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md b/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md new file mode 100644 index 0000000..92592dd --- /dev/null +++ b/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md 
@@ -0,0 +1,376 @@ +# How to Add Support for New Windows Builds + +This guide explains the technical process for reverse engineering new Windows builds to extract the necessary RDP Wrapper configuration parameters. + +## Overview + +When Microsoft releases new Windows updates, the `termsrv.dll` file changes, and RDP Wrapper needs updated offset configurations to function properly. This document outlines the manual reverse engineering process required to find these offsets. + +## Prerequisites + +### Required Tools + +**Disassemblers (Choose one):** +- **Ghidra** (Free, recommended) - NSA's reverse engineering tool +- **IDA Pro** (Commercial) - Industry standard +- **x64dbg** (Free) - Good for dynamic analysis +- **Radare2** (Free) - Command-line focused + +**Supporting Tools:** +- **HxD** or similar hex editor +- **PE Explorer** - For PE structure analysis +- **Process Monitor** - Runtime file/registry monitoring +- **API Monitor** - Function call tracing +- **RDPCheck.exe** - For testing configurations + +### Required Knowledge + +- Assembly language (x86/x64) +- PE file format basics +- Windows API understanding +- Basic cryptography concepts + +## Step 1: Obtain the Target File + +### Extract termsrv.dll + +```powershell +# Navigate to System32 directory +cd C:\Windows\System32 + +# Copy termsrv.dll to analysis directory +copy termsrv.dll C:\Analysis\termsrv.dll + +# Get file version information +Get-ItemProperty C:\Analysis\termsrv.dll | Select-Object VersionInfo +``` + +### Determine Version Number + +```powershell +# PowerShell method +(Get-Item C:\Analysis\termsrv.dll).VersionInfo.ProductVersion + +# Alternative: WMIC method +wmic datafile where name="C:\\Windows\\System32\\termsrv.dll" get Version +``` + +The version format will be: `10.0.XXXXX.YYYY` (e.g., `10.0.26100.7623`) + +## Step 2: Initial Analysis + +### Load in Disassembler + +1. Open termsrv.dll in your chosen disassembler +2. Let it complete initial analysis (auto-analysis) +3. 
Examine the import table for key functions +4. Identify the main code sections + +### Key Function Identification + +Search for these critical functions that RDP Wrapper needs to patch: + +1. `CSessionArbitrationHelper::IsSingleSessionPerUserEnabled` +2. `CDefPolicy::Query` +3. `CEnforcementCore::GetInstanceOfTSLicense` +4. `CSLQuery::Initialize` + +## Step 3: Finding Function Offsets + +### Method 1: String Reference Analysis + +``` +1. Search for relevant strings: + - "Terminal Services" + - "Session" + - "License" + - "Policy" + - Error messages related to licensing + +2. Follow cross-references from strings to functions +3. Analyze the functions that reference these strings +``` + +### Method 2: Import Table Analysis + +``` +1. Examine imported functions: + - GetTokenInformation + - WinStationQueryInformationW + - RegQueryValueExW + - License-related APIs + +2. Find functions that call these imports +3. Trace backwards to find policy validation logic +``` + +### Method 3: Pattern Matching + +Look for specific assembly patterns that indicate the functions we need to patch: + +#### Single User Patch Pattern +```asm +; Look for patterns like: +BB 01 00 00 00 ; mov ebx, 1 (single session enabled) +; Or: +B8 01 00 00 00 ; mov eax, 1 +``` + +#### DefPolicy Patch Pattern +```asm +; Look for license policy validation: +B8 01 00 00 00 ; mov eax, 1 (policy result) +89 81 38 06 00 00 ; mov [rcx+638h], eax (store result) +; Or similar patterns with different registers +``` + +## Step 4: Extracting Configuration Parameters + +### Single User Offset + +1. Find `CSessionArbitrationHelper::IsSingleSessionPerUserEnabled` +2. Look for the instruction that returns 1 (single session restriction) +3. Note the file offset of this instruction +4. The patch will change this to return 0 (allow multiple sessions) + +### DefPolicy Offset + +1. Find `CDefPolicy::Query` +2. Look for license validation logic +3. Find where it sets the result to indicate "licensed" +4. 
Note the offset for the instruction to patch + +### LocalOnly Offset + +1. Find `CEnforcementCore::GetInstanceOfTSLicense` +2. Look for local connection restrictions +3. Find the jump/conditional that enforces local-only policy +4. Note the offset to patch this restriction + +### SLInit Parameters + +1. Find `CSLQuery::Initialize` +2. Analyze the data structure it initializes +3. Find the memory offsets for these fields: + - `bInitialized` + - `bServerSku` + - `lMaxUserSessions` + - `bAppServerAllowed` + - `bRemoteConnAllowed` + - `bMultimonAllowed` + - `ulMaxDebugSessions` + - `bFUSEnabled` + +## Step 5: Creating the Configuration + +### Basic INI Structure + +```ini +[10.0.XXXXX.YYYY] +; Single user session patch +SingleUserPatch.x64=1 +SingleUserOffset.x64=OFFSET_HEX +SingleUserCode.x64=PATCH_CODE + +; License policy patch +DefPolicyPatch.x64=1 +DefPolicyOffset.x64=OFFSET_HEX +DefPolicyCode.x64=PATCH_CODE + +; Local-only restriction patch +LocalOnlyPatch.x64=1 +LocalOnlyOffset.x64=OFFSET_HEX +LocalOnlyCode.x64=PATCH_CODE + +; Software licensing hook +SLInitHook.x64=1 +SLInitOffset.x64=OFFSET_HEX +SLInitFunc.x64=New_CSLQuery_Initialize + +[10.0.XXXXX.YYYY-SLInit] +bServerSku.x64=OFFSET_HEX +bRemoteConnAllowed.x64=OFFSET_HEX +bFUSEnabled.x64=OFFSET_HEX +bAppServerAllowed.x64=OFFSET_HEX +bMultimonAllowed.x64=OFFSET_HEX +lMaxUserSessions.x64=OFFSET_HEX +ulMaxDebugSessions.x64=OFFSET_HEX +bInitialized.x64=OFFSET_HEX +``` + +### Common Patch Codes + +```ini +; Available patch codes (defined in [PatchCodes] section): +Zero=00 ; Set to zero +nop=90 ; No operation +jmpshort=EB ; Short jump +mov_eax_1_nop_2=B8010000009090 ; mov eax,1 + 2 NOPs +CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB ; Policy bypass +``` + +## Step 6: Testing and Validation + +### Initial Testing + +1. Create a test INI file with your calculated offsets +2. Back up the original rdpwrap.ini +3. Replace with your test configuration +4. Restart Terminal Services +5. 
Run RDPCheck.exe to verify status + +### Dynamic Analysis + +1. Use x64dbg to attach to the running termsrv.exe process +2. Set breakpoints at your calculated offsets +3. Verify that your patches are being applied correctly +4. Monitor for any crashes or unexpected behavior + +### Validation Steps + +```powershell +# Stop Terminal Services +net stop TermService + +# Apply new configuration +copy test_rdpwrap.ini C:\Program Files\RDP Wrapper\rdpwrap.ini + +# Start Terminal Services +net start TermService + +# Test with RDPCheck +RDPCheck.exe + +# Test actual RDP connection +mstsc /v:localhost +``` + +## Step 7: Documentation and Sharing + +### Document Your Findings + +Create a detailed report including: +- Windows build version and SHA256 of termsrv.dll +- Methodology used +- Specific offsets found +- Testing results +- Any challenges encountered + +### Share with Community + +1. Post your configuration in a GitHub issue +2. Include the termsrv.dll file (zipped) for verification +3. Provide testing evidence (screenshots from RDPCheck) +4. Document any system-specific requirements + +## Common Challenges + +### Address Space Layout Randomization (ASLR) + +Modern Windows uses ASLR, but the relative offsets within the DLL remain constant. Always work with file offsets, not memory addresses. + +### Compiler Optimizations + +Microsoft's compiler optimizations can: +- Inline functions +- Reorder code +- Change calling conventions +- Merge similar functions + +### Code Signing + +Windows verifies code signatures, so: +- Patches must be applied at runtime, not to the file +- Use the RDP Wrapper's hooking mechanism +- Never modify the original termsrv.dll + +### Function Variations + +The same logical function might be implemented differently across builds: +- Different assembly patterns +- Different register usage +- Inlined vs separate functions + +## Advanced Techniques + +### Comparative Analysis + +When analyzing a new build: +1. Compare with a known working build +2. 
Look for similar patterns and structures +3. Use diff tools on disassembled code + +### Automated Pattern Detection + +Some community members have created scripts to: +- Search for common assembly patterns +- Compare function signatures +- Suggest likely offset candidates + +### Binary Diffing + +Tools like BinDiff can help identify: +- Changed functions between builds +- Similar code blocks +- Function renaming/reorganization + +## Community Resources + +### Trusted Contributors + +Community members known for accurate analysis: +- **@Fabliv** - Consistently provides verified configurations +- **@sebaxakerhtc** - Regular contributor with detailed analysis +- **@maxpiva** - Historical configurations and tools + +### Useful Repositories + +- Main project: `stascorp/rdpwrap` +- Community tools: Various forks with analysis scripts +- Configuration databases: Community-maintained INI collections + +## Contributing Your Analysis + +### GitHub Issue Format + +When posting a new configuration: + +```markdown +## Windows Build: 10.0.XXXXX.YYYY + +**System Information:** +- Edition: Windows 11 Pro/Home/Enterprise +- Architecture: x64 +- Installation: Clean/Update from X.X.X + +**Analysis Results:** +[Paste your INI configuration here] + +**Verification:** +- ✅ RDPCheck shows "Installed" and "Listening" +- ✅ Multiple simultaneous connections tested +- ✅ No crashes or stability issues + +**Files:** +[Attach termsrv.dll.zip] +``` + +### Testing by Others + +Before a configuration is accepted: +1. Multiple community members should test +2. Verify on different system configurations +3. Confirm no regressions on existing functionality +4. 
Test edge cases (different user accounts, domain environments) + +## Conclusion + +Adding support for new Windows builds requires: +- Technical reverse engineering skills +- Patience for trial-and-error testing +- Community collaboration for verification +- Detailed documentation for maintainability + +While this process cannot be easily automated due to Microsoft's security measures and varying compilation patterns, the community has developed efficient workflows that typically produce working configurations within days of new Windows releases. + +The key to success is methodical analysis, thorough testing, and collaboration with the experienced community members who have mastered this process. \ No newline at end of file From a0dc33d167a791c93dd9dfae895c8fed3ec1ded9 Mon Sep 17 00:00:00 2001 From: Simon Jackson Date: Sun, 25 Jan 2026 21:33:35 +0000 Subject: [PATCH 3/3] docs: Convert documentation to British English spelling - analyse instead of analyze - licence instead of license (when used as noun) - optimisations instead of optimizations - reorganisation instead of reorganization - behaviour instead of behavior Maintains consistency with British English conventions. --- docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md b/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md index 92592dd..c78f3ee 100644 --- a/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md +++ b/docs/HOW-TO-ADD-NEW-WINDOWS-BUILDS.md @@ -83,12 +83,12 @@ Search for these critical functions that RDP Wrapper needs to patch: 1. Search for relevant strings: - "Terminal Services" - "Session" - - "License" + - "Licence" - "Policy" - Error messages related to licensing 2. Follow cross-references from strings to functions -3. Analyze the functions that reference these strings +3. Analyse the functions that reference these strings ``` ### Method 2: Import Table Analysis 
@@ -98,7 +98,7 @@ Search for these critical functions that RDP Wrapper needs to patch: - GetTokenInformation - WinStationQueryInformationW - RegQueryValueExW - - License-related APIs + - Licence-related APIs 2. Find functions that call these imports 3. Trace backwards to find policy validation logic @@ -118,7 +118,7 @@ B8 01 00 00 00 ; mov eax, 1 #### DefPolicy Patch Pattern ```asm -; Look for license policy validation: +; Look for licence policy validation: B8 01 00 00 00 ; mov eax, 1 (policy result) 89 81 38 06 00 00 ; mov [rcx+638h], eax (store result) ; Or similar patterns with different registers @@ -136,8 +136,8 @@ B8 01 00 00 00 ; mov eax, 1 (policy result) ### DefPolicy Offset 1. Find `CDefPolicy::Query` -2. Look for license validation logic -3. Find where it sets the result to indicate "licensed" +2. Look for licence validation logic +3. Find where it sets the result to indicate "licenced" 4. Note the offset for the instruction to patch ### LocalOnly Offset @@ -150,7 +150,7 @@ B8 01 00 00 00 ; mov eax, 1 (policy result) ### SLInit Parameters 1. Find `CSLQuery::Initialize` -2. Analyze the data structure it initializes +2. Analyse the data structure it initializes 3. Find the memory offsets for these fields: - `bInitialized` - `bServerSku` @@ -172,7 +172,7 @@ SingleUserPatch.x64=1 SingleUserOffset.x64=OFFSET_HEX SingleUserCode.x64=PATCH_CODE -; License policy patch +; Licence policy patch DefPolicyPatch.x64=1 DefPolicyOffset.x64=OFFSET_HEX DefPolicyCode.x64=PATCH_CODE @@ -224,7 +224,7 @@ CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB ; Policy bypass 1. Use x64dbg to attach to the running termsrv.exe process 2. Set breakpoints at your calculated offsets 3. Verify that your patches are being applied correctly -4. Monitor for any crashes or unexpected behavior +3. Monitor for any crashes or unexpected behaviour ### Validation Steps 
@@ -269,9 +269,9 @@ Create a detailed report including: Modern Windows uses ASLR, but the relative offsets within the DLL remain constant. Always work with file offsets, not memory addresses. -### Compiler Optimizations +### Compiler Optimisations -Microsoft's compiler optimizations can: +Microsoft's compiler optimisations can: - Inline functions - Reorder code - Change calling conventions @@ -295,7 +295,7 @@ The same logical function might be implemented differently across builds: ### Comparative Analysis -When analyzing a new build: +When analysing a new build: 1. Compare with a known working build 2. Look for similar patterns and structures 3. Use diff tools on disassembled code @@ -312,7 +312,7 @@ Some community members have created scripts to: Tools like BinDiff can help identify: - Changed functions between builds - Similar code blocks -- Function renaming/reorganization +- Function renaming/reorganisation ## Community Resources