Sam Decrock

Summary

The website content provides a detailed guide on how to manually patch Microsoft's Remote Desktop Protocol (RDP) service to enable multiple RDP sessions on Windows Home or Professional editions.

Abstract

The article discusses a method for allowing multiple concurrent RDP sessions on Windows machines, which is typically a feature reserved for higher-tier editions like Windows Server. It offers a quick fix solution with a link to another article but focuses on the technical process of patching the termsrv.dll file. The author explains how to use a debugger, such as x64dbg, to locate specific bytes within the DLL that control session limits and replace them with a NOP (no-operation) instruction to bypass the check. This modification effectively disables the restriction, allowing for simultaneous RDP connections. The article emphasizes understanding the process and includes step-by-step instructions with visual aids for disassembling and patching the DLL, as well as saving the patched file to enable the new functionality.

Opinions

  • The author advocates for knowledge and control over the patching process, preferring manual DLL patching over using RDP Wrapper.
  • There is an underlying assumption that readers are interested in a deeper understanding of the technical details behind RDP session limiting.
  • The author expresses a playful caution about avoiding the original restriction, implying that bypassing it is a desirable outcome for the reader.
  • The use of open-source tools like x64dbg and Online Disassembler is endorsed for their utility in reverse engineering and patching.
  • The author seems to take a hands-on approach to learning, encouraging readers to follow along and manipulate the DLL themselves.
  • There is a sense of accomplishment and satisfaction conveyed upon successfully patching the termsrv.dll and enabling multiple RDP sessions.

Patching Microsoft’s RDP service yourself

You probably arrived at this article looking for a way to allow multiple RDP sessions to your Windows Home or Professional machine. If you want the quick fix, read this article.

If you want to know a little bit more what you are doing, keep reading this ;-)

The original article describes 2 ways of patching your RDP service: running RDP Wrapper or patching termsrv.dll. In this article I’ll be looking into patching the dll, as I want to know what I’m doing.

Long story short, you need to look for the following bytes inside the dll:

39 81 3C 06 00 00 xx xx xx xx xx xx

xx xx xx xx xx xx are 6 bytes that change from Windows update to Windows update, so you only search for the first 6.

Replace all of those bytes with:

B8 00 01 00 00 89 81 38 06 00 00 90

But what are we actually doing here? (The walkthrough below takes a slightly simpler route than the 12-byte replacement above: it leaves the compare alone and only overwrites the jump with NOPs, which also lifts the restriction.)

Let’s load up termsrv.dll in x64dbg, an open source debugger for Windows. Hit the play button once so that execution stops inside termsrv.dll and the module is mapped.

Next, let’s look for this mysterious set of bytes. Right click anywhere in the disassembly and select Search For, All Modules, Pattern:

Enter the 6 bytes 39 81 3C 06 00 00 and hit OK to search:

You’ll end up on an address with 2 instructions:

First, the value at some location in memory is compared with the value in eax (the cmp). If the 2 values are the same, the jump that follows is taken: je means jump if equal. If you follow the jump (double click it), you’ll end up on a piece of code that references the following string:

I’m pretty sure that’s something we want to avoid :-)

When we have a look at the other examples in the original article, we see that the 2 instructions are always a compare followed by a conditional jump. The only difference is the jump target, which is encoded in the displacement bytes of the je. That’s the thing changing between Windows updates, and why the search pattern only covers the 6 bytes of the compare. You can use https://onlinedisassembler.com/odaweb/ to do some online disassembling of a byte sequence you are not sure about:

Ok, so let’s skip this jump by replacing it with nop instructions. A nop is a no-operation instruction, which does nothing except advance to the next instruction. We can do this in x64dbg by selecting the je and hitting space.

Type in NOP and check Fill with NOP’s. A NOP is only 1 byte and the je is 6 bytes long, so we want the other 5 bytes to be NOPs as well; otherwise the leftover bytes of the old jump would be decoded as some new, unintended instruction.

To save the file, click File, Patch file. In the Patches window you can see the 6 bytes being changed into 0x90, the opcode for NOP. Click Patch File to write them out.

Save it to your Documents folder first, then replace c:\Windows\System32\termsrv.dll with it. Keep a backup of the original: the file is in use by the Remote Desktop Services service while it is running, so stop that service and take ownership of the file before overwriting it, and remember that a later Windows Update may ship a new termsrv.dll and undo the patch.
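The same patch applied from a script instead of by hand in x64dbg, as an added example that is not part of the original article: it searches a copy of the DLL for the cmp signature, confirms that the 6 bytes after it really form a je rel32 (0F 84 plus a 4-byte displacement), and then overwrites either just the jump with NOPs (what the walkthrough does) or all 12 bytes with the replacement quoted at the start of the article. The function names are my own, and SAMPLE is a constructed byte string for the demonstration, not bytes from a real termsrv.dll.

```python
"""Added example, not the article's own code: patch the termsrv.dll
session-limit check from a script.

find_check() locates 39 81 3C 06 00 00 (cmp dword ptr [rcx+63Ch], eax) and
requires the following 6 bytes to be a je rel32 (0F 84 + displacement).
patch() then applies one of two variants:
  * "nop": overwrite only the 6-byte je with 90 90 90 90 90 90
  * "mov": overwrite all 12 bytes with B8 00 01 00 00 89 81 38 06 00 00 90
           (mov eax, 100h ; mov dword ptr [rcx+638h], eax ; nop)
Offsets are file offsets, not the virtual addresses x64dbg displays.
"""
import struct
from pathlib import Path
from typing import List, Optional

CMP_SIG = bytes.fromhex("39 81 3C 06 00 00")   # cmp dword ptr [rcx+63Ch], eax
JE_OPCODE = bytes.fromhex("0F 84")             # je rel32: 2 opcode bytes + 4 disp
CHECK_LEN = len(CMP_SIG) + 6                   # 12 bytes: cmp + je
NOP_PATCH = b"\x90" * 6                        # six 1-byte NOPs over the je
MOV_PATCH = bytes.fromhex("B8 00 01 00 00 89 81 38 06 00 00 90")


def find_check(data: bytes) -> Optional[int]:
    """Offset of the cmp+je pair, or None if it is absent.

    Requiring the je opcode after the cmp avoids patching an unrelated
    cmp that happens to share the same encoding; more than one hit is
    refused rather than guessed at.
    """
    hits: List[int] = []
    pos = data.find(CMP_SIG)
    while pos >= 0:
        if data[pos + 6:pos + 8] == JE_OPCODE:
            hits.append(pos)
        pos = data.find(CMP_SIG, pos + 1)
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError(f"signature matched {len(hits)} times at {hits}; refusing to guess")
    return hits[0]


def locate(data: bytes) -> int:
    """Like find_check() but raise when the signature is missing."""
    off = find_check(data)
    if off is None:
        raise ValueError("cmp/je signature not found: wrong file, or already patched")
    return off


def jump_target(data: bytes, off: int) -> int:
    """Where the je lands: end of the je plus its signed 32-bit displacement.

    This displacement is the part that differs between Windows updates.
    """
    rel32 = struct.unpack_from("<i", data, off + 8)[0]
    return off + CHECK_LEN + rel32


def patch(data: bytes, mode: str = "nop") -> bytes:
    """Return a patched copy of data; the length never changes."""
    off = locate(data)
    buf = bytearray(data)
    if mode == "nop":
        buf[off + 6:off + CHECK_LEN] = NOP_PATCH      # keep the cmp, kill the jump
    elif mode == "mov":
        buf[off:off + CHECK_LEN] = MOV_PATCH          # replace cmp + je entirely
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return bytes(buf)


def patch_file(src: Path, dst: Path, mode: str = "nop") -> int:
    """Patch src into dst (never in place) and return the file offset patched."""
    data = Path(src).read_bytes()
    off = locate(data)
    Path(dst).write_bytes(patch(data, mode))
    return off


# Constructed demo input (not real termsrv.dll bytes): 16 bytes of padding,
# the cmp, a je that jumps 0x2A bytes forward, then more padding.
SAMPLE = (b"\xCC" * 16
          + CMP_SIG
          + JE_OPCODE + struct.pack("<i", 0x2A)
          + b"\xCC" * 64)

if __name__ == "__main__":
    off = locate(SAMPLE)
    print(f"check at file offset 0x{off:X}, je target 0x{jump_target(SAMPLE, off):X}")
    for mode in ("nop", "mov"):
        out = patch(SAMPLE, mode)
        print(f"{mode}: {out[off:off + CHECK_LEN].hex(' ').upper()}")
```

Run patch_file() against a copy of termsrv.dll and put the result in place the same way as the hand-patched file; the script refuses to touch a file where the signature is absent (already patched, or a build whose bytes differ) or ambiguous, which is the check you want before overwriting a system DLL.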

Try connecting multiple users to your machine and you’ll see it works 🥳

So now we know what’s actually happening!

Disassembly
Rdp Services
Hacking