alu/Rublon-SSP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

poprawka do logiki odczytywania danych sesji rdp, usuniecie zbednych funkcji

Browse Source
This commit is contained in:
Adrian
2025-08-27 19:58:14 +02:00
parent 98b0486882
commit d8e4c27956
2 changed files with 60 additions and 344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

395
SSP_DLL/interprocessSSP.cpp
View File

@@ -27,7 +27,7 @@ void get_LUID_string(const PLUID luid, PWSTR out, size_t out_len) {
StringCchPrintfW(out, out_len, L"%08x-%08x", luid->HighPart, luid->LowPart); StringCchPrintfW(out, out_len, L"%08x-%08x", luid->HighPart, luid->LowPart);
} }
BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES *session_processes, BOOL update_flag) { BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES* session_processes, BOOL update_flag) {
WCHAR function_name[40] = { 0 }; WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name)); MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
@@ -71,296 +71,59 @@ BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES *session_pro
{ {
continue; continue;
} }
bool already_exists = FALSE;
if (update_flag) { if (update_flag) {
for (DWORD i = 0; i < session_processes->count; i++) { for (DWORD i = 0; i < session_processes->count; i++) {
if (CompareStringOrdinal(pe.szExeFile, -1, if (CompareStringOrdinal(pe.szExeFile, -1,
session_processes->process[session_processes->count].process_name, session_processes->process[i].process_name, -1, TRUE) == CSTR_EQUAL &&
-1, TRUE) == CSTR_EQUAL && session_processes->process[i].pid == pe.th32ProcessID)
session_processes->process[session_processes->count].pid == pe.th32ProcessID)
{ {
log_line(LOG_TYPE_DEBUG, log_line(LOG_TYPE_DEBUG,
L"[%s] Dla sesji ID = %lu, proces = %s, PID = %lu. juz istnieje...", L"[%s] Dla sesji ID = %lu, proces = %s, PID = %lu juz istnieje...",
function_name, function_name,
session_processes->process[session_processes->count].process_name, in_session_id,
session_processes->process[session_processes->count].pid session_processes->process[i].process_name,
session_processes->process[i].pid
); );
continue; already_exists = TRUE;
} break;
session_processes->process[session_processes->count].pid = pe.th32ProcessID;
session_processes->process[session_processes->count].pid;
StringCchCopyW(session_processes->process[session_processes->count].process_name,
ARRAYSIZE(session_processes->process[session_processes->count].process_name),
pe.szExeFile);
log_line(LOG_TYPE_DEBUG,
L"[%s] Wykryto dodatkowy proces dla sesji = %s, PID = %lu.",
function_name,
session_processes->process[session_processes->count].process_name,
session_processes->process[session_processes->count].pid
);
session_processes->count++;
}
}
else {
session_processes->process[session_processes->count].pid = pe.th32ProcessID;
session_processes->process[session_processes->count].pid;
StringCchCopyW(session_processes->process[session_processes->count].process_name,
ARRAYSIZE(session_processes->process[session_processes->count].process_name),
pe.szExeFile);
log_line(LOG_TYPE_DEBUG,
L"[%s] Wykryto proces dla sesji = %s, PID = %lu.",
function_name,
session_processes->process[session_processes->count].process_name,
session_processes->process[session_processes->count].pid
);
session_processes->count++;
}
}
}
} while (Process32NextW(hSnap, &pe));
}
return TRUE;
}
BOOL get_PID_from_SessionID(DWORD in_session_id, DWORD *pid, WCHAR *pid_exe_name) {
WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
DWORD processes_count = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad CreateToolhelp32Snapshot", function_name);
return FALSE;
}
PROCESSENTRY32W pe;
pe.dwSize = sizeof(pe);
if (Process32FirstW(hSnap, &pe)) {
do {
DWORD procSessionId = 0;
if (ProcessIdToSessionId(pe.th32ProcessID, &procSessionId)) {
if (procSessionId == in_session_id) {
// jesli PID jest jednym z istotnych procesow systemowych - NIE UBIJAJ
if (CompareStringOrdinal(pe.szExeFile, -1, L"services.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"smss.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"wininit.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"lsass.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"csrss.exe", -1, TRUE) == CSTR_EQUAL)
{
continue;
}
*pid = pe.th32ProcessID;
StringCchCopyW(pid_exe_name, 64, pe.szExeFile);
processes_count++;
break;
}
}
} while (Process32NextW(hSnap, &pe));
}
if (processes_count > 1) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono %lu procesow.",
function_name,
processes_count
);
}
log_line(LOG_TYPE_DEBUG,
L"[%s] Skorelowano sesje RDP z procesem: %s, PID: %lu, ID sesji RDP: %lu",
function_name,
pid_exe_name,
*pid,
in_session_id
);
return TRUE;
}
/*
FIND_SESSION_STATUS find_remote_domain_user_session(PSID user_sid, PUNICODE_STRING domain_username, DWORD *out_session_id) {
PWTS_SESSION_INFO session_info = NULL;
DWORD session_count = 0;
WCHAR function_name[64] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
if (!WTSEnumerateSessionsW(WTS_CURRENT_SERVER_HANDLE, 0, 1, &session_info, &session_count)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad pobierania sesji WTSEnumerateSessions", function_name);
return FIND_SESSION_ERROR;
}
BOOL is_rdp_session_empty = TRUE;
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (remote_interactive_sessions[i].active) {
is_rdp_session_empty = FALSE;
}
}
WCHAR sid_string[128] = { 0 };
check_SID(user_sid, sid_string, ARRAYSIZE(sid_string));
if (!is_rdp_session_empty) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Wykryto istniejace sesje RDP...", function_name);
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (compare_unicode_with_wchar(domain_username, remote_interactive_sessions[i].domain_username)
&& wcscmp(sid_string, remote_interactive_sessions[i].user_sid) == 0)
{
for (DWORD j = 0; j < session_count; j++) {
DWORD session_Id = session_info[j].SessionId;
USHORT* protocol = NULL;
DWORD bytesReturned = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientProtocolType, (LPWSTR*)&protocol, &bytesReturned)) {
if (*protocol == WTS_PROTOCOL_RDP) {
WTS_CLIENT_ADDRESS* address_ptr = NULL;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientAddress, (LPWSTR*)&address_ptr, &bytesReturned)) {
WCHAR client_ip[INET_ADDRSTRLEN] = { 0 };
struct sockaddr_in sa;
ZeroMemory(&sa, sizeof(sa));
sa.sin_family = AF_INET;
CopyMemory(&sa.sin_addr, &address_ptr->Address[2], 4);
if (!InetNtopW(AF_INET, &sa.sin_addr, client_ip, INET_ADDRSTRLEN)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad konwersji IP w InetNtopW", function_name);
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_ERROR;
}
/*
log_line(LOG_TYPE_DEBUG,
L"[%s] Przed konwersja IP...", function_name);
if (wcscmp(client_ip, remote_interactive_sessions[i].ip_address) != 0) {
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_ERROR;
}
/*log_line(LOG_TYPE_DEBUG,
L"[%s] Po konwersji IP...", function_name);
WCHAR user_name[64] = { 0 };
PWTSCLIENTW pClient = NULL;
DWORD bytes = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientInfo, (LPWSTR*)&pClient, &bytes) && pClient) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Dla konta: %s, z IP: %s, SID: %s juz istnieje zapoczatkowana sesja RDP!",
function_name,
pClient->UserName,
client_ip,
sid_string);
WTSFreeMemory(pClient);
}
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_FOUND;
} }
} }
WTSFreeMemory(protocol);
}
}
}
}
}
for (DWORD i = 0; i < session_count; i++) { if (already_exists) {
DWORD session_Id = session_info[i].SessionId; continue;
USHORT* protocol = NULL;
DWORD bytesReturned = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientProtocolType, (LPWSTR*)&protocol, &bytesReturned)) {
if (*protocol == WTS_PROTOCOL_RDP) {
LPWSTR data_buffer = NULL;
WCHAR user_name[64] = { 0 };
WCHAR domain_name[64] = { 0 };
WCHAR client_name[64] = { 0 };
WCHAR protocol_type[16] = { 0 };
WCHAR client_ip[INET_ADDRSTRLEN] = { 0 };
WTS_CLIENT_ADDRESS* address_ptr = NULL;
copy_lpwstr_string(remote_protocol_type_to_string(*protocol), protocol_type, ARRAYSIZE(protocol_type));
retrieve_session_data(session_Id, WTSUserName, user_name, ARRAYSIZE(user_name));
retrieve_session_data(session_Id, WTSDomainName, domain_name, ARRAYSIZE(domain_name));
retrieve_session_data(session_Id, WTSClientName, client_name, ARRAYSIZE(client_name));
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientAddress, (LPWSTR*)&address_ptr, &bytesReturned)) {
if (address_ptr->AddressFamily == AF_INET) {
struct sockaddr_in sa;
ZeroMemory(&sa, sizeof(sa));
sa.sin_family = AF_INET;
CopyMemory(&sa.sin_addr, &address_ptr->Address[2], 4);
if (!InetNtopW(AF_INET, &sa.sin_addr, client_ip, INET_ADDRSTRLEN)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad konwersji IP w InetNtopW", function_name);
WTSFreeMemory(protocol);
WTSFreeMemory(address_ptr);
return FIND_SESSION_ERROR;
} }
} }
WTSFreeMemory(address_ptr);
}
PWTSCLIENTW pClient = NULL; session_processes->process[session_processes->count].pid = pe.th32ProcessID;
DWORD bytes = 0; session_processes->process[session_processes->count].pid;
StringCchCopyW(session_processes->process[session_processes->count].process_name,
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientInfo, (LPWSTR*)&pClient, &bytes) && pClient) { ARRAYSIZE(session_processes->process[session_processes->count].process_name),
pe.szExeFile);
log_line(LOG_TYPE_DEBUG, log_line(LOG_TYPE_DEBUG,
L"[%s] Przechwycono sesje RemoteInteractive: Nazwa konta: %s, Domena: %s, Nazwa maszyny: %s, IP: %s, Protokol: %s", L"[%s] Wykryto dodatkowy proces dla sesji = %s, PID = %lu.",
function_name, function_name,
pClient->UserName, session_processes->process[session_processes->count].process_name,
pClient->Domain, session_processes->process[session_processes->count].pid
pClient->ClientName, );
client_ip, session_processes->count++;
protocol_type);
} }
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (!remote_interactive_sessions[i].active) {
remote_interactive_sessions[i].active = TRUE;
StringCchCopyW(remote_interactive_sessions[i].user_sid, ARRAYSIZE(remote_interactive_sessions[i].user_sid), sid_string);
StringCchCopyW(remote_interactive_sessions[i].domain_username, ARRAYSIZE(remote_interactive_sessions[i].domain_username), pClient->UserName);
StringCchCopyW(remote_interactive_sessions[i].ip_address, ARRAYSIZE(remote_interactive_sessions[i].ip_address), client_ip);
log_line(LOG_TYPE_DEBUG, L"[%s] Dodano sesje RDP do kolejki... Dane sesji: User SID: %s, Nazwa konta: %s, IP: %s",
function_name,
remote_interactive_sessions[i].user_sid,
remote_interactive_sessions[i].domain_username,
remote_interactive_sessions[i].ip_address);
WTSFreeMemory(pClient);
WTSFreeMemory(protocol);
WTSFreeMemory(session_info);
*out_session_id = session_Id;
return FIND_SESSION_NOT_FOUND;
}
}
WTSFreeMemory(pClient);
} }
WTSFreeMemory(protocol); } while (Process32NextW(hSnap, &pe));
}
} }
WTSFreeMemory(session_info); CloseHandle(hSnap);
return FIND_SESSION_ERROR;
return TRUE;
} }
*/
BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size) { BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size) {
LPWSTR data_buffer = NULL; LPWSTR data_buffer = NULL;
DWORD bytes_returned = 0; DWORD bytes_returned = 0;
if (!WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_id, info, &data_buffer, &bytes_returned)) { if (!WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_id, info, &data_buffer, &bytes_returned)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad przy pozyskiwaniu WTS_INFO_CLASS, kod: %lu...", log_line(LOG_TYPE_ERROR, L"[%s] Blad przy pozyskiwaniu WTS_INFO_CLASS, kod: %lu...",
L"retrieve_session_data", L"retrieve_session_data",
DWORD(info)); DWORD(info));
return FALSE; return FALSE;
} }
@@ -375,12 +138,12 @@ BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buf
WTSFreeMemory(data_buffer); WTSFreeMemory(data_buffer);
return TRUE; return TRUE;
} }
copy_lpwstr_string((LPWSTR)NULL, out_buff, out_size); copy_lpwstr_string((LPWSTR)NULL, out_buff, out_size);
return TRUE; return TRUE;
} }
BOOL convert_ip_addr_to_string(WTS_CLIENT_ADDRESS *ip, WCHAR *ip_data) { BOOL convert_ip_addr_to_string(WTS_CLIENT_ADDRESS* ip, WCHAR* ip_data) {
if (ip->AddressFamily == AF_INET) { if (ip->AddressFamily == AF_INET) {
struct sockaddr_in sa; struct sockaddr_in sa;
ZeroMemory(&sa, sizeof(sa)); ZeroMemory(&sa, sizeof(sa));
@@ -401,8 +164,8 @@ BOOL convert_ip_addr_to_string(WTS_CLIENT_ADDRESS *ip, WCHAR *ip_data) {
StringCchCatW(buffer, ARRAYSIZE(buffer), temp); StringCchCatW(buffer, ARRAYSIZE(buffer), temp);
} }
log_line(LOG_TYPE_WARNING, L"[%s] Nieobslugiwany format adresu, kod: %lu, zawartosc addressFamily: %s...", log_line(LOG_TYPE_WARNING, L"[%s] Nieobslugiwany format adresu, kod: %lu, zawartosc addressFamily: %s...",
L"convert_ip_addr_to_string", L"convert_ip_addr_to_string",
ip->AddressFamily, ip->AddressFamily,
buffer); buffer);
return FALSE; return FALSE;
@@ -422,7 +185,7 @@ void print_kerberos_module_functions(HMODULE kerberos_module) {
return; return;
IMAGE_NT_HEADERS* ntHeaders = (IMAGE_NT_HEADERS*)(base_address + dos_header->e_lfanew); IMAGE_NT_HEADERS* ntHeaders = (IMAGE_NT_HEADERS*)(base_address + dos_header->e_lfanew);
if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
return; return;
IMAGE_DATA_DIRECTORY exportDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; IMAGE_DATA_DIRECTORY exportDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
@@ -542,7 +305,7 @@ void free_rdp_sessions_array() {
ZeroMemory(&rdp_sessions, sizeof(rdp_sessions)); ZeroMemory(&rdp_sessions, sizeof(rdp_sessions));
} }
MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out_session_id) { MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD* out_session_id) {
WCHAR function_name[40] = { 0 }; WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name)); MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
@@ -553,8 +316,8 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
if (rdp_sessions.session_count == 0) { if (rdp_sessions.session_count == 0) {
//utworz nowa sesje //utworz nowa sesje
log_line(LOG_TYPE_INFO, log_line(LOG_TYPE_INFO,
L"[%s] Wykryto nowa sesje RDP - Brak aktywnych sesji RDP uzytkownikow domenowych, dodawanie nowej...", L"[%s] Wykryto nowa sesje RDP - Brak aktywnych sesji RDP uzytkownikow domenowych, dodawanie nowej...",
function_name); function_name);
*out_session_id = in_session_id; *out_session_id = in_session_id;
@@ -564,9 +327,9 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
for (DWORD i = 0; i < rdp_sessions.session_count; i++) { for (DWORD i = 0; i < rdp_sessions.session_count; i++) {
RDP_SESSION_DATA* sess = &rdp_sessions.session_data[i]; RDP_SESSION_DATA* sess = &rdp_sessions.session_data[i];
/* /*
* w przypadku gdy id sesji zgadza sie z juz istniejaca : * w przypadku gdy id sesji zgadza sie z juz istniejaca :
* sprawdz czy jest valid - jesli jest valid, to znaczy ze MFA * sprawdz czy jest valid - jesli jest valid, to znaczy ze MFA
* zostalo we wczesniejszej zaakceptowane i zaktualizuj proces wazny dla sesji RDP * zostalo we wczesniejszej zaakceptowane i zaktualizuj proces wazny dla sesji RDP
* jesli nie zostalo zaakceptowane - ubij procesy * jesli nie zostalo zaakceptowane - ubij procesy
*/ */
@@ -580,55 +343,7 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
in_session_id); in_session_id);
return SESSION_UPDATE_EXISTING; return SESSION_UPDATE_EXISTING;
} }
else { else {
/*
DWORD pid = 0;
WCHAR proc_name[128] = { 0 };
DWORD processes_count = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad CreateToolhelp32Snapshot", function_name);
//return FALSE;
}
PROCESSENTRY32W pe;
pe.dwSize = sizeof(pe);
if (Process32FirstW(hSnap, &pe)) {
do {
DWORD procSessionId = 0;
if (ProcessIdToSessionId(pe.th32ProcessID, &procSessionId)) {
if (procSessionId == in_session_id) {
// jesli PID jest jednym z istotnych procesow systemowych - NIE UBIJAJ
if (CompareStringOrdinal(pe.szExeFile, -1, L"services.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"smss.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"wininit.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"lsass.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"csrss.exe", -1, TRUE) == CSTR_EQUAL)
{
continue;
}
//processes_count++;
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono proces: %s, PID: %lu",
function_name,
pe.szExeFile,
pe.th32ProcessID
);
}
}
} while (Process32NextW(hSnap, &pe));
}
if (processes_count > 1) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono %lu procesow.",
function_name,
processes_count
);
}
*/
log_line(LOG_TYPE_INFO, log_line(LOG_TYPE_INFO,
L"[%s] Sesja RDP ID = %lu juz istnieje i zostala odrzucona...", L"[%s] Sesja RDP ID = %lu juz istnieje i zostala odrzucona...",
function_name, function_name,
@@ -636,6 +351,15 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
return SESSION_TERMINATE_EXISTING; return SESSION_TERMINATE_EXISTING;
} }
} }
else {
log_line(LOG_TYPE_INFO,
L"[%s] Wykryto juz istniejace sesje RDP, dodawanie nowej sesji o ID = %lu...",
function_name,
in_session_id);
*out_session_id = in_session_id;
return SESSION_CREATE_NEW;
}
} }
} }
log_line(LOG_TYPE_ERROR, log_line(LOG_TYPE_ERROR,
@@ -725,11 +449,12 @@ BOOL create_new_rdp_session(PSID user_psid, DWORD session_id) {
if (get_PIDs_from_sessionID(session_id, new_session.processes, FALSE)) { if (get_PIDs_from_sessionID(session_id, new_session.processes, FALSE)) {
//terminate_remaining_processes(new_session.processes, session_id); //terminate_remaining_processes(new_session.processes, session_id);
}*/ }*/
} else { }
else {
log_line(LOG_TYPE_ERROR, log_line(LOG_TYPE_ERROR,
L"[%s] MFA zaakceptowane, procedowanie polaczenia...", L"[%s] MFA zaakceptowane, procedowanie polaczenia...",
function_name); function_name);
new_session.valid = TRUE; new_session.valid = TRUE;
} }
if (get_PIDs_from_sessionID(session_id, new_session.processes, FALSE)) { if (get_PIDs_from_sessionID(session_id, new_session.processes, FALSE)) {
@@ -825,7 +550,7 @@ BOOL terminate_remaining_processes(RELATED_PROCESSES* session_processes, DWORD s
return TRUE; return TRUE;
} }
BOOL add_session_to_list(const RDP_SESSION_DATA *session) { BOOL add_session_to_list(const RDP_SESSION_DATA* session) {
WCHAR function_name[40] = { 0 }; WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name)); MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
@@ -853,7 +578,7 @@ BOOL add_session_to_list(const RDP_SESSION_DATA *session) {
rdp_sessions.capacity = new_capacity; rdp_sessions.capacity = new_capacity;
} }
rdp_sessions.session_data[rdp_sessions.session_count++] = *session; rdp_sessions.session_data[rdp_sessions.session_count - 1] = *session;
return TRUE; return TRUE;
} }
@@ -866,7 +591,7 @@ BOOL remove_session_from_list(DWORD sess_id) {
RDP_SESSION_DATA* sess = &rdp_sessions.session_data[i]; RDP_SESSION_DATA* sess = &rdp_sessions.session_data[i];
if (sess->session_id == sess_id) { if (sess->session_id == sess_id) {
log_line(LOG_TYPE_DEBUG, log_line(LOG_TYPE_DEBUG,
L"[%s] Usuwanie sesji RDP: %lu z listy --> PSID: %s, IP: %s, Nazwa konta: %s...", L"[%s] Usuwanie sesji RDP ID = %lu z listy --> PSID: %s, IP: %s, Nazwa konta: %s...",
function_name, function_name,
sess_id, sess_id,
sess->user_sid, sess->user_sid,
@@ -896,7 +621,7 @@ BOOL remove_session_from_list(DWORD sess_id) {
return TRUE; return TRUE;
} }
BOOL retrieve_rdp_session_info(DWORD session_id, RDP_SESSION_DATA *session_data, PSID user_psid) { BOOL retrieve_rdp_session_info(DWORD session_id, RDP_SESSION_DATA* session_data, PSID user_psid) {
WCHAR function_name[40] = { 0 }; WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name)); MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
@@ -938,7 +663,7 @@ BOOL retrieve_rdp_session_info(DWORD session_id, RDP_SESSION_DATA *session_data,
return TRUE; return TRUE;
} }
void format_data_for_connection(DWORD session_id, char *buffer) { void format_data_for_connection(DWORD session_id, char* buffer) {
char dns[64] = { 0 }; char dns[64] = { 0 };
char user[64] = { 0 }; char user[64] = { 0 };
for (DWORD i = 0; i < rdp_sessions.session_count; i++) { for (DWORD i = 0; i < rdp_sessions.session_count; i++) {
@@ -949,4 +674,4 @@ void format_data_for_connection(DWORD session_id, char *buffer) {
} }
} }
StringCchPrintfA(buffer, 192, "{\"Domena\":\"%s\",\"Nazwa konta\":\"%s\"}", dns, user); StringCchPrintfA(buffer, 192, "{\"Domena\":\"%s\",\"Nazwa konta\":\"%s\"}", dns, user);
} }

9
SSP_DLL/interprocessSSP.h
View File

@@ -78,16 +78,7 @@ void get_LUID_string(const PLUID luid, PWSTR out, size_t out_len);
BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES* session_processes, BOOL update_flag); BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES* session_processes, BOOL update_flag);
BOOL get_PID_from_SessionID(DWORD in_session_id, DWORD* pid, WCHAR* pid_exe_name);
/* RDP SESSIONS */
// do celow testowych
//FIND_SESSION_STATUS find_remote_domain_user_session(PSID user_sid, PUNICODE_STRING domain_username, DWORD* out_session_id);
BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size); BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size);
//RDP SESSIONS
void print_kerberos_module_functions(HMODULE kerberos_module); void print_kerberos_module_functions(HMODULE kerberos_module);