alu/Rublon-SSP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

poprawka do logiki odczytywania danych sesji rdp, usuniecie zbednych funkcji

Browse Source
This commit is contained in:
Adrian
2025-08-27 19:58:14 +02:00
parent 98b0486882
commit d8e4c27956
2 changed files with 60 additions and 344 deletions
Download Patch File Download Diff File Expand all files Collapse all files

335
SSP_DLL/interprocessSSP.cpp
View File

@@ -71,21 +71,31 @@ BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES *session_pro
{
continue;
}
bool already_exists = FALSE;
if (update_flag) {
for (DWORD i = 0; i < session_processes->count; i++) {
if (CompareStringOrdinal(pe.szExeFile, -1,
session_processes->process[session_processes->count].process_name,
-1, TRUE) == CSTR_EQUAL &&
session_processes->process[session_processes->count].pid == pe.th32ProcessID)
session_processes->process[i].process_name, -1, TRUE) == CSTR_EQUAL &&
session_processes->process[i].pid == pe.th32ProcessID)
{
log_line(LOG_TYPE_DEBUG,
L"[%s] Dla sesji ID = %lu, proces = %s, PID = %lu. juz istnieje...",
L"[%s] Dla sesji ID = %lu, proces = %s, PID = %lu juz istnieje...",
function_name,
session_processes->process[session_processes->count].process_name,
session_processes->process[session_processes->count].pid
in_session_id,
session_processes->process[i].process_name,
session_processes->process[i].pid
);
already_exists = TRUE;
break;
}
}
if (already_exists) {
continue;
}
}
session_processes->process[session_processes->count].pid = pe.th32ProcessID;
session_processes->process[session_processes->count].pid;
StringCchCopyW(session_processes->process[session_processes->count].process_name,
@@ -99,261 +109,14 @@ BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES *session_pro
);
session_processes->count++;
}
}
else {
session_processes->process[session_processes->count].pid = pe.th32ProcessID;
session_processes->process[session_processes->count].pid;
StringCchCopyW(session_processes->process[session_processes->count].process_name,
ARRAYSIZE(session_processes->process[session_processes->count].process_name),
pe.szExeFile);
log_line(LOG_TYPE_DEBUG,
L"[%s] Wykryto proces dla sesji = %s, PID = %lu.",
function_name,
session_processes->process[session_processes->count].process_name,
session_processes->process[session_processes->count].pid
);
session_processes->count++;
}
}
}
} while (Process32NextW(hSnap, &pe));
}
CloseHandle(hSnap);
return TRUE;
}
BOOL get_PID_from_SessionID(DWORD in_session_id, DWORD *pid, WCHAR *pid_exe_name) {
WCHAR function_name[40] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
DWORD processes_count = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad CreateToolhelp32Snapshot", function_name);
return FALSE;
}
PROCESSENTRY32W pe;
pe.dwSize = sizeof(pe);
if (Process32FirstW(hSnap, &pe)) {
do {
DWORD procSessionId = 0;
if (ProcessIdToSessionId(pe.th32ProcessID, &procSessionId)) {
if (procSessionId == in_session_id) {
// jesli PID jest jednym z istotnych procesow systemowych - NIE UBIJAJ
if (CompareStringOrdinal(pe.szExeFile, -1, L"services.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"smss.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"wininit.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"lsass.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"csrss.exe", -1, TRUE) == CSTR_EQUAL)
{
continue;
}
*pid = pe.th32ProcessID;
StringCchCopyW(pid_exe_name, 64, pe.szExeFile);
processes_count++;
break;
}
}
} while (Process32NextW(hSnap, &pe));
}
if (processes_count > 1) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono %lu procesow.",
function_name,
processes_count
);
}
log_line(LOG_TYPE_DEBUG,
L"[%s] Skorelowano sesje RDP z procesem: %s, PID: %lu, ID sesji RDP: %lu",
function_name,
pid_exe_name,
*pid,
in_session_id
);
return TRUE;
}
/*
FIND_SESSION_STATUS find_remote_domain_user_session(PSID user_sid, PUNICODE_STRING domain_username, DWORD *out_session_id) {
PWTS_SESSION_INFO session_info = NULL;
DWORD session_count = 0;
WCHAR function_name[64] = { 0 };
MultiByteToWideChar(CP_ACP, 0, __FUNCTION__, -1, function_name, ARRAYSIZE(function_name));
if (!WTSEnumerateSessionsW(WTS_CURRENT_SERVER_HANDLE, 0, 1, &session_info, &session_count)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad pobierania sesji WTSEnumerateSessions", function_name);
return FIND_SESSION_ERROR;
}
BOOL is_rdp_session_empty = TRUE;
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (remote_interactive_sessions[i].active) {
is_rdp_session_empty = FALSE;
}
}
WCHAR sid_string[128] = { 0 };
check_SID(user_sid, sid_string, ARRAYSIZE(sid_string));
if (!is_rdp_session_empty) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Wykryto istniejace sesje RDP...", function_name);
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (compare_unicode_with_wchar(domain_username, remote_interactive_sessions[i].domain_username)
&& wcscmp(sid_string, remote_interactive_sessions[i].user_sid) == 0)
{
for (DWORD j = 0; j < session_count; j++) {
DWORD session_Id = session_info[j].SessionId;
USHORT* protocol = NULL;
DWORD bytesReturned = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientProtocolType, (LPWSTR*)&protocol, &bytesReturned)) {
if (*protocol == WTS_PROTOCOL_RDP) {
WTS_CLIENT_ADDRESS* address_ptr = NULL;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientAddress, (LPWSTR*)&address_ptr, &bytesReturned)) {
WCHAR client_ip[INET_ADDRSTRLEN] = { 0 };
struct sockaddr_in sa;
ZeroMemory(&sa, sizeof(sa));
sa.sin_family = AF_INET;
CopyMemory(&sa.sin_addr, &address_ptr->Address[2], 4);
if (!InetNtopW(AF_INET, &sa.sin_addr, client_ip, INET_ADDRSTRLEN)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad konwersji IP w InetNtopW", function_name);
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_ERROR;
}
/*
log_line(LOG_TYPE_DEBUG,
L"[%s] Przed konwersja IP...", function_name);
if (wcscmp(client_ip, remote_interactive_sessions[i].ip_address) != 0) {
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_ERROR;
}
/*log_line(LOG_TYPE_DEBUG,
L"[%s] Po konwersji IP...", function_name);
WCHAR user_name[64] = { 0 };
PWTSCLIENTW pClient = NULL;
DWORD bytes = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientInfo, (LPWSTR*)&pClient, &bytes) && pClient) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Dla konta: %s, z IP: %s, SID: %s juz istnieje zapoczatkowana sesja RDP!",
function_name,
pClient->UserName,
client_ip,
sid_string);
WTSFreeMemory(pClient);
}
WTSFreeMemory(address_ptr);
WTSFreeMemory(protocol);
return FIND_SESSION_FOUND;
}
}
WTSFreeMemory(protocol);
}
}
}
}
}
for (DWORD i = 0; i < session_count; i++) {
DWORD session_Id = session_info[i].SessionId;
USHORT* protocol = NULL;
DWORD bytesReturned = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientProtocolType, (LPWSTR*)&protocol, &bytesReturned)) {
if (*protocol == WTS_PROTOCOL_RDP) {
LPWSTR data_buffer = NULL;
WCHAR user_name[64] = { 0 };
WCHAR domain_name[64] = { 0 };
WCHAR client_name[64] = { 0 };
WCHAR protocol_type[16] = { 0 };
WCHAR client_ip[INET_ADDRSTRLEN] = { 0 };
WTS_CLIENT_ADDRESS* address_ptr = NULL;
copy_lpwstr_string(remote_protocol_type_to_string(*protocol), protocol_type, ARRAYSIZE(protocol_type));
retrieve_session_data(session_Id, WTSUserName, user_name, ARRAYSIZE(user_name));
retrieve_session_data(session_Id, WTSDomainName, domain_name, ARRAYSIZE(domain_name));
retrieve_session_data(session_Id, WTSClientName, client_name, ARRAYSIZE(client_name));
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientAddress, (LPWSTR*)&address_ptr, &bytesReturned)) {
if (address_ptr->AddressFamily == AF_INET) {
struct sockaddr_in sa;
ZeroMemory(&sa, sizeof(sa));
sa.sin_family = AF_INET;
CopyMemory(&sa.sin_addr, &address_ptr->Address[2], 4);
if (!InetNtopW(AF_INET, &sa.sin_addr, client_ip, INET_ADDRSTRLEN)) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad konwersji IP w InetNtopW", function_name);
WTSFreeMemory(protocol);
WTSFreeMemory(address_ptr);
return FIND_SESSION_ERROR;
}
}
WTSFreeMemory(address_ptr);
}
PWTSCLIENTW pClient = NULL;
DWORD bytes = 0;
if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, session_Id, WTSClientInfo, (LPWSTR*)&pClient, &bytes) && pClient) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Przechwycono sesje RemoteInteractive: Nazwa konta: %s, Domena: %s, Nazwa maszyny: %s, IP: %s, Protokol: %s",
function_name,
pClient->UserName,
pClient->Domain,
pClient->ClientName,
client_ip,
protocol_type);
}
for (int i = 0; i < MAX_RDP_SESSIONS; i++) {
if (!remote_interactive_sessions[i].active) {
remote_interactive_sessions[i].active = TRUE;
StringCchCopyW(remote_interactive_sessions[i].user_sid, ARRAYSIZE(remote_interactive_sessions[i].user_sid), sid_string);
StringCchCopyW(remote_interactive_sessions[i].domain_username, ARRAYSIZE(remote_interactive_sessions[i].domain_username), pClient->UserName);
StringCchCopyW(remote_interactive_sessions[i].ip_address, ARRAYSIZE(remote_interactive_sessions[i].ip_address), client_ip);
log_line(LOG_TYPE_DEBUG, L"[%s] Dodano sesje RDP do kolejki... Dane sesji: User SID: %s, Nazwa konta: %s, IP: %s",
function_name,
remote_interactive_sessions[i].user_sid,
remote_interactive_sessions[i].domain_username,
remote_interactive_sessions[i].ip_address);
WTSFreeMemory(pClient);
WTSFreeMemory(protocol);
WTSFreeMemory(session_info);
*out_session_id = session_Id;
return FIND_SESSION_NOT_FOUND;
}
}
WTSFreeMemory(pClient);
}
WTSFreeMemory(protocol);
}
}
WTSFreeMemory(session_info);
return FIND_SESSION_ERROR;
}
*/
BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size) {
LPWSTR data_buffer = NULL;
DWORD bytes_returned = 0;
@@ -581,54 +344,6 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
return SESSION_UPDATE_EXISTING;
}
else {
/*
DWORD pid = 0;
WCHAR proc_name[128] = { 0 };
DWORD processes_count = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap == INVALID_HANDLE_VALUE) {
log_line(LOG_TYPE_ERROR, L"[%s] Blad CreateToolhelp32Snapshot", function_name);
//return FALSE;
}
PROCESSENTRY32W pe;
pe.dwSize = sizeof(pe);
if (Process32FirstW(hSnap, &pe)) {
do {
DWORD procSessionId = 0;
if (ProcessIdToSessionId(pe.th32ProcessID, &procSessionId)) {
if (procSessionId == in_session_id) {
// jesli PID jest jednym z istotnych procesow systemowych - NIE UBIJAJ
if (CompareStringOrdinal(pe.szExeFile, -1, L"services.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"smss.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"wininit.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"lsass.exe", -1, TRUE) == CSTR_EQUAL ||
CompareStringOrdinal(pe.szExeFile, -1, L"csrss.exe", -1, TRUE) == CSTR_EQUAL)
{
continue;
}
//processes_count++;
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono proces: %s, PID: %lu",
function_name,
pe.szExeFile,
pe.th32ProcessID
);
}
}
} while (Process32NextW(hSnap, &pe));
}
if (processes_count > 1) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Odnaleziono %lu procesow.",
function_name,
processes_count
);
}
*/
log_line(LOG_TYPE_INFO,
L"[%s] Sesja RDP ID = %lu juz istnieje i zostala odrzucona...",
function_name,
@@ -636,6 +351,15 @@ MATCH_SESSION_STATUS match_existing_rdp_sessions(DWORD in_session_id, DWORD *out
return SESSION_TERMINATE_EXISTING;
}
}
else {
log_line(LOG_TYPE_INFO,
L"[%s] Wykryto juz istniejace sesje RDP, dodawanie nowej sesji o ID = %lu...",
function_name,
in_session_id);
*out_session_id = in_session_id;
return SESSION_CREATE_NEW;
}
}
}
log_line(LOG_TYPE_ERROR,
@@ -725,7 +449,8 @@ BOOL create_new_rdp_session(PSID user_psid, DWORD session_id) {
if (get_PIDs_from_sessionID(session_id, new_session.processes, FALSE)) {
//terminate_remaining_processes(new_session.processes, session_id);
}*/
} else {
}
else {
log_line(LOG_TYPE_ERROR,
L"[%s] MFA zaakceptowane, procedowanie polaczenia...",
function_name);
@@ -853,7 +578,7 @@ BOOL add_session_to_list(const RDP_SESSION_DATA *session) {
rdp_sessions.capacity = new_capacity;
}
rdp_sessions.session_data[rdp_sessions.session_count++] = *session;
rdp_sessions.session_data[rdp_sessions.session_count - 1] = *session;
return TRUE;
}
@@ -866,7 +591,7 @@ BOOL remove_session_from_list(DWORD sess_id) {
RDP_SESSION_DATA* sess = &rdp_sessions.session_data[i];
if (sess->session_id == sess_id) {
log_line(LOG_TYPE_DEBUG,
L"[%s] Usuwanie sesji RDP: %lu z listy --> PSID: %s, IP: %s, Nazwa konta: %s...",
L"[%s] Usuwanie sesji RDP ID = %lu z listy --> PSID: %s, IP: %s, Nazwa konta: %s...",
function_name,
sess_id,
sess->user_sid,

9
SSP_DLL/interprocessSSP.h
View File

@@ -78,16 +78,7 @@ void get_LUID_string(const PLUID luid, PWSTR out, size_t out_len);
BOOL get_PIDs_from_sessionID(DWORD in_session_id, RELATED_PROCESSES* session_processes, BOOL update_flag);
BOOL get_PID_from_SessionID(DWORD in_session_id, DWORD* pid, WCHAR* pid_exe_name);
/* RDP SESSIONS */
// do celow testowych
//FIND_SESSION_STATUS find_remote_domain_user_session(PSID user_sid, PUNICODE_STRING domain_username, DWORD* out_session_id);
BOOL retrieve_session_data(DWORD session_id, WTS_INFO_CLASS info, WCHAR* out_buff, size_t out_size);
//RDP SESSIONS
void print_kerberos_module_functions(HMODULE kerberos_module);