This is the sixth part of the Bit Twiddling series. For your convenience you can find other parts in the table of contents in Par 1 — Modifying Android application on a binary level
Today we’re going to solve the problem when the remote server disconnects GUI when we lock the workstation or disconnect.
Let’s start by explaining the problem a little bit more. Imagine that you connect like this:
|
1 |
Local ---> Remote |
If you now lock the Local workstation (with WIN+L) or disconnect, then the GUI on Remote will break. The user on Remote will not be logged out, the applications will continue to work, but the UI will not be there. This effectively breaks things like VNC or apps that take screenshots or click on the screen.
Similarly, the same happens when you connection with a jump host:
|
1 |
Local ---> Windows Server 2019 ---> Remote |
If you now disconnect Local or lock Local workstation, then the GUI on Remote will break. However, it’s different if you use Windows Server 2016:
|
1 |
Local ---> Windows Server 2016 ---> Remote |
If you now disconnect Local or lock the workstation, then the GUI on Remote will still be there. This suggests that something has changed in Windows Server 2019. This is not surprising as this is the time when Microsoft implemented RemoteFX heavily into their RDP to support cameras, USB redirection, improve security and much more.
At this point we have one solution – just use the Windows Server 2016 jump host and it fixes the issue. However, this way you won’t use the camera (it doesn’t work in 2016 typically) and you need to keep another machine along the way (this could be a virtual machine on your Remote, though). Let’s see if we can do better.
Fixing the workstation lock
The first thing to notice is that if you suspend the mstsc.exe on Local (with Task Manager or debugger) and then lock the workstation, then Remote doesn’t lose the UI. This suggests that disconnecting the GUI is an explicit action of the RDP implementation. However, we can easily fix that.
mstsc.exe registers for session notifications with WTSRegisterSessionNotification. We can see that with ApiMonitor:
We can simply hook this method to not register for any notifications. We can use that with the following WinDBG script:
|
1 2 3 4 |
.sympath srv*C:\tmp*http://msdl.microsoft.com/download/symbols .reload bu WTSAPI32!WTSRegisterSessionNotification ""e @rip 0x48 0xc7 0xc0 0x01 0x00 0x00 0x00 0xC3; qd"" g |
The shell code we put here is simply:
|
1 2 |
move rax, 1 ret |
You can run mstsc.exe, attach the debugger, add the breakpoint, resume the application, and then connect to the server. The debugger will detach shortly after you open the connection and you can check that now you can lock the workstation and the GUI will still be there.
Fixing the disconnection
Fixing the case on disconnect is slightly harder. Once again, when we pause the mstsc.exe, then the remote session still works even if we keep mstsc.exe paused for a long time. This suggests that the session is up as long as the connection is alive. Even though we paused the mstsc.exe application, the operating system keeps the connection up on the TCP level. We can exhibit that.
The idea is to run a proxy on the Remote. We’ll then connect like this:
|
1 |
Local ---> Proxy ---> Remote |
The proxy must just route the connection to the RDP server (on the port 3389),but do not lose the connection to Remote when the connection from Local disappears. This way we can simply kill the mstsc.exe on Local, and then the connection will still be alive and the GUI will persist. However, if you close mstsc.exe gracefully, then the client will terminate the GUI on the remote server. Therefore, just kill the client. You can also put your machine to sleep and the UI should still work.