A tool to find offsets in termsrv.dll for use with RDPWrap and generate corresponding rdpwrap.ini sections.
- Extracts RDPWrap offsets from termsrv.dll for enabling multiple RDP connections
- Supports both symbol-based and heuristic analysis methods
- Generates properly formatted INI sections compatible with RDPWrap
- Handles both x86 and x64 architectures
- Works with various Windows versions
- Command-line interface for easy automation
- Fixed lowercase register naming in generated configurations
- Python 3.9 or higher
- Windows OS (since this analyzes Windows system files)
- Administrator privileges (recommended for accessing system files)
Install from a clone (git checks the repository out into a directory named RDPWrapOffsetFinder):

```bash
git clone https://github.com/bobotechnology/RDPWrapOffsetFinder.git
cd RDPWrapOffsetFinder
pip install -e .
```

Or install straight from the repository:

```bash
pip install git+https://github.com/bobotechnology/RDPWrapOffsetFinder.git
```

Usage:

```bash
# Analyze default system termsrv.dll with symbol-based approach
rdpwrap-offset-finder

# Analyze specific termsrv.dll file
rdpwrap-offset-finder C:\Path\To\termsrv.dll

# Use heuristic pattern search instead of PDB symbols
rdpwrap-offset-finder --nosymbol

# Analyze specific file with heuristic approach
rdpwrap-offset-finder C:\Path\To\termsrv.dll --nosymbol
```

Arguments:

- [termsrv]: Path to termsrv.dll (default: %SystemRoot%\System32\termsrv.dll)
- --nosymbol: Use heuristic pattern search instead of PDB symbols
- --help: Show help message and exit
The tool works in two modes:

- Symbol-based (default): Uses PDB files to locate functions and variables with high precision
- Heuristic (with --nosymbol): Uses pattern matching to find relevant code sections when symbols are unavailable

Both modes produce the same set of offsets. Symbol mode is exact as long as the PDB matching your termsrv.dll build is available; heuristic mode depends on the expected code patterns still being present in the build being analysed, so a pattern that does not match, or matches more than once, makes its offset unreliable. Review heuristic output before adding it to rdpwrap.ini.
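The core primitive of a heuristic search, shown here as an added example rather than the project's own code: a masked byte-signature scan that treats anything but exactly one hit as a failure, plus following a matched `call` to the function it reaches. `FAKE_TEXT` and both signatures are constructed for illustration; the page does not show the tool's real termsrv.dll patterns, and these are not them.

```python
import re
from typing import List, Optional


def compile_signature(sig: str) -> re.Pattern:
    """Turn a byte signature such as "48 8B ?? ?? E8" into a bytes regex.
    Fixed bytes are matched literally and '??' matches any single byte. The lookahead
    makes finditer report overlapping matches, so a repeated pattern is never undercounted."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_all(data: bytes, sig: str) -> List[int]:
    """Every offset at which the signature matches."""
    return [m.start() for m in compile_signature(sig).finditer(data)]


def find_unique(data: bytes, sig: str) -> Optional[int]:
    """Offset of the single match, or None when the signature is absent or ambiguous.
    A heuristic offset is only usable when the pattern occurs exactly once; two hits mean
    the signature is too loose for this build and must not be written into rdpwrap.ini."""
    hits = find_all(data, sig)
    return hits[0] if len(hits) == 1 else None


def call_target(data: bytes, call_off: int) -> int:
    """Resolve the destination of a near relative CALL (E8 rel32) located at call_off.
    Heuristic searches often match a distinctive caller and then follow the call
    to reach the function that actually needs patching."""
    if data[call_off] != 0xE8:
        raise ValueError(f"no E8 opcode at 0x{call_off:X}")
    rel32 = int.from_bytes(data[call_off + 1:call_off + 5], "little", signed=True)
    return call_off + 5 + rel32


# Constructed stand-in for a slice of a .text section (not real termsrv.dll bytes):
# NOP filler, one "mov rcx,[rip+disp]; call rel32; test eax,eax; jz" sequence,
# INT3 padding, then "xor eax,eax; ret" twice so one signature is deliberately ambiguous.
FAKE_TEXT = (
    b"\x90" * 16
    + bytes.fromhex("488B0D11223344" "E80C000000" "85C0" "740A")
    + b"\xCC" * 8
    + bytes.fromhex("33C0C3") + b"\x90" * 4 + bytes.fromhex("33C0C3")
)

# Illustrative signatures only; the tool's real patterns are not shown on this page.
UNIQUE_SIG = "48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ??"
AMBIGUOUS_SIG = "33 C0 C3"

if __name__ == "__main__":
    hit = find_unique(FAKE_TEXT, UNIQUE_SIG)
    print("unique signature at", None if hit is None else hex(hit))
    if hit is not None:
        print("call at", hex(hit + 7), "targets", hex(call_target(FAKE_TEXT, hit + 7)))
    print("ambiguous signature hits:", [hex(o) for o in find_all(FAKE_TEXT, AMBIGUOUS_SIG)])
    print("find_unique on it ->", find_unique(FAKE_TEXT, AMBIGUOUS_SIG))
```

The offsets this returns are positions within the buffer you scanned; to turn a hit inside a section into the module-relative offset rdpwrap.ini expects, add that section's virtual address and subtract its raw file offset from the PE section header.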
The tool outputs INI sections that can be added to rdpwrap.ini. In the template below, VERSION_NUMBER is the file version of the analysed termsrv.dll (the section name RDPWrap looks up at runtime), Arch is x86 or x64, and each HEX_OFFSET_VALUE is a hexadecimal offset relative to the loaded module base:
```ini
[VERSION_NUMBER]
; Enable local-only patch
LocalOnlyPatch.Arch=FLAG_VALUE
; Offset for local-only patch
LocalOnlyOffset.Arch=HEX_OFFSET_VALUE
; Code type for local-only patch (e.g., jmpshort, nopjmp)
LocalOnlyCode.Arch=CODE_TYPE
; Enable single-user patch
SingleUserPatch.Arch=FLAG_VALUE
; Offset for single-user patch
SingleUserOffset.Arch=HEX_OFFSET_VALUE
; Code type for single-user patch (e.g., mov_eax_1_nop_N, nop_N)
SingleUserCode.Arch=CODE_TYPE
; Enable default policy patch
DefPolicyPatch.Arch=FLAG_VALUE
; Offset for default policy patch
DefPolicyOffset.Arch=HEX_OFFSET_VALUE
; Code type for default policy patch (e.g., CDefPolicy_Query_eax_rcx_jmp)
DefPolicyCode.Arch=POLICY_CODE_TYPE
; Enable SLInit hook
SLInitHook.Arch=FLAG_VALUE
; Offset for SLInit hook
SLInitOffset.Arch=HEX_OFFSET_VALUE
; Function name for SLInit
SLInitFunc.Arch=FUNCTION_NAME

[VERSION_NUMBER-SLInit]
; Offset for bInitialized variable
bInitialized.Arch=HEX_OFFSET_VALUE
; Offset for bServerSku variable
bServerSku.Arch=HEX_OFFSET_VALUE
; Offset for lMaxUserSessions variable
lMaxUserSessions.Arch=HEX_OFFSET_VALUE
; Offset for bAppServerAllowed variable
bAppServerAllowed.Arch=HEX_OFFSET_VALUE
; Offset for bRemoteConnAllowed variable
bRemoteConnAllowed.Arch=HEX_OFFSET_VALUE
; Offset for bMultimonAllowed variable
bMultimonAllowed.Arch=HEX_OFFSET_VALUE
; Offset for ulMaxDebugSessions variable
ulMaxDebugSessions.Arch=HEX_OFFSET_VALUE
; Offset for bFUSEnabled variable
bFUSEnabled.Arch=HEX_OFFSET_VALUE
```

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
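A sanity check for a generated section before it goes into rdpwrap.ini, added here as an example and not code from RDPWrapOffsetFinder or RDPWrap: it reads the section headers of the termsrv.dll the offsets were produced from and confirms that the keys are for that DLL's architecture, that every code offset (the four *Offset keys) lands in an executable section, and that every SLInit variable lands in a writable section. The `SAMPLE_INI` values and the header-only image built by `build_fake_pe` are constructed so the script runs offline; the check itself is plain PE header parsing and applies unchanged to a real DLL.

```python
import configparser
import struct
import sys
from collections import namedtuple
from typing import List, Optional

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_ARCH = {0x014C: "x86", 0x8664: "x64"}
# Offsets RDPWrap patches in place: they must point into executable memory.
CODE_KEYS = {"LocalOnlyOffset", "SingleUserOffset", "DefPolicyOffset", "SLInitOffset"}
# Globals the SLInit hook writes: they must point into writable memory.
DATA_KEYS = {"bInitialized", "bServerSku", "lMaxUserSessions", "bAppServerAllowed",
             "bRemoteConnAllowed", "bMultimonAllowed", "ulMaxDebugSessions", "bFUSEnabled"}
Section = namedtuple("Section", "name rva size flags")


def parse_pe(data: bytes):
    """Return (arch, sections) from the PE headers of a DLL read from disk."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    if machine not in MACHINE_ARCH:
        raise ValueError(f"unsupported machine type 0x{machine:04X}")
    table = pe_off + 24 + opt_size  # signature (4) + file header (20) + optional header
    sections = []
    for i in range(nsec):
        name, vsize, rva, rsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), rva, max(vsize, rsize), flags))
    return MACHINE_ARCH[machine], sections


def section_for(sections: List[Section], rva: int) -> Optional[Section]:
    return next((s for s in sections if s.rva <= rva < s.rva + s.size), None)


def validate_ini(ini_text: str, dll: bytes) -> List[str]:
    """Cross-check generated rdpwrap.ini sections against the termsrv.dll they describe.
    Returns a list of problems; an empty list means every offset is plausible for this DLL."""
    arch, sections = parse_pe(dll)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: bServerSku, SLInitOffset, ...
    cp.read_string(ini_text)
    problems, checked = [], 0
    for sec in cp.sections():
        for key, val in cp.items(sec):
            name, _, key_arch = key.partition(".")
            if key_arch != arch:  # entries for the other architecture are not ours to check
                continue
            checked += 1
            if name not in CODE_KEYS and name not in DATA_KEYS:
                continue
            try:
                rva = int(val, 16)
            except ValueError:
                problems.append(f"[{sec}] {key}: '{val}' is not a hex offset")
                continue
            s = section_for(sections, rva)
            if s is None:
                problems.append(f"[{sec}] {key}: 0x{rva:X} is outside every section")
            elif name in CODE_KEYS and not s.flags & IMAGE_SCN_MEM_EXECUTE:
                problems.append(f"[{sec}] {key}: 0x{rva:X} is in non-executable {s.name}")
            elif name in DATA_KEYS and not s.flags & IMAGE_SCN_MEM_WRITE:
                problems.append(f"[{sec}] {key}: 0x{rva:X} is in read-only {s.name}")
    if checked == 0:
        problems.append(f"no entries for {arch}, the architecture of this DLL")
    return problems


def build_fake_pe(arch: str) -> bytes:
    """Construct a header-only PE (no real code) so the check can be demonstrated offline."""
    machine = {"x86": 0x014C, "x64": 0x8664}[arch]
    opt_size = 0xF0 if arch == "x64" else 0xE0
    secs = [(b".text", 0x1000, 0x20000, 0x60000020), (b".data", 0x30000, 0x4000, 0xC0000040)]
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", machine, len(secs), 0, 0, 0, opt_size, 0x2022)
    img += b"\0" * opt_size
    for name, rva, size, flags in secs:
        img += struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0x400, 0, 0, 0, 0, flags)
    return bytes(img)


# Constructed sample in the tool's output shape; offsets are made up to fit build_fake_pe.
SAMPLE_INI = """\
[VERSION_NUMBER]
LocalOnlyOffset.x64=1A2B0
SingleUserOffset.x64=1C3D4
DefPolicyOffset.x64=1E5F6
SLInitOffset.x64=1F000
SLInitFunc.x64=New_CSLQuery_Initialize
[VERSION_NUMBER-SLInit]
bInitialized.x64=31000
bServerSku.x64=31004
lMaxUserSessions.x64=31008
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # check_offsets.py generated_section.ini C:\...\termsrv.dll
        ini, dll = open(sys.argv[1]).read(), open(sys.argv[2], "rb").read()
    else:                   # no arguments: run against the constructed sample
        ini, dll = SAMPLE_INI, build_fake_pe("x64")
    for line in validate_ini(ini, dll) or ["all offsets plausible"]:
        print(line)
```

This catches the common failure modes of a heuristic run (an offset that drifted into data, a variable that points at code, output for the wrong architecture) but not a wrong-but-plausible offset inside the right section; that still needs a look at the disassembly at the reported address.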
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is intended for educational purposes and authorized testing only. Please ensure you comply with applicable laws and regulations when using this tool. Misuse of this tool may violate terms of service or local laws.