mutli session suipport

Author: DarkFire01

base/system/smss/smss.c

@@ -514,6 +514,74 @@ _main(IN INT argc,
         }
         SmpReleasePrivilege(State);
 
+        /*
+         * Bring up a second session (MuSession 1). smss is the session leader
+         * and is now sessionless again, so it can create another kernel session,
+         * load that session's subsystems (its own csrss) and launch its initial
+         * command (winlogon) - exactly what the SB API SmpStartCsr does for a
+         * remote session-create request, just driven directly here.
+         *
+         * Gated behind HKLM\SYSTEM\CCS\Control\Session Manager:EnableSecondSession
+         * (DWORD, default 0): the kernel session create, the per-session win32k
+         * load (session-image reuse path) and the per-session object namespaces
+         * all work, but session 1's csrss still trips deep per-session win32k GUI
+         * issues, so it is opt-in until that is finished.
+         */
+        {
+            ULONG EnableSecondSession = 0;
+            RTL_QUERY_REGISTRY_TABLE SecondSessionQueryTable[2];
+
+            RtlZeroMemory(SecondSessionQueryTable, sizeof(SecondSessionQueryTable));
+            SecondSessionQueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
+            SecondSessionQueryTable[0].Name = L"EnableSecondSession";
+            SecondSessionQueryTable[0].EntryContext = &EnableSecondSession;
+            SecondSessionQueryTable[0].DefaultType = REG_DWORD;
+            SecondSessionQueryTable[0].DefaultData = &EnableSecondSession;
+            SecondSessionQueryTable[0].DefaultLength = sizeof(EnableSecondSession);
+            RtlQueryRegistryValues(RTL_REGISTRY_CONTROL,
+                                   L"Session Manager",
+                                   SecondSessionQueryTable,
+                                   NULL,
+                                   NULL);
+
+            if (EnableSecondSession)
+            {
+            ULONG Session1Id = 1;
+            HANDLE Session1WinSubSysPid = NULL;
+            HANDLE Session1Command = NULL;
+            UNICODE_STRING Session1InitialCommand;
+
+            RtlInitEmptyUnicodeString(&Session1InitialCommand, NULL, 0);
+
+            DPRINT1("SMSS: Bringing up session %lu\n", Session1Id);
+            Status = SmpLoadSubSystemsForMuSession(&Session1Id,
+                                                   &Session1WinSubSysPid,
+                                                   &Session1InitialCommand);
+            if (!NT_SUCCESS(Status))
+            {
+                DPRINT1("SMSS: SmpLoadSubSystemsForMuSession(%lu) failed - 0x%x\n",
+                        Session1Id, Status);
+            }
+            else
+            {
+                Status = SmpExecuteInitialCommand(Session1Id,
+                                                  &Session1InitialCommand,
+                                                  &Session1Command,
+                                                  NULL);
+                if (!NT_SUCCESS(Status))
+                {
+                    DPRINT1("SMSS: session %lu initial command failed - 0x%x\n",
+                            Session1Id, Status);
+                }
+                else
+                {
+                    DPRINT1("SMSS: session %lu is up and running\n", Session1Id);
+                    if (Session1Command) NtClose(Session1Command);
+                }
+            }
+            } /* if (EnableSecondSession) */
+        }
+
         /* Wait on either CSRSS or Winlogon to die */
         Status = NtWaitForMultipleObjects(RTL_NUMBER_OF(Handles),
                                           Handles,

ntoskrnl/ex/sysinfo.c

@@ -1972,11 +1972,22 @@ SSI_DEF(SystemExtendServiceTableInformation)
                                       sizeof(Win32kName));
     }
 
-    /* Load the image */
+    /*
+     * Load the image into SESSION space. win32k is a per-session driver: every
+     * session maps its own physical copy at the same session-wide virtual
+     * address, so win32k's .data (gpsi, the USER/GDI heaps and handle tables,
+     * ...) is naturally per-session, while the single shadow service table -
+     * registered once and pointing at that shared VA - resolves to the current
+     * session's copy via its page tables. The first session loads it fresh; a
+     * later session reuses the existing entry and gets its own copy (the
+     * session-image reuse path in MmLoadSystemImage). The caller is attached to
+     * the target session here (the session was just created), so this maps into
+     * the right session.
+     */
     Status = MmLoadSystemImage((PUNICODE_STRING)Buffer,
                                NULL,
                                NULL,
-                               0,
+                               1,
                                (PVOID)&ModuleObject,
                                &ImageBase);
 
@@ -2262,6 +2273,10 @@ NTSTATUS
 NTAPI
 MmSessionDelete(IN ULONG SessionId);
 
+NTSTATUS
+NTAPI
+MmDetachCurrentSession(VOID);
+
 /* Class 47 - Create a new session (TSE) */
 SSI_DEF(SystemSessionCreate)
 {
@@ -2287,10 +2302,9 @@ SSI_DEF(SystemSessionCreate)
     return Status;
 }
 
-/* Class 48 - Delete an existing session (TSE) */
+/* Class 48 - Detach the calling process from its session (TSE) */
 SSI_DEF(SystemSessionDetach)
 {
-    ULONG SessionId;
     KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
 
     if (Size != sizeof(ULONG)) return STATUS_INFO_LENGTH_MISMATCH;
@@ -2301,11 +2315,17 @@ SSI_DEF(SystemSessionDetach)
         {
             return STATUS_PRIVILEGE_NOT_HELD;
         }
-    }
 
-    SessionId = *(PULONG)Buffer;
+        ProbeForReadUlong(Buffer);
+    }
 
-    return MmSessionDelete(SessionId);
+    /*
+     * The session id is accepted for ABI compatibility but the operation always
+     * detaches the calling process from its current session (matching the class
+     * name and Windows semantics), leaving it sessionless so it can create or
+     * join another session.
+     */
+    return MmDetachCurrentSession();
 }
 
 /* Class 49 - UNKNOWN */

ntoskrnl/include/internal/mm.h

@@ -1775,6 +1775,10 @@ MmDetachSession(
     _Inout_ PVOID SessionEntry,
     _Out_ PKAPC_STATE ApcState);
 
+NTSTATUS
+NTAPI
+MmDetachCurrentSession(VOID);
+
 VOID
 NTAPI
 MmQuitNextSession(

ntoskrnl/mm/ARM3/miarm.h

@@ -521,6 +521,20 @@ typedef struct _MM_SESSION_SPACE
 } MM_SESSION_SPACE, *PMM_SESSION_SPACE;
 
 extern PMM_SESSION_SPACE MmSessionSpace;
+
+//
+// Per-session loaded-image tracking entry. Linked into
+// MmSessionSpace->ImageList; one per distinct image mapped into the session,
+// with a reference count covering repeated loads of the same image within the
+// session (ReactOS uses a simple list where Win10 uses an AVL ImageTree).
+//
+typedef struct _MI_SESSION_IMAGE
+{
+    LIST_ENTRY Link;
+    PVOID ImageBase;
+    PFN_COUNT PteCount;
+    LONG ImageCount;
+} MI_SESSION_IMAGE, *PMI_SESSION_IMAGE;
 extern MMPTE HyperTemplatePte;
 extern MMPDE ValidKernelPde;
 extern MMPTE ValidKernelPte;
@@ -1882,6 +1896,71 @@ MiInitializeSessionIds(
     VOID
 );
 
+PVOID
+NTAPI
+MiSessionWideReserveImageAddress(
+    _In_ PFN_COUNT PteCount
+);
+
+VOID
+NTAPI
+MiSessionWideFreeImageAddress(
+    _In_ PVOID ImageBase,
+    _In_ PFN_COUNT PteCount
+);
+
+NTSTATUS
+NTAPI
+MiSessionCommitPageTables(
+    _In_ PVOID StartVa,
+    _In_ PVOID EndVa
+);
+
+NTSTATUS
+NTAPI
+MiCommitSessionImagePages(
+    _In_ PVOID DriverBase,
+    _In_ PFN_COUNT PteCount
+);
+
+VOID
+NTAPI
+MiFreeSessionImage(
+    _In_ PVOID DriverBase,
+    _In_ PFN_COUNT PteCount
+);
+
+VOID
+NTAPI
+MiTestSessionImageLoad(
+    VOID
+);
+
+PMI_SESSION_IMAGE
+NTAPI
+MiSessionLookupImage(
+    _In_ PVOID ImageBase
+);
+
+NTSTATUS
+NTAPI
+MiSessionInsertImage(
+    _In_ PVOID ImageBase,
+    _In_ PFN_COUNT PteCount
+);
+
+VOID
+NTAPI
+MiSessionRemoveImage(
+    _In_ PVOID ImageBase
+);
+
+VOID
+NTAPI
+MiSessionImageTeardown(
+    VOID
+);
+
 CODE_SEG("INIT")
 BOOLEAN
 NTAPI

ntoskrnl/mm/ARM3/pagfault.c

@@ -328,8 +328,13 @@ MiCheckVirtualAddress(IN PVOID VirtualAddress,
     }
     else if (MI_IS_SESSION_ADDRESS(VirtualAddress))
     {
-        /* ReactOS does not have an image list yet, so bail out to failure case */
-        ASSERT(IsListEmpty(&MmSessionSpace->ImageList));
+        /*
+         * Session images use a copy-based model: their pages are committed as
+         * valid PTEs and their PDEs are demand-faulted by MiCheckPdeForSessionSpace,
+         * so a legitimate session-image access never reaches this prototype-PTE
+         * lookup. Anything that lands here is an access to an uncommitted session
+         * address, which falls through to the failure case below.
+         */
     }
 
     /* Default case -- failure */

ntoskrnl/mm/ARM3/section.c

@@ -920,8 +920,8 @@ MiUnmapViewOfSection(IN PEPROCESS Process,
     return Status;
 }
 
-static
 NTSTATUS
+NTAPI
 MiSessionCommitPageTables(IN PVOID StartVa,
                           IN PVOID EndVa)
 {