bobotechnology/RDPWrapOffsetFinder

RDPWrap Offset Finder

A tool to find offsets in termsrv.dll for use with RDPWrap and generate corresponding rdpwrap.ini sections.

Features

  • Extracts RDPWrap offsets from termsrv.dll for enabling multiple RDP connections
  • Supports both symbol-based and heuristic analysis methods
  • Generates properly formatted INI sections compatible with RDPWrap
  • Handles both x86 and x64 architectures
  • Can be built as a standalone executable via PyInstaller

Usage

# Analyze default system termsrv.dll with symbol-based approach
rdpwrap-offset-finder

# Analyze specific termsrv.dll file
rdpwrap-offset-finder C:\Path\To\termsrv.dll

# Use heuristic pattern search instead of PDB symbols
rdpwrap-offset-finder C:\Path\To\termsrv.dll --nosymbol

Options

  • [termsrv]: Path to termsrv.dll (default: %SystemRoot%\System32\termsrv.dll)
  • --nosymbol: Use heuristic pattern search instead of PDB symbols
  • --help: Show help message and exit

Build standalone executable

python build_exe.py

Output goes to dist/rdpwrap-offset-finder.exe.

Requires Python 3.9+ and PyInstaller.

How It Works

The tool works in two modes:

  1. Symbol-based (default): Uses PDB files to locate functions and variables with high precision
  2. Heuristic (with --nosymbol): Uses pattern matching to find relevant code sections when symbols are unavailable

Both modes extract the same information; how reliable each one is depends on whether matching symbols are available and on the specific version of termsrv.dll being analyzed.

Output Format

The tool outputs INI sections that can be added to rdpwrap.ini:

[VERSION_NUMBER]
; Enable local-only patch
LocalOnlyPatch.Arch=FLAG_VALUE
; Offset for local-only patch
LocalOnlyOffset.Arch=HEX_OFFSET_VALUE
; Code type for local-only patch (e.g., jmpshort, nopjmp)
LocalOnlyCode.Arch=CODE_TYPE

; Enable single-user patch
SingleUserPatch.Arch=FLAG_VALUE
; Offset for single-user patch
SingleUserOffset.Arch=HEX_OFFSET_VALUE
; Code type for single-user patch (e.g., mov_eax_1_nop_N, nop_N)
SingleUserCode.Arch=CODE_TYPE

; Enable default policy patch
DefPolicyPatch.Arch=FLAG_VALUE
; Offset for default policy patch
DefPolicyOffset.Arch=HEX_OFFSET_VALUE
; Code type for default policy patch
;   e.g. CDefPolicy_Query_eax_rcx       (register-based CMP)
;        CDefPolicy_Query_r9d_rdi_jmp   (register-based MOV+CMP+JNE)
DefPolicyCode.Arch=POLICY_CODE_TYPE

; Enable SLInit hook
SLInitHook.Arch=FLAG_VALUE
; Offset for SLInit hook
SLInitOffset.Arch=HEX_OFFSET_VALUE
; Function name for SLInit
SLInitFunc.Arch=FUNCTION_NAME

[VERSION_NUMBER-SLInit]
; Offset for bInitialized variable
bInitialized.Arch      =HEX_OFFSET_VALUE
; Offset for bServerSku variable
bServerSku.Arch        =HEX_OFFSET_VALUE
; Offset for lMaxUserSessions variable
lMaxUserSessions.Arch  =HEX_OFFSET_VALUE
; Offset for bAppServerAllowed variable
bAppServerAllowed.Arch =HEX_OFFSET_VALUE
; Offset for bRemoteConnAllowed variable
bRemoteConnAllowed.Arch=HEX_OFFSET_VALUE
; Offset for bMultimonAllowed variable
bMultimonAllowed.Arch  =HEX_OFFSET_VALUE
; Offset for ulMaxDebugSessions variable
ulMaxDebugSessions.Arch=HEX_OFFSET_VALUE
; Offset for bFUSEnabled variable
bFUSEnabled.Arch       =HEX_OFFSET_VALUE
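Sections in this format are easy to mis-edit by hand: a key without its Arch suffix, an offset written with a 0x prefix, or an SLInitHook enabled without its -SLInit companion section. The checker below is an added example, not code from RDPWrapOffsetFinder; it parses sections of this shape with Python's configparser and reports such inconsistencies. The version number, every offset and the SLInitFunc name in SAMPLE_INI are constructed placeholders.

```python
# Added example (not RDPWrapOffsetFinder code): parse and sanity-check rdpwrap.ini version sections.
import configparser
import re

KEY_RE = re.compile(r"^([A-Za-z]+)\.(x86|x64)$")  # every key is Name.Arch
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")         # bare hex offset, no 0x prefix

SAMPLE_INI = """\
[10.0.19041.9999]
; constructed sample values, not real termsrv.dll offsets
LocalOnlyPatch.x64=1
LocalOnlyOffset.x64=1A2B3C
LocalOnlyCode.x64=jmpshort
SingleUserPatch.x64=0
DefPolicyPatch.x64=0
SLInitHook.x64=1
SLInitOffset.x64=4D5E6F
SLInitFunc.x64=EXAMPLE_SLINIT_FUNC

[10.0.19041.9999-SLInit]
bInitialized.x64=5E6F70
bServerSku.x64=5E6F74
"""

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; the default would lowercase "LocalOnlyPatch.x64"
    cp.read_string(text)
    return cp

def check_version(cp, version):
    """Return problems found in [version] and its -SLInit companion; [] means consistent."""
    sec, comp, problems = cp[version], f"{version}-SLInit", []
    for key, value in sec.items():
        m = KEY_RE.match(key)
        if not m:
            problems.append(f"{version}: malformed key {key!r}")
        elif m.group(1).endswith(("Patch", "Hook")):  # enable flags: LocalOnlyPatch, SLInitHook, ...
            if value not in ("0", "1"):
                problems.append(f"{version}: {key} must be 0 or 1")
            elif value == "1":  # an enabled patch needs its offset; SLInit also needs its companion
                base, arch = m.group(1).removesuffix("Patch").removesuffix("Hook"), m.group(2)
                if f"{base}Offset.{arch}" not in sec:
                    problems.append(f"{version}: {key}=1 but {base}Offset.{arch} is missing")
                if base == "SLInit" and not cp.has_section(comp):
                    problems.append(f"{version}: {key}=1 but [{comp}] is missing")
        elif m.group(1).endswith("Offset") and not HEX_RE.match(value):
            problems.append(f"{version}: {key} is not a hex offset")
    if cp.has_section(comp):  # every companion entry is a variable offset
        problems += [f"{comp}: {k} is not a hex offset"
                     for k, v in cp[comp].items() if not HEX_RE.match(v)]
    return problems
```

Run check_version(load_ini(SAMPLE_INI), "10.0.19041.9999") to get an empty list for the sample; feed it a real rdpwrap.ini to list every inconsistency per version section.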

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This tool is intended for educational purposes and authorized testing only. Please ensure you comply with applicable laws and regulations when using this tool. Misuse of this tool may violate terms of service or local laws.

About

Automatically find rdpwrap offsets

Languages

  • Python 100.0%