Thursday, 16 June 2011

Exploding Windows 7 interactive sessions

I always wondered whether Windows 7, supposedly having the same core as its server counterpart, was somehow capable of supporting more than one interactive session. I speculated that Microsoft had changed its core not to limit functionality but to present the end user with a lighter kernel, faster and less resource demanding.

I was wrong. This post presents proof that more than one interactive session is indeed possible within Windows 7.

Considering this, I remembered the many times I needed to log in interactively to a client machine while the user was logged in. How many reasons were there? How many helpdesk calls, tests, validations, etc. could have been done without having to lock or log off the user? How many times have I prayed for some way to bypass this limitation? Hundreds of times. Particularly on the server editions, when the limit of 2 remote sessions (plus 1 for the console) was hit. What was more annoying? Killing remote sessions, or being killed by someone else who also needed to get in?

But the most important point I'd like to raise with this post is that my hack targets Winlogon, as opposed to the traditional and obvious target, the Remote Desktop service (termsrv.dll). Winlogon has become the master in this domain. Isn't this an error? Should Winlogon have such power? This seems contrary to Microsoft's modular policy.

So, the figure shows you the target, Windows 7 Professional, and I've got two active sessions open, one on the console and the other remote.
What are the possibilities then? Well, as is usually said, your imagination is the limit. In fact your memory is, but this approach allows for theoretically unlimited use of interactive terminal sessions.

To use the tool, you need to connect through RDP or the console and establish a second session. Before logging in, identify the newly opened session and note the PID of the newly created winlogon.exe process. Run the tool like this:

You can log in now and, as you'll see, you'll be in a fresh new interactive session.
No error messages, no one being killed or locked.
I'm not going to delve further into the subject, nor will I be sharing the tool I built as in the other posts, because I don't want to get in trouble with Microsoft, but for those willing to send me an email requesting the tool, I'll share it with you.
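As an added example from the defender's side (not the author's tool, and not part of the original post), the PowerShell below does the session-to-winlogon.exe mapping the step above relies on and warns when a client SKU reports more than one Active session, which stock Windows 7 does not allow. It assumes Windows 7 or later with PowerShell 2.0+ and calls the documented WTSEnumerateSessions API through P/Invoke; the `Wts` wrapper class and `Get-InteractiveSessionReport` function are names chosen here.

```powershell
# Added example (not the author's tool): list each interactive session with its connect state and the
# winlogon.exe PID that owns it, and warn when a client SKU shows more than one Active session.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Wts {
    [StructLayout(LayoutKind.Sequential)]
    public struct SESSION_INFO { public uint SessionId; public IntPtr pWinStationName; public int State; }
    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool WTSEnumerateSessions(IntPtr hServer, uint Reserved, uint Version, out IntPtr ppSessionInfo, out uint pCount);
    [DllImport("wtsapi32.dll")]
    public static extern void WTSFreeMemory(IntPtr pMemory);
}
"@
function Get-InteractiveSessionReport {
    # WTS_CONNECTSTATE_CLASS values; only Active means a user is sitting at a live desktop
    $stateNames = @{ 0='Active'; 1='Connected'; 2='ConnectQuery'; 3='Shadow'; 4='Disconnected'; 5='Idle'; 6='Listen'; 7='Reset'; 8='Down'; 9='Init' }
    # Win32_OperatingSystem.ProductType: 1 = workstation (Windows 7 client), 2 = DC, 3 = server
    $isWorkstation = ((Get-WmiObject Win32_OperatingSystem).ProductType -eq 1)
    # Stock Windows runs one winlogon.exe per interactive session (session 0 only hosts services)
    $winlogonBySession = @{}
    Get-Process -Name winlogon -ErrorAction SilentlyContinue |
        ForEach-Object { $winlogonBySession[[uint32]$_.SessionId] = $_.Id }
    $buf = [IntPtr]::Zero; $count = [uint32]0
    if (-not [Wts]::WTSEnumerateSessions([IntPtr]::Zero, 0, 1, [ref]$buf, [ref]$count)) {
        throw "WTSEnumerateSessions failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $report = @()
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([Wts+SESSION_INFO])
        for ($i = 0; $i -lt $count; $i++) {
            $p = [IntPtr]($buf.ToInt64() + $i * $size)
            $s = [Runtime.InteropServices.Marshal]::PtrToStructure($p, [Wts+SESSION_INFO])
            $report += New-Object PSObject -Property @{
                SessionId   = $s.SessionId
                Station     = [Runtime.InteropServices.Marshal]::PtrToStringUni($s.pWinStationName)
                State       = $stateNames[$s.State]
                WinlogonPid = $winlogonBySession[$s.SessionId] }
        }
    } finally { [Wts]::WTSFreeMemory($buf) }
    $active = @($report | Where-Object { $_.State -eq 'Active' })
    if ($isWorkstation -and $active.Count -gt 1) {
        Write-Warning ("Client SKU reports $($active.Count) Active sessions (expected at most 1); " +
                       "inspect winlogon.exe PIDs " + (($active | ForEach-Object { $_.WinlogonPid }) -join ', '))
    }
    $report | Sort-Object SessionId | Select-Object SessionId, Station, State, WinlogonPid
}
Get-InteractiveSessionReport | Format-Table -AutoSize
```

Disconnected sessions left behind by Fast User Switching are expected on a client and are not flagged; only a second Active session trips the warning.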

PS: being a PoC, the tool only works on Windows 7 (yeh!) SP1 32-bit.
