Search code examples
c++windowsrdpvirtual-channel

VirtualChannelInit stucks


I'm developing an rdp virtual channel application. I've registered client side dll in registry and trying to understand, that client dll is loaded. But I'm getting stuck when calling pVirtualChannelInit from pEntryPoints. It just doesn't return any result, debugger goes to disassemled code on this function. But if do not stop on this call, VirtualChannelEntry called for the second time (why?).

If I use debugger to mstsc.exe. After some time after first call, in console I can see this: First-chance exception at 0x00000004 in mstsc.exe: 0xC0000005: an access violation in the performance at 0x00000004. //translated with google And after second call when rdp session is appearing on the screen:

First-chance exception at 0x773EC42D (KernelBase.dll) in mstsc.exe: 0x000006BA: RPC server is unavailable.
First-chance exception at 0x773EC42D (KernelBase.dll) in mstsc.exe: 0x000006BA: RPC server is unavailable.
First-chance exception at 0x773EC42D (KernelBase.dll) in mstsc.exe: 0x000006BA: RPC server is unavailable.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: unsigned long at memory location 0x06CCF8C0.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: unsigned long at memory location 0x06CCF8C0.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: [rethrow] at memory location 0x00000000.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: [rethrow] at memory location 0x00000000.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: unsigned long at memory location 0x06CCF8C0.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: unsigned long at memory location 0x06CCF8C0.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: [rethrow] at memory location 0x00000000.
First-chance exception at 0x773EC42D in mstsc.exe: Microsoft C++ exception: [rethrow] at memory location 0x00000000.

Pointers in pEntryPoints are always:

pVirtualChannelInit - 0x00000004 pVirtualChannelOpen - 0x0000ffff pVirtualChannelClose - 0x000000b8 pVirtualChannelWrite - 0x00000000 (Why 0?)

HANDLE ClientHandle = NULL;
CHANNEL_DEF pChannel[1];
CHANNEL_ENTRY_POINTS SavedEntryPoints;
PCHANNEL_INIT_EVENT_FN pChannelInitEventProc;

BOOL VCAPITYPE VirtualChannelEntry(PCHANNEL_ENTRY_POINTS  pEntryPoints)
{
    ofstream myfile;
    myfile.open ("D:\\Projects\\bench_cli\\ConsoleApplication1\\Release\\example.txt");
    myfile << "Writing this to a file.\n";

    UINT retval1 = 0;
    ZeroMemory(&pChannel[0], sizeof(CHANNEL_DEF));
    strcpy(pChannel[0].name, "Bench");
    pChannel[0].options = CHANNEL_OPTION_ENCRYPT_RDP | CHANNEL_OPTION_COMPRESS_RDP;
    pChannelInitEventProc = VirtualChannelInitEvent;
    memcpy(&SavedEntryPoints, pEntryPoints, sizeof(CHANNEL_ENTRY_POINTS));

    myfile << " copied" << endl;

    // call VirtualChannelInit using the function pointer in
    // PCHANNEL_ENTRY_POINTS
    myfile << "Initing" << endl;

    retval1 = pEntryPoints->pVirtualChannelInit (&ClientHandle,
                pChannel, 1, VIRTUAL_CHANNEL_VERSION_WIN2000,
                pChannelInitEventProc); //here we stuck

    myfile << " init" << endl; //this never printed
    myfile.close();

    return TRUE;
}

VOID VCAPITYPE VirtualChannelInitEvent( LPVOID pInitHandle, UINT event, LPVOID pData, UINT dataLength)
{
...//never called
}

Solution

  • pVirtualChannelInit should be a valid pointer (to code). 0x00000004 is not, hence the access violation

    Your problem may be caused by improper structure packing/alignment at compile time.

    Use a debugger to figure out the correct alignment, by inspecting the memory pointed to by the PCHANNEL_ENTRY_POINTS pEntryPoints parameter passed to your VirtualChannelEntry implementation. The structure starts with 2 32 bits values, followed by 4 function pointers. The first field is a size field (value depends on bitness, 32 bits:0x0018, or 64:0x0028), the second one should be 0x00001.

    Then, use #pragma pack push/pop (MSVC compiler) around the inclusion of the header defining the CHANNEL_ENTRY_POINTS structure to force the correct alignment at compile time.