myvtm/Module/mod_FreeRDPWrap/RDPWInst.cpp

// RDPWInst.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <Windows.h>
#include <process.h>
#include <tchar.h>
#include <Winsvc.h>
#include <stdio.h>
#include <strsafe.h>

#include "FreeRDPErrorCode.h"
#include "RDPWInst.h"


#include "phnt\winsta.h"

#pragma comment(lib, "Userenv.lib")
#pragma comment(lib, "WtsApi32.lib")
#pragma comment(lib, "version.lib")

#define	TERM_SERVICE TEXT("TermService")
#define SVC_CERT_PROP TEXT("CertPropSvc")
#define SVC_SEESSION_ENV TEXT("SessionEnv")

#define RDP_WRAP_BINARY   TEXT("\\bin\\RDPWrap.dll")
#define RDP_WRAP_BINARY64 TEXT("\\bin\\RDPWrap64.dll")

#define RDP_WRAP_CONFIG_FILE TEXT("\\cfg\\rdpwrap.ini")
#define RDP_WRAP_CONFIG_FILE64 TEXT("\\cfg\\rdpwrap.ini")

#define DEFAULT_TERMSRV_PATH TEXT("%SystemRoot%\\System32\\termsrv.dll")

typedef BOOL(WINAPI *PFuncWow64DisableWow64FsRedirection)(PVOID);
typedef BOOL(WINAPI *PFuncWow64RevertWow64FsRedirection)(PVOID);
typedef BOOL(WINAPI *PFuncWow64EnableWow64FsRedirection)(BOOLEAN);

typedef BOOLEAN(WINAPI *PFuncWinStationEnumerateW)(
	_In_opt_ HANDLE hServer,
	_Out_ PSESSIONIDW *SessionIds,
	_Out_ PULONG Count
	);
typedef BOOL(WINAPI *PFuncWinStationFreeMemory)(
	_In_ PVOID Buffer);

TCHAR gszTermServicePath[MAX_PATH] = { 0 };
TCHAR gszExistedTSPath[MAX_PATH] = { 0 };
int gArch = 0;
int Will = (int)Invalid;

FILE_VERSION FV = { 0 };

BOOL bEnterWowRedirect = FALSE;

BOOLEAN RevertWowRedirection();
BOOL DisableWowRedirection();

void EnterWowRedirection()
{
	if(gArch == 64) {
		if(!bEnterWowRedirect) {
			DisableWowRedirection();
			bEnterWowRedirect = TRUE;
		}
	}
}

void LeaveWowRedirection()
{
	if(gArch == 64) {
		if(bEnterWowRedirect) {
			RevertWowRedirection();
			bEnterWowRedirect = FALSE;
		}
	}
}

DWORD ToLowerCase(TCHAR *szChars) 
{
	if (szChars == NULL) {
		return 0;
	}
	DWORD charsLen = lstrlen(szChars);
	DWORD dwCount = 0;
	for (DWORD i = 0; i < charsLen; ++i) {
		if (szChars[i] >= 'A' && szChars[i] <= 'Z') {
			szChars[i] = szChars[i] + ('a' - 'A');
			dwCount++;
		}
	}
	return dwCount;
}

//#define IFCALLEXIT(_cb) do { if ( TRUE != (_cb) ) { AppQuit(-1); } } while (0)
#define IFCALLEXIT_WITH_RESULT(_cb, exit_code)  \
	do { if ( TRUE != (_cb) ) {  \
	AppQuit(exit_code); goto Error; }  \
	} while (0)

VOID AppQuit(int nExitCode);

VOID RestartTsvProcess();

BOOL CheckTsvRestarted(DWORD dwLastPID);

BOOL IsFileExisted(LPCTSTR lpszSpecifiedPath)
{
	auto dwRet = GetFileAttributes(lpszSpecifiedPath);
	return (dwRet != INVALID_FILE_ATTRIBUTES) && !(dwRet & FILE_ATTRIBUTE_DIRECTORY);
}

/*the lpszSpecifiedValue must be all lower char*/
BOOL IsTermsrvHasBeenReplaced(LPCTSTR lpszSpecifiedValue, BOOL& bThirdParty)
{
	if(lpszSpecifiedValue == NULL || _tcslen(gszTermServicePath) == 0)
	{
		bThirdParty = FALSE;
		return FALSE;
	}

	if (_tcsstr(lpszSpecifiedValue, TEXT("termsrv.dll")) != NULL)
	{
		return FALSE;
	}

	if (_tcsstr(lpszSpecifiedValue, TEXT("rdpwrap.dll")) != NULL
		|| _tcsstr(lpszSpecifiedValue, TEXT("rdpwrap64.dll")) != NULL)
	{
		bThirdParty = FALSE;
		return TRUE;
	}

	bThirdParty = TRUE;
	return TRUE;
}

DWORD ExpandPath(LPCTSTR lpcszOriginal, LPTSTR lpDest, const DWORD dwDestSize)
{
	//StringReplace(Path, '%ProgramFiles%', '%ProgramW6432%', [rfReplaceAll, rfIgnoreCase]);
	DWORD dwBufSize = ExpandEnvironmentStrings(lpcszOriginal, lpDest, dwDestSize);
	if (dwBufSize > dwDestSize) {
		Dbg(TEXT("[!] Buffer is too small to convert envstring \"%s\"."), lpcszOriginal);
	}
	return dwBufSize;
}

BOOL GetWrapperDllPath(TCHAR szWrapPath[], const DWORD dwPathSize)
{
	DWORD nLocLen = 0;
	nLocLen = GetCurrentDirectory(dwPathSize, szWrapPath);
	if (nLocLen == 0)
	{
		Dbg(TEXT("[-] GetCurrentDirectory failed with status %d"), GetLastError());
		return FALSE;
	}
	if (FAILED(StringCbCat(szWrapPath, dwPathSize, gArch == 64 ? RDP_WRAP_BINARY64 : RDP_WRAP_BINARY)))
	{
		Dbg(TEXT("[-] StringCbCatW failed with error %d"), GetLastError());
		return FALSE;
	}
	Dbg(TEXT("[*] RDP wrap executable file path : <%s>"), szWrapPath);

	if (!IsFileExisted(szWrapPath))
	{
		Dbg(TEXT("[-] detect the above file is not exist !!!"));
		return FALSE;
	}
	return TRUE;
}

BOOL GetWrapperINIPath(TCHAR szWrapPath[], const DWORD dwPathSize)
{
	DWORD nLocLen = 0;
	nLocLen = GetCurrentDirectory(dwPathSize, szWrapPath);
	if (nLocLen == 0)
	{
		Dbg(TEXT("[-] GetCurrentDirectory failed with status %d"), GetLastError());
		return FALSE;
	}
	if (FAILED(StringCbCat(szWrapPath, dwPathSize, gArch == 64 ? RDP_WRAP_CONFIG_FILE64 : RDP_WRAP_CONFIG_FILE)))
	{
		Dbg(TEXT("[-] StringCbCatW failed with error %d"), GetLastError());
		return FALSE;
	}
	Dbg(TEXT("[*] RDP wrap config file path : <%s>"), szWrapPath);
	if (!IsFileExisted(szWrapPath))
	{
		Dbg(TEXT("[-] detect the above file is not exist !!!"));
		return FALSE;
	}
	return TRUE;
}

BOOL CheckIfSectionExist(TCHAR* szFilePath, char* szSection)
{
	BOOL fExist = FALSE;
	DWORD NumberOfBytesRead = 0;
	DWORD FileSize;
	char *FileRaw = NULL;

	HANDLE hFile = CreateFile(szFilePath, GENERIC_READ, FILE_SHARE_WRITE | FILE_SHARE_READ,
		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (hFile == INVALID_HANDLE_VALUE)
	{
		return FALSE;
	}

	FileSize = GetFileSize(hFile, NULL);
	if (FileSize == INVALID_FILE_SIZE)
	{
		return FALSE;
	}

	FileRaw = new char[FileSize];
	fExist = ReadFile(hFile, FileRaw, FileSize, &NumberOfBytesRead, NULL);
	if (fExist)
	{
		fExist = !!strstr(FileRaw, szSection);
	}
	delete FileRaw;
	CloseHandle(hFile);
	return fExist;
}

BOOL ExtractFiles()
{
	BOOL fResult = FALSE;
	/*
	WrapPath =: C:\\Program files\\RDP Wrapper
	if not exist 
	  create it
	  if create failed
	     halt false
	if update-online from center setting.
	  download lastest ini-file
	  suc: s := wrapPath + 'rdpwrap.ini'

	if not update-online or update-failed
	  s := localPath + 'rdpwrap.ini'
	
	extract 'rdpclip.exe'


	%SystemRoot%\System32\rdpclip.exe
	'%SystemRoot%\System32\rfxvmt.dll
	*/


	return fResult;
}

BOOL SetWrapperDll(LPTSTR lpWrapPath)
{
	if (lpWrapPath == NULL) {
		return FALSE;
	}
	DWORD dwLen = (_tcsclen(lpWrapPath) + 1)*sizeof(TCHAR);
	DWORD dwFlag = KEY_WRITE;
	if (gArch == 64) {
		dwFlag |= KEY_WOW64_64KEY;
	}
	BOOL fResult = FALSE;
	HKEY hKey;
	LONG lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, 
		TEXT("SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters"),
		0, dwFlag, &hKey);
	if (lResult == ERROR_SUCCESS) {
		lResult = RegSetValueEx(hKey, TEXT("ServiceDll"), 0, REG_EXPAND_SZ, (const BYTE*)lpWrapPath, dwLen);
		if (lResult == ERROR_SUCCESS) {
			Dbg(TEXT("[+] RegSetValueEx succ: %s"), lpWrapPath);

			if ((gArch == 64) && (FV.w.Major == 6) && (FV.w.Minor == 0)) {
				TCHAR szRegExe[MAX_PATH] = { 0 };
				ExpandPath(TEXT("%SystemRoot%"), szRegExe, MAX_PATH);
				_tcscat_s(szRegExe, TEXT("\\system32\\reg.exe"));
				TCHAR szParameters[MAX_PATH] = { 0 };
				sprintf_s(szParameters, TEXT("ADD HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %s /f"), lpWrapPath);
				//添加一个值<名称：ServiceDll，类型：REG_EXPAND_SZ，数据：>，不用提示并强行覆盖现有注册表项
				Dbg(TEXT("[+] Parameters: %s"), szParameters);
				if (!_spawnl(_P_WAIT, szRegExe, TEXT("reg.exe"), szParameters, NULL)) {
					Dbg(TEXT("[+] _wspawnl succ."));
					fResult = TRUE;
				}
				else {
					Dbg(TEXT("[-] _wspawnl error."));
				}
			}
			else {
				fResult = TRUE;
			}
		}
	}
	else {
		Dbg(TEXT("[-] RegOpenKeyEx error returned %u, GLE=%u."), lResult, GetLastError());
	}
	RegCloseKey(hKey);
	return fResult;
}

BOOL ResetServiceDll()
{
	DWORD dwFlag = KEY_WRITE;
	if (gArch == 64) {
		dwFlag |= KEY_WOW64_64KEY;
	}
	BOOL fResult = FALSE;
	HKEY hKey;
	LONG lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters"),
		0, dwFlag, &hKey);
	if (lResult == ERROR_SUCCESS) {
		TCHAR szTermsrv[MAX_PATH] = DEFAULT_TERMSRV_PATH;
		DWORD dwLen = (_tcslen(DEFAULT_TERMSRV_PATH) + 1)*sizeof(TCHAR);
		lResult = RegSetValueEx(hKey, TEXT("ServiceDll"), 0, REG_EXPAND_SZ, (const BYTE*)szTermsrv, dwLen);
		if (lResult == ERROR_SUCCESS) {
			Dbg(TEXT("[+] RegSetValueEx succ: %s"), szTermsrv);
			fResult = TRUE;
		}
		else {
			Dbg(TEXT("[-] RegSetValueEx \"%s\" error returned %u, GLE=%u."), szTermsrv, lResult, GetLastError());
		}
	}
	else {
		Dbg(TEXT("[-] RegOpenKeyEx \"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\" error returned %u, GLE=%u."), lResult, GetLastError());
	}
	RegCloseKey(hKey);
	return fResult;
}

BOOL ExtractResource(LPTSTR lpDestPath)
{
	HMODULE hModule = NULL;
	HRSRC hrSRC = FindResource(hModule, TEXT(""), RT_RCDATA);

	return TRUE;
}

INT SvcGetStarType(LPCTSTR lpcSvcName)
{
	INT nResult = -1;
	SC_HANDLE hSC = NULL;
	SC_HANDLE hSvc = NULL;
	LPQUERY_SERVICE_CONFIG lpServiceConfig;
	Dbg(TEXT("[*] Checking %s ..."), lpcSvcName);
	hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
	if (hSC == NULL) {
		Dbg(TEXT("[-] OpenSCManager error GLE=%u."), GetLastError());
	}
	else {
		hSvc = OpenService(hSC, lpcSvcName, SERVICE_QUERY_CONFIG);
		if (hSvc == NULL) {
			Dbg(TEXT("[-] OpenService for \"%s\" error GLE=%u."), lpcSvcName, GetLastError());
		}
		else {
			DWORD dwByteNeeded;
			DWORD dwBufSize;
			BOOL fResult = QueryServiceConfig(hSvc, NULL, 0, &dwByteNeeded);
			if (!fResult && ERROR_INSUFFICIENT_BUFFER == GetLastError()) {
				dwBufSize = dwByteNeeded;
				lpServiceConfig = (LPQUERY_SERVICE_CONFIG)LocalAlloc(LMEM_FIXED, dwBufSize);

				if (!QueryServiceConfig(hSvc, lpServiceConfig, dwBufSize, &dwByteNeeded)) {
					Dbg(TEXT("[-] QueryServiceConfig twice error GLE=%u."), GetLastError());
				}
				else {
					nResult = lpServiceConfig->dwStartType;
				}
				LocalFree(lpServiceConfig);
			}
			else {
				Dbg(TEXT("[-] QueryServiceConfig error GLE=%u."), GetLastError());
			}
		}
	}
	CloseServiceHandle(hSC);
	CloseServiceHandle(hSvc);
	return nResult;
}

BOOL SvcConfigStarType(LPCTSTR lpcSvcName, DWORD dwStartType)
{
	SC_HANDLE hSC = NULL;
	SC_HANDLE hSvc = NULL;
	BOOL fResult = FALSE;
	Dbg(TEXT("[*] Configuring %s ..."), lpcSvcName);
	hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
	if (hSC == NULL) {
		Dbg(TEXT("[-] OpenSCManager error GLE=%u."), GetLastError());
	}
	else {
		hSvc = OpenService(hSC, lpcSvcName, SERVICE_CHANGE_CONFIG);
		if (hSvc == NULL) {
			Dbg(TEXT("[-] OpenService with \"%s\" for change-config error GLE=%u."), lpcSvcName, GetLastError());
		}
		else {
			if (ChangeServiceConfig(hSvc, SERVICE_NO_CHANGE, dwStartType, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL,
				NULL, NULL, NULL)) {
				fResult = TRUE;
			}
			else {
				Dbg(TEXT("[-] ChangeServiceConfig error GLE=%u."), GetLastError());
			}
		}
	}
	CloseServiceHandle(hSvc);
	CloseServiceHandle(hSC);
	return fResult;
}

BOOL SvcStartService(LPCTSTR lpcSvcName, DWORD dwLastProID = 0)
{
	BOOL fResult = FALSE;
	SC_HANDLE hSC = NULL;
	SC_HANDLE hSvc = NULL;

	Dbg(TEXT("[*] Starting service %s ..."), lpcSvcName);
	hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
	if (hSC == NULL) {
		Dbg(TEXT("[-] OpenSCManager error GLE=%u."), GetLastError());
		goto FAILED;
	}
	else {
		hSvc = OpenService(hSC, lpcSvcName, SERVICE_START);
		if (hSvc == NULL) {
			Dbg(TEXT("[-] OpenService with \"%s\" for start error GLE=%u."), lpcSvcName, GetLastError());
			goto FAILED;
		}
		else {
			fResult = StartService(hSvc, 0, NULL);
			if (!fResult) {
				DWORD dwError = GetLastError();
				if (dwError == ERROR_SERVICE_ALREADY_RUNNING) {
					Dbg(TEXT("[!] Service already started or SCM hasn't registered killed process."));
					Sleep(2000);
					fResult = StartService(hSvc, 0, NULL);
					if (!fResult) {
						Dbg(TEXT("[-] StartService twice error GLE=%u."), GetLastError());
						if (!_tcsicmp(lpcSvcName, TERM_SERVICE) && CheckTsvRestarted(dwLastProID)) {
							
						} else {
							goto FAILED;
						}
					}
				}
				else {
					Dbg(TEXT("[-] StartService error GLE=%u."), dwError);
					goto FAILED;
				}
			}
		}
	}
	fResult = TRUE;
	
FAILED:

	if (hSvc != NULL) {
		CloseServiceHandle(hSvc);
	}
	if (hSC != NULL) {
		CloseServiceHandle(hSC);
	}
	return fResult;
}

BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
	TOKEN_PRIVILEGES tp;
	LUID luid;

	if (!LookupPrivilegeValue(
		NULL,            // lookup privilege on local system
		lpszPrivilege,   // privilege to lookup 
		&luid))          // receives LUID of privilege
	{
		Dbg(TEXT("[-] LookupPrivilegeValue error: %u"), GetLastError());
		return FALSE;
	}

	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege)
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;

	// Enable the privilege or disable all privileges.

	if (!AdjustTokenPrivileges(
		hToken,
		FALSE,
		&tp,
		sizeof(TOKEN_PRIVILEGES),
		(PTOKEN_PRIVILEGES)NULL,
		(PDWORD)NULL))
	{
		Dbg(TEXT("[-] AdjustTokenPrivileges error: %u"), GetLastError());
		return FALSE;
	}

	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		Dbg(TEXT("[-] The token does not have the specified privilege. "));
		return FALSE;
	}
	return TRUE;
}

BOOL AddPrivilege(LPCTSTR lpszPrivilege)
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
		Dbg(TEXT("[-] OpenProcessToken error, GLE=%u."), GetLastError());
		return FALSE;
	}
	return SetPrivilege(hToken, lpszPrivilege, TRUE);
}

BOOL KillProcess(DWORD dwProcessID)
{
	BOOL fResult = FALSE;
	HANDLE hProc = OpenProcess(PROCESS_TERMINATE, FALSE, dwProcessID);
	if (hProc == NULL) {
		Dbg(TEXT("[-] OpenProcess error: %u"), GetLastError());
	}
	else if (!TerminateProcess(hProc, 0)) {
		Dbg(TEXT("[-] TerminateProcess error: %u"), GetLastError());
	}
	else {
		Dbg(TEXT("[+] TerminateProcess <pid %d> succ."), dwProcessID);
		fResult = TRUE;
	}
	CloseHandle(hProc);
	return fResult;
}

VOID CheckTermsrvDependencies()
{
	if (SvcGetStarType(SVC_CERT_PROP) == SERVICE_DISABLED) {
		SvcConfigStarType(SVC_CERT_PROP, SERVICE_DEMAND_START);
	}
	if (SvcGetStarType(SVC_SEESSION_ENV) == SERVICE_DISABLED) {
		SvcConfigStarType(SVC_SEESSION_ENV, SERVICE_DEMAND_START);
	}
}
/*
 * dwDepCount[in and out]
 */
VOID CheckTermsrvProcess(DWORD& dwProcessID, TCHAR pszDependencySvc[][MAX_PATH], DWORD& dwDepCount)
{
	SC_HANDLE hSC;
	DWORD dwNeedBytes, dwReturnBytes, dwResumeHandle;
	BOOL fFound = FALSE, fStarted = FALSE, fResult = FALSE;
	TCHAR szTermServiceName[MAX_PATH];
	DWORD dwTermServicePID = 0;
	DWORD dwErrorCode = 0;
	hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);

	if (hSC == NULL) {
		Dbg(TEXT("[-] OpenSCManager error GLE=%u."), GetLastError());
	}
	else {

Refresh:
		dwResumeHandle = 0;
		//TODO: 1489 !!!
		ENUM_SERVICE_STATUS_PROCESS svcs[1489];
		ZeroMemory(svcs, sizeof(ENUM_SERVICE_STATUS_PROCESS) * 1489);
		fResult = EnumServicesStatusEx(hSC, SC_ENUM_PROCESS_INFO, SERVICE_WIN32, SERVICE_STATE_ALL,
			(LPBYTE)&svcs[0], sizeof(svcs[0]) * 1489, &dwNeedBytes, &dwReturnBytes, &dwResumeHandle, NULL);
		if (fResult) {
			for (int i = 0; i < 1489; ++i) {
				if (svcs[i].lpServiceName != NULL) {
					if (!_tcsicmp(svcs[i].lpServiceName, TERM_SERVICE)) {
						fFound = TRUE;
						_tcscpy_s(szTermServiceName, svcs[i].lpServiceName);
						dwTermServicePID = svcs[i].ServiceStatusProcess.dwProcessId;
						dwProcessID = dwTermServicePID;
						break;
					}
				}
			}
			if (!fFound) {
				Dbg(TEXT("[-] TermService not found."));
			}
			else if (dwProcessID == 0) {
				if (fStarted) {
					Dbg(TEXT("[-] Failed to set up TermService. Unknown error."));
				}
				else {
					SvcConfigStarType(TERM_SERVICE, SERVICE_AUTO_START);
					SvcStartService(TERM_SERVICE);
					fStarted = TRUE;
					goto Refresh;
				}
			}
			else {
				Dbg(TEXT("[+] TermService found (pid %u)."), dwProcessID);
				//Found Shared service (maybe).
				const DWORD dwMaxSize = dwDepCount;
				if (dwMaxSize > 0) {
					DWORD nCount = 0;
					for (int i = 0; i < 1489; ++i) {
						if (svcs[i].lpServiceName != NULL && svcs[i].ServiceStatusProcess.dwProcessId == dwTermServicePID) {
							if (_tcsicmp(svcs[i].lpServiceName, TERM_SERVICE)) {
								_tcscpy_s(pszDependencySvc[nCount++], svcs[i].lpServiceName);
								if (nCount > dwMaxSize) {
									Dbg(TEXT("[!] Shared TermService out of range."));
									break;
								}
							}
						}
					}
					dwDepCount = nCount;
					if (nCount > 0) {
						for (DWORD i = 0; i < nCount; ++i) {
							if (i == 0) {
								Dbg(TEXT("[*] Shared services found:"));
							}
							Dbg(TEXT("[*] >>> %s"), pszDependencySvc[i]);
						}
					}
					else {
						Dbg(TEXT("[*] No shared services found."));
					}
				}
				else {
					dwDepCount = 0;
					for (int i = 0; i < 1489; ++i) {
						if (svcs[i].lpServiceName != NULL && svcs[i].ServiceStatusProcess.dwProcessId == dwTermServicePID) {
							if (_tcsnicmp(svcs[i].lpServiceName, TERM_SERVICE, _tclen(TERM_SERVICE))) {
								dwDepCount++;
							}
						}
					}
				}
			}
		}
		else {
			dwErrorCode = GetLastError();
			/*if (dwErrorCode == ERROR_MORE_DATA) {

			}
			else*/ {
				CloseServiceHandle(hSC);
				Dbg(TEXT("[-] EnumServicesStatusEx error GLE=%u."), dwErrorCode);
				return;
			}
		}
	}
}

BOOL GetFileVersion(LPCTSTR lptstrFilename, FILE_VERSION *FileVersion)
{
	typedef struct
	{
		WORD             wLength;
		WORD             wValueLength;
		WORD             wType;
		WCHAR            szKey[16];
		WORD             Padding1;
		VS_FIXEDFILEINFO Value;
		WORD             Padding2;
		WORD             Children;
	} VS_VERSIONINFO;

	if (lptstrFilename == NULL) {
		Dbg(TEXT("[-] Invalid file path for GetFileVersion."));
		return FALSE;
	}
	Dbg(TEXT("[*] Fetch file version : %s"), lptstrFilename);

	HMODULE hFile = LoadLibraryEx(lptstrFilename, NULL, LOAD_LIBRARY_AS_DATAFILE);
	if (!hFile)
	{
		return FALSE;
	}

	HRSRC hResourceInfo = FindResourceW(hFile, (LPCWSTR)1, (LPCWSTR)0x10);
	if (!hResourceInfo)
	{
		return FALSE;
	}

	VS_VERSIONINFO *VersionInfo = (VS_VERSIONINFO*)LoadResource(hFile, hResourceInfo);
	if (!VersionInfo)
	{
		return FALSE;
	}

	memcpy_s(&(FileVersion->w), sizeof(DWORD), &(VersionInfo->Value.dwFileVersionMS), sizeof(DWORD));
	//FileVersion->Version.dw = VersionInfo->Value.dwFileVersionMS;
	FileVersion->Release = (WORD)(VersionInfo->Value.dwFileVersionLS >> 16);
	FileVersion->Build = (WORD)VersionInfo->Value.dwFileVersionLS;

	FileVersion->fDebug = !!((VersionInfo->Value.dwFileFlags & VFF_DEBUG) == VFF_DEBUG);
	FileVersion->fPrerelease = !!((VersionInfo->Value.dwFileFlags & VFF_PRERELEASE) == VFF_PRERELEASE);
	FileVersion->fPrivate = !!((VersionInfo->Value.dwFileFlags & VFF_PRIVATE) == VFF_PRIVATE);
	FileVersion->fSpecial = !!((VersionInfo->Value.dwFileFlags & VFF_SPECIAL) == VFF_SPECIAL);

	return TRUE;
}

BOOL SupportedArchitecture(int& arch)
{
	if(gArch != 0) {
		arch = gArch;
		return TRUE;
	}

	SYSTEM_INFO si = { 0 };
	GetNativeSystemInfo(&si);
	
	BOOL Result = FALSE;
	switch (si.wProcessorArchitecture)
	{
	case 0:
		gArch = 32;
		Result = TRUE; //  Intel x86
		break;
	case 6:
		Result = FALSE; // Itanium-based x64
		break;
	case 9:
		gArch = 64;
		Result = TRUE; // Intel/AMD x64
		break;
	default:
		Result = FALSE;
		break;
	}

	arch = gArch;
	return Result;
}

BOOL CheckTermsrvVersion()
{
	TCHAR szTermServicePath[MAX_PATH] = { 0 };
	TCHAR szTermServiceSlimPath[MAX_PATH] = { 0 };
	_tcscpy_s(szTermServiceSlimPath, DEFAULT_TERMSRV_PATH);
	ExpandPath(szTermServiceSlimPath, szTermServicePath, MAX_PATH);
	FILE_VERSION fv = { 0 };
	GetFileVersion(szTermServicePath, &fv);
	TCHAR szVersion[64] = { 0 };
	sprintf_s(szVersion, TEXT("%d.%d.%d.%d"), fv.w.Major, fv.w.Minor, fv.Release, fv.Build);
	Dbg(TEXT("[*] Terminal Services version: %s"), szVersion);
	
	CopyMemory(&FV, &fv, sizeof(FILE_VERSION));
	if (fv.w.Major == 5 && fv.w.Minor == 1) {
		if (gArch == 32) {
			Dbg(TEXT("[!] Windows XP is not supported."));
			Dbg(TEXT("You may take a look at RDP Realtime Patch by Stas''M for Windows XP"));
		}
		else if (gArch == 64) {
			Dbg(TEXT("[!] Windows XP 64-bit Edition is not supported."));
		}
		return FALSE;
	}
	if (fv.w.Major == 5 && fv.w.Minor == 2) {
		if (gArch == 32) {
			Dbg(TEXT("[!] Windows Server 2003 is not supported."));
		}
		else if (gArch == 64) {
			Dbg(TEXT("[!] Windows Server 2003 or XP 64-bit Edition is not supported."));
		}
		return FALSE;
	}

	int situation = 0;
	if (fv.w.Major == 6 && fv.w.Minor == 0) {
		situation = 1;
		if (gArch == 32 && fv.Release == 6000 && fv.Build == 16386) {
			Dbg(TEXT("[!] This version of Terminal Services may crash on logon attempt."));
			Dbg(TEXT("It''s recommended to upgrade to Service Pack 1 or higher."));
		}
	}
	if (fv.w.Major == 6 && fv.w.Minor == 1) {
		situation = 1;
	}
	TCHAR szWrapPath[MAX_PATH + 1] = { 0 };
	if (!GetWrapperINIPath(szWrapPath, MAX_PATH)) {
		Dbg(TEXT("[-] Get wrap config file failed."));
	}
	else
	{
		char section[MAX_PATH] = { 0 };
		sprintf_s(section, TEXT("[%d.%d.%d.%d]"), fv.w.Major, fv.w.Minor, fv.Release, fv.Build);
		if (CheckIfSectionExist(szWrapPath, section)) {
			situation = 2;
		} else {
			LogWarn(Severity_None, Error_Succeed, 0, (LPCTSTR)CSimpleStringA::Format("Terminal Services version: %s", szVersion));
			//GetSystemVersion();
		}
	}

	if (situation == 0) {
		Dbg(TEXT("[-] This version of Terminal Services is not supported."));
		LogError(Severity_Middle, Error_InvalidState, ERROR_FREERDP_RDPWRAP_NOT_SUPPORT_FOR_NOW, "This version of Terminal Services is not supported.");
	}
	else if (situation == 1) {
		Dbg(TEXT("[!] This version of Terminal Services is supported partially."));
		LogWarn(Severity_Middle, Error_NotMeetCondition, ERROR_FREERDP_RDPWRAP_NOT_SUPPORT_FOR_NOW, "This version of Terminal Services is supported partially.");
		Dbg(TEXT("[!] It means you may have some limitations such as only 2 concurrent sessions."));
	}
	else if (situation == 2) {
		Dbg(TEXT("[+] This version of Terminal Services is fully supported."));
		LogEvent(Severity_Middle, 0, "This version of Terminal Services is fully supported.");
	}
	return  (situation == 2);
}

/*consider that sometimes the windows system would upgrade...*/
BOOL CheckTermsrvIsSupportForNow()
{
	BOOL result = CheckTermsrvVersion();
	if(!result) {
		LogWarn(Severity_Middle, Error_InvalidState, ERROR_FREERDP_RDPWRAP_NOT_SUPPORT_DUE_SYS_UPDATE,
			"RDPWrap is not supported due to system upgrade or newer config lack of section.");
	}
	return result;
}

BOOL CheckTermsrvVersionEx(LPCTSTR TermsrvFilePath)
{
	if(TermsrvFilePath == NULL || strlen(TermsrvFilePath) <= 0) {
		return FALSE;
	}
	TCHAR szTermServicePath[MAX_PATH] = { 0 };
	ExpandPath(TermsrvFilePath, szTermServicePath, MAX_PATH);
	FILE_VERSION fv = { 0 };
	GetFileVersion(szTermServicePath, &fv);
	TCHAR szVersion[64] = { 0 };
	sprintf_s(szVersion, TEXT("%d.%d.%d.%d"), fv.w.Major, fv.w.Minor, fv.Release, fv.Build);
	Dbg(TEXT("[*] Terminal Services version: %s"), szVersion);
	CopyMemory(&FV, &fv, sizeof(FILE_VERSION));
	if (fv.w.Major == 5 && fv.w.Minor == 1) {
		if (gArch == 32) {
			Dbg(TEXT("[!] Windows XP is not supported."));
			Dbg(TEXT("You may take a look at RDP Realtime Patch by Stas''M for Windows XP"));
		}
		else if (gArch == 64) {
			Dbg(TEXT("[!] Windows XP 64-bit Edition is not supported."));
		}
		return FALSE;
	}
	if (fv.w.Major == 5 && fv.w.Minor == 2) {
		if (gArch == 32) {
			Dbg(TEXT("[!] Windows Server 2003 is not supported."));
		}
		else if (gArch == 64) {
			Dbg(TEXT("[!] Windows Server 2003 or XP 64-bit Edition is not supported."));
		}
		return FALSE;
	}

	int situation = 0;
	if (fv.w.Major == 6 && fv.w.Minor == 0) {
		situation = 1;
		if (gArch == 32 && fv.Release == 6000 && fv.Build == 16386) {
			Dbg(TEXT("[!] This version of Terminal Services may crash on logon attempt."));
			Dbg(TEXT("It''s recommended to upgrade to Service Pack 1 or higher."));
		}
	}
	if (fv.w.Major == 6 && fv.w.Minor == 1) {
		situation = 1;
	}
	TCHAR szWrapPath[MAX_PATH + 1] = { 0 };
	if (!GetWrapperINIPath(szWrapPath, MAX_PATH)) {
		Dbg(TEXT("[-] Get wrap config file failed."));
	}
	else
	{
		char section[MAX_PATH] = { 0 };
		sprintf_s(section, TEXT("[%d.%d.%d.%d]"), fv.w.Major, fv.w.Minor, fv.Release, fv.Build);
		if (CheckIfSectionExist(szWrapPath, section)) {
			situation = 2;
		} else {
			LogWarn(Severity_None, Error_Succeed, 0, (LPCTSTR)CSimpleStringA::Format("Terminal Services version: %s", szVersion));
		}
	}

	if (situation == 0) {
		Dbg(TEXT("[-] This version of Terminal Services is not supported."));
		LogError(Severity_High, Error_InvalidState, ERROR_FREERDP_RDPWRAP_NOT_SUPPORT_FOR_NOW, "This version of Terminal Services is not supported.");
	}
	else if (situation == 1) {
		Dbg(TEXT("[!] This version of Terminal Services is supported partially."));
		LogWarn(Severity_Low, Error_NotMeetCondition, ERROR_FREERDP_RDPWRAP_NOT_SUPPORT_FOR_NOW, "This version of Terminal Services is supported partially.");
		Dbg(TEXT("[!] It means you may have some limitations such as only 2 concurrent sessions."));
	}
	else if (situation == 2) {
		Dbg(TEXT("[+] This version of Terminal Services is fully supported."));
		LogEvent(Severity_Middle, 0, "This version of Terminal Services is fully supported.");
	}
	return  (situation == 2);
}

BOOL DisableWowRedirection()
{
	PFuncWow64DisableWow64FsRedirection func = NULL;
	PVOID OldWow64RedirectionValue;
	BOOL Result = FALSE;
	HMODULE hMoudle = GetModuleHandle(TEXT("kernel32"));
	if (hMoudle) {
		func = (PFuncWow64DisableWow64FsRedirection)::GetProcAddress(hMoudle,
			"Wow64DisableWow64FsRedirection");
	}
	if (func) {
		Result = func(&OldWow64RedirectionValue);
	}
	return Result;
}

BOOLEAN RevertWowRedirection()
{
	PFuncWow64RevertWow64FsRedirection func = NULL;
	PVOID OldWow64RedirectionValue;
	BOOL Result = FALSE;
	HMODULE hMoudle = GetModuleHandle(TEXT("kernel32"));
	if (hMoudle) {
		func = (PFuncWow64DisableWow64FsRedirection)::GetProcAddress(hMoudle,
			"Wow64RevertWow64FsRedirection");
	}
	if (func) {
		Result = func(&OldWow64RedirectionValue);
	}
	return Result;
}
/*
 * Result:
 * -1: inner error leads to be disabled to figure out it's installed status.
 *  2: cannot install because occruption.
 *  0: not installed.
 *  1: installed.
 * Addition:
 * Set gszTermServicePath
 *
 */
int CheckInstall()
{
	HKEY hKey;
	int fResult = 0;
	DWORD dwFlag = KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS;
	if (gArch == 64/*Win64Bit*/) {
		dwFlag |= KEY_WOW64_64KEY;
	}
	else {
		dwFlag |= KEY_WOW64_32KEY;
	}
	LONG lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\TermService"),
		0, dwFlag, &hKey);
	if (lResult == ERROR_SUCCESS) {
		DWORD dwType = REG_SZ;
		DWORD dwSize = MAX_PATH*sizeof(TCHAR);
		TCHAR szValue[MAX_PATH + 1] = { 0 };
		lResult = RegQueryValueEx(hKey, TEXT("ImagePath"), NULL, &dwType, (LPBYTE)szValue, &dwSize);
		if (lResult == ERROR_SUCCESS) {
			Dbg(TEXT("[*] ImagePath: %s"), szValue);
			ToLowerCase(szValue);
			if (_tcsstr(szValue, TEXT("svchost.exe")) == NULL && _tcsstr(szValue, TEXT("svchost -k")) == NULL) {
				Dbg(TEXT("[-] TermService is hosted in a custom application (BeTwin, etc.) - unsupported."));
				LogError(Severity_High, Error_AlreadyExist, 0, "TermService is hosted in a custom application (BeTwin, etc.) - unsupported.");
				fResult = 2;
			}
			else {
				dwType = REG_EXPAND_SZ;
				dwSize = MAX_PATH * sizeof(TCHAR);
				//windows 7 bug occurs if only set RRF_RT_REG_EXPAND_SZ !!
				DWORD dwSpecified = RRF_RT_REG_EXPAND_SZ | RRF_RT_REG_SZ | RRF_NOEXPAND;
				ZeroMemory(szValue, sizeof(TCHAR)*(MAX_PATH + 1));
				lResult = RegGetValue(hKey, TEXT("Parameters"), TEXT("ServiceDll"), dwSpecified, NULL, (PVOID)szValue, &dwSize);
				if (lResult == ERROR_SUCCESS) {
					Dbg(TEXT("[*] ServiceDll: %s"), szValue);
					_tcscpy_s(gszTermServicePath, szValue);
					ToLowerCase(szValue);
					if (_tcsstr(szValue, TEXT("termsrv.dll")) == NULL 
						&& _tcsstr(szValue, TEXT("rdpwrap.dll")) == NULL
						&& _tcsstr(szValue, TEXT("rdpwrap64.dll")) == NULL) {
						Dbg(TEXT("[-] Another third-party TermService library is installed."));
						LogWarn(Severity_Middle, Error_AlreadyExist, ERROR_FREERDP_RDPWRAP_THIRD_PARTY,
							    "Another third-party TermService library is installed.");
						fResult = 2;
					}
					else {
						if (!!_tcsstr(szValue, TEXT("rdpwrap.dll"))
							||
							!!_tcsstr(szValue, TEXT("rdpwrap64.dll"))) {
							Dbg(TEXT("[*] RDP Wrapper Library is already installed."));
							fResult = 1;
						}
					}
				}
				else {
					Dbg(TEXT("[-] RegGetValue error returned %u, GLE=%u."), lResult, GetLastError());
					fResult = -1;
				}
			}
		}
		else {
			Dbg(TEXT("[-] RegQueryValueEx error returned %u, GLE=%u."), lResult, GetLastError());
			fResult = -1;
		}
	}
	else {
		Dbg(TEXT("[-] RegOpenKeyEx error, GLE=%u."), GetLastError());
		fResult = -1;
	}
	RegCloseKey(hKey);
	return fResult;
}

BOOL ExecWait(LPTSTR lpszCmdLine)
{
	BOOL fResult = FALSE;

	STARTUPINFO si = { 0 };
	PROCESS_INFORMATION pi = { 0 };
	ZeroMemory(&si, sizeof(STARTUPINFO));
	si.cb = sizeof(si);
	if (!CreateProcess(NULL, lpszCmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
		Dbg(TEXT("[-] CreateProcess with \"%s\" error, GLE=%u."), lpszCmdLine, GetLastError());
		return fResult;
	}

	CloseHandle(pi.hThread);
	WaitForSingleObject(pi.hProcess, INFINITE);
	CloseHandle(pi.hProcess);
	return TRUE;
}

BOOL TSConfigRegistry(BOOL fEnable)
{
	BOOL fResult = FALSE;
	HKEY hKey = NULL;
	HKEY hInnerKey = NULL;
	LONG lResult;
	DWORD dwFlag = KEY_WRITE;
	if (gArch == 64/*Win64Bit*/) {
		dwFlag |= KEY_WOW64_64KEY;
	}
	else {
		dwFlag |= KEY_WOW64_32KEY;
	}

	lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server"),
		0, dwFlag, &hKey);
	if (lResult == ERROR_SUCCESS) {
		DWORD dwEnable = fEnable == TRUE ? (DWORD)0 : (DWORD)1;
		lResult = RegSetValueEx(hKey, TEXT("fDenyTSConnections"), 0, REG_DWORD, (const BYTE*)&dwEnable, sizeof(DWORD));
		if (lResult == ERROR_SUCCESS) {
			Dbg(TEXT("[+] RegSetValueEx for \"fDenyTSConnections\" succ: Enable(%u)"), dwEnable);
		}
		else {
			Dbg(TEXT("[-] RegSetValueEx for \"fDenyTSConnections\" error %ld, GLE=%u"), lResult, GetLastError());
			goto FAILED;
		}
	}
	else {
		Dbg(TEXT("[-] RegOpenKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" error %ld, GLE=%u"), lResult, GetLastError());
		goto FAILED;
	}
	RegCloseKey(hKey);

	if (fEnable) {
		lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core"),
			0, dwFlag, &hKey);
		if (lResult == ERROR_FILE_NOT_FOUND) {
			Dbg(TEXT("[*] Start to create  \"Licensing Core\" key..."));
			DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
			lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core"),
				0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
		}

		if (lResult == ERROR_SUCCESS) {
			DWORD dwEnable = (DWORD)1;
			lResult = RegSetValueEx(hKey, TEXT("EnableConcurrentSessions"), 0, REG_DWORD, (const BYTE*)&dwEnable, sizeof(DWORD));
			if (lResult == ERROR_SUCCESS) {
				Dbg(TEXT("[+] RegSetValueEx for \"EnableConcurrentSessions\" succ: Enable(%u)"), dwEnable);
			}
			else {
				Dbg(TEXT("[-] RegSetValueEx for \"EnableConcurrentSessions\" error, GLE=%u"), GetLastError());
				goto FAILED;
			}
		}
		else {
			Dbg(TEXT("[-] RegOpenKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Licensing Core\" error %ld, GLE=%u"),
				lResult, GetLastError());
			goto FAILED;
		}
		RegCloseKey(hKey);

		lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"),
			0, dwFlag, &hKey);
		if (lResult == ERROR_SUCCESS) {
			DWORD dwEnable = TRUE;
			lResult = RegSetValueEx(hKey, TEXT("AllowMultipleTSSessions"), 0, REG_DWORD, (const BYTE*)&dwEnable, sizeof(DWORD));
			if (lResult == ERROR_SUCCESS) {
				Dbg(TEXT("[+] RegSetValueEx for \"AllowMultipleTSSessions\" succ: Enable(%u)"), dwEnable);
			}
			else {
				Dbg(TEXT("[-] RegSetValueEx for \"AllowMultipleTSSessions\" error %ld, GLE=%u"), lResult, GetLastError());
				goto FAILED;
			}
		}
		else {
			Dbg(TEXT("[-] RegOpenKeyEx for \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" error %ld, GLE=%u"), lResult, GetLastError());
			goto FAILED;
		}
		RegCloseKey(hKey);
		
		lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns"),
			0, dwFlag, &hKey);
		if (lResult == ERROR_FILE_NOT_FOUND) {
			Dbg(TEXT("[*] Start to create  \"AddIns\" key..."));
			DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
			lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns"),
				0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
			if (lResult == ERROR_SUCCESS) {
				
				//lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Clip Redirector"),
				//	0, dwFlag, &hInnerKey);

				lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE, 
					TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Clip Redirector"),
					0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hInnerKey, &dwDisposition);

				if (lResult == ERROR_SUCCESS) {
					//Refer to "atlbase.h"
					TCHAR szValue[] = TEXT("RDPClip\0");
					DWORD dwValSize = ((DWORD)(_tcslen(szValue)) + 1)*sizeof(TCHAR);
					lResult = RegSetValueEx(hInnerKey, TEXT("Name"), 0, REG_SZ, (const BYTE*)szValue, dwValSize);
					if (lResult != ERROR_SUCCESS) {
						Dbg(TEXT("[-] RegSetValueEx for \"Name\" error %ld, GLE=%u"), lResult, GetLastError());
						goto FAILED;
					}

					DWORD dwValue = (DWORD)3;
					lResult = RegSetValueEx(hInnerKey, TEXT("Type"), 0, REG_DWORD, (const BYTE*)&dwValue, sizeof(DWORD));
					if (lResult != ERROR_SUCCESS) {
						Dbg(TEXT("[-] RegSetValueEx for \"Type\" error %ld, GLE=%u"), lResult, GetLastError());
						goto FAILED;
					}

					RegCloseKey(hInnerKey);
				}
				else {
					Dbg(TEXT("[-] RegCreateKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Clip Redirector\" error %ld, GLE=%u"), lResult, GetLastError());
					goto FAILED;
				}
				

				//lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\DND Redirector"),
				//	0, dwFlag, &hInnerKey);

				lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
					TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\DND Redirector"),
					0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hInnerKey, &dwDisposition);

				if (lResult == ERROR_SUCCESS) {
					TCHAR szRDPDND[] = TEXT("RDPDND\0");
					DWORD dwValSize = ((DWORD)(_tcslen(szRDPDND)) + 1)*sizeof(TCHAR);
					lResult = RegSetValueEx(hInnerKey, TEXT("Name"), 0, REG_SZ, (const BYTE*)szRDPDND, dwValSize);
					if (lResult != ERROR_SUCCESS) {
						Dbg(TEXT("[-] RegSetValueEx for \"Type\" error %ld, GLE=%u"), lResult, GetLastError());
						goto FAILED;
					}
					DWORD dwValue = (DWORD)3;
					lResult = RegSetValueEx(hInnerKey, TEXT("Type"), 0, REG_DWORD, (const BYTE*)&dwValue, sizeof(DWORD));
					if (lResult != ERROR_SUCCESS) {
						Dbg(TEXT("[-] RegSetValueEx for \"Type\" error %ld, GLE=%u"), lResult, GetLastError());
						goto FAILED;
					}
				}
				else {
					Dbg(TEXT("[-] RegCreateKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\DND Redirector\" error %ld, GLE=%u"), lResult, GetLastError());
					goto FAILED;
				}
				RegCloseKey(hInnerKey);

				//lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Dynamic VC"),
				//	0, dwFlag, &hInnerKey);
				lResult = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
					TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Dynamic VC"),
					0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hInnerKey, &dwDisposition);

				if (lResult == ERROR_SUCCESS) {
					DWORD dwValue = (DWORD)-1;
					lResult = RegSetValueEx(hInnerKey, TEXT("Type"), 0, REG_DWORD, (const BYTE*)&dwValue, sizeof(DWORD));
					if (lResult != ERROR_SUCCESS) {
						Dbg(TEXT("[-] RegSetValueEx for \"Type\" error %ld, GLE=%u"), lResult, GetLastError());
						goto FAILED;
					}
				}
				else {
					Dbg(TEXT("[-] RegCreateKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\\Dynamic VC\" error %ld, GLE=%u"), lResult, GetLastError());
					goto FAILED;
				}
				RegCloseKey(hInnerKey);
			}
			else {
				Dbg(TEXT("[-] RegCreateKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\" error %ld, GLE=%u"), lResult, GetLastError());
				goto FAILED;
			}
		}
		else {
			//Dbg(TEXT("[-] RegOpenKeyEx for \"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\AddIns\" error %ld, GLE=%u"), lResult, GetLastError());
		}
		RegCloseKey(hKey);
	}

	return TRUE;

FAILED:
	if (hInnerKey != NULL) {
		RegCloseKey(hInnerKey);
	}
	if (hKey != NULL) {
		RegCloseKey(hKey);
	}
	return FALSE;
}

BOOL TSConfigFirewall(BOOL fEnable)
{
	BOOL fResult = FALSE;
	TCHAR szCmdLine[MAX_PATH] = { 0 };
	if (fEnable) {
		_tcscpy_s(szCmdLine, TEXT("netsh advfirewall firewall add rule name=\"Remote Desktop\" dir=in protocol=tcp localport=3389 profile=any action=allow"));
	}
	else {
		_tcscpy_s(szCmdLine, TEXT("netsh advfirewall firewall delete rule name=\"Remote Desktop\""));
	}
	return ExecWait(szCmdLine);
}

/*
Returned:
  -1: Unknown
  0: Not Installed
  1: Installed
  2: 3rd-party
*/
int IsWrapperInstalled()
{
	HKEY hKey = NULL;
	HKEY hSubKey = NULL;
	int fResult = -1;
	DWORD dwFlag = KEY_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS;
	if (gArch == 64/*Win64Bit*/) {
		dwFlag |= KEY_WOW64_64KEY;
	}
	else {
		dwFlag |= KEY_WOW64_32KEY;
	}
	LONG lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\TermService"),
		0, dwFlag, &hKey);
	if (lResult == ERROR_SUCCESS) {
		DWORD dwType = REG_SZ;
		DWORD dwSize = MAX_PATH*sizeof(TCHAR);
		TCHAR szValue[MAX_PATH + 1] = { 0 };
		lResult = RegQueryValueEx(hKey, TEXT("ImagePath"), NULL, &dwType, (LPBYTE)szValue, &dwSize);
		if (lResult == ERROR_SUCCESS) {
			Dbg(TEXT("[*] ImagePath: %s"), szValue);
			ToLowerCase(szValue);
			if (_tcsstr(szValue, TEXT("svchost.exe")) == NULL) {
				fResult = 2;
				goto End;
			}
		}
		RegCloseKey(hKey);
		hKey = NULL;

		lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, 
			TEXT("SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters"),
			0, dwFlag, &hKey);
		if (lResult == ERROR_SUCCESS) {
			dwType = RRF_RT_REG_EXPAND_SZ | RRF_RT_REG_SZ | RRF_NOEXPAND;
			dwSize = MAX_PATH*sizeof(TCHAR);
			ZeroMemory(szValue, MAX_PATH*sizeof(TCHAR));
			lResult = RegQueryValueEx(hKey, TEXT("ServiceDll"), NULL, &dwType, (LPBYTE)szValue, &dwSize);
			if (lResult == ERROR_SUCCESS) {
				Dbg(TEXT("[*] ServiceDll: %s"), szValue);
				memset(gszExistedTSPath, 0, sizeof(gszExistedTSPath));
				_tcscpy_s(gszExistedTSPath, szValue);
				ToLowerCase(szValue);
				if (_tcsstr(szValue, TEXT("termsrv.dll")) == NULL 
					&& _tcsstr(szValue, TEXT("rdpwrap.dll")) == NULL
					&& _tcsstr(szValue, TEXT("rdpwrap64.dll")) == NULL) {
					Dbg(TEXT("[-] Another third-party TermService library is installed."));
					LogWarn(Severity_Low, Error_AlreadyExist, 0, "Another third-party TermService library is installed.");
					fResult = 2;
					goto End;
				}
				else {
					if (!!_tcsstr(szValue, TEXT("rdpwrap.dll"))
						||
						!!_tcsstr(szValue, TEXT("rdpwrap64.dll"))) {
						Dbg(TEXT("[*] RDP Wrapper Library is already installed."));
						fResult = 1;
					}
					else {
						fResult = 0;
					}
				}
			}
		}
	}

End:
	if (hKey) {
		RegCloseKey(hKey);
		hKey = NULL;
	}
	return fResult;
}


/*
Returned:
 -1: Unknown
 SERVICE_STOPPED: Stop
 SERVICE_START_PENDING: Starting...
 ...
*/
DWORD GetTermSrvState()
{
	DWORD dwResult = INFINITE;
	SC_HANDLE schSCManager;
	SC_HANDLE schService;
	DWORD cbBytesNeeded;
	DWORD cbBufSize;
	PBYTE Buf = NULL;
	schSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
	if (!schSCManager)
	{
		Dbg(TEXT("[-] Open SC Manager failed with status %d "), GetLastError());
		return dwResult;
	}
	schService = OpenService(schSCManager, TERM_SERVICE, SERVICE_QUERY_STATUS);
	if (!schService) {
		Dbg(TEXT("[-] Open SC Service failed with status %d "), GetLastError());
		goto Error;
	}

	if (QueryServiceStatusEx(schService, SC_STATUS_PROCESS_INFO, NULL, 0, &cbBytesNeeded)) {
		goto Error;
	}
	Buf = (LPBYTE)LocalAlloc(LMEM_FIXED, cbBytesNeeded);
	cbBufSize = cbBytesNeeded;
	if (Buf == NULL) {
		Dbg(TEXT("[-] LocalAlloc failed with status %d "), GetLastError());
		goto Error;
	}
	ZeroMemory(Buf, cbBufSize);
	if (!QueryServiceStatusEx(schService, SC_STATUS_PROCESS_INFO, Buf, cbBufSize, &cbBytesNeeded)) {
		Dbg(TEXT("[-] QueryServiceStatusEx failed with status %d "), GetLastError());
		goto Error;
	}
	LPSERVICE_STATUS_PROCESS lpServiceStatusProcess = (LPSERVICE_STATUS_PROCESS)Buf;
	dwResult = lpServiceStatusProcess->dwCurrentState;

Error:

	if (Buf != NULL) {
		LocalFree(Buf);
		Buf = NULL;
	}

	if (schService) {
		CloseServiceHandle(schService);
		schService = NULL;
	}

	if (schSCManager) {
		CloseServiceHandle(schSCManager);
		schSCManager = NULL;
	}
	return dwResult;
}


bool IsListenerWorking()
{
	bool fListen = false;
	ULONG Count;
	PSESSIONIDW PSessionIDW;
	static PFuncWinStationEnumerateW pFuncWinStationQueryInformationW = NULL;
	static PFuncWinStationFreeMemory pFuncWinStationFreeMemory = NULL;
	
	if (!pFuncWinStationQueryInformationW || !pFuncWinStationFreeMemory) {
		HMODULE winsta;
		winsta = LoadLibrary(TEXT("winsta.dll"));

		//pFuncWinStationQueryInformationW = (PFuncWinStationEnumerateW)GetProcAddress(winsta, "WinStationEnumerateW");
		pFuncWinStationQueryInformationW = (PFuncWinStationEnumerateW)GetProcAddress(winsta, "WinStationEnumerateW");
		pFuncWinStationFreeMemory = (PFuncWinStationFreeMemory)GetProcAddress(winsta, "WinStationFreeMemory");
	}

	if (!pFuncWinStationQueryInformationW || pFuncWinStationFreeMemory) {
		Dbg(TEXT("[-] pFuncWinStationQueryInformationW is invalid"));
		return false;
	}
	if (!pFuncWinStationQueryInformationW(NULL, &PSessionIDW, &Count)) {
		Dbg(TEXT("[-] WinStationQueryInformationW failed with status %d "), GetLastError());
		return false;
	}
	for (ULONG i = 0; i < Count; ++i) {
		if (lstrcmpW(PSessionIDW[i].WinStationName, L"RDP-Tcp") == 0) {
			fListen = true;
			break;
		}
	}

	pFuncWinStationFreeMemory(&PSessionIDW);
	return fListen;
}

int InstallEntry(WillItem option)
{

	int arch = 0;
	if (!SupportedArchitecture(arch)) {
		Dbg(TEXT("[-] Unsupported processor architecture."));
		return 0;
	}
	BOOL fWow64 = FALSE;
	//IsWow64Process(GetCurrentProcess(), &fWow64);
	fWow64 = arch == 64 ? TRUE : FALSE;
	int installed = CheckInstall();
	if (option != Invalid) {
		if (option == Install) {
			Will = Install;
			if (installed == 0) {
				Dbg(TEXT("[*] Installing..."));
				EnterWowRedirection();

				TCHAR szWrapPath[MAX_PATH + 1] = { 0 };
				IFCALLEXIT_WITH_RESULT(GetWrapperDllPath(szWrapPath, MAX_PATH), GetRes);

				IFCALLEXIT_WITH_RESULT(CheckTermsrvVersion(), ChkTsVer);

				DWORD dwTSProcessID = 0;
				TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
				DWORD dwSharedSvcCount = 128;
				CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);
				if (dwTSProcessID != 0) {

					Dbg(TEXT("[*] Configuring service library..."));
					IFCALLEXIT_WITH_RESULT(SetWrapperDll(szWrapPath), SetRes);

					Dbg(TEXT("[*] Checking dependencies..."));
					CheckTermsrvDependencies();

					Dbg(TEXT("[*] Terminating service..."));
					AddPrivilege(SE_DEBUG_NAME);
					KillProcess(dwTSProcessID);
					Sleep(1000);

					if (dwSharedSvcCount > 0) {
						for (DWORD i = 0; i < dwSharedSvcCount; ++i) {
							SvcStartService(pszSharedSvc[i]);
						}
					}
					Sleep(500);
					IFCALLEXIT_WITH_RESULT(SvcStartService(TERM_SERVICE, dwTSProcessID), StaSvc);
					Sleep(500);

					Dbg(TEXT("[*] Configuring registry..."));
					IFCALLEXIT_WITH_RESULT(TSConfigRegistry(TRUE), CfgReg);

					Dbg(TEXT("[*] Configuring firewall..."));
					IFCALLEXIT_WITH_RESULT(TSConfigFirewall(TRUE), CfgFWall);

					Dbg(TEXT("[+] Successfully installed."));
				}
				else {

					LeaveWowRedirection();
					return (ChkTsPce);
				}

				LeaveWowRedirection();
				return Success;
			}
			else if(installed == 1) {
				return Success;
			}
		}
		else if (option == Unstall) {
			Will = Unstall;
			if (installed != 1) {
				if(installed == 0) {
					Dbg(TEXT("[*] RDP Wrapper Library is not installed."));
					return Success;
				}
				Dbg(TEXT("[*] RDP Wrapper Library is not supported."));
				return NoSupport;
			}

			Dbg(TEXT("[*] Uninstalling..."));
			EnterWowRedirection();

			DWORD dwTSProcessID = 0;
			TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
			DWORD dwSharedSvcCount = 128;
			CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);

			if (dwTSProcessID != 0) {

				Dbg(TEXT("[*] Resetting service library..."));
				IFCALLEXIT_WITH_RESULT(ResetServiceDll(), ResetRes);

				Dbg(TEXT("[*] Terminating service..."));
				AddPrivilege(SE_DEBUG_NAME);
				KillProcess(dwTSProcessID);
				Sleep(1000);

				//Dbg(TEXT("[*] Removing files..."));
				//DeleteFiles();

				if (dwSharedSvcCount > 0) {
					for (DWORD i = 0; i < dwSharedSvcCount; ++i) {
						SvcStartService(pszSharedSvc[i]);
					}
				}
				Sleep(500);
				IFCALLEXIT_WITH_RESULT(SvcStartService(TERM_SERVICE, dwTSProcessID), StaSvc);
				Sleep(500);

				Dbg(TEXT("[*] Configuring registry..."));
				IFCALLEXIT_WITH_RESULT(TSConfigRegistry(FALSE), CfgReg);

				Dbg(TEXT("[*] Configuring firewall..."));
				IFCALLEXIT_WITH_RESULT(TSConfigFirewall(FALSE), CfgFWall);

				Dbg(TEXT("[+] Successfully uninstalled."));
			}
			else {

				LeaveWowRedirection();
				return (ChkTsPce);
			}

			LeaveWowRedirection();
			return Success;
		}
		else if (option == Restart) {
			Will = Restart;
			Dbg(TEXT("[*] Restarting..."));
			DWORD dwTSProcessID = 0;
			TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
			DWORD dwSharedSvcCount = 128;
			CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);
			if (dwTSProcessID != 0) {

				Dbg(TEXT("[*] Terminating service..."));
				AddPrivilege(SE_DEBUG_NAME);
				KillProcess(dwTSProcessID);
				Sleep(1000);

				if (dwSharedSvcCount > 0) {
					for (DWORD i = 0; i < dwSharedSvcCount; ++i) {
						SvcStartService(pszSharedSvc[i]);
					}
				}
				Sleep(500);
				IFCALLEXIT_WITH_RESULT(SvcStartService(TERM_SERVICE, dwTSProcessID), StaSvc);

				Dbg(TEXT("[+] Done."));
				return Success;
			}
			else {
				return (ChkTsPce);
			}
		}
		else if (option == Update) {
			Will = Update;
			if (installed != 1) {
				Dbg(TEXT("[*] RDP Wrapper Library is not installed."));
				return NoSupport;
			}

			Dbg(TEXT("[+] New update is available, updating..."));
			EnterWowRedirection();

			TCHAR szWrapPath[MAX_PATH + 1] = { 0 };
			IFCALLEXIT_WITH_RESULT(GetWrapperDllPath(szWrapPath, MAX_PATH), GetRes);
			//TODO: delete it
			TCHAR szTermsrv[MAX_PATH] = DEFAULT_TERMSRV_PATH;
			IFCALLEXIT_WITH_RESULT(CheckTermsrvVersionEx(szTermsrv), ChkTsVer);

			DWORD dwTSProcessID = 0;
			TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
			DWORD dwSharedSvcCount = 128;
			CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);
			if (dwTSProcessID != 0) {
				
				Dbg(TEXT("[*] Configuring service library..."));
				IFCALLEXIT_WITH_RESULT(SetWrapperDll(szWrapPath), SetRes);

				Dbg(TEXT("[*] Checking dependencies..."));
				CheckTermsrvDependencies();

				Dbg(TEXT("[*] Terminating service..."));
				AddPrivilege(SE_DEBUG_NAME);
				KillProcess(dwTSProcessID);
				Sleep(1000);

				if (dwSharedSvcCount > 0) {
					for (DWORD i = 0; i < dwSharedSvcCount; ++i) {
						SvcStartService(pszSharedSvc[i]);
					}
				}

				Sleep(500);
				IFCALLEXIT_WITH_RESULT(SvcStartService(TERM_SERVICE, dwTSProcessID), StaSvc);

				Dbg(TEXT("[+] Successfully upated."));
			}
			else {

				LeaveWowRedirection();
				return (ChkTsPce);
			}

			LeaveWowRedirection();
			return Success;
		}
		else if (option == Check) {
			Will = Check;
			if (installed == 1) {
				//Dbg(TEXT("[*] RDP Wrapper Library has been installed."));
				return Installed;
			}
		}
		else {
			return NoSupport;
		}
	}
	return 0;

Error:
	LeaveWowRedirection();
	Dbg(TEXT("[!] The specified procedure operated failed !"));
	return 0;
}

VOID RestartTsvProcess()
{
	DWORD dwTSProcessID = 0;
	TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
	DWORD dwSharedSvcCount = 128;

	CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);
	if (dwTSProcessID != 0) {

		Dbg(TEXT("[*] Terminating service..."));
		AddPrivilege(SE_DEBUG_NAME);
		KillProcess(dwTSProcessID);
		Sleep(1000);

		if (dwSharedSvcCount > 0) {
			for (DWORD i = 0; i < dwSharedSvcCount; ++i) {
				SvcStartService(pszSharedSvc[i]);
			}
		}
		Sleep(500);
		SvcStartService(TERM_SERVICE, dwTSProcessID);
	}

	return;
}

BOOL CheckTsvRestarted(DWORD dwLastPID)
{
	DWORD dwTSProcessID = 0;
	TCHAR pszSharedSvc[128][MAX_PATH] = { 0 };
	DWORD dwSharedSvcCount = 128;

	CheckTermsrvProcess(dwTSProcessID, pszSharedSvc, dwSharedSvcCount);
	if (dwTSProcessID != 0) {
		if(dwLastPID != 0 && dwLastPID != dwTSProcessID) {
			Dbg(TEXT("[!] Tsv has been restart ! current pid: %d, previous pid: %d"), dwTSProcessID, dwLastPID);
			return TRUE;
		} else if(dwLastPID != 0) {
			Dbg(TEXT("[!] Tsv is same as before, pid: %d"), dwTSProcessID);
			return FALSE;
		} else if(dwLastPID == 0) {
			return TRUE;
		}
	} else {
		Dbg(TEXT("[!] Get PID failed during CheckTermsrvProcess"));
	}
	return FALSE;
}


VOID AppQuit(int nExitCode)
{
	BOOL  process = TRUE;
	if (nExitCode != 0) {

		Dbg(TEXT("[!] ========================================="));
		Dbg(TEXT("[!] The specified procedure operated failed !"));

		InstPrgItem result = static_cast<InstPrgItem>(nExitCode);
		switch (result) {
		case ResetRes:
			Dbg(TEXT("[x] It's a really serious error, but cannot do anything because what it's doing is just recover job."));
			break;
		case CfgFWall:
			if (Will == Install) {
				ResetServiceDll();
				RestartTsvProcess();
				TSConfigRegistry(FALSE);
				TSConfigFirewall(FALSE);
			}
			else if (Will == Unstall) {

			}
			break;
		case CfgReg:
			if (Will == Install) {
				ResetServiceDll();
				RestartTsvProcess();
				TSConfigRegistry(FALSE);
			}
			else if (Will == Unstall) {

			}
			break;
		case SetRes:
			ResetServiceDll();
			break;
		case StaSvc:
			if (Will == Install) {
				ResetServiceDll();
				RestartTsvProcess();
			}
			else if (Will == Restart) {

			}
			else if (Will == Update) {
				ResetServiceDll();
				RestartTsvProcess();
			}
			break;
		default: // GetRes, ChkTsVer, ChkTsPce
			goto Exit;
			break;
		}
	}

Exit:
	//exit(-nExitCode);

	return;
}

ErrorCodeEnum CheckRdpWrapInstall(BOOL& bInstalled)
{
	ErrorCodeEnum ec = Error_Succeed;
	const int installed = CheckInstall();
	if(installed == 0) {
		bInstalled = FALSE;
	}else if(installed == 1) {
		if(!CheckTermsrvIsSupportForNow()) {
			if((ec = UnstallRdpWrap()) == Error_Succeed) {
				bInstalled = FALSE;
				Sleep(200);
			}
		} else {
			bInstalled = TRUE;
		}
	}else if(installed == 2){
		if(!ResetServiceDll()) {
			ec = Error_Unexpect;
		} else {
			bInstalled = FALSE;
			Sleep(200);
		}
	}else {
		ec = Error_Unexpect;
	}
	return ec;
}

ErrorCodeEnum InstallRdpWrap()
{
	ErrorCodeEnum ec = Error_Succeed;
	if(InstallEntry(Install) != Success) {
		ec = Error_Unexpect;
	}
	return ec;
}
ErrorCodeEnum UnstallRdpWrap()
{
	ErrorCodeEnum ec = Error_Succeed;
	if(InstallEntry(Unstall) != Success) {
		ec = Error_Unexpect;
	}
	return ec;
}

ErrorCodeEnum RestartRdpWrap()
{
	ErrorCodeEnum ec = Error_Succeed;
	if(InstallEntry(Restart) != Success) {
		ec = Error_Unexpect;
	}
	return ec;
}

ErrorCodeEnum UpdateRdpWrap()
{
	ErrorCodeEnum ec = Error_Succeed;
	if(InstallEntry(Update) != Success) {
		ec = Error_Unexpect;
	}
	return ec;
}