
TeamViewer (TV) in a Winpe System session


#1 noel

Frequent Member
Advanced user
178 posts
Location: nantes

Posted 22 November 2022 - 04:03 PM


I know, it's useless. That's not the point.
To fill my free moments, I play with Windbg, IDA, Procmon, Winpe...


TV works correctly with the Winpe Administrator session.
But it does not start if it is launched in the System session.

So I modified its code a bit to get the login screen in the System session.

"TeamViewer.exe" is a self-controlling program.
With Windbg, I can make my changes to this TV program.

The TeamViewer.exe file has a size of more than 70MB. The analysis with IDA lasted a day on my old PC.
Procmon reports the writing of a log file.
Comparing the contents of the files of the 2 sessions shows an error message.



2022/11/11 00:03:27.024  3776       3036 G1!  GUI running in system account, trying to restart it.
2022/11/11 00:03:27.024  3776       3036 G1!! Failed to restart GUI:  exception: CToken::WTSQueryUserToken() No user is logged into session, Errorcode=1008
2022/11/11 00:03:27.024  3776       3036 G1!! GUI started in System account and can't be restarted under a different user., Errorcode=1008


With Windbg, I set a "bp" like this: "bp WTSAPI32!WTSQueryUserToken"
And I analyzed the stack a little bit.

After several weeks, and comparing the 2 sessions, I identified some of the code that I will describe.
I call this function "IsGuiInSystemAccount", of which here is the pseudo-code:

int IsGuiInSystemAccount() {
  if memo_GuiInSystemAccount (cs:dword_14419F00C) != 2 {
    call GetCurrentProcess
    call OpenProcessToken
    ret = call isSIDofSystem  --> this function is a bit complex to describe here
    if ret == System then memo_GuiInSystemAccount = 1
    if ret == ADM    then memo_GuiInSystemAccount = 0
    test [rsp+78h+var_40]
    if != 0 then call sub_1402C05F0 ---> I think it will call CloseHandle !

    if memo_GuiInSystemAccount = 1 = System
      AdjustTokenPrivileges  SeTcbPrivilege
  }
  return memo_GuiInSystemAccount
}

The modification consists of making TV believe that the user "System" is a simple "Administrator".
Replace this code with "nop":

.text:0000000140C57FBB                 test    al, al
.text:0000000140C57FBD                 setnz   cl


I launch TV from Windbg. A Windbg script introduces code modification.
The command line:

X:\Debugger\windbg.exe  -c "$$><X:\TV_cmd_windbg.txt" "X:\Program Files\TeamViewer\TeamViewer.exe"

The "X:\TV_cmd_windbg.txt" script:

bp $exentry
eb TeamViewer + 0xc57fbb 90 90 90 90 90

The first TV screen is displayed.
This screen displays the ID and password assigned by a server at TV.
This screen also allows the connection to a remote machine by proposing the entry of the ID of the remote machine.


The direction of the "remote to Winpe System" connection works well.
But the direction of the connection "System Winpe to remote" does not display the screen of the remote machine.


System's mouse in Winpe is active and moves the cursor on the remote screen.
The "chat" and the "WebCam" work properly between the 2 machines.
But the text "connect to..." remains displayed in the connection window on Winpe.


My questions:
- How to exploit the "log_level" key of TV?
  I don't know what value to put to get more information in the log file.
- How to identify what prohibits displaying the remote screen?
- How and where to look?


Added this evening:


What I believe to be the various steps to display the remote screen in winpe:
- Is a communication channel established to transmit the data from the remote screen?
- Are the bytes corresponding to the content of the screen emitted by the remote?
- Does Winpe receive them?
- How does it display them?
And the questions to ask yourself:
- How to scrutinize each step?
- Which TV block or functions receive, decompress, display them?
- What is the method/function to display them? DirectX?
- Is it possible to monitor this display?


Any idea is good!
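To triage log output like the three lines quoted earlier in this post (the WTSQueryUserToken failure with Errorcode=1008), here is an added example parser for that TeamViewer log layout. It is not code from TeamViewer or from the post; the column layout (date, time, pid, tid, a "G1" tag with 0 to 2 "!" marks, message) is an assumption inferred only from those three lines, and the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three TeamViewer log lines quoted in the post above.
SAMPLE_LOG = """\
2022/11/11 00:03:27.024  3776       3036 G1!  GUI running in system account, trying to restart it.
2022/11/11 00:03:27.024  3776       3036 G1!! Failed to restart GUI:  exception: CToken::WTSQueryUserToken() No user is logged into session, Errorcode=1008
2022/11/11 00:03:27.024  3776       3036 G1!! GUI started in System account and can't be restarted under a different user., Errorcode=1008
"""

# Assumed layout (inferred from the quoted lines, not from TeamViewer documentation):
# <date> <time>  <pid>  <tid> <tag><bangs>  <message>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<tag>\S+?)(?P<bangs>!*)\s+(?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"Errorcode=(\d+)")


@dataclass
class LogRecord:
    timestamp: str
    pid: int
    tid: int
    tag: str
    severity: int            # count of '!' marks; assumed 0 = info, 1 = warning, 2 = error
    message: str
    errorcode: Optional[int]  # the Windows error code the line carries, if any


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one log line; returns None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code = ERRCODE_RE.search(m["msg"])
    return LogRecord(
        timestamp=f'{m["date"]} {m["time"]}', pid=int(m["pid"]), tid=int(m["tid"]),
        tag=m["tag"], severity=len(m["bangs"]), message=m["msg"].strip(),
        errorcode=int(code.group(1)) if code else None,
    )


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def find_session_token_failures(records: List[LogRecord]) -> List[LogRecord]:
    """Lines where the GUI could not obtain a user token (the post's Errorcode=1008 case)."""
    return [r for r in records if r.errorcode == 1008 or "WTSQueryUserToken" in r.message]
```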

