Hi all,
After some research, I found the solution.
First, SentinelSHK simply calls GetSystemMetrics to identify Remote Desktop.
Code:
const SM_REMOTESESSION = $1000; // 4096
// non-zero means the process is running in a Remote Desktop session
GetSystemMetrics(SM_REMOTESESSION);
If the result is true, execution is aborted.
After that, SentinelSHK calls WTSQuerySessionInformationA to identify whether the current session is running over Remote Desktop.
It doesn't check any further parameters; it just checks whether WTSQuerySessionInformationA returns a valid value.
If it does, execution is aborted.
wtsApi32.dll is loaded on the fly, so the solution doesn't need to hook WTSQuerySessionInformationA.
The solution was hooking GetSystemMetrics, catching when SM_REMOTESESSION is queried and returning zero (0),
and patching one byte at the calling address when its region resides in the main application.
PS: Sometimes comctl32.dll calls GetSystemMetrics with SM_REMOTESESSION,
which is why you need to confirm the memory region.
Patching just one jump in the main application solves the problem.
Code:
074C0581 | 8D4424 18 | lea eax,dword ptr ss:[esp+18]
074C0585 | 8D5424 10 | lea edx,dword ptr ss:[esp+10]
074C0589 | 50 | push eax
074C058A | 52 | push edx
074C058B | 6A 10 | push 10
074C058D | 6A FF | push FFFFFFFF
074C058F | 57 | push edi
074C0590 | 897C24 24 | mov dword ptr ss:[esp+24],edi
074C0594 | 897C24 2C | mov dword ptr ss:[esp+2C],edi
074C0598 | FFD1 | call ecx <= WTSQuerySessionInformationA
074C059A | 8B4424 10 | mov eax,dword ptr ss:[esp+10]
074C059E | 3BC7 | cmp eax,edi
074C05A0 | 74 27 | je app.74C05C9
074C05A2 | 66:3938 | cmp word ptr ds:[eax],di
074C05A5 | EB 22 | jmp app.74C05C9 <= PATCH
074D55A7 | 50 | push eax
074D55A8 | FF15 70E94A07 | call dword ptr ds:[<&WTSFreeMemory>]
074D55AE | 55 | push ebp
074D55AF | 897C24 14 | mov dword ptr ss:[esp+14],edi
074D55B3 | FF15 98206C07 | call dword ptr ds:[<&FreeLibrary>]
074D55B9 | 5F | pop edi
074D55BA | 5E | pop esi
074D55BB | 5D | pop ebp
074D55BC | B8 CB000000 | mov eax,CB
074D55C1 | 5B | pop ebx
074D55C2 | 81C4 10010000 | add esp,110
074D55C8 | C3 | ret
074D55C9 | 8B35 28206C07 | mov esi,dword ptr ds:[<&GetVersionExA>]
...
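The two checks described above and the hook that defeats the first one, written out as an added example; this is not SentinelSHK's code and not the post author's. The detection side follows the listing: the `push 10` is WTS_INFO_CLASS 16 (WTSClientProtocolType) and the `cmp word ptr [eax],di` compares the returned USHORT with zero, so the example treats any non-console protocol as "remote". The hook side keeps the post's rule of answering 0 for SM_REMOTESESSION only when the return address lies inside the main image. Assumptions: the hook is installed here by patching the main image's IAT (the post does not say how its hook was installed; an IAT hook only sees the main image's own calls, whereas an inline hook also sees comctl32.dll's, which is where the return-address filter matters), `fake_get_system_metrics` is a constructed test double for the portable part, and the Windows-only code is compiled under `_WIN32`.

```c
/* Added example, not SentinelSHK's or the forum author's code.
 * Portable part: the detection decision and the hook policy.
 * Windows part (under _WIN32): real API calls and an IAT hook. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SM_REMOTESESSION 0x1000       /* 4096 */
#define WTS_PROTOCOL_TYPE_CONSOLE 0   /* WTSClientProtocolType for the console session */

/* Detection as in the listing: abort when the metric is non-zero, or when
 * WTSQuerySessionInformationA(WTSClientProtocolType) succeeded and the
 * USHORT it returned is not the console protocol. */
bool remote_session_detected(int metric, bool wts_ok, uint16_t protocol_type)
{
    if (metric != 0)
        return true;
    return wts_ok && protocol_type != WTS_PROTOCOL_TYPE_CONSOLE;
}

typedef int (*metrics_fn)(int);

/* Hook policy: answer 0 for SM_REMOTESESSION only when the return address is
 * in [image_base, image_base + image_size); any other caller (comctl32.dll,
 * for example) gets the real value so the UI keeps behaving normally. */
int hooked_get_system_metrics(int index, uintptr_t return_address,
                              uintptr_t image_base, size_t image_size,
                              metrics_fn original)
{
    bool from_main_image = return_address >= image_base &&
                           return_address < image_base + image_size;
    if (index == SM_REMOTESESSION && from_main_image)
        return 0;
    return original(index);
}

/* Constructed test double standing in for user32!GetSystemMetrics:
 * reports "remote" for SM_REMOTESESSION and 7 for everything else. */
int fake_get_system_metrics(int index)
{
    return index == SM_REMOTESESSION ? 1 : 7;
}

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#ifdef _MSC_VER
#include <intrin.h>
#pragma comment(lib, "wtsapi32.lib")
#define RETURN_ADDRESS() ((uintptr_t)_ReturnAddress())
#else
#define RETURN_ADDRESS() ((uintptr_t)__builtin_return_address(0))
#endif

static int (WINAPI *real_GetSystemMetrics)(int);
static uintptr_t g_image_base;
static size_t g_image_size;

/* Replacement the IAT entry is pointed at. */
static int WINAPI Hooked_GetSystemMetrics(int nIndex)
{
    return hooked_get_system_metrics(nIndex, RETURN_ADDRESS(), g_image_base,
                                     g_image_size, real_GetSystemMetrics);
}

/* Main-image range from the PE headers: base = HMODULE, size = SizeOfImage.
 * Then patch the main image's IAT slot for user32!GetSystemMetrics. */
static bool install_iat_hook(void)
{
    BYTE *base = (BYTE *)GetModuleHandleA(NULL);
    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + ((PIMAGE_DOS_HEADER)base)->e_lfanew);
    g_image_base = (uintptr_t)base;
    g_image_size = nt->OptionalHeader.SizeOfImage;
    real_GetSystemMetrics = (int (WINAPI *)(int))GetProcAddress(
        GetModuleHandleA("user32.dll"), "GetSystemMetrics");
    DWORD rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    for (PIMAGE_IMPORT_DESCRIPTOR imp = (PIMAGE_IMPORT_DESCRIPTOR)(base + rva); imp->Name; imp++) {
        if (_stricmp((const char *)(base + imp->Name), "user32.dll") != 0)
            continue;
        for (PIMAGE_THUNK_DATA t = (PIMAGE_THUNK_DATA)(base + imp->FirstThunk); t->u1.Function; t++) {
            if ((FARPROC)t->u1.Function != (FARPROC)real_GetSystemMetrics)
                continue;
            DWORD old;
            VirtualProtect(&t->u1.Function, sizeof(t->u1.Function), PAGE_READWRITE, &old);
            t->u1.Function = (ULONG_PTR)Hooked_GetSystemMetrics;
            VirtualProtect(&t->u1.Function, sizeof(t->u1.Function), old, &old);
            return true;
        }
    }
    return false;
}

/* What the protection does: query both indicators, then decide. */
static bool probe_remote_desktop(void)
{
    int metric = GetSystemMetrics(SM_REMOTESESSION);
    LPSTR buf = NULL; DWORD bytes = 0; uint16_t proto = 0;
    bool ok = WTSQuerySessionInformationA(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION,
                                          WTSClientProtocolType, &buf, &bytes) != 0;
    if (ok && buf) { proto = *(USHORT *)buf; WTSFreeMemory(buf); }
    return remote_session_detected(metric, ok, proto);
}

int main(void)
{
    printf("before hook: remote=%d\n", probe_remote_desktop());
    if (install_iat_hook())
        printf("after hook:  remote=%d\n", probe_remote_desktop());
    return 0;
}
#endif
```

Build on Windows with MSVC, or with MinGW adding `-lwtsapi32`. Run over RDP, the second line still reports `remote=1`: the hook silences only the GetSystemMetrics check, and the WTSQuerySessionInformationA check survives until the conditional jump after it is patched, which is exactly why the post needs the one-byte patch as well.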