When using Remote Desktop Connection (formerly known as Terminal Services) to access a remote computer, the server sends bitmap information to the client as a series of tiles (typically 64x64 px). When caching is enabled, each tile is tagged with a unique 8-byte hash code; if the remote desktop needs to display an old tile again, it only needs to send the small hash of the tile to the client rather than the full tile content (often 8 KB or 16 KB), which saves considerable bandwidth when repetitive data is displayed on-screen.
The client maintains this cache on disk, where it can reach up to 40 MB in size, capable of storing around 2550 tiles. Often the connection between the client and server is encrypted using SSL/TLS (or a basic fall-back encryption scheme if a certificate is unavailable) to protect against eavesdropping; however, the bitmap cache itself is not encrypted and can be trivially reverse-engineered.
I have developed a program that can read Bitmap Cache (*.bmc) files and display the tiles within.
Whilst the RDP protocol is now documented on MSDN, the BMC file format is not. My reverse-engineering has only revealed the basic information and raw bitmap data; I have little insight into the other data fields in the file.
The BMC file format contains no header or other metadata. It is a simple format consisting of sequentially repeating BMC Tile structures until EOF.
Each BMC Tile consists of a 20-byte header followed by DIB bitmap data. Tiles (header and data) appear sequentially with no padding or alignment bytes. Each field also appears to be stored in little-endian format.
The tile header does not indicate the bit depth of the DIB data, nor does it reliably state the dimensions of the tile. Initially I assumed the ushort at 0x08 indicated the width of the tile, but in some places it was 0x3C despite the bitmap still being 64 px wide. Some fields seem consistent across different tiles (like the ushort at 0x0C), but other tiles that otherwise look similar carry radically different values.
| Offset | Field |
|---|---|
| 0x00–0x07 | Hash Code |
| 0x08–0x09 | Dimensions? |
| 0x0A–0x0B | Unknown |
| 0x0C–0x0F | Bitmap Length? |
| 0x10 | Unknown |
| 0x11–0x12 | Flags? |
| 0x13 | Unknown |
Below is a selection of three tiles' headers from a single BMC, showing there is no obvious meaning to the fields.
| Hash Code (0x00–0x07) | Raw bytes 0x08–0x13 | Decoded values, in the field order of the table above |
|---|---|---|
| 50-3C-D7-4B-EA-D9-75-E6 | 0x40 0x00 0x40 0x00 0x00 0x40 0x00 0x00 0x11 0x00 0x00 0x00 | 64, 64, 16,384, 0, 4352, 0 |
| 03-89-23-FC-3C-B9-62-4B | 0x40 0x00 0x30 0x00 0x00 0x30 0x00 0x00 0x11 0x00 0x00 0x00 | 64, 48, 12,288, 0, 4352, 0 |
| CC-AC-36-46-B8-04-79-37 | 0x29 0x00 0x12 0x00 0x88 0x0B 0x00 0x00 0x11 0x00 0x00 0x00 | 41, 18, 34,827, 0, 4352, 0 |
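An added example, not the author's own reader: a minimal Python walker for the tile layout described above. It assumes the header offsets from the field table (hash at 0x00, ushorts at 0x08 and 0x0A, a uint32 at 0x0C taken as the DIB byte length, four unknown bytes after that), and that the bit depth can be inferred from length / (width x height); the sample input is constructed from the first two tiles' header values with zero-filled pixel data.

```python
import struct
from dataclasses import dataclass

# 20-byte header per the field table: 8-byte hash, ushort @0x08, ushort @0x0A,
# uint32 @0x0C (assumed to be the DIB length), 4 raw bytes @0x10-0x13. Little-endian.
HEADER = struct.Struct("<8sHHI4s")
MAX_TILE_BYTES = 64 * 64 * 4  # assumed bound: 64x64 at 32 bpp = the 16,384-byte tile above


@dataclass
class Tile:
    hash_code: str   # e.g. "50-3C-D7-4B-EA-D9-75-E6"
    width: int       # ushort at 0x08; a hint only, the text says it is unreliable
    height: int      # ushort at 0x0A
    length: int      # uint32 at 0x0C
    unknown: bytes   # bytes 0x10-0x13, meaning unknown
    data: bytes      # raw DIB bytes following the header

    @property
    def bits_per_pixel(self):
        """Heuristic: there is no bit-depth field, so infer it from
        length / (width*height); None unless that gives 8, 16, 24 or 32."""
        pixels = self.width * self.height
        if pixels == 0 or self.length % pixels:
            return None
        bpp = (self.length // pixels) * 8
        return bpp if bpp in (8, 16, 24, 32) else None


def parse_bmc(blob):
    """Walk sequential tiles to EOF. Stops at the first header whose length is
    implausible (zero, over the bound, or past EOF): how garbage shows up here."""
    tiles, problems, pos = [], [], 0
    while pos + HEADER.size <= len(blob):
        raw_hash, w, h, n, unk = HEADER.unpack_from(blob, pos)
        body = pos + HEADER.size
        if n == 0 or n > MAX_TILE_BYTES or body + n > len(blob):
            problems.append(f"tile at 0x{pos:X}: implausible length {n}")
            break
        hash_code = "-".join(f"{b:02X}" for b in raw_hash)
        tiles.append(Tile(hash_code, w, h, n, unk, blob[body:body + n]))
        pos = body + n
    return tiles, problems


def build_sample():
    """Constructed input: the first two tiles above (64x64/16,384 and 64x48/12,288
    bytes, zero-filled pixels), then a header with an impossible length as 'garbage'."""
    t1 = HEADER.pack(bytes.fromhex("503CD74BEAD975E6"), 64, 64, 16384, b"\x11\0\0\0")
    t2 = HEADER.pack(bytes.fromhex("038923FC3CB9624B"), 64, 48, 12288, b"\x11\0\0\0")
    junk = HEADER.pack(b"\xFF" * 8, 0xFFFF, 0xFFFF, 0xFFFFFFFF, b"\xFF" * 4)
    return t1 + bytes(16384) + t2 + bytes(12288) + junk
```

Running `parse_bmc(build_sample())` yields the two well-formed tiles and one reported problem at the offset where the fake garbage header begins.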
Nonetheless, enough information can be extracted to give a general idea of what kind of activity takes place over Remote Desktop.
There are times when saved tiles, if not the whole file, appear corrupted or otherwise consist of garbage data. I believe this might be a form of encryption, but I haven't encountered any situation where I can reliably reproduce the files. It doesn't seem to be related to the use of TLS/SSL in the connection, nor to the version of Windows being connected to.