dohertj2
c95824a65d
Full read-only SDK (src/AVEVA.Historian.Client) implementing the CLAUDE.md required
surface against AVEVA Historian's binary WCF protocol — no native AVEVA runtime
dependency. All operations live-verified against a local Historian:
- ProbeAsync, ReadRawAsync, ReadAggregateAsync, ReadAtTimeAsync, ReadEventsAsync
- BrowseTagNamesAsync, GetTagMetadataAsync (17 native data-type codes mapped)
- GetConnectionStatusAsync, GetStoreForwardStatusAsync, GetSystemParameterAsync
- 108/108 unit + integration tests pass
Includes the reverse-engineering toolkit (tools/AVEVA.Historian.ReverseEngineering)
used to decode the protocol: WCF probes, IL inspection via dnlib, and IL-rewrite
instrumentation (instrument-wcf-{write,read}message etc.) plus the .NET Framework
trace harness (tools/AVEVA.Historian.NativeTraceHarness) for parity testing.
Sanitized handoff evidence under docs/reverse-engineering/. Native AVEVA binaries
(current/, aveva-install-x64/, aveva-install-x86/) are gitignored — fetch separately
from the AVEVA installer.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
51 lines
2.1 KiB
Markdown
51 lines
2.1 KiB
Markdown
# Native Open Capture Server
|
|
|
|
`tools\AVEVA.Historian.WcfCaptureServer` is a reverse-engineering-only WCF
|
|
server that hosts:
|
|
|
|
```text
|
|
net.tcp://localhost:33268/Hist
|
|
```
|
|
|
|
It implements the decompiled `HistoryServiceContract.IHistoryServiceContract`
|
|
shape and logs `OpenConnection`/`Open2` argument metadata as JSON. Credential
|
|
and opaque input buffers are not printed; the tool records lengths and SHA-256
|
|
hashes only. This tool is not referenced by the production SDK.
|
|
|
|
## Current result
|
|
|
|
The server builds and listens successfully:
|
|
|
|
```powershell
|
|
dotnet build tools\AVEVA.Historian.WcfCaptureServer\AVEVA.Historian.WcfCaptureServer.csproj
|
|
tools\AVEVA.Historian.WcfCaptureServer\bin\Debug\net481\AVEVA.Historian.WcfCaptureServer.exe 33268
|
|
```
|
|
|
|
Calling `ArchestrA.HistorianAccess.OpenConnection` with `TcpPort = 33268`
|
|
against `localhost` returned success from the native wrapper but did not hit the
|
|
capture server. A follow-up with `TcpPort = 1` also connected successfully to
|
|
the real local Historian, proving the wrapper ignores `TcpPort` for the local
|
|
machine path. Calling `127.0.0.1:33268` did not connect.
|
|
|
|
Current interpretation: the public wrapper detects `localhost` as a local server
|
|
name and uses the installed local Historian endpoint rather than the requested
|
|
test port. The local mock server cannot intercept `Open2` without redirecting
|
|
or stopping the real local endpoint, which is outside the safe automated path.
|
|
|
|
## Useful follow-up
|
|
|
|
To use this capture server, the native wrapper must be made to treat the target
|
|
as remote while routing traffic to this machine on the real Historian port, or
|
|
the lower-level native client export must be called directly. The most useful
|
|
targets are:
|
|
|
|
- `CHistoryConnectionWCF::OpenConnection3`
|
|
- `CClientInfo::SerializeOpenConnectionInParams3`
|
|
- `CClientInfo::EncryptWithClientKey`
|
|
- `CClientInfo::GetPwdString`
|
|
|
|
Frida is installed on this machine and can attach to the native PowerShell
|
|
process, but `aahClientManaged.dll` does not expose native symbols. The next
|
|
step is address discovery for those internal functions, then Frida hooks for
|
|
the serialized input buffer.
|