dohertj2/histsdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ce62a5900146f84c07670562ba6eed0d37e6b43
histsdk/docs/reverse-engineering/native-open-capture-server.md
T
dohertj2 c95824a65d Initial commit: managed .NET 10 AVEVA Historian SDK + reverse-engineering toolkit 
Full read-only SDK (src/AVEVA.Historian.Client) implementing the CLAUDE.md required
surface against AVEVA Historian's binary WCF protocol — no native AVEVA runtime
dependency. All operations live-verified against a local Historian:

- ProbeAsync, ReadRawAsync, ReadAggregateAsync, ReadAtTimeAsync, ReadEventsAsync
- BrowseTagNamesAsync, GetTagMetadataAsync (17 native data-type codes mapped)
- GetConnectionStatusAsync, GetStoreForwardStatusAsync, GetSystemParameterAsync
- 108/108 unit + integration tests pass

Includes the reverse-engineering toolkit (tools/AVEVA.Historian.ReverseEngineering)
used to decode the protocol: WCF probes, IL inspection via dnlib, and IL-rewrite
instrumentation (instrument-wcf-{write,read}message etc.) plus the .NET Framework
trace harness (tools/AVEVA.Historian.NativeTraceHarness) for parity testing.

Sanitized handoff evidence under docs/reverse-engineering/. Native AVEVA binaries
(current/, aveva-install-x64/, aveva-install-x86/) are gitignored — fetch separately
from the AVEVA installer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 06:31:48 -04:00

2.1 KiB
Raw Blame History

Native Open Capture Server

tools\AVEVA.Historian.WcfCaptureServer is a reverse-engineering-only WCF server that hosts:

net.tcp://localhost:33268/Hist

It implements the decompiled HistoryServiceContract.IHistoryServiceContract shape and logs OpenConnection/Open2 argument metadata as JSON. Credential and opaque input buffers are not printed; the tool records lengths and SHA-256 hashes only. This tool is not referenced by the production SDK.

Current result

The server builds and listens successfully:

dotnet build tools\AVEVA.Historian.WcfCaptureServer\AVEVA.Historian.WcfCaptureServer.csproj
tools\AVEVA.Historian.WcfCaptureServer\bin\Debug\net481\AVEVA.Historian.WcfCaptureServer.exe 33268

Calling ArchestrA.HistorianAccess.OpenConnection with TcpPort = 33268 against localhost returned success from the native wrapper but did not hit the capture server. A follow-up with TcpPort = 1 also connected successfully to the real local Historian, proving the wrapper ignores TcpPort for the local machine path. Calling 127.0.0.1:33268 did not connect.

Current interpretation: the public wrapper detects localhost as a local server name and uses the installed local Historian endpoint rather than the requested test port. The local mock server cannot intercept Open2 without redirecting or stopping the real local endpoint, which is outside the safe automated path.

Useful follow-up

To use this capture server, the native wrapper must be made to treat the target as remote while routing traffic to this machine on the real Historian port, or the lower-level native client export must be called directly. The most useful targets are:

  • CHistoryConnectionWCF::OpenConnection3
  • CClientInfo::SerializeOpenConnectionInParams3
  • CClientInfo::EncryptWithClientKey
  • CClientInfo::GetPwdString

Frida is installed on this machine and can attach to the native PowerShell process, but aahClientManaged.dll does not expose native symbols. The next step is address discovery for those internal functions, then Frida hooks for the serialized input buffer.

Reference in New Issue View Git Blame Copy Permalink