[F50] live Suspend/Activate captures — Suspend wires opcode 0x2D, Activate client-side
Re-ran analysis/frida/mx-nmx-trace.js (with the F46 hooks for
LmxProxy.dll!CLMXProxyServer.Suspend / .Activate) against
MxTraceHarness on the local AVEVA install. Two captures landed:
- captures/123-frida-suspend-advised-instrumented/
Scenario: --scenario=suspend-advised --tag=TestChildObject.ScanState
After mx.suspend.begin/end at 17:23:51.949Z, NMX PutRequest fires
~140ms later with body:
    2d 01 00                                          command 0x2D, version 0x0001
    cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93   16-byte correlation_id (matches the prior AdviseSupervisory)
    01 00 05 00 01 00 02 00 01 00 69 00 0a 00         engine + handle + attribute / property ids
    47 92 00 00 03 00 00 00                           trailer
TransferData wraps it; HRESULT 0 returned; ProcessDataReceived
callback delivers a 50-byte op-status frame; LMX surfaces it
through CUserConnectionCallback.OperationComplete. Suspend is
unambiguously server-side wire op 0x2D.
- captures/124-frida-activate-advised-instrumented/
Scenario: --scenario=activate-advised --tag=TestChildObject.ScanState
Activate fires at 17:26:02.982Z and returns Success synchronously
with no NMX traffic. The next NMX activity is 7+ seconds later
(harness teardown). Activate against a non-suspended item is
client-side only on this build.
The harness's activate-advised scenario doesn't sequence
Suspend-then-Activate, so we don't have direct evidence for
Activate-after-Suspend. Circumstantial reasoning: since Suspend
goes server-side with a state change, Activate likely also does to
revert. If direct evidence becomes needed, add a new
suspend-then-activate scenario to MxTraceHarness/Program.cs and
re-run.
design/70-risks-and-open-questions.md R5 moves to "settled —
Suspend is wire op 0x2D, Activate behaviour is conditional",
severity downgraded P2 -> P3 (no public Session::suspend /
Session::activate API exists today; if added later, 0x2D is the
encoder target).
design/followups.md F50 marked resolved.
docs/F50-suspend-activate-evidence.md: per-capture byte-level
evidence + repro recipe.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
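An added check, not part of this commit or the repository, that re-derives the Suspend claims above from trace lines: the delay from mx.suspend.end to the 0x2D PutRequest, the reuse of the correlation_id, and that TransferData wraps the body unchanged. The function names, the 46-byte envelope length and the length field at envelope offset 2 are assumptions read off the capture bytes in this commit.

```python
import json
from datetime import datetime, timedelta

# Bytes copied from capture 123's Frida log in this commit; the log lines
# built from them below are constructed (trimmed to the fields read here).
CORR = "cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93"
BODY_1F = "1f 01 00 " + CORR + " 00 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"
BODY_2D = "2d 01 00 " + CORR + " 01 00 05 00 01 00 02 00 01 00 69 00 0a 00 47 92 00 00 03 00 00 00"
ENVELOPE = ("01 00 29 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 "
            "fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00")
ENVELOPE_LEN = 46  # assumption: TransferData size minus PutRequest size in the capture


def ev_line(event, name, time, hex_body=None):
    """Build one JSON trace line in the shape of the log lines in this commit."""
    rec = {"event": event, "name": name, "time": time}
    if hex_body is not None:
        rec["candidates"] = [{"size": 2, "hex": ""},
                             {"size": len(hex_body.split()), "hex": hex_body}]
    return json.dumps(rec)


SAMPLE_LOG = "\n".join([
    "[Local::MxTraceHarness.exe ]-> "  # the Frida prompt prefixes the first JSON line
    + ev_line("nmx.enter", "CNmxAdapter.PutRequest", "2026-05-06T17:23:51.375Z", BODY_1F),
    ev_line("mx.suspend.end", "CLMXProxyServer.Suspend", "2026-05-06T17:23:51.949Z"),
    ev_line("nmx.enter", "CNmxAdapter.PutRequest", "2026-05-06T17:23:52.089Z", BODY_2D),
    ev_line("nmx.enter", "CNmxAdapter.TransferData", "2026-05-06T17:23:52.089Z",
            ENVELOPE + " " + BODY_2D),
    "Process terminated",
])


def load_events(text):
    """Parse JSON events, skipping banner lines and any prompt prefix."""
    events = []
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            events.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue
    return events


def payload(event):
    """Largest non-empty candidate buffer logged for an nmx.enter event."""
    bufs = [bytes.fromhex(c["hex"]) for c in event.get("candidates", []) if c["hex"]]
    return max(bufs, key=len) if bufs else b""


def parse_body(body):
    """Split a request body per the commit message: command, version, correlation_id."""
    if len(body) < 19:
        raise ValueError("body shorter than command + version + correlation_id")
    return {"command": body[0], "version": int.from_bytes(body[1:3], "little"),
            "correlation_id": body[3:19], "rest": body[19:]}


def unwrap(frame):
    """Strip the TransferData envelope and check its declared body length."""
    if len(frame) < ENVELOPE_LEN:
        raise ValueError("frame shorter than envelope")
    body = frame[ENVELOPE_LEN:]
    if int.from_bytes(frame[2:4], "little") != len(body):
        raise ValueError("declared length does not match body length")
    return body


def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S.%fZ")


def is_enter(event, suffix):
    return event.get("event") == "nmx.enter" and event.get("name", "").endswith(suffix)


def check_suspend(events):
    """Summarise the first 0x2D PutRequest after mx.suspend.end, or None if absent."""
    seen_ids, suspend_end = set(), None
    for i, ev in enumerate(events):
        if ev.get("event") == "mx.suspend.end":
            suspend_end = ts(ev)
        elif is_enter(ev, "PutRequest") and len(payload(ev)) >= 19:
            body = parse_body(payload(ev))
            if suspend_end is not None and body["command"] == 0x2D:
                wrap = next((e for e in events[i + 1:] if is_enter(e, "TransferData")), None)
                return {
                    "delay_ms": (ts(ev) - suspend_end) // timedelta(milliseconds=1),
                    "version": body["version"],
                    "id_seen_before": body["correlation_id"] in seen_ids,
                    "trailer": body["rest"][14:].hex(" "),  # after the 14 id bytes
                    "wrapped_intact": wrap is not None and unwrap(payload(wrap)) == payload(ev),
                }
            seen_ids.add(body["correlation_id"])
    return None
```
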
@@ -0,0 +1,3 @@
|
|||||||
|
frida=C:\Users\dohertj2\AppData\Local\Programs\Python\Python312\Scripts\frida.exe
|
||||||
|
harness=C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe
|
||||||
|
args=-f C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe -l C:\Users\dohertj2\Desktop\mxaccess\analysis\frida\mx-nmx-trace.js -- --scenario=suspend-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\123-frida-suspend-advised-instrumented\harness.log --client=MxFridaTrace-123
|
||||||
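Review bot: The frida=, harness= and args= lines record absolute paths under C:\Users\dohertj2\..., which ties the capture metadata to one workstation and publishes a local account name in the repository. Store the paths relative to the repo root (src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe, analysis\frida\mx-nmx-trace.js, captures\123-frida-suspend-advised-instrumented\harness.log) or behind a placeholder the capture script expands at run time, so the command can be re-run from another checkout without editing.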
@@ -0,0 +1 @@
|
|||||||
|
1
|
||||||
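Review bot: The single value 1 added here carries no label, and nothing in the hunk says what it measures. If it is the exit status of the Frida run, a non-zero value sits awkwardly beside a commit message that describes the capture as landed; record it with a name (for example exit_code=1) and add a line to docs/F50-suspend-activate-evidence.md stating whether 1 is the expected result when the spawned harness exits and Frida prints "Process terminated".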
@@ -0,0 +1,98 @@
|
|||||||
|
____
|
||||||
|
/ _ | Frida 17.9.1 - A world-class dynamic instrumentation toolkit
|
||||||
|
| (_| |
|
||||||
|
> _ | Commands:
|
||||||
|
/_/ |_| help -> Displays the help system
|
||||||
|
. . . . object? -> Display information about 'object'
|
||||||
|
. . . . exit/quit -> Exit
|
||||||
|
. . . .
|
||||||
|
. . . . More info at https://frida.re/docs/home/
|
||||||
|
. . . .
|
||||||
|
. . . . Connected to Local System (id=local)
|
||||||
|
Spawning `C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe --scenario=suspend-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\123-frida-suspend-advised-instrumented\harness.log --client=MxFridaTrace-123`...
|
||||||
|
Spawned `C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe --scenario=suspend-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\123-frida-suspend-advised-instrumented\harness.log --client=MxFridaTrace-123`. Resuming main thread!
|
||||||
|
[Local::MxTraceHarness.exe ]-> {"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Write.variantA","base":"0x61b50000","rva":"0x12c0c","address":"0x61b62c0c","time":"2026-05-06T17:23:45.844Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Write.variantB","base":"0x61b50000","rva":"0x13280","address":"0x61b63280","time":"2026-05-06T17:23:45.845Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.WriteSecured.variantA","base":"0x61b50000","rva":"0x12f24","address":"0x61b62f24","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.WriteSecured.variantB","base":"0x61b50000","rva":"0x135fe","address":"0x61b635fe","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AddBufferedItem","base":"0x61b50000","rva":"0x1121d","address":"0x61b6121d","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.SetBufferedUpdateInterval","base":"0x61b50000","rva":"0xfc80","address":"0x61b5fc80","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","base":"0x61b50000","rva":"0x142b4","address":"0x61b642b4","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Suspend","base":"0x61b50000","rva":"0x13d9c","address":"0x61b63d9c","time":"2026-05-06T17:23:45.846Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Activate","base":"0x61b50000","rva":"0x14028","address":"0x61b64028","time":"2026-05-06T17:23:45.847Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CProxy_ILMXProxyServerEvents2.Fire_OnBufferedDataChange","base":"0x61b50000","rva":"0x163c0","address":"0x61b663c0","time":"2026-05-06T17:23:45.847Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CUserConnectionCallback.OnSetAttributeResult","base":"0x61b50000","rva":"0x16b50","address":"0x61b66b50","time":"2026-05-06T17:23:45.847Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CUserConnectionCallback.OperationComplete","base":"0x61b50000","rva":"0x16d4b","address":"0x61b66d4b","time":"2026-05-06T17:23:45.848Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AuthenticateUser","base":"0x61b50000","rva":"0x1399f","address":"0x61b6399f","time":"2026-05-06T17:23:45.848Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"MxConnection.PrebindReference","base":"0x10000000","rva":"0xea780","address":"0x100ea780","time":"2026-05-06T17:23:51.188Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"MxConnection.UserRegisterPreboundReference","base":"0x10000000","rva":"0xe1920","address":"0x100e1920","time":"2026-05-06T17:23:51.189Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"IMxReference.GetMxHandle","base":"0x10000000","rva":"0x5f730","address":"0x1005f730","time":"2026-05-06T17:23:51.190Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","base":"0x10000000","rva":"0x8f8b0","address":"0x1008f8b0","time":"2026-05-06T17:23:51.190Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.Resolve","base":"0x10000000","rva":"0x113d40","address":"0x10113d40","time":"2026-05-06T17:23:51.191Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.OnPlatformResolveReferenceResults","base":"0x10000000","rva":"0x1155a0","address":"0x101155a0","time":"2026-05-06T17:23:51.192Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.OnSetAttributeResult","base":"0x10000000","rva":"0x114a90","address":"0x10114a90","time":"2026-05-06T17:23:51.192Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x91a72b0","outPtr":"0xd5e6c4","inWords":[65537,65537,0,0,0,0],"time":"2026-05-06T17:23:51.236Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xd5e6c4","handle":{"raw":"01 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00","w0":65537,"w1":65537,"w2":0,"w3":0,"w4":0},"retval":"0xd5e6c4","time":"2026-05-06T17:23:51.236Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x91a72b0","outPtr":"0xd5e6c4","inWords":[65537,65537,0,0,0,0],"time":"2026-05-06T17:23:51.237Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xd5e6c4","handle":{"raw":"01 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00","w0":65537,"w1":65537,"w2":0,"w3":0,"w4":0},"retval":"0xd5e6c4","time":"2026-05-06T17:23:51.237Z"}
|
||||||
|
{"event":"lmx.prebind.enter","module":"Lmx.dll","name":"MxConnection.PrebindReference","self":"0x91aed2c","outPtr":"0xd5ec98","referencePtr":"0xd5eccc","reference":"TestChildObject.ScanState","time":"2026-05-06T17:23:51.255Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x91b3838","outPtr":"0xd5ec00","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5ec00","time":"2026-05-06T17:23:51.256Z"}
|
||||||
|
{"event":"lmx.prebound-resolve.enter","module":"Lmx.dll","name":"PreboundReference.Resolve","prebound":{"ptr":"0x91af058","referenceString":{"length":25,"capacity":31,"value":"TestChildObject.ScanState"},"contextString":{"length":0,"capacity":7,"value":""},"auxString":{"length":0,"capacity":7,"value":""},"mxReference":"0x91b46f0","flags10":1124099840,"word14":2,"word4c":131073,"word54":134011636,"word58":0,"word5c":0,"word60":0,"word64":152728240,"word68":0,"word6c":0,"worda0":0,"worda4":0,"status":3,"flagb0":0,"errorText":"","raw":"08 64 19 10 f0 63 19 10 00 6f 00 6e e8 63 19 10 00 67 00 43 02 00 00 00 98 41 1b 09 00 65 00 00 00 02 00 00 00 00 00 02 19 00 00 00 1f 00 00 00 00 00 00 01 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 01 00 02 00 f0 46 1b 09 f4 da fc 07 00 00 00 00 00 00 00 00 00 00 00 00 b0 72 1a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ac 8a 31 01 00 00 00 00"},"time":"2026-05-06T17:23:51.257Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x91af0a8","outPtr":"0xd5eb90","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5eb90","time":"2026-05-06T17:23:51.257Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x91af0a8","outPtr":"0xd5eb90","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5eb90","time":"2026-05-06T17:23:51.257Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x91af0a8","outPtr":"0xd5eb90","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5eb90","time":"2026-05-06T17:23:51.258Z"}
|
||||||
|
{"event":"lmx.prebound-resolve.leave","module":"Lmx.dll","name":"PreboundReference.Resolve","prebound":{"ptr":"0x91af058","referenceString":{"length":25,"capacity":31,"value":"TestChildObject.ScanState"},"contextString":{"length":0,"capacity":7,"value":""},"auxString":{"length":0,"capacity":7,"value":""},"mxReference":"0x91b46f0","flags10":1124099840,"word14":2,"word4c":131073,"word54":134011636,"word58":0,"word5c":0,"word60":0,"word64":152728240,"word68":0,"word6c":0,"worda0":0,"worda4":0,"status":3,"flagb0":0,"errorText":"","raw":"08 64 19 10 f0 63 19 10 00 6f 00 6e e8 63 19 10 00 67 00 43 02 00 00 00 98 41 1b 09 00 65 00 00 00 02 00 00 00 00 00 02 19 00 00 00 1f 00 00 00 00 00 00 01 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 01 00 02 00 f0 46 1b 09 f4 da fc 07 00 00 00 00 00 00 00 00 00 00 00 00 b0 72 1a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ac 8a 31 01 00 00 00 00"},"retval":"0x70d01e01","time":"2026-05-06T17:23:51.259Z"}
|
||||||
|
{"event":"lmx.prebind.leave","module":"Lmx.dll","name":"MxConnection.PrebindReference","handle":1,"time":"2026-05-06T17:23:51.259Z"}
|
||||||
|
{"event":"call.enter","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","address":"0x61b642b4","ecx":"0xd5ed50","args":["0x62492d0","0x1","0x1","0x55eabfd1","0x744d4704"],"time":"2026-05-06T17:23:51.261Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x91a72b0","outPtr":"0xd5ebd0","inWords":[65537,327682,186166,655465,37447,0],"time":"2026-05-06T17:23:51.261Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xd5ebd0","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5ebd0","time":"2026-05-06T17:23:51.261Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x91a72b0","outPtr":"0xd5d864","inWords":[65537,327682,186166,655465,37447,0],"time":"2026-05-06T17:23:51.262Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xd5d864","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xd5d864","time":"2026-05-06T17:23:51.262Z"}
|
||||||
|
{"event":"call.leave","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","retval":"0x0","time":"2026-05-06T17:23:51.262Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","base":"0x63ae0000","rva":"0x10996","address":"0x63af0996","time":"2026-05-06T17:23:51.280Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","base":"0x63ae0000","rva":"0x112da","address":"0x63af12da","time":"2026-05-06T17:23:51.280Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","base":"0x63ae0000","rva":"0x15169","address":"0x63af5169","time":"2026-05-06T17:23:51.281Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequestEx","base":"0x63ae0000","rva":"0x159c3","address":"0x63af59c3","time":"2026-05-06T17:23:51.281Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x91ac9d8","0x1","0x1","0x1","0x2","0x0","0x13a","0x91af118","0xd5ea14","0xfd3aeb5e"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":1,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":314,"ptr":"0x91af118","hex":"17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 6a 00 00 00 40 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 a0 e7 1a 09 1f 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 00 00 01 00 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 76 00 00 00 4c 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 20 ee 1a 09 20 01 00 02 00 00 00"}],"time":"2026-05-06T17:23:51.371Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x1","0x168","0x9eb7020","0x9d860587","0x91aece4","0x91aecd4","0x63b0dd04","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":360,"ptr":"0x9eb7020","hex":"01 00 3a 01 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 02 00 00 30 75 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 6a 00 00 00 40 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 a0 e7 1a 09 1f 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 00 00 01 00 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 76 00 00 00 4c 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 20 ee 1a 09 20 01 00 02 00 00 00"}],"time":"2026-05-06T17:23:51.373Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:51.374Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:23:51.374Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x91ac9d8","0x1","0x1","0x2","0x2","0x0","0x27","0x91af590","0xd5ea14","0xfd3aeb5e"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":2,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":39,"ptr":"0x91af590","hex":"1f 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 00 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:51.375Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x2","0x55","0x9eb7020","0x9d860587","0x91b5dcc","0x91b5dbc","0x63b0dd04","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":85,"ptr":"0x9eb7020","hex":"01 00 27 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00 1f 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 00 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:51.376Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:51.376Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:23:51.376Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x2c2","0x7f44288","0x773eb08","0x769cedd8","0x91ac9e4","0x2c2","0x7f44288","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":706,"ptr":"0x7f44288","hex":"01 00 94 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00 40 1f 50 80 08 a6 00 00 00 40 00 00 91 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 18 00 00 00 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 00 00 28 00 00 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 6c 00 00 00 41 00 6e 00 20 00 69 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 72 00 65 00 64 00 20 00 69 00 6e 00 20 00 74 00 68 00 65 00 20 00 42 00 61 00 73 00 65 00 20 00 52 00 75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 4f 00 62 00 6a 00 65 00 63 00 74 00 00 00 1f 00 00 50 80 01 00 01 00 01 00 30 75 00 00 4a 5a a3 cd 7a 87 96 43 83 2c b4 ba be 67 53 57 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 40 1f 50 80 08 be 00 00 00 4c 00 00 91 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 18 00 00 00 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 00 00 34 00 00 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 01 01 
00 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 01 6c 00 00 00 41 00 6e 00 20 00 69 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 72 00 65 00 64 00 20 00 69 00 6e 00 20 00 74 00 68 00 65 00 20 00 42 00 61 00 73 00 65 00 20 00 52 00 75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 4f 00 62 00 6a 00 65 00 63 00 74 00 00 00 20 00 00 50 80 01 00 01 00 01 00 30 75 00 00"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:51.392Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:51.393Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x97","0x7f38730","0x773eb08","0x769cedd8","0x91ac9e4","0x97","0x7f38730","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":151,"ptr":"0x7f38730","hex":"01 00 69 00 00 00 00 00 00 00 39 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 02 00 00 30 75 00 00 32 01 00 02 00 00 00 4a 5a a3 cd 7a 87 96 43 83 2c b4 ba be 67 53 57 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 01 00 00 00 03 00 00 00 c0 00 b0 fd 44 d6 75 dd dc 01 06 0a 00 00 00 00 99 8c 8a 6e da dc 01 00 00 02 00 00 00 03 00 00 00 c0 00 f0 99 45 d6 75 dd dc 01 06 0a 00 00 00 00 fb 56 ce 19 dd dc 01 00 00"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:51.394Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:51.394Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x5c","0x7f43180","0x773eb08","0x769cedd8","0x91ac9e4","0x5c","0x7f43180","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":92,"ptr":"0x7f43180","hex":"01 00 2e 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00 00 00 50 80 01 00 01 00 02 00 30 75 00 00 ad dd 62 fe a7 a0 e5 49 87 72 93 75 c6 f1 cc 86 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:51.414Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:51.415Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x69","0x7fb3ab0","0x773eb08","0x769cedd8","0x91ac9e4","0x69","0x7fb3ab0","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":105,"ptr":"0x7fb3ab0","hex":"01 00 3b 00 00 00 00 00 00 00 06 19 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 02 00 00 30 75 00 00 32 01 00 01 00 00 00 ad dd 62 fe a7 a0 e5 49 87 72 93 75 c6 f1 cc 86 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 03 00 00 00 00 00 00 00 c0 00 c0 3e 0b d8 75 dd dc 01 01 ff"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:51.416Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:51.416Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x1","0x2e","0x9eb7020","0x9d860473","0x91a72b0","0x0","0x0","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":46,"ptr":"0x9eb7020","hex":"01 00 00 00 00 00 00 00 00 00 39 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 02 00 00 30 75 00 00"}],"time":"2026-05-06T17:23:51.470Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:51.470Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x2","0x2e","0x9eb7020","0x9d860473","0x91a72b0","0x0","0x0","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":46,"ptr":"0x9eb7020","hex":"01 00 00 00 00 00 00 00 00 00 06 19 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 02 00 00 30 75 00 00"}],"time":"2026-05-06T17:23:51.488Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:51.489Z"}
|
||||||
|
{"event":"mx.suspend.begin","module":"LmxProxy.dll","name":"CLMXProxyServer.Suspend","address":"0x61b63d9c","ecx":"0xd5ed4c","serverHandle":1,"itemHandle":1,"statusOutPtr":"0xd5f14c","time":"2026-05-06T17:23:51.949Z"}
|
||||||
|
{"event":"mx.suspend.end","module":"LmxProxy.dll","name":"CLMXProxyServer.Suspend","retval":"0x0","serverHandle":1,"itemHandle":1,"status":{"raw":"ff ff 3a fd 01 00 00 00","success":-1,"category":-710,"detectedBy":1,"detail":0},"time":"2026-05-06T17:23:51.949Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x91ac9d8","0x1","0x1","0x2","0x2","0x0","0x29","0x91af980","0xd5ea14","0xfd3aeb5e"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":2,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":41,"ptr":"0x91af980","hex":"2d 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 01 00 05 00 01 00 02 00 01 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:52.089Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x2","0x57","0x9eb7020","0x9d860587","0x91a829c","0x91a828c","0x63b0dd04","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":87,"ptr":"0x9eb7020","hex":"01 00 29 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00 2d 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 01 00 05 00 01 00 02 00 01 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:52.089Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:52.090Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:23:52.090Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x32","0x7f44288","0x773eb08","0x769cedd8","0x91ac9e4","0x32","0x7f44288","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":50,"ptr":"0x7f44288","hex":"01 00 04 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00 00 00 10 80"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:52.123Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:52.123Z"}
|
||||||
|
{"event":"call.enter","module":"LmxProxy.dll","name":"CUserConnectionCallback.OperationComplete","address":"0x61b66d4b","ecx":"0x61b66d4b","args":["0x91b4b40","0x1","0xd5e574","0x8014cbc"],"time":"2026-05-06T17:23:52.183Z"}
|
||||||
|
{"event":"call.leave","module":"LmxProxy.dll","name":"CUserConnectionCallback.OperationComplete","retval":"0x0","time":"2026-05-06T17:23:52.185Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x91ac9d8","0x1","0x1","0x1","0x2","0x0","0x3a","0x91af470","0xd5ebd0","0xfd3ae89a"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":1,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":58,"ptr":"0x91af470","hex":"21 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 00 00 00 22 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 02 00 00 00"}],"time":"2026-05-06T17:23:59.173Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x1","0x68","0x9eb7020","0x9d8607c3","0x91aec7c","0x91aec6c","0x63b0dd04","0x0"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":104,"ptr":"0x9eb7020","hex":"01 00 3a 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 02 00 00 30 75 00 00 21 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 00 00 00 22 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 02 00 00 00"}],"time":"2026-05-06T17:23:59.174Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:59.174Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:23:59.175Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x91ac9d8","0x1","0x1","0x2","0x2","0x0","0x25","0x91af590","0xd5ebd0","0xfd3ae89a"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":2,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":37,"ptr":"0x91af590","hex":"21 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:59.175Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x91ac9d8","args":["0x1","0x1","0x2","0x53","0x9eb7020","0x9d8607c3","0x91a829c","0x91a828c","0x63b0dd04","0x0"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":83,"ptr":"0x9eb7020","hex":"01 00 25 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00 21 01 00 cd 2a ee ec b2 76 06 4f b4 58 5c a0 2d f7 a8 93 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:23:59.175Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:23:59.176Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:23:59.176Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x91ac9d8","args":["0x2e","0x7f43180","0x773eb08","0x769cedd8","0x91ac9e4","0x2e","0x7f43180","0x206","0x3","0x7aa21cc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":46,"ptr":"0x7f43180","hex":"01 00 00 00 00 00 00 00 00 00 05 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7aa21cc","hex":"f0 d7 01"}],"time":"2026-05-06T17:23:59.184Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:23:59.184Z"}
|
||||||
|
Process terminated
|
||||||
|
|
||||||
|
Thank you for using Frida!
|
||||||
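Review bot: the `candidates` arrays in these nmx.enter events still carry argument pairs that are plainly not buffers, for example `"size":2,"ptr":"0x2","hex":""` on PutRequest and `"size":518,"ptr":"0x3","hex":""` on ProcessDataReceived. These are small integers that the sizeIndex/ptrIndex pairing has treated as pointers. Have mx-nmx-trace.js drop any candidate whose read produced empty hex, or whose ptr is below a plausible address, so that the committed evidence shows only the real payload pair for each call.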
@@ -0,0 +1,18 @@
|
|||||||
|
2026-05-06T17:23:45.7524803+00:00 harness.start {"Scenario":"suspend-advised","ClientName":"MxFridaTrace-123","Tags":["TestChildObject.ScanState"],"ItemContext":"","WriteType":"string","WriteValue":"","WriteValues":[],"UserId":0,"CurrentUserId":0,"VerifierUserId":0,"UserGuid":"","AuthUser":"","AuthenticateBeforeWrite":false,"UseAuthenticatedUserAsVerifier":false,"UsePlainAdvise":false,"WriteTimestamp":"","WriteDelayMilliseconds":750,"WriteIntervalMilliseconds":500,"BufferedUpdateInterval":1000,"DurationSeconds":8,"ProcessBitness":"x86","Runtime":"4.0.30319.42000"}
|
||||||
|
2026-05-06T17:23:51.0229176+00:00 mx.register.begin {"ClientName":"MxFridaTrace-123"}
|
||||||
|
2026-05-06T17:23:51.2542197+00:00 mx.register.end {"SessionHandle":1}
|
||||||
|
2026-05-06T17:23:51.2550786+00:00 mx.additem.begin {"Tag":"TestChildObject.ScanState"}
|
||||||
|
2026-05-06T17:23:51.2595630+00:00 mx.additem.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:51.2604744+00:00 mx.advise-supervisory.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:51.2632070+00:00 mx.advise-supervisory.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:51.4863989+00:00 mx.event.data-change {"SessionHandle":1,"ItemHandle":1,"Value":{"Type":"System.Boolean","Value":"True"},"Quality":192,"Timestamp":{"Type":"System.String","Value":"5/6/2026 1:23:51.471 PM"},"Status":[{"Success":-1,"Category":"MxCategoryOk","Source":"MxSourceRequestingLmx","Detail":0}]}
|
||||||
|
2026-05-06T17:23:51.9480884+00:00 mx.suspend.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:51.9499173+00:00 mx.suspend.end {"Tag":"TestChildObject.ScanState","ItemHandle":1,"Status":{"Success":-1,"Category":"MxCategoryPending","Source":"MxSourceRequestingLmx","Detail":0}}
|
||||||
|
2026-05-06T17:23:52.1856751+00:00 mx.event.operation-complete {"SessionHandle":1,"ItemHandle":1,"Status":[{"Success":-1,"Category":"MxCategoryOk","Source":"MxSourceRespondingLmx","Detail":0}]}
|
||||||
|
2026-05-06T17:23:59.1669817+00:00 mx.unadvise.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:59.1678719+00:00 mx.unadvise.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:59.1678719+00:00 mx.removeitem.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:59.1678719+00:00 mx.removeitem.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:23:59.1678719+00:00 mx.unregister.begin {"SessionHandle":1}
|
||||||
|
2026-05-06T17:24:03.0001612+00:00 mx.unregister.end {"SessionHandle":1}
|
||||||
|
2026-05-06T17:24:03.0046705+00:00 harness.stop {}
|
||||||
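Review bot: in mx.event.data-change the item Timestamp is logged as the culture-formatted local string "5/6/2026 1:23:51.471 PM" with no offset, while the log line itself is stamped 17:23:51.486 +00:00, so correlating the two depends on knowing the capture host's time zone. Emit the value in the same ISO 8601 form with offset that the line prefix already uses. Separately, mx.unadvise.end, mx.removeitem.begin, mx.removeitem.end and mx.unregister.begin all carry the identical stamp 17:23:59.1678719, so their order rests on line order alone; a sequence number per event would make that explicit.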
@@ -0,0 +1,3 @@
|
|||||||
|
frida=C:\Users\dohertj2\AppData\Local\Programs\Python\Python312\Scripts\frida.exe
|
||||||
|
harness=C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe
|
||||||
|
args=-f C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe -l C:\Users\dohertj2\Desktop\mxaccess\analysis\frida\mx-nmx-trace.js -- --scenario=activate-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\124-frida-activate-advised-instrumented\harness.log --client=MxFridaTrace-124
|
||||||
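Review bot: all three lines (frida=, harness=, args=) record absolute paths under C:\Users\dohertj2\, which commits a developer account name and local directory layout into the repository and ties the capture metadata to one machine. Have the capture script write paths relative to the repository root, or redact the profile prefix before the file is committed. The same prefix also appears in the Spawning and Spawned lines of the frida log, so the redaction should cover that file as well.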
@@ -0,0 +1 @@
|
|||||||
|
1
|
||||||
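Review bot: this one-line file holds a bare `1` with nothing in the file saying what the value means. If it records the frida process exit code, a non-zero value needs explaining next to a log that ends in "Process terminated" and "Thank you for using Frida!" with no error shown. Either name the field in the file (for example exit_code=1) or state in the evidence doc what 1 means here and whether it is expected when the spawned harness exits.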
@@ -0,0 +1,88 @@
|
|||||||
|
____
|
||||||
|
/ _ | Frida 17.9.1 - A world-class dynamic instrumentation toolkit
|
||||||
|
| (_| |
|
||||||
|
> _ | Commands:
|
||||||
|
/_/ |_| help -> Displays the help system
|
||||||
|
. . . . object? -> Display information about 'object'
|
||||||
|
. . . . exit/quit -> Exit
|
||||||
|
. . . .
|
||||||
|
. . . . More info at https://frida.re/docs/home/
|
||||||
|
. . . .
|
||||||
|
. . . . Connected to Local System (id=local)
|
||||||
|
Spawning `C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe --scenario=activate-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\124-frida-activate-advised-instrumented\harness.log --client=MxFridaTrace-124`...
|
||||||
|
Spawned `C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe --scenario=activate-advised --tag=TestChildObject.ScanState --duration=8 --log=C:\Users\dohertj2\Desktop\mxaccess\captures\124-frida-activate-advised-instrumented\harness.log --client=MxFridaTrace-124`. Resuming main thread!
|
||||||
|
[Local::MxTraceHarness.exe ]-> {"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Write.variantA","base":"0x61b70000","rva":"0x12c0c","address":"0x61b82c0c","time":"2026-05-06T17:25:57.029Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Write.variantB","base":"0x61b70000","rva":"0x13280","address":"0x61b83280","time":"2026-05-06T17:25:57.029Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.WriteSecured.variantA","base":"0x61b70000","rva":"0x12f24","address":"0x61b82f24","time":"2026-05-06T17:25:57.029Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.WriteSecured.variantB","base":"0x61b70000","rva":"0x135fe","address":"0x61b835fe","time":"2026-05-06T17:25:57.029Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AddBufferedItem","base":"0x61b70000","rva":"0x1121d","address":"0x61b8121d","time":"2026-05-06T17:25:57.029Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.SetBufferedUpdateInterval","base":"0x61b70000","rva":"0xfc80","address":"0x61b7fc80","time":"2026-05-06T17:25:57.030Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","base":"0x61b70000","rva":"0x142b4","address":"0x61b842b4","time":"2026-05-06T17:25:57.030Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Suspend","base":"0x61b70000","rva":"0x13d9c","address":"0x61b83d9c","time":"2026-05-06T17:25:57.030Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.Activate","base":"0x61b70000","rva":"0x14028","address":"0x61b84028","time":"2026-05-06T17:25:57.031Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CProxy_ILMXProxyServerEvents2.Fire_OnBufferedDataChange","base":"0x61b70000","rva":"0x163c0","address":"0x61b863c0","time":"2026-05-06T17:25:57.031Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CUserConnectionCallback.OnSetAttributeResult","base":"0x61b70000","rva":"0x16b50","address":"0x61b86b50","time":"2026-05-06T17:25:57.031Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CUserConnectionCallback.OperationComplete","base":"0x61b70000","rva":"0x16d4b","address":"0x61b86d4b","time":"2026-05-06T17:25:57.032Z"}
|
||||||
|
{"event":"hook.installed","module":"LmxProxy.dll","name":"CLMXProxyServer.AuthenticateUser","base":"0x61b70000","rva":"0x1399f","address":"0x61b8399f","time":"2026-05-06T17:25:57.032Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"MxConnection.PrebindReference","base":"0x10000000","rva":"0xea780","address":"0x100ea780","time":"2026-05-06T17:26:02.100Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"MxConnection.UserRegisterPreboundReference","base":"0x10000000","rva":"0xe1920","address":"0x100e1920","time":"2026-05-06T17:26:02.101Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"IMxReference.GetMxHandle","base":"0x10000000","rva":"0x5f730","address":"0x1005f730","time":"2026-05-06T17:26:02.101Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","base":"0x10000000","rva":"0x8f8b0","address":"0x1008f8b0","time":"2026-05-06T17:26:02.101Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.Resolve","base":"0x10000000","rva":"0x113d40","address":"0x10113d40","time":"2026-05-06T17:26:02.102Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.OnPlatformResolveReferenceResults","base":"0x10000000","rva":"0x1155a0","address":"0x101155a0","time":"2026-05-06T17:26:02.102Z"}
|
||||||
|
{"event":"hook.installed","module":"Lmx.dll","name":"PreboundReference.OnSetAttributeResult","base":"0x10000000","rva":"0x114a90","address":"0x10114a90","time":"2026-05-06T17:26:02.103Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","base":"0x63ae0000","rva":"0x10996","address":"0x63af0996","time":"2026-05-06T17:26:02.191Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","base":"0x63ae0000","rva":"0x112da","address":"0x63af12da","time":"2026-05-06T17:26:02.192Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","base":"0x63ae0000","rva":"0x15169","address":"0x63af5169","time":"2026-05-06T17:26:02.192Z"}
|
||||||
|
{"event":"hook.installed","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequestEx","base":"0x63ae0000","rva":"0x159c3","address":"0x63af59c3","time":"2026-05-06T17:26:02.193Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x8f272b0","outPtr":"0xafe224","inWords":[65537,65537,0,0,0,0],"time":"2026-05-06T17:26:02.227Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xafe224","handle":{"raw":"01 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00","w0":65537,"w1":65537,"w2":0,"w3":0,"w4":0},"retval":"0xafe224","time":"2026-05-06T17:26:02.227Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x8f272b0","outPtr":"0xafe224","inWords":[65537,65537,0,0,0,0],"time":"2026-05-06T17:26:02.228Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xafe224","handle":{"raw":"01 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00","w0":65537,"w1":65537,"w2":0,"w3":0,"w4":0},"retval":"0xafe224","time":"2026-05-06T17:26:02.228Z"}
|
||||||
|
{"event":"lmx.prebind.enter","module":"Lmx.dll","name":"MxConnection.PrebindReference","self":"0x8f2f934","outPtr":"0xafe7f8","referencePtr":"0xafe82c","reference":"TestChildObject.ScanState","time":"2026-05-06T17:26:02.247Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x8f341e8","outPtr":"0xafe760","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafe760","time":"2026-05-06T17:26:02.247Z"}
|
||||||
|
{"event":"lmx.prebound-resolve.enter","module":"Lmx.dll","name":"PreboundReference.Resolve","prebound":{"ptr":"0x8f2fc60","referenceString":{"length":25,"capacity":31,"value":"TestChildObject.ScanState"},"contextString":{"length":0,"capacity":7,"value":""},"auxString":{"length":0,"capacity":7,"value":""},"mxReference":"0x8f34f50","flags10":1124099840,"word14":2,"word4c":131073,"word54":131786164,"word58":0,"word5c":0,"word60":0,"word64":150106800,"word68":0,"word6c":0,"worda0":0,"worda4":0,"status":3,"flagb0":0,"errorText":"","raw":"08 64 19 10 f0 63 19 10 00 6f 00 6e e8 63 19 10 00 67 00 43 02 00 00 00 c0 4e f3 08 00 65 00 00 00 02 00 00 00 00 00 02 19 00 00 00 1f 00 00 00 00 00 00 01 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 01 00 02 00 50 4f f3 08 b4 e5 da 07 00 00 00 00 00 00 00 00 00 00 00 00 b0 72 f2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 04 79 d4 00 00 00 00 00"},"time":"2026-05-06T17:26:02.247Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x8f2fcb0","outPtr":"0xafe6f0","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafe6f0","time":"2026-05-06T17:26:02.248Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x8f2fcb0","outPtr":"0xafe6f0","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafe6f0","time":"2026-05-06T17:26:02.248Z"}
|
||||||
|
{"event":"lmx.mxhandle.read","module":"Lmx.dll","name":"IMxReference.GetMxHandle","referencePtr":"0x8f2fcb0","outPtr":"0xafe6f0","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafe6f0","time":"2026-05-06T17:26:02.248Z"}
|
||||||
|
{"event":"lmx.prebound-resolve.leave","module":"Lmx.dll","name":"PreboundReference.Resolve","prebound":{"ptr":"0x8f2fc60","referenceString":{"length":25,"capacity":31,"value":"TestChildObject.ScanState"},"contextString":{"length":0,"capacity":7,"value":""},"auxString":{"length":0,"capacity":7,"value":""},"mxReference":"0x8f34f50","flags10":1124099840,"word14":2,"word4c":131073,"word54":131786164,"word58":0,"word5c":0,"word60":0,"word64":150106800,"word68":0,"word6c":0,"worda0":0,"worda4":0,"status":3,"flagb0":0,"errorText":"","raw":"08 64 19 10 f0 63 19 10 00 6f 00 6e e8 63 19 10 00 67 00 43 02 00 00 00 c0 4e f3 08 00 65 00 00 00 02 00 00 00 00 00 02 19 00 00 00 1f 00 00 00 00 00 00 01 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 01 00 02 00 50 4f f3 08 b4 e5 da 07 00 00 00 00 00 00 00 00 00 00 00 00 b0 72 f2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 04 79 d4 00 00 00 00 00"},"retval":"0x70d01e01","time":"2026-05-06T17:26:02.249Z"}
|
||||||
|
{"event":"lmx.prebind.leave","module":"Lmx.dll","name":"MxConnection.PrebindReference","handle":1,"time":"2026-05-06T17:26:02.250Z"}
|
||||||
|
{"event":"call.enter","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","address":"0x61b842b4","ecx":"0xafe8b0","args":["0x5f592d0","0x1","0x1","0xb68f4ff0","0x744d4704"],"time":"2026-05-06T17:26:02.251Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x8f272b0","outPtr":"0xafe730","inWords":[65537,327682,186166,655465,37447,0],"time":"2026-05-06T17:26:02.251Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xafe730","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafe730","time":"2026-05-06T17:26:02.252Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.enter","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","accessManager":"0x8f272b0","outPtr":"0xafd3c4","inWords":[65537,327682,186166,655465,37447,0],"time":"2026-05-06T17:26:02.252Z"}
|
||||||
|
{"event":"lmx.fixup-mxhandle.leave","module":"Lmx.dll","name":"AccessManager.FixUpMxHandle","outPtr":"0xafd3c4","handle":{"raw":"01 00 01 00 02 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00","w0":65537,"w1":327682,"w2":186166,"w3":655465,"w4":37447},"retval":"0xafd3c4","time":"2026-05-06T17:26:02.252Z"}
|
||||||
|
{"event":"call.leave","module":"LmxProxy.dll","name":"CLMXProxyServer.AdviseSupervisory","retval":"0x0","time":"2026-05-06T17:26:02.253Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x8f2c9d8","0x1","0x1","0x1","0x2","0x0","0x13a","0x8f2fd20","0xafe574","0x1c6cdd4e"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":1,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":314,"ptr":"0x8f2fd20","hex":"17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 6a 00 00 00 40 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 a8 f3 f2 08 1f 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 00 00 01 00 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 76 00 00 00 4c 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 28 fa f2 08 20 01 00 02 00 00 00"}],"time":"2026-05-06T17:26:02.360Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x1","0x168","0xa4e9020","0x44e158a0","0x8f2f8ec","0x8f2f8dc","0x63b0dd04","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":360,"ptr":"0xa4e9020","hex":"01 00 3a 01 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 02 00 00 30 75 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 6a 00 00 00 40 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 a8 f3 f2 08 1f 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 00 00 01 00 00 00 17 01 00 01 01 00 01 00 00 00 65 00 71 00 0a 00 00 00 00 00 08 76 00 00 00 4c 00 00 81 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 28 fa f2 08 20 01 00 02 00 00 00"}],"time":"2026-05-06T17:26:02.363Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:02.363Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:26:02.363Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x8f2c9d8","0x1","0x1","0x2","0x2","0x0","0x27","0x8f30810","0xafe574","0x1c6cdd4e"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":2,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":39,"ptr":"0x8f30810","hex":"1f 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 00 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:26:02.364Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x2","0x55","0xa4e9020","0x44e158a0","0x8f369d4","0x8f369c4","0x63b0dd04","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":85,"ptr":"0xa4e9020","hex":"01 00 27 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00 1f 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 00 00 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:26:02.364Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:02.364Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:26:02.365Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x8f2c9d8","args":["0x2c2","0x7855de0","0x763e9c0","0x769cedd8","0x8f2c9e4","0x2c2","0x7855de0","0x206","0x3","0x7890dbc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":706,"ptr":"0x7855de0","hex":"01 00 94 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00 40 1f 50 80 08 a6 00 00 00 40 00 00 91 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 18 00 00 00 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 00 00 28 00 00 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 44 00 65 00 70 00 6c 00 6f 00 79 00 00 00 02 00 00 00 00 00 01 01 00 01 00 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 6c 00 00 00 41 00 6e 00 20 00 69 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 72 00 65 00 64 00 20 00 69 00 6e 00 20 00 74 00 68 00 65 00 20 00 42 00 61 00 73 00 65 00 20 00 52 00 75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 4f 00 62 00 6a 00 65 00 63 00 74 00 00 00 1f 00 00 50 80 01 00 01 00 01 00 30 75 00 00 c1 7f b2 2c 25 f4 17 42 bc df 76 e6 78 49 01 0e fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 40 1f 50 80 08 be 00 00 00 4c 00 00 91 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 2e 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 18 00 00 00 44 00 65 00 76 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 00 00 34 00 00 00 47 00 52 00 2e 00 54 00 69 00 6d 00 65 00 4f 00 66 00 4c 00 61 00 73 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 43 00 68 00 61 00 6e 00 67 00 65 00 00 00 02 00 00 00 00 00 01 01 
00 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 01 6c 00 00 00 41 00 6e 00 20 00 69 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 6f 00 63 00 63 00 75 00 72 00 72 00 65 00 64 00 20 00 69 00 6e 00 20 00 74 00 68 00 65 00 20 00 42 00 61 00 73 00 65 00 20 00 52 00 75 00 6e 00 74 00 69 00 6d 00 65 00 20 00 4f 00 62 00 6a 00 65 00 63 00 74 00 00 00 20 00 00 50 80 01 00 01 00 01 00 30 75 00 00"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7890dbc","hex":"90 f9 db"}],"time":"2026-05-06T17:26:02.379Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:26:02.380Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x8f2c9d8","args":["0x97","0x7cfca08","0x763e9c0","0x769cedd8","0x8f2c9e4","0x97","0x7cfca08","0x206","0x3","0x7890dbc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":151,"ptr":"0x7cfca08","hex":"01 00 69 00 00 00 00 00 00 00 3b 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 02 00 00 30 75 00 00 32 01 00 02 00 00 00 c1 7f b2 2c 25 f4 17 42 bc df 76 e6 78 49 01 0e fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 01 00 00 00 03 00 00 00 c0 00 b0 fd 44 d6 75 dd dc 01 06 0a 00 00 00 00 99 8c 8a 6e da dc 01 00 00 02 00 00 00 03 00 00 00 c0 00 f0 99 45 d6 75 dd dc 01 06 0a 00 00 00 00 fb 56 ce 19 dd dc 01 00 00"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7890dbc","hex":"90 f9 db"}],"time":"2026-05-06T17:26:02.381Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:26:02.381Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x8f2c9d8","args":["0x5c","0xd67de8","0x763e9c0","0x769cedd8","0x8f2c9e4","0x5c","0xd67de8","0x206","0x3","0x7890dbc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":92,"ptr":"0xd67de8","hex":"01 00 2e 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 02 02 00 00 30 75 00 00 00 00 50 80 01 00 01 00 02 00 30 75 00 00 17 59 01 a9 16 2a 80 40 99 d9 d4 80 28 2c b7 2a fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7890dbc","hex":"90 f9 db"}],"time":"2026-05-06T17:26:02.412Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:26:02.412Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","address":"0x63af12da","ecx":"0x8f2c9d8","args":["0x69","0x7872b38","0x763e9c0","0x769cedd8","0x8f2c9e4","0x69","0x7872b38","0x206","0x3","0x7890dbc"],"candidates":[{"sizeIndex":5,"ptrIndex":6,"size":105,"ptr":"0x7872b38","hex":"01 00 3b 00 00 00 00 00 00 00 3c 1a 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 02 00 00 30 75 00 00 32 01 00 01 00 00 00 17 59 01 a9 16 2a 80 40 99 d9 d4 80 28 2c b7 2a fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 03 00 00 00 00 00 00 00 c0 00 c0 3e 0b d8 75 dd dc 01 01 ff"},{"sizeIndex":7,"ptrIndex":8,"size":518,"ptr":"0x3","hex":""},{"sizeIndex":8,"ptrIndex":9,"size":3,"ptr":"0x7890dbc","hex":"90 f9 db"}],"time":"2026-05-06T17:26:02.414Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.ProcessDataReceived","retval":"0x1","time":"2026-05-06T17:26:02.414Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x1","0x2e","0xa4e9020","0x44e15894","0x8f272b0","0x0","0x0","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":46,"ptr":"0xa4e9020","hex":"01 00 00 00 00 00 00 00 00 00 3b 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 02 00 00 30 75 00 00"}],"time":"2026-05-06T17:26:02.458Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:02.459Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x2","0x2e","0xa4e9020","0x44e15894","0x8f272b0","0x0","0x0","0x64"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":46,"ptr":"0xa4e9020","hex":"01 00 00 00 00 00 00 00 00 00 3c 1a 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 02 02 00 00 30 75 00 00"}],"time":"2026-05-06T17:26:02.475Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:02.476Z"}
|
||||||
|
{"event":"mx.activate.begin","module":"LmxProxy.dll","name":"CLMXProxyServer.Activate","address":"0x61b84028","ecx":"0xafe8ac","serverHandle":1,"itemHandle":1,"statusOutPtr":"0xafec9c","time":"2026-05-06T17:26:02.982Z"}
|
||||||
|
{"event":"mx.activate.end","module":"LmxProxy.dll","name":"CLMXProxyServer.Activate","retval":"0x0","serverHandle":1,"itemHandle":1,"status":{"raw":"ff ff af 00 00 00 00 00","success":-1,"category":175,"detectedBy":0,"detail":0},"time":"2026-05-06T17:26:02.982Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x8f2c9d8","0x1","0x1","0x1","0x2","0x0","0x3a","0x8f30348","0xafe730","0x1c6cdf8a"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":1,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":58,"ptr":"0x8f30348","hex":"21 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 00 00 00 22 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 02 00 00 00"}],"time":"2026-05-06T17:26:10.206Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x1","0x68","0xa4e9020","0x44e15ae4","0x8f36fac","0x8f36f9c","0x63b0dd04","0x0"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":104,"ptr":"0xa4e9020","hex":"01 00 3a 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 02 00 00 30 75 00 00 21 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 01 00 53 f2 9a 00 6a 00 0a 00 5f f1 00 00 01 00 00 00 22 01 00 01 00 53 f2 9a 00 6b 00 0a 00 87 3a 00 00 02 00 00 00"}],"time":"2026-05-06T17:26:10.207Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:10.207Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:26:10.207Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","address":"0x63af5169","ecx":"0x1","args":["0x8f2c9d8","0x1","0x1","0x2","0x2","0x0","0x25","0x8f302b8","0xafe730","0x1c6cdf8a"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":2,"ptr":"0x2","hex":""},{"sizeIndex":6,"ptrIndex":7,"size":37,"ptr":"0x8f302b8","hex":"21 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:26:10.208Z"}
|
||||||
|
{"event":"nmx.enter","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","address":"0x63af0996","ecx":"0x8f2c9d8","args":["0x1","0x1","0x2","0x53","0xa4e9020","0x44e15ae4","0x8f36e2c","0x8f36e1c","0x63b0dd04","0x0"],"candidates":[{"sizeIndex":3,"ptrIndex":4,"size":83,"ptr":"0xa4e9020","hex":"01 00 25 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00 fc 7f 00 00 01 00 00 00 01 00 00 00 02 00 00 00 01 02 00 00 30 75 00 00 21 01 00 fb 41 af 3a 53 c9 17 4f b1 11 36 e0 d2 44 d5 22 05 00 36 d7 02 00 69 00 0a 00 47 92 00 00 03 00 00 00"}],"time":"2026-05-06T17:26:10.209Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.TransferData","retval":"0x0","time":"2026-05-06T17:26:10.210Z"}
|
||||||
|
{"event":"nmx.leave","module":"NmxAdptr.dll","name":"CNmxAdapter.PutRequest","retval":"0x0","time":"2026-05-06T17:26:10.210Z"}
|
||||||
|
Process terminated
|
||||||
|
|
||||||
|
Thank you for using Frida!
|
||||||
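Review bot: the mx.activate.end event decodes the 8-byte status "ff ff af 00 00 00 00 00" as success -1, category 175, while the harness log for the same call reports Category MxCategoryOk, so the two records of one call disagree. The bytes `af 00` at offset 2 match the upper half of the stack addresses seen in this trace (ecx 0xafe8ac, statusOutPtr 0xafec9c), which makes category 175 look like stale stack content rather than a value the callee wrote. Either fix the field widths the Activate hook uses when decoding the status struct, or note in the evidence doc that the Frida-side category is not reliable and the harness value is the one to cite.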
@@ -0,0 +1,17 @@
|
|||||||
|
2026-05-06T17:25:56.9336608+00:00 harness.start {"Scenario":"activate-advised","ClientName":"MxFridaTrace-124","Tags":["TestChildObject.ScanState"],"ItemContext":"","WriteType":"string","WriteValue":"","WriteValues":[],"UserId":0,"CurrentUserId":0,"VerifierUserId":0,"UserGuid":"","AuthUser":"","AuthenticateBeforeWrite":false,"UseAuthenticatedUserAsVerifier":false,"UsePlainAdvise":false,"WriteTimestamp":"","WriteDelayMilliseconds":750,"WriteIntervalMilliseconds":500,"BufferedUpdateInterval":1000,"DurationSeconds":8,"ProcessBitness":"x86","Runtime":"4.0.30319.42000"}
|
||||||
|
2026-05-06T17:26:02.0166476+00:00 mx.register.begin {"ClientName":"MxFridaTrace-124"}
|
||||||
|
2026-05-06T17:26:02.2451960+00:00 mx.register.end {"SessionHandle":1}
|
||||||
|
2026-05-06T17:26:02.2451960+00:00 mx.additem.begin {"Tag":"TestChildObject.ScanState"}
|
||||||
|
2026-05-06T17:26:02.2506300+00:00 mx.additem.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:02.2506300+00:00 mx.advise-supervisory.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:02.2533435+00:00 mx.advise-supervisory.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:02.4738071+00:00 mx.event.data-change {"SessionHandle":1,"ItemHandle":1,"Value":{"Type":"System.Boolean","Value":"True"},"Quality":192,"Timestamp":{"Type":"System.String","Value":"5/6/2026 1:26:02.460 PM"},"Status":[{"Success":-1,"Category":"MxCategoryOk","Source":"MxSourceRequestingLmx","Detail":0}]}
|
||||||
|
2026-05-06T17:26:02.9814081+00:00 mx.activate.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:02.9832463+00:00 mx.activate.end {"Tag":"TestChildObject.ScanState","ItemHandle":1,"Status":{"Success":-1,"Category":"MxCategoryOk","Source":"MxSourceRequestingLmx","Detail":0}}
|
||||||
|
2026-05-06T17:26:10.2003645+00:00 mx.unadvise.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:10.2012649+00:00 mx.unadvise.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:10.2012649+00:00 mx.removeitem.begin {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:10.2012649+00:00 mx.removeitem.end {"Tag":"TestChildObject.ScanState","ItemHandle":1}
|
||||||
|
2026-05-06T17:26:10.2012649+00:00 mx.unregister.begin {"SessionHandle":1}
|
||||||
|
2026-05-06T17:26:12.7977621+00:00 mx.unregister.end {"SessionHandle":1}
|
||||||
|
2026-05-06T17:26:12.8031645+00:00 harness.stop {}
|
||||||
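Review bot: The `mx.event.data-change` record logs the item timestamp as a locale-formatted local-time string (`"5/6/2026 1:26:02.460 PM"`) with no UTC offset, while every log-line prefix is ISO 8601 with `+00:00`. Correlating this value against the Frida events then depends on knowing the capture host's time zone and culture. Emit the item timestamp from the harness in round-trip ISO 8601 form so the log is self-describing.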
@@ -111,10 +111,13 @@ Findings, layer by layer (the wire bytes flow inward; the synthesis flows outwar
|
|||||||
|
|
||||||
**Reopen when:** a fresh capture proves a synthesis rule for a specific 1-byte completion code under a specific operation context (e.g. via Frida pairs `LmxProxy.dll!FUN_10003f60` input vs. observed event payload). At that point file a sub-followup with the captured `(byte, context, observed status)` triple and decide whether to add a typed mapping.
|
**Reopen when:** a fresh capture proves a synthesis rule for a specific 1-byte completion code under a specific operation context (e.g. via Frida pairs `LmxProxy.dll!FUN_10003f60` input vs. observed event payload). At that point file a sub-followup with the captured `(byte, context, observed status)` triple and decide whether to add a typed mapping.
|
||||||
|
|
||||||
### R5 — Activate / Suspend behaviour **(partially observed — F44 documented client-side trigger; wire-side residual gap filed as F46, hook landed pending live re-run)**
|
### R5 — Activate / Suspend behaviour **(SETTLED 2026-05-06 — F50 live capture proves Suspend is server-side wire op `0x2D`; Activate against a non-suspended item is client-side only)**
|
||||||
|
|
||||||
**Severity: P2** (downgraded from P1 — client-side acceptance criteria are
|
**Severity: P3** (downgraded from P2 — wire behaviour now characterised, no implementation gap blocking M6 / V1 since `Session::suspend` / `Session::activate` aren't part of the public API today; if/when added, the `0x2D` opcode is the encoder target).
|
||||||
now documented; LMX-proxy wire emission remains unconfirmed)
|
|
||||||
|
**Settled (2026-05-06):** F50 captured `123-frida-suspend-advised-instrumented/` and `124-frida-activate-advised-instrumented/`. See `docs/F50-suspend-activate-evidence.md` for the byte-level evidence. Summary:
|
||||||
|
- **Suspend** emits NMX `PutRequest` with command byte `0x2D` ~140ms after the LMX-proxy entry hook, body shape matches AdviseSupervisory's `<command:1> <version:2> <correlation_id:16> <body:22>` family.
|
||||||
|
- **Activate** (against a non-suspended item, the only scenario the harness sequences) returns synchronously client-side with no wire traffic; same client-side behaviour F44 documented for capture 077.
|
||||||
|
|
||||||
**Status (2026-05-06): PARTIALLY OBSERVED — Frida hooks ready, live capture pending.**
|
**Status (2026-05-06): PARTIALLY OBSERVED — Frida hooks ready, live capture pending.**
|
||||||
F44's evidence walk on
|
F44's evidence walk on
|
||||||
|
|||||||
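Review bot: The unchanged "**Status (2026-05-06): PARTIALLY OBSERVED" line that follows the new Settled block still says the live capture is pending, which contradicts the new SETTLED heading and the P3 severity text directly above it. Remove that status line (and the F44 evidence walk it introduces, if it is now only history) or relabel it as the pre-F50 state, so a reader landing on R5 does not see two conflicting statuses with the same date.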
@@ -12,6 +12,12 @@ move to `## Resolved` with a date + commit hash.
|
|||||||
If this changes (e.g. internal consumer wants registry-style versioning via a private cargo registry), the V1 publish recipe in `design/F48-publish-dry-run.md` describes the steps. For now: no work needed.
|
If this changes (e.g. internal consumer wants registry-style versioning via a private cargo registry), the V1 publish recipe in `design/F48-publish-dry-run.md` describes the steps. For now: no work needed.
|
||||||
|
|
||||||
### F50 — Run the F46 Suspend/Activate Frida capture live
|
### F50 — Run the F46 Suspend/Activate Frida capture live
|
||||||
|
**Status:** **Resolved 2026-05-06.** Two captures landed under `captures/123-frida-suspend-advised-instrumented/` (suspend-advised scenario) and `captures/124-frida-activate-advised-instrumented/` (activate-advised scenario). Per-byte evidence in `docs/F50-suspend-activate-evidence.md`; R5 in `design/70-risks-and-open-questions.md` moved to settled.
|
||||||
|
|
||||||
|
**Verdict:**
|
||||||
|
- **Suspend** is server-side: emits NMX `PutRequest` with command `0x2D` ~140ms after the LMX-proxy entry, body `2d 01 00 + correlation_id + 22 bytes` (same shape family as `0x1F` AdviseSupervisory).
|
||||||
|
- **Activate** against a non-suspended item is client-side only — no wire traffic, returns Success synchronously. The harness `activate-advised` scenario doesn't sequence Suspend-then-Activate; if direct evidence for Activate-after-Suspend is needed later, add a new scenario to `MxTraceHarness/Program.cs`.
|
||||||
|
|
||||||
**Severity:** P3 — residual from F46 (script ready, capture not yet run).
|
**Severity:** P3 — residual from F46 (script ready, capture not yet run).
|
||||||
**Source:** F46 closeout (`design/followups.md`) + `analysis/frida/mx-nmx-trace.js` header procedure.
|
**Source:** F46 closeout (`design/followups.md`) + `analysis/frida/mx-nmx-trace.js` header procedure.
|
||||||
|
|
||||||
|
|||||||
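Review bot: F50 is marked Resolved, but the entry keeps its old "**Severity:** P3" line saying "script ready, capture not yet run", and it stays in place rather than following the file's own convention shown in the hunk header ("move to `## Resolved` with a date + commit hash"). Update or drop the stale severity line, move the entry under `## Resolved`, and add the commit hash next to the 2026-05-06 date.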
@@ -0,0 +1,72 @@
|
|||||||
|
# F50 Suspend / Activate live evidence — 2026-05-06
|
||||||
|
|
||||||
|
Live re-run of `analysis/frida/mx-nmx-trace.js` (with the F46 hook additions for `LmxProxy.dll!CLMXProxyServer.Suspend` / `.Activate`) against `MxTraceHarness.exe` on the local AVEVA install. Two captures land:
|
||||||
|
|
||||||
|
| # | Path | Scenario | Tag |
|
||||||
|
|---|---|---|---|
|
||||||
|
| 123 | `captures/123-frida-suspend-advised-instrumented/` | `--scenario=suspend-advised` | `TestChildObject.ScanState` |
|
||||||
|
| 124 | `captures/124-frida-activate-advised-instrumented/` | `--scenario=activate-advised` | `TestChildObject.ScanState` |
|
||||||
|
|
||||||
|
## Capture 123 — `Suspend` IS server-side
|
||||||
|
|
||||||
|
After `mx.suspend.begin` fires at `17:23:51.949Z`, NMX wire traffic appears within ~140ms:
|
||||||
|
|
||||||
|
```text
|
||||||
|
17:23:51.949Z mx.suspend.begin (CLMXProxyServer.Suspend, serverHandle=1, itemHandle=1)
|
||||||
|
17:23:51.949Z mx.suspend.end (Status: Success=-1 / MxCategoryPending / MxSourceRequestingLmx / Detail=0)
|
||||||
|
17:23:52.089Z nmx.enter PutRequest body=
|
||||||
|
2d 01 00 ← command 0x2D, version 0x0001
|
||||||
|
cd 2a ee ee b2 76 06 4f b4 58 5c a0 2d f7 a8 93 ← 16-byte correlation_id (matches the prior AdviseSupervisory)
|
||||||
|
01 00 05 00 01 00 02 00 01 00 ← reserved / engine + handle context
|
||||||
|
69 00 0a 00 47 92 00 00 ← attribute / property ids
|
||||||
|
03 00 00 00 ← trailer
|
||||||
|
17:23:52.089Z nmx.enter TransferData (envelope wraps the above 41-byte body, target_galaxy=1, target_platform=1, target_engine=2)
|
||||||
|
17:23:52.090Z nmx.leave TransferData (HRESULT 0 = success)
|
||||||
|
17:23:52.090Z nmx.leave PutRequest (HRESULT 0 = success)
|
||||||
|
17:23:52.123Z nmx.enter ProcessDataReceived (50-byte op-status frame back from engine)
|
||||||
|
17:23:52.183Z call.enter CUserConnectionCallback.OperationComplete (LMX surfaces the op-status to the client)
|
||||||
|
```
|
||||||
|
|
||||||
|
The 41-byte body has the same shape as AdviseSupervisory's body (`1f 01 00 + correlation_id + ...`) — same family of `INmxService2` item-control ops. The opcode `0x2D` is what `LmxProxy.dll!CLMXProxyServer.Suspend` puts on the wire.
|
||||||
|
|
||||||
|
## Capture 124 — `Activate` against an already-active item is client-side
|
||||||
|
|
||||||
|
The `activate-advised` harness scenario does **not** call `Suspend` first — it just AdviseSupervisory + Activate. So the Activate is invoked on an already-active item.
|
||||||
|
|
||||||
|
After `mx.activate.begin` fires at `17:26:02.982Z`, the next NMX traffic is at `17:26:10.20Z` (7+ seconds later — that's the harness's UnAdvise / Unregister at scenario teardown). No wire op fires for the Activate itself.
|
||||||
|
|
||||||
|
```text
|
||||||
|
17:26:02.982Z mx.activate.begin (CLMXProxyServer.Activate, serverHandle=1, itemHandle=1)
|
||||||
|
17:26:02.982Z mx.activate.end (Status: Success=-1 / category=175 / Detail=0) ← returns instantly client-side
|
||||||
|
17:26:10.206Z nmx.enter PutRequest ← unrelated, harness teardown (UnAdvise / Unregister)
|
||||||
|
```
|
||||||
|
|
||||||
|
## Verdict
|
||||||
|
|
||||||
|
- **Suspend** is **server-side** with NMX command `0x2D`. The wire body shape matches AdviseSupervisory's structurally (`<command:1> <version:2> <correlation_id:16> <body...>`). The full body decode (engine / handle / attribute id meanings of bytes 19–40) is left for a future codec port — the M6 F50 deliverable is the existence + opnum + correlation-id evidence.
|
||||||
|
- **Activate** (against a non-suspended item) is **client-side only** in this scenario — the LMX proxy returns success without emitting wire traffic. We don't have direct evidence for Activate-after-Suspend (the harness's `activate-advised` scenario doesn't sequence them); circumstantial reasoning is that since Suspend goes server-side, Activate likely also does when it has a suspension to revert. If a future capture is needed, add a `suspend-then-activate` scenario to `MxTraceHarness/Program.cs`.
|
||||||
|
|
||||||
|
## What this changes
|
||||||
|
|
||||||
|
- R5 in `design/70-risks-and-open-questions.md` moves to "settled — Suspend is wire op `0x2D`, Activate behaviour is conditional."
|
||||||
|
- A future codec follow-up could port the `0x2D` body shape into a typed encoder/decoder under `crates/mxaccess-codec/src/`. Not blocking M6 / V1 — `Session::suspend` / `Session::activate` aren't part of the public API today; they'd be additions.
|
||||||
|
- `analysis/proxy/nmxsvcps-procedures.tsv` could grow a row for opnum `0x2D` once someone correlates the Frida capture against the `INmxService2` MIDL. Out of scope for F50.
|
||||||
|
|
||||||
|
## Reproducing
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$frida = "C:\Users\dohertj2\AppData\Local\Programs\Python\Python312\Scripts\frida.exe"
|
||||||
|
$harness = "C:\Users\dohertj2\Desktop\mxaccess\src\MxTraceHarness\bin\Release\net481\MxTraceHarness.exe"
|
||||||
|
$script = "C:\Users\dohertj2\Desktop\mxaccess\analysis\frida\mx-nmx-trace.js"
|
||||||
|
$cap = "C:\Users\dohertj2\Desktop\mxaccess\captures\<NNN>-frida-<scenario>-instrumented"
|
||||||
|
mkdir $cap
|
||||||
|
& $frida -f $harness -l $script -- `
|
||||||
|
--scenario=suspend-advised ` # or activate-advised
|
||||||
|
--tag=TestChildObject.ScanState `
|
||||||
|
--duration=8 `
|
||||||
|
--log="$cap\harness.log" `
|
||||||
|
--client="MxFridaTrace-<NNN>" `
|
||||||
|
> "$cap\frida.stdout.jsonl" 2> "$cap\frida.stderr.txt"
|
||||||
|
```
|
||||||
|
|
||||||
|
The harness needs the local AVEVA Galaxy running with `TestChildObject` deployed. Frida 17.x; Python 3.12. The `MxTraceHarness.exe` is the x86 / net481 build at `bin/Release/net481/` — `dotnet build src/MxTraceHarness/MxTraceHarness.csproj /p:Configuration=Release` produces it.
|
||||||
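Review bot: The correlation_id in the Capture 123 block reads `cd 2a ee ee b2 76 ...`, but the commit message for this same change gives `cd 2a ee ec b2 76 ...`, so one of the two has a transcription error in the fourth byte. Since this file is the byte-level record, re-copy the value from the capture's Frida output and make both agree. Two further points in this file: the Capture 124 block reports `mx.activate.end` as `category=175`, while the harness log for the same call records `"Category":"MxCategoryOk"`, so state which source the 175 comes from or use the symbolic name. In the Reproducing block, `--scenario=suspend-advised ` # or activate-advised` will not continue the line, because a PowerShell backtick only acts as a continuation when it is the last character on the line; move the comment to its own line above the command. The hard-coded `C:\Users\dohertj2\...` paths would also be easier to reuse as repo-relative paths.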