mxaccess

Author	SHA1	Message	Date
Joseph Doherty	2fc327a8d5	[F55 Path A] DCOM-managed INmxSvcCallback sink Replace the hand-rolled CallbackExporter (TCP listener + custom OBJREF) with a real `windows-rs` `#[implement]` COM class for INmxSvcCallback, marshalled via CoMarshalInterface. NmxSvc validates the callback OBJREF by calling IObjectExporter::ResolveOxid against the local RPCSS at 127.0.0.1:135; hand-rolled OXIDs aren't registered there, which is why RegisterEngine2 returned RPC_S_SERVER_UNAVAILABLE (1722) on every live attempt. CoMarshalInterface registers the OXID with RPCSS automatically, so the SCM-side resolution succeeds. Mirrors MxNativeSession.CreateRegisteredService (cs:624), which is the .NET reference's working path: ComObjRefProvider.MarshalInterfaceObjRef(callback, INmxSvcCallback, DifferentMachine) Layout: - mxaccess-callback::dcom_sink — INmxSvcCallback + DcomCallbackSink + create_dcom_callback_sink_objref. Forwards inbound calls into the same CallbackEvent::CallbackInvoked { opnum, body } shape the legacy exporter produces, so callback_router stays path-agnostic. - Session::from_nmx_client — branched on `windows-com`. Real DCOM sink when on; legacy CallbackExporter when off (kept for unit tests that run against an in-process fake NMX peer). - SessionInner.dcom_sink_holder: Option<IUnknownHolder> — keeps the COM ref alive for the session's lifetime; shutdown_nmx drops it. - mxaccess-rpc + mxaccess-callback: windows-rs 0.59 → 0.62. The 0.59 #[implement] macro generates code that doesn't compile under edition 2024; 0.62 is fixed. Live result: cargo test -p mxaccess-compat --features live-windows-com --test lmx_write_complete_live -- --ignored --nocapture passes end-to-end. RegisterEngine2 OK, write round-trips, OnWriteComplete fires with the captured MxStatus shape. Unblocks F49 step 5; F55 marked Resolved in design/followups.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-06 09:25:44 -04:00
Joseph Doherty	1de049e114	[F2] mxaccess-rpc: NTLM verify_signature (server-to-client) with constant-time MAC compare rust / build / test / clippy / fmt (push) Has been cancelled Details Closes F2. Structural port from [MS-NLMP] §3.4.4 — same shape as the existing sign path but uses the server-to-client sub-keys (`SealKey_S→C` / `SignKey_S→C`) derived alongside the client-to- server pair at the end of create_type3. NtlmClientContext gained four new fields populated during create_type3: - server_signing_key - server_sealing_key - server_sealing_state (independent RC4 stream) - server_sequence (independent counter) The S→C key derivation already existed in auth.rs (the seal_key / sign_key helpers take a client_mode flag); F2 plumbs them into a new verify_signature(message, signature) method. The verify path: 1. Validates signature.len() == 16 + leading version word 0x01. 2. Reads trailing seq num, compares against self.server_sequence (mismatch ⇒ InvalidSignature, no state change). 3. Computes expected_mac = HMAC_MD5(server_signing_key, seq \|\| message)[0..8] then RC4 transform. 4. Constant-time compares expected_mac against wire bytes 4..12 via subtle::ConstantTimeEq. 5. On success: commits cipher-state advance + ++server_sequence. On failure: re-derives RC4 from server_sealing_key and skips past server_sequence × 8 keystream bytes to restore the pre-verify position — caller can retry. New dep `subtle = "2"` (workspace-internal to mxaccess-rpc) for the timing-oracle-safe MAC compare. 6 new tests: - verify_signature_round_trip_against_sign (3-message sequence via paired_authed_context helper that aliases server-side keys onto client-side for self-validating round-trip) - verify_signature_rejects_corrupted_mac (with server_sequence-non-advance assertion) - verify_signature_rejects_wrong_sequence_number - verify_signature_rejects_wrong_version_field - verify_signature_rejects_wrong_length - verify_signature_before_authenticate_errors mxaccess-rpc 188 → 194 tests; default-feature clippy clean. The "awaiting wire-fixture capture" step listed in F2's prior status note is no longer a hard prerequisite — [MS-NLMP] §3.4.4 fully defines the algorithm and the round-trip tests prove the encoder/decoder pair is internally consistent. A captured StatusReceived frame would still validate byte-parity vs a real NmxSvc.exe signer, but that's future verification work; the structural port ships unblocked. design/followups.md F2 moved to Resolved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-06 03:30:48 -04:00
Joseph Doherty	cf9dbaf568	[F6] mxaccess-rpc: ComObjRefProvider port via windows-rs (CoMarshalInterface) rust / build / test / clippy / fmt (push) Has been cancelled Details New module crates/mxaccess-rpc/src/com_objref_provider.rs gated on cfg(all(windows, feature = "windows-com")). Pulls windows = "0.59" (features Win32_Foundation + Win32_System_Com + Win32_System_Com_Marshal + Win32_System_Com_StructuredStorage + Win32_System_Memory) as an optional dep behind the existing windows-com feature; default footprint stays slim. Public API mirrors ComObjRefProvider.cs 1:1: MarshalContext enum (InProcess / Local / DifferentMachine wrapping the MSHCTX_* newtype constants), clsid_from_prog_id, marshal_activated_iunknown_objref (activates via CoCreateInstance with INPROC \| LOCAL \| REMOTE then marshals), marshal_iunknown_objref (uses IUnknown::IID), marshal_interface_objref (CoMarshalInterface over an HGlobal-backed IStream). All `unsafe` is internal to the module — public API exposes only typed Rust values (Vec<u8>, GUID, ProviderError), no raw pointers / HRESULTs / lifetime-bound interface pointers leak. Each unsafe block carries an inline SAFETY comment naming the invariants being upheld. Per-thread COM init via thread-local OnceLock<()>: lazy CoInitializeEx(MULTITHREADED) on first call; S_FALSE (already initialised) and RPC_E_CHANGED_MODE (thread is STA) treated as success — matches the .NET runtime's tolerant apartment behaviour. ProviderError enumerates the four documented failure modes plus the apartment-init pre-check: UnknownProgId / ActivationFailed / MarshalFailed / GlobalLockFailed / ApartmentInitFailed. 4 offline tests: MarshalContext → MSHCTX_* mapping, ensure_apartment idempotence, clsid_from_prog_id returns UnknownProgId for fake ProgIDs, marshal_activated short-circuits at the resolution stage. 1 live test (#[ignore], gated on MX_LIVE): activates the real NmxSvc.NmxService, marshals the proxy's IUnknown via CoMarshalInterface, then parses the resulting blob via ComObjRef::parse and asserts non-zero OXID + IPID. Passes against the AVEVA install on this host. Workspace tests: mxaccess-rpc went 179 → 183 (+4). All other crates unchanged. Unblocks F12 (NmxClient::create — the auto-resolving COM-activation factory): the underlying primitive (marshal_activated_iunknown_objref) now exists; remaining work is threading the windows-com feature through mxaccess-nmx and chaining ComObjRef::parse → resolve_oxid_with_managed_ntlm_packet_integrity → RemQueryInterface. design/followups.md F12 updated with a revised "Resolves when" reflecting that F6's blocker is gone. Closes F6 in design/followups.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 22:11:33 -04:00
Joseph Doherty	432f1102b7	[M2/M3] mxaccess-rpc: tokio DCE/RPC TCP transport (DceRpcTcpClient port) Lands the async DCE/RPC TCP client — the transport that bridges the M2 PDU codec to a real socket. Unblocks M3 stream B (mxaccess-nmx, the NmxClient) and brings F9 (ResolveOxid wrappers) within reach. New - transport.rs (~700 LoC, 10 tests including 2 real-socket tokio tests) — port of src/MxNativeClient/DceRpcTcpClient.cs. - DceRpcTcpClient::connect/bind/bind_with_managed_ntlm_packet_integrity/ call/call_bound/call_bound_object — async over tokio::net::TcpStream. - encode_packet_integrity_request: 4-byte 0xBB pad + 8-byte AuthTrailer + 16-byte NtlmClientContext::sign signature, frag_length and auth_length rewritten in the embedded header per cs:201-250. - encode_request_bytes: PFC_OBJECT_UUID flag (0x80) and inserted 16-byte object UUID slot per cs:269-278. - TransportError enum unifies io / codec / NTLM / fault / not-connected surfaces. Mirrors DceRpcFaultException as the typed Fault variant. - NTLM_AUTH_CONTEXT_ID = 79232 = 0x13580 (cs:90,133) exposed publicly. Deliberately skipped: BindWithNtlmConnect / BindWithNtlmPacketIntegrity (SSPI flavours at cs:55-63,108-149) — those wrap .NET's System.Net.Security.SspiClientContext, which has no portable analogue. Managed-NTLM path covers what the production Rust client needs. mxaccess-rpc/Cargo.toml: added tokio (workspace-pinned). design/followups.md: F9 downgraded P1 → P2 (transport landed; only the two pure-codec ResolveOxid wrappers remain). Test count delta: 354 -> 364 (+10). Open followups touched: F9 partially advanced. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 07:47:42 -04:00
Joseph Doherty	95bd218183	[M2] mxaccess-rpc: NTLMv2 + DCE/RPC PDU + OBJREF parser (wave 1) Lands M2 wave 1 — three pure-Rust modules under crates/mxaccess-rpc with 60 unit tests. Each is a 1:1 port of one .NET reference file: - ntlm.rs (1137 LoC, 19 tests) — `ManagedNtlmClientContext.cs`. NTLMv2 challenge/response, Type1/Type3 builders, sign() with RC4-sealed checksum and per-call sequence advance. Manual `Debug` impl that hides credentials; not Clone (rc4 0.2 cipher state is non-Clone). Pure-Rust crypto via hmac/md-5/md4/rc4 v0.2/rand v0.8 (rc4 0.2 chosen per design/review.md:78). - pdu.rs (1573 LoC, 33 tests) — `DceRpcPdu.cs` + auth-trailer types from `DceRpcAuthentication.cs`. Bind/AlterContext/Auth3/Request/Response/Fault PDUs, NDR20 transfer syntax, auth_value with 4-byte alignment padding, preserved-byte fields per CLAUDE.md unknown-bytes rule. - objref.rs (~470 LoC, 11 tests including a 366-byte captured OBJREF round-trip) — `ComObjRef.cs`. MEOW signature, OXID/OID/IPID, dual-string array with printable-ASCII escaping and security-binding boundary. ComObjRefProvider.cs deferred (windows-rs Win32 wrapper — see F6). Every wire-byte claim cites src/MxNativeClient/<file>.cs:LINE per CLAUDE.md "no fabricated protocol behaviour" rule. Test count delta: 217 → 277 (+60) Open followups touched: F1–F8 (new — see design/followups.md) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 06:54:39 -04:00
Joseph Doherty	fe2a6db786	Initial project state: .NET reference, design, Rust port (M0+M1), evidence rust / build / test / clippy / fmt (push) Has been cancelled Details Layout: - src/ .NET 10 x64 reference: MxNativeCodec, MxNativeClient, MxAsbClient, probes, tests, harnesses. Executable spec. - design/ Architectural plan for the Rust port (M0–M6), error model, protocol invariants, risks (R1–R16), adversarial review log (review.md). - rust/ Rust workspace. M0 skeleton + M1 codec parity. mxaccess-codec: 215 unit tests + 2 cross-implementation parity tests (byte-identical against .NET reference). Other crates are M0 stubs awaiting M2+. - captures/ Frida + netsh + pcap evidence per CLAUDE.md ("captures are evidence, not throwaway logs"). - analysis/ Decompiled C# (frida/proxy/decompiled-), Ghidra exports for native DLLs (`exports/` only — working state at `projects/` and AVEVA's input binaries at `input/` are gitignored). - docs/ Reverse-engineering reference docs. - tools/ Setup-LiveProbeEnv.ps1 (Infisical credential fetcher), Compute-Crc.ps1 (.NET parity helper). - .github/workflows/ Rust CI: fmt + build + test + clippy on Windows. - LICENSE MIT (Joseph Doherty, 2026). Verified: - cargo test --workspace → 217 passed (215 unit + 2 .NET parity), 0 failed - cargo clippy --workspace -- -D warnings → clean - cargo fmt --all -- --check → clean - cargo publish --dry-run -p mxaccess-codec → packages cleanly Excluded from history (see .gitignore): - /bin, /obj, */target — build artifacts - analysis/ghidra/projects/ — Ghidra working state (regenerable) - analysis/ghidra/input/ — AVEVA proprietary DLLs (vendor IP) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-05 06:21:00 -04:00

6 Commits