This is a stub for something more detailed that I want to write. Code-reuse in thick clients is an important technique in testing. We often crave for scriptability when working with binaries. If only we can exercise and invoke specific sections in the binary without having to reverse it and then coding it up. You might want to invoke an exported function in DLL, call arbitrary functions within Java classes or instantiate a .NET class. Especially when working with non HTTP/custom protocols, you will be able just write scripts on top of existing DLL, jar to execute a specific test case. It could be for decoding a packet, decrypting a file, bruteforcing a password etc.
- Native(C/C++) Binaries – Python ctypes can be used to call functions exported by a DLL. Exported C++ functions cannot be called using ctypes. However you can still write a loader and invoke a function in the binary if you know the offset. Note that you might have to worry about calling convention when you are invoking such a function and use the appropriate declaration for function signature to ensure we are not corrupting the stack.
- Java Binaries – Jython can be used to instantiate classes and call functions in Jar files. This is especially useful when you are testing a custom protocol and you are writing a burp plugin to decode packet. You can just use the application’s classes to decode and encode the packet on the fly. You can also construct and send arbitrary requests to the server by using existing app’s jar files
- .NET binaries – IronPython can be used to instantiate class and invoke functions from managed DLL(.NET). Below is a small sample code to get you started. The code quickly shows reflection to access private members of a class:
import clr import os
#add the binaries clr.AddReferenceToFile(“xxx.dll”) clr.AddReferenceToFile(“yyy.exe”)
from System.Reflection import BindingFlags
object.GetType().GetField(“fieldname”,BindingFlags.NonPublic | BindingFlags.Instance).GetValue(object) |
Note that reflection can also be used in jython to invoke private methods as shown below:
|