Saturday, June 4, 2011

Railgun Update: Milestone 1 Reached!

This is a well-overdue post and I apologise for my lateness. However, I have some cool stuff to point out on the horizon.


Milestone 1, as a reminder, was to increase test coverage. Well, the ticket tracking it (https://dev.metasploit.com/redmine/issues/4015) is now officially closed. In other words, I am satisfied with railgun test coverage to an extent that I feel comfortable moving on to implementing features again. (For that matter, I have already started to do so.) This certainly doesn't mean I will stop writing new test cases; it just means that I won't feel like I am constantly "playing catch-up."

One of the coolest new additions is "mock_magic.rb". I will dedicate the rest of this blog post to talking about it, in fact. Railgun::MockMagic is a mixin that provides mock objects and staging to help facilitate thorough (and easy) testing.

Open lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb up and take a look! I would like to draw your attention particularly to the function "mock_function_descriptions". This method returns an array of hashes, each representing a function. The hash contains everything needed to recreate the function and the full lifecycle of it being called. This is remarkably useful when testing: it obviates the need for a living client! It also provides an input and output snapshot of sorts, giving us some level of confidence that changes in how we encode/decode values are backwards compatible. Quality here, however, is dependent on the quantity and diversity of the snapshots.
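To make the snapshot idea concrete, here is an added illustration in Ruby that is not the code of mock_magic.rb itself: each hash records a call's name, parameters, arguments, encoded request, raw response and decoded result, and a mock client replays them offline so an encode/decode change that breaks an old recording shows up as a failed replay. The MockClient class, the field names, the toy packing rules and the recorded values are all assumptions made for this example.

```ruby
# A mock client answers only calls recorded in the snapshots; it never needs a
# live Meterpreter session. (Illustrative class, not Railgun's own.)
class MockClient
  def initialize(snapshots)
    @by_request = snapshots.map { |s| [[s[:name], s[:request]], s[:response]] }.to_h
  end

  # Recorded raw response for an identical (name, request) pair, or nil when
  # the encoder no longer produces the bytes captured in the snapshot.
  def call(name, request)
    @by_request[[name, request]]
  end
end

# Toy argument encoding (an assumption): DWORDs as little-endian 32-bit,
# strings NUL-terminated.
def encode_args(params, args)
  params.zip(args).map do |(type, _name), value|
    type == 'DWORD' ? [value].pack('V') : "#{value}\0"
  end.join
end

# Toy decoding of the raw return value handed back by the (mock) client.
def decode_return(return_type, raw)
  return_type == 'DWORD' ? raw.unpack1('V') : raw.unpack1('Z*')
end

# Replay one snapshot end to end: true only if today's encoder still produces
# the recorded request and today's decoder still yields the recorded result.
def replay(desc, client)
  raw = client.call(desc[:name], encode_args(desc[:params], desc[:args]))
  !raw.nil? && decode_return(desc[:return_type], raw) == desc[:result]
end

# Constructed snapshots, one hash per recorded call (fields and values are
# assumptions for this example, not captures from a real session).
MOCK_FUNCTION_DESCRIPTIONS = [
  { name: 'GetLastError', params: [], args: [], request: '',
    response: [5].pack('V'), return_type: 'DWORD', result: 5 },
  { name: 'CloseHandle', params: [['DWORD', 'hObject']], args: [0x1234],
    request: [0x1234].pack('V'), response: [1].pack('V'), return_type: 'DWORD', result: 1 },
  { name: 'lstrlenA', params: [['PCHAR', 'lpString']], args: ['hello'],
    request: "hello\0", response: [5].pack('V'), return_type: 'DWORD', result: 5 },
]

# Run every snapshot offline; a false entry means an encode/decode change broke
# backwards compatibility with a previously recorded call.
def run_snapshots(descs = MOCK_FUNCTION_DESCRIPTIONS)
  client = MockClient.new(descs)
  descs.map { |d| [d[:name], replay(d, client)] }
end
```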

So how are such snapshots generated and how can you help expand them or make sure I don't break your changes?
  1. Edit lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb
  2. Search for "=== START of proccess_function_call snapshot ==="
  3. Uncomment from the start of the "puts" call to its end
  4. Make some Railgun calls in your Metasploit post modules
  5. Add the output to mock_magic.rb and/or email it to me
Okay, enough of this for now.

Finally, I conclude this post with a sample of some output:
chao@blog:/opt/framework3/lib/rex/post/meterpreter/extensions/stdapi/railgun$ ls *.ut.rb | while read x; do ruby $x; done
Loaded suite api_constants.rb.ut
Started
.
Finished in 0.045200 seconds.

1 tests, 1 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 16551
Loaded suite buffer_item.rb.ut
Started
.
Finished in 0.000417 seconds.

1 tests, 4 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 3861
Loaded suite dll_function.rb.ut
Started
.
Finished in 0.000417 seconds.

1 tests, 0 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 36917
Loaded suite dll_helper.rb.ut
Started
......
Finished in 0.000889 seconds.

6 tests, 15 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 56098
Loaded suite dll.rb.ut
Started
..
Finished in 0.001357 seconds.

2 tests, 18 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 15811
Loaded suite railgun.rb.ut
Started
..
Finished in 0.001458 seconds.

2 tests, 4 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 5062
Loaded suite win_const_manager.rb.ut
Started
....
Finished in 0.000555 seconds.

4 tests, 10 assertions, 0 failures, 0 errors, 0 skips

Test run options: --seed 5801

Anyway, I will ping you again when I update