Saturday, March 8, 2008

Expose ActiveX Controls to Silverlight

So I recently (yesterday to be exact) gave a presentation on Silverlight Security. My overall conclusion was that, yeah, it was pretty darn good. I did, however, have a couple ideas on ways to circumvent some small bit of the protection primarily using JavaScript. It ended up that I didn't even need the JavaScript and could just use the HTML DOM.

I can't post the code because I'm not at liberty to distribute the ActiveX controls I used to test it but I can (and have below) post the gist of it.

Now I do have to put a disclaimer in before anyone starts in on me: this is NOT a Silverlight hack, and it could very easily be ported into any other webpage using simple JavaScript. Not only that, but it isn't necessarily a bad thing.

Remember, the key is the access to the HTML DOM, which is the exposure point.

Also, remember that the ActiveX control has to be made available to the DOM to be accessible... so the user must download it and install it, which, by the way, is ABSOLUTELY not possible to do through Silverlight.

So on with the code...

The first step, obviously, would be to have a Silverlight app open in VS.

Go to your HTML host page ([MyApp]TestPage.aspx or the like) and add an object reference to the HTML source:

<object id="MyCoolActiveX" classid="CLSID:123E1234-12AB-123A-AB1D-12341234ABCD"></object>

 
Got that set up? Okay, now we need to get a reference to that object in Silverlight.

// Requires: using System.Windows.Browser; (the Silverlight HTML bridge types)
HtmlDocument doc = HtmlPage.Document;
HtmlElement MyCoolActiveX = doc.GetElementById("MyCoolActiveX");

 
Hmm... that wasn't hard, but how do I call into the control when all I have is an HtmlElement?

// Invoke is inherited from ScriptObject and calls the named method on the underlying DOM object.
object result = MyCoolActiveX.Invoke("DoSomething");
return (string)result;

 
In my case the expected result is a string so I do a cast before returning the value.

Not too difficult, huh? I have a cool little ActiveX control that lets me get a list of all the system processes and it's working great.
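Since the exposure point is the host page's DOM, a host page can be audited for it. The following is an added example, not code from the original post: it lists ActiveX `<object>` tags that sit on a page whose Silverlight plug-in has not set the `enableHtmlAccess` parameter to false. The `SilverlightHost` id and the `.xap` path are constructed sample values, and the CLSID is the placeholder from the post.

```python
from html.parser import HTMLParser

class HostPageAudit(HTMLParser):
    """Collects ActiveX <object> tags and Silverlight plug-in bridge settings."""
    def __init__(self):
        super().__init__()
        self.stack, self.activex, self.silverlight = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "object":
            self.stack.append({"id": a.get("id", ""), "classid": a.get("classid", ""),
                               "type": a.get("type", "").lower(), "html_access": None})
        elif tag == "param" and self.stack:
            if a.get("name", "").lower() == "enablehtmlaccess":
                self.stack[-1]["html_access"] = a.get("value", "").strip().lower()

    def handle_endtag(self, tag):
        if tag != "object" or not self.stack:
            return
        obj = self.stack.pop()
        if obj["classid"].lower().startswith("clsid:"):
            self.activex.append((obj["id"], obj["classid"]))       # ActiveX control
        elif obj["type"].startswith("application/x-silverlight"):
            self.silverlight.append(obj)                            # Silverlight plug-in

def audit(html):
    """Return findings for ActiveX objects a Silverlight app could reach via the DOM."""
    p = HostPageAudit()
    p.feed(html)
    p.close()
    # Assumption: an unset enableHtmlAccess counts as enabled (same-domain hosting).
    open_bridge = [s for s in p.silverlight if s["html_access"] != "false"]
    findings = [f"Silverlight plug-in '{s['id']}' has HTML DOM access enabled" for s in open_bridge]
    if open_bridge:
        findings += [f"ActiveX object '{i}' ({c}) is scriptable from Silverlight" for i, c in p.activex]
    return findings

def sample_page(extra_param=""):
    """Constructed host page; the ActiveX tag is the placeholder from the post."""
    return f'''<html><body>
<object id="MyCoolActiveX" classid="CLSID:123E1234-12AB-123A-AB1D-12341234ABCD"></object>
<object id="SilverlightHost" type="application/x-silverlight-2">
  <param name="source" value="ClientBin/MyApp.xap"/>
  {extra_param}
</object></body></html>'''

if __name__ == "__main__":
    for finding in audit(sample_page()):
        print(finding)
```

Setting `enableHtmlAccess` to false only closes the Silverlight path; as the post says, ordinary JavaScript on the same page can still reach the control.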

Friday, March 7, 2008

MIX and SDWest in one week!

This week was intense... I started off the week juggling office time with SD West on Monday and managed to catch some post-session goodness. Day two I couldn't quite get there in time for the end of day sessions and was frantically searching for an extra MIX 08 ticket.

Well, my luck turned (and so did Rich's) around 8:30 when I got the 'Dude I can't make it, you want my spot?' call which, of course, I did. So, booked a plane and flew to Sin City at 6:15 AM.

I can't even count anymore the number of times I talked with someone for half an hour just to find out I already knew them, or happened upon a fellow session attendee to discover it was none other than Scott Ha (aka. Your Ha-ness). Let's just say that what started out as a solo trip turned into a whirlwind networking extravaganza that ranged from most of the ASP.Net (MVC/Silverlight/UIX/etc) product teams [you guys rock by the way, I'll party with you any time] to Component One's dev team [Good times at Treasure Island] to old friends I haven't seen in years [Ping back to you James].

So anyways, if you're reading this and are from Microsoft can you have the MIX board people let me know what topic I'm picking up for next year's conference? No, seriously... I'm making it a personal goal to present at MIX by 2011, I've already got SDWest and VSLive this year so it's only natural.

I need to recoup a bit tonight but will try to get a tech post up in the next day or two... my problem at the moment is simply indecision on which topic to start on!