Anthropic-Cybersecurity-Skills/skills/performing-thick-client-application-penetration-test/references/api-reference.md

API Reference: Thick Client Penetration Testing

Analysis Tools

Tool	Purpose	Target
dnSpy	.NET decompilation and debugging	.NET Framework/Core apps
ILSpy	.NET decompilation (read-only)	.NET assemblies
JD-GUI / JADX	Java decompilation	JAR/APK files
Ghidra / IDA Pro	Native binary reverse engineering	C/C++ executables
Procmon	File/registry/network activity monitoring	Any Windows app
Process Hacker	Process inspection, memory, DLLs	Running processes
Burp Suite	HTTP/HTTPS traffic interception	Client-server communication
Echo Mirage	TCP/UDP traffic interception	Non-HTTP protocols
Frida	Dynamic instrumentation	Any platform

Static Analysis Targets

Target	Search Pattern	Risk
Hardcoded credentials	password, secret, apikey in strings	Critical
Connection strings	jdbc:, Server=, mongodb://	Critical
SQL queries	SELECT, INSERT, UPDATE	Medium
URLs and endpoints	http://, https://	Info
Disabled SSL validation	ServerCertificateValidationCallback	High

DLL Hijacking Detection

Step	Tool	Action
1	Procmon	Filter: Result = NAME NOT FOUND, Path ends with .dll
2	Check	Verify if DLL search path includes writable directories
3	Validate	Test with benign DLL in writable directory

Local Storage Locations

Location	Type	Risk
%APPDATA%\<app>	Config, SQLite	Credential storage
%LOCALAPPDATA%\<app>	Cache, logs	Data leakage
HKCU\Software\<app>	Registry settings	Stored credentials
App install directory	Config files	Hardcoded secrets

Python Libraries

Library	Version	Purpose
sqlite3	stdlib	Audit local SQLite databases
re	stdlib	Pattern matching for credentials/URLs
subprocess	stdlib	Execute system analysis tools
pathlib	stdlib	File system traversal

References

• OWASP Thick Client Top 10: https://owasp.org/www-project-thick-client-top-10/
• dnSpy: https://github.com/dnSpy/dnSpy
• Procmon: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
• Frida: https://frida.re/docs/home/