Content here is by:
Michael Still
mikal@stillhq.com

Snoopy Pro is a USB sniffer application / driver which you run on Windows machines to reverse engineer what the Windows driver for a device is doing. I first got into it when I was playing with support for the ICM532 web cam under Linux.



Sat, 18 Dec 2004



Compiling SnoopyPro

    Once again I had a need to compile SnoopyPro, and once again after about 45 minutes of effort I gave up. I came to the simple conclusion that because I have the log files already, and just want to step through the analysis of those, I have no real need for almost all of the code in the project... I just need the SnoopyPro bit to compile so I can run it in the debugger.

    To get SnoopyPro itself to compile, all I needed to do was edit the resource file so that there were no references to the .sys files which the driver builds. You can put anything here really, so long as it is a real file on disc... I used readme.txt.

    Magically, now I have a Visual Studio 2003 solution with just SnoopyPro, which compiles nicely for me. I've made it available for download here in case I need it again.

    (You'll still need the device driver kit from MSDN installed, as you need usbioctl.h. For Windows Server 2003, this is in the c:\winddk\3790\inc\wnet directory, and needs to be added to the list of directories found at Tools / Options / Projects / VC++ Directories / Include files.)

posted at: 14:19 | path: /snoopypro | permanent link to this entry


Mon, 26 May 2003



Building Snoopy Pro from the source distribution

    Unfortunately, I couldn't get Snoopy Pro to always work for me. It would say that the device was being sniffed, but no traffic would be logged. Obviously, the thing to do was download the source code, and run it in a debugger. Here are the steps I went through to get the code to compile on my Windows XP machine running Visual Studio .NET...

    • Download the source package from http://sourceforge.net/projects/usbsnoop
    • Open it in Visual Studio. Depending on the version of the IDE you're using, you might be asked to upgrade the project files. I certainly was.
    • The project complained about a missing header wdm.h when I tried to compile. It turns out that WDM is a Windows device driver abstraction layer. I downloaded the Windows XP device driver kit (130 MB) from the MSDN subscriber downloads page. If you're not a subscriber this might be a little hard. Microsoft isn't freely distributing this, and you won't be getting it from me. I guess that's one of the reasons Open Source is better -- it seems a little weird that you have to pay to write drivers to support someone's platform.

        Order the Windows DDK. The Microsoft® Windows® Driver Development Kit (DDK) is available now. We will not be offering this kit as a download on this Web site. However, it is part of the standard MSDN® subscription download and ships with the standard edition.
        http://www.microsoft.com/whdc/ddk/winddk.mspx
    • Wait for the 130 MB download
    • Install the DDK. This takes a long time.
    • TODO ADDING LIBRARY AND INCLUDE PATHS
    • Now I did a build within Visual Studio .NET, and got:
      (Indents show where I have manually broken lines)
      
      UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
      UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
      UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
      UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
      UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
      UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
      UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
      UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
      UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4 
         referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
         struct _DEVICE_OBJECT *)" 
         (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
      UsbSnoop error LNK2019: unresolved external symbol @_RTC_CheckStackVars@8 
         referenced in function "long __stdcall GetRegistryDword(unsigned short *,
         unsigned short *,unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
      UsbSnoop error LNK2019: unresolved external symbol ___security_cookie 
         referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
         struct _DEVICE_OBJECT *)" 
         (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
      UsbSnoop error LNK2019: unresolved external symbol __RTC_CheckEsp referenced in 
         function "long __stdcall GetRegistryDword(unsigned short *,unsigned short *,
         unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
      UsbSnoop fatal error LNK1120: 6 unresolved externals
      UsbSnoop warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' 
         specification
      
    • _RTC_CheckEsp is one of the Visual C++ run-time error checks (the /RTC options) that debug builds enable: after each call it verifies that ESP, the x86 stack pointer, still has the value it had before the call, so a calling-convention mismatch is caught at the call site instead of silently corrupting the stack. The other _RTC_* symbols (_RTC_InitBase, _RTC_Shutdown, _RTC_CheckStackVars) belong to the same run-time checking support, which lives in the user-mode C run time and is not available to a kernel driver.
    • Changing to a release build (that was a debug build, obviously), got this error list down to:
      UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4 
         referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
         struct _DEVICE_OBJECT *)" 
         (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
      UsbSnoop error LNK2019: unresolved external symbol ___security_cookie 
         referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
         struct _DEVICE_OBJECT *)" 
         (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
      UsbSnoop fatal error LNK1120: 2 unresolved externals
      
    • A little bit of grepping later, and I have:
      ./wxp/i386/BufferOverflow.lib: [ 92](sec 21)(fl 0x00)(ty  20)(scl   2) (nx 1) 
         0x00000000 @__security_check_cookie@4
      ./wxp/i386/BufferOverflow.lib: @__security_check_cookie@4 :
      
    • This is objdump output, and it tells me that the call I need is in the library called BufferOverflow.lib, in wxp/i386. Wow, I didn't know there was a need to implement buffer overflows in a separate library, I thought you got them for free with most code!
    • TODO ADDING LIBRARY
    • It never ends, because then we get (I'm compiling this on a Windows XP machine):
      UsbSnoop error PRJ0019: A tool returned an error code: "Performing Custom Build 
         Step"
      UsbSnoop warning LNK4096: /BASE value '0x10000' is invalid for Windows 95 and 
         Windows 98; image may not run
      UsbSnoop warning LNK4210: .CRT section exists; there may be unhandled static 
         initializers or terminators
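
The two symbols that survived the switch to a release build, __security_cookie and __security_check_cookie, are what the Visual C++ compiler emits for its /GS buffer security check (the stack cookie): the prologue of a function with a local character array stores a copy of the cookie between that array and the return address, and the epilogue calls __security_check_cookie to compare it before returning. User-mode programs get both from the C run time; a kernel driver built with /GS has to link the DDK's BufferOverflow.lib to get them, which is why the grep above finds it there. What follows is an added example, not SnoopyPro's code and not Microsoft's implementation, that models the mechanism in plain C so you can see what the check catches: the frame is a byte array so that overrunning the buffer stays well-defined C, the cookie is a constructed constant rather than the random per-process value a real build seeds at start-up, and the names security_cookie, security_check_cookie, gs_failures and copy_into_guarded_buffer are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Process-wide cookie, the analogue of MSVC's __security_cookie. A real
 * /GS build seeds it with a per-process random value at start-up; this is
 * a constructed constant so the example is deterministic. */
const uintptr_t security_cookie = (uintptr_t)0x0BADC0DEUL;

/* Number of times the epilogue check has fired. Stands in for MSVC's
 * __report_gsfailure, which terminates the process instead of counting. */
int gs_failures = 0;

/* Analogue of __security_check_cookie: the compiler-generated epilogue
 * passes in the cookie read back from the frame; any difference from the
 * global value means the buffer below it was overrun. Returns 1 if intact. */
int security_check_cookie(uintptr_t cookie)
{
    if (cookie == security_cookie)
        return 1;
    gs_failures++;
    return 0;
}

enum { BUF_SIZE = 8 };

/* Model of a /GS-protected frame: the local buffer sits directly below the
 * cookie slot, which in turn sits below the saved return address. The frame
 * is one byte array so that overrunning buf into the cookie slot is
 * well-defined C. A real overrun would continue past the cookie into the
 * return address; the cookie check is what keeps that from going unnoticed. */
int copy_into_guarded_buffer(const char *src, size_t len)
{
    unsigned char frame[BUF_SIZE + sizeof(uintptr_t)];
    uintptr_t cookie;

    /* Prologue: store the cookie just above the buffer. */
    memcpy(frame + BUF_SIZE, &security_cookie, sizeof security_cookie);

    /* The vulnerable part: an unchecked copy into an 8 byte buffer.
     * Clamped to the frame size only so the demo stays inside its array. */
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(frame, src, len);

    /* Epilogue: read the cookie back and verify it before "returning". */
    memcpy(&cookie, frame + BUF_SIZE, sizeof cookie);
    return security_check_cookie(cookie);
}

int main(void)
{
    /* Constructed inputs: two that fit the buffer, one that overruns it. */
    const char *inputs[] = { "hello", "exactly8", "AAAAAAAAAAAAAAAA" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ok = copy_into_guarded_buffer(inputs[i], strlen(inputs[i]));
        printf("%-18s -> cookie %s\n", inputs[i], ok ? "intact" : "CLOBBERED");
    }
    printf("%d overrun(s) detected\n", gs_failures);
    return 0;
}
```

The check only fires on the way out of the function, so a corrupted return address is never used, but anything the overrun did to other locals before the epilogue has already happened; that, and the fact that a leaked cookie lets an attacker write it back intact, is why /GS is a mitigation rather than a fix for the unchecked copy.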
      


posted at: 07:00 | path: /snoopypro | permanent link to this entry