Building Snoopy Pro from the source distribution
- Download the source package from http://sourceforge.net/projects/usbsnoop
- Open it in Visual Studio. Depending on the version of the IDE you're using, you might be asked to upgrade the project files. I certainly was.
- The project complained about a missing header wdm.h when I tried to compile. It turns out that WDM is a Windows device driver abstraction layer. I downloaded the Windows XP device driver kit (130 MB) from the MSDN subscriber downloads page. If you're not a subscriber this might be a little hard. Microsoft isn't freely distributing this, and you won't be getting it from me. I guess that's one of the reasons Open Source is better -- it seems a little weird that you have to pay to write drivers to support someone's platform.
- Order the Windows DDK. The Microsoft® Windows® Driver Development Kit (DDK) is available now. We will not be offering this kit as a download on this Web site. However, it is part of the standard MSDN® subscription download and ships with the standard edition.
http://www.microsoft.com/whdc/ddk/winddk.mspx
- Wait for the 130 MB download
- Install the DDK. This takes a long time.
- TODO ADDING LIBRARY AND INCLUDE PATHS
- Now I did a build within Visual Studio .NET, and got:
(Indents show where I have manually broken lines)
UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)"
    (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol @_RTC_CheckStackVars@8
    referenced in function "long __stdcall GetRegistryDword(unsigned short *,
    unsigned short *,unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
UsbSnoop error LNK2019: unresolved external symbol ___security_cookie
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)"
    (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol __RTC_CheckEsp
    referenced in function "long __stdcall GetRegistryDword(unsigned short *,
    unsigned short *, unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
UsbSnoop fatal error LNK1120: 6 unresolved externals
UsbSnoop warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' specification
- CheckEsp() is something which the debug builds do for you so that you're aware when you have mucked up a call. ESP is the stack pointer on the x86 CPU.
- Changing to a release build (that was a debug build obviously), got this error list down to:
UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)"
    (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol ___security_cookie
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)"
    (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop fatal error LNK1120: 2 unresolved externals
- A little bit of grepping later, and I have:
./wxp/i386/BufferOverflow.lib: [ 92](sec 21)(fl 0x00)(ty 20)(scl 2) (nx 1) 0x00000000 @__security_check_cookie@4
./wxp/i386/BufferOverflow.lib: @__security_check_cookie@4 :
- This is objdump output, and it tells me that the call I need is in the library called BufferOverflow.lib, in wxp/i386. Wow, I didn't know there was a need to implement buffer overflows in a separate library, I thought you got them for free with most code!
- TODO ADDING LIBRARY
- It never ends, because then we get (I'm compiling this on a Windows XP machine):
UsbSnoop error PRJ0019: A tool returned an error code: "Performing Custom Build Step"
UsbSnoop warning LNK4096: /BASE value '0x10000' is invalid for Windows 95 and Windows 98;
    image may not run
UsbSnoop warning LNK4210: .CRT section exists; there may be unhandled static initializers
    or terminators
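
What the two symbols left unresolved in the release build are for, as an added example that is not code from Snoopy Pro or from Microsoft's runtime: a function compiled with the /GS switch stores a copy of ___security_cookie in its stack frame on entry and hands it to __security_check_cookie before returning. The frame is simulated here with a struct so the overrun stays inside one object; demo_cookie, struct frame, check_cookie and guarded_copy are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ___security_cookie. The real value is set at
   startup; this constant is constructed for the demonstration. */
static const uintptr_t demo_cookie = 0x5EC0C00Cu;

/* Models one stack frame: the local buffer sits directly below the cookie
   copy, so a linear overrun of buf reaches the cookie first. */
struct frame {
    char      buf[16];
    uintptr_t cookie;
};

/* Stand-in for the epilogue call: nonzero if the frame copy is intact. */
static int check_cookie(uintptr_t frame_copy)
{
    return frame_copy == demo_cookie;
}

/* Copies len bytes of src into the frame without checking len against
   sizeof buf, then runs the epilogue check. Returns 0 if the cookie is
   intact, -1 if it was overwritten. len is capped at the size of the whole
   simulated frame so the simulation itself never writes out of bounds. */
int guarded_copy(const void *src, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = demo_cookie;                 /* prologue: store cookie copy */

    if (len > sizeof f)
        len = sizeof f;
    memcpy((unsigned char *)&f, src, len);  /* the unchecked copy */

    return check_cookie(f.cookie) ? 0 : -1; /* epilogue: compare */
}

int main(void)
{
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);       /* constructed input */

    printf("16 bytes (fits buf):    %d\n", guarded_copy(input, 16));
    printf("17 bytes (one too many): %d\n", guarded_copy(input, 17));
    return 0;
}
```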
Unfortunately, I couldn't get Snoopy Pro to always work for me. It would say that the device was being sniffed, but no traffic would be logged. Obviously, the thing to do was download the source code, and run it in a debugger. Here's the steps I went through to get the code to compile on my Windows XP machine running Visual Studio .NET...
