stillhq.com : Mikal, a geek from Canberra living in Silicon Valley (no blather posts) http://www.stillhq.com
The life, times, travel and software of Michael Still (no blather posts)
Copyright (c) Michael Still 2000 - 2006

Compiling SnoopyPro /snoopypro Sat, 18 Dec 2004 14:19:00 GMT

Once again I had a need to compile SnoopyPro, and once again after about 45 minutes of effort I gave up. I came to the simple conclusion that because I already have the log files, and just want to step through the analysis of those, I have no real need for almost all of the code in the project... I just need the SnoopyPro bit to compile so I can run it in the debugger.
<br/><br/>
To get SnoopyPro itself to compile, all I needed to do was edit the resource file so that there were no references to the .sys files which the driver builds. You can put anything here really, so long as it is a real file on disc... I used readme.txt.
<br/><br/>
Magically, now I have a Visual Studio 2003 solution with just SnoopyPro, which compiles nicely for me. I've made it available for download <a href="/snoopypro/snoopypro-only-0.22.zip">here</a> in case I need it again.
<br/><br/>
(You'll still need the device driver kit from MSDN installed, as you need usbioctl.h. For Windows Server 2003, this is in the c:\winddk\3790\inc\wnet directory, and needs to be added to the list of directories found at Tools / Options / Projects / VC++ Directories / Include files.)
<br/><br/>
<a href="http://www.stillhq.com/snoopypro/000002.commentform.html">Comment</a> http://www.stillhq.com/snoopypro/000002.html

Building Snoopy Pro from the source distribution /snoopypro Mon, 26 May 2003 07:00:00 GMT

Unfortunately, I couldn't get Snoopy Pro to always work for me. It would say that the device was being sniffed, but no traffic would be logged.
Obviously, the thing to do was download the source code, and run it in a debugger. Here are the steps I went through to get the code to compile on my Windows XP machine running Visual Studio .NET...
<br><br>
<ul>
<li>Download the source package from <a href="http://sourceforge.net/projects/usbsnoop">http://sourceforge.net/projects/usbsnoop</a>
<li>Open it in Visual Studio. Depending on the version of the IDE you're using, you might be asked to upgrade the project files. I certainly was.
<li>The project complained about a missing header <i>wdm.h</i> when I tried to compile. It turns out that <a href="http://www.microsoft.com/whdc/hwdev/driver/wdm/wdm.mspx">WDM</a> is a Windows device driver abstraction layer. I downloaded the Windows XP device driver kit (130 MB) from the MSDN subscriber downloads page. If you're not a subscriber this might be a little hard. <a href="http://www.microsoft.com">Microsoft</a> isn't freely distributing this, and you won't be getting it from me. I guess that's one of the reasons Open Source is better -- it seems a little weird that you have to pay to write drivers to support someone's platform.
<br><br>
<ul><i>Order the Windows DDK. The Microsoft® Windows® Driver Development Kit (DDK) is available now. We will not be offering this kit as a download on this Web site. However, it is part of the standard MSDN® subscription download and ships with the standard edition.</i><br>
<a href="http://www.microsoft.com/whdc/ddk/winddk.mspx">http://www.microsoft.com/whdc/ddk/winddk.mspx</a></ul>
<li><i>Wait for the 130 MB download</i>
<li>Install the DDK. This takes a <i>long</i> time.
<li>TODO ADDING LIBRARY AND INCLUDE PATHS
<li>Now I did a build within Visual Studio .NET, and got:
<pre>
(Indents show where I have manually broken lines)
UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
UsbSnoop error LNK2001: unresolved external symbol __RTC_CheckEsp
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_InitBase
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2001: unresolved external symbol __RTC_Shutdown
UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)" (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol @_RTC_CheckStackVars@8
    referenced in function "long __stdcall GetRegistryDword(unsigned short *,
    unsigned short *,unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
UsbSnoop error LNK2019: unresolved external symbol ___security_cookie
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)" (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol __RTC_CheckEsp
    referenced in function "long __stdcall GetRegistryDword(unsigned short *,
    unsigned short *, unsigned long *)" (?GetRegistryDword@@YGJPAG0PAK@Z)
UsbSnoop fatal error LNK1120: 6 unresolved externals
UsbSnoop warning LNK4075: ignoring '/INCREMENTAL' due to '/RELEASE' specification
</pre>
<li>CheckEsp() is something which the debug builds do for you so that you're aware when you have mucked up a call. ESP is the stack pointer on the x86 CPU.
<li>Changing to a release build (that was a debug build obviously), got this error list down to:
<pre>
UsbSnoop error LNK2019: unresolved external symbol @__security_check_cookie@4
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)" (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop error LNK2019: unresolved external symbol ___security_cookie
    referenced in function "long __stdcall AddDevice(struct _DRIVER_OBJECT *,
    struct _DEVICE_OBJECT *)" (?AddDevice@@YGJPAU_DRIVER_OBJECT@@PAU_DEVICE_OBJECT@@@Z)
UsbSnoop fatal error LNK1120: 2 unresolved externals
</pre>
<li>A little bit of grepping later, and I have:
<pre>
./wxp/i386/BufferOverflow.lib: [ 92](sec 21)(fl 0x00)(ty 20)(scl 2) (nx 1) 0x00000000 @__security_check_cookie@4
./wxp/i386/BufferOverflow.lib: @__security_check_cookie@4 :
</pre>
<li>This is objdump output, and it tells me that the call I need is in the library called BufferOverflow.lib, in wxp/i386. Wow, I didn't know there was a need to implement buffer overflows in a separate library, I thought you got them for free with most code!
<li>TODO ADDING LIBRARY
<li>It never ends, because then we get (I'm compiling this on a Windows XP machine):
<pre>
UsbSnoop error PRJ0019: A tool returned an error code: "Performing Custom Build Step"
UsbSnoop warning LNK4096: /BASE value '0x10000' is invalid for Windows 95 and Windows 98; image may not run
UsbSnoop warning LNK4210: .CRT section exists; there may be unhandled static initializers or terminators
</pre>
</ul>
<br/><br/>
<a href="http://www.stillhq.com/snoopypro/000001.commentform.html">Comment</a> http://www.stillhq.com/snoopypro/000001.html
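The two symbols the linker was missing, <i>__security_cookie</i> and <i>__security_check_cookie</i>, are the compiler's /GS buffer-overrun detection support, which is why the DDK ships them in a library called BufferOverflow.lib: the driver was compiled with /GS, so every function with a local buffer stores a cookie in its prologue and verifies it in its epilogue, and the driver build has to link something that provides those routines. The program below is an added, user-mode model of that mechanism; it is not SnoopyPro code and not Microsoft's implementation. The cookie value, the byte-array frame layout and the function names are constructed for the illustration (real MSVC derives the cookie per process and mixes it with the frame address, and the real check routine terminates rather than returning).

```c
/* Added illustration: a user-mode model of the /GS stack-cookie check that
 * BufferOverflow.lib provides to drivers. Not SnoopyPro or Microsoft code;
 * cookie value, frame layout and names are constructed for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Stands in for the global __security_cookie (constructed value; MSVC
 * initialises the real one per process at startup). */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Stands in for __security_check_cookie: 1 if the cookie is intact, 0 if the
 * frame was overrun. The real routine never returns on a mismatch. */
static int security_check_cookie(uint32_t cookie)
{
    return cookie == security_cookie;
}

/* Copies len bytes of src into a 16-byte local buffer without checking len,
 * the defect /GS is designed to catch. The frame is modelled as a byte array
 * laid out the way the compiler lays it out: buffer first, cookie after it.
 * The copy is clamped to the modelled frame so this program itself never
 * writes outside memory it owns. Returns 0 when the cookie survives and 1
 * when an overrun was detected. */
int gs_protected_copy(const char *src, size_t len)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t cookie;

    /* Prologue: store the cookie just past the buffer. */
    memcpy(frame + BUF_SIZE, &security_cookie, sizeof security_cookie);

    /* Body: the unchecked copy. Anything past BUF_SIZE lands on the cookie. */
    size_t n = len < FRAME_SIZE ? len : FRAME_SIZE;
    memcpy(frame, src, n);

    /* Epilogue: read the cookie back and verify it before "returning". */
    memcpy(&cookie, frame + BUF_SIZE, sizeof cookie);
    return security_check_cookie(cookie) ? 0 : 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one four bytes too long. */
    const char *fits = "hello";
    const char *overrun = "AAAAAAAAAAAAAAAAAAAA";

    printf("5-byte input : %s\n",
           gs_protected_copy(fits, strlen(fits)) ? "overrun detected" : "cookie intact");
    printf("20-byte input: %s\n",
           gs_protected_copy(overrun, strlen(overrun)) ? "overrun detected" : "cookie intact");
    return 0;
}
```

The point of modelling it this way is that the check costs one store and one compare per protected function and catches the overrun at the epilogue, before the corrupted return address is used; that is exactly the behaviour a kernel driver gets by linking BufferOverflow.lib, and why the release-build link fails rather than silently dropping the protection when the library is absent.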