end
end


Related posts:

1. feiq2008.2.5.0.0
2. QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
3. 2012

end
end


Related posts:

1. simple version of 2012-0158
2. QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
3. Internet Explorer Aurora Exploit

PDF:
数据流：
http://www.ccf.org.cn/sites/ccf/weekly/papers/王铁磊1.pdf

flash:

aslr bypass

http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf

http://kernelfun.blogspot.com/

http://browserfun.blogspot.com/

http://projects.info-pull.com/mokb/

http://www.abysssec.com/blog/2010/09/01/moaub-1/

Related posts:

1. android-adb-shell-cookie
2. Blogs, Feeds, Guides & Links[zz]

同时看到个PYTHON的POChere,什么叫“chinese shit”,那不是一个文明人应该说的话。

ANOTHER POC

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\031512-48641-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\sym*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16905.x86fre.win7_gdr.111025-1503
Machine Name:
Kernel base = 0×84813000 PsLoadedModuleList = 0x8495b810
Debug session time: Thu Mar 15 00:09:37.977 2012 (UTC + 8:00)
System Uptime: 0 days 4:51:31.285
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……………………………………………………….
……
Loading User Symbols
Loading unloaded module list
………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 939a0987, b43d9804, 0}

*** WARNING: Unable to verify timestamp for Hookport.sys
*** ERROR: Module load completed but symbols could not be loaded for Hookport.sys
Probably caused by : termdd.sys ( termdd!IcaBufferAllocEx+1b )

Followup: MachineOwner
———

1: kd> k
ChildEBP RetAddr
b43d9884 a4a11232 termdd!IcaBufferAllocEx+0x1b
b43d98a4 a4a2b405 RDPWD!WDICART_IcaBufferAllocEx+0×24
b43d98c8 a4a2b46e RDPWD!StackBufferAllocEx+0x5c
b43d98f4 a4a1c722 RDPWD!MCSDetachUserRequest+0×29
b43d9908 a4a170ff RDPWD!NMDetachUserReq+0×14
b43d9914 a4a1666c RDPWD!NM_Disconnect+0×16
b43d9920 a4a1c821 RDPWD!SM_Disconnect+0×27
b43d9930 a4a1c762 RDPWD!SM_OnConnected+0×70
b43d9950 a4a174d3 RDPWD!NMAbortConnect+0×23
b43d9990 a4a16f3c RDPWD!NM_Connect+0×68
b43d99b0 a4a14f64 RDPWD!SM_Connect+0x11d
b43d99ec a4a15764 RDPWD!WDWConnect+0×557
b43d9a28 a4a108df RDPWD!WDLIB_TShareConfConnect+0xa0
b43d9a3c 939a45f1 RDPWD!WDSYS_Ioctl+0x6c9
b43d9a58 939a4aa9 termdd!_IcaCallSd+0×37
b43d9a78 939a4f68 termdd!_IcaCallStack+0×57
b43d9ac0 939a2e91 termdd!IcaDeviceControlStack+0×466
b43d9af0 939a3065 termdd!IcaDeviceControl+0×59
b43d9b08 8484f4bc termdd!IcaDispatch+0x13f
b43d9b20 84a5144e nt!IofCallDriver+0×63
b43d9b40 84a6e23f nt!IopSynchronousServiceTail+0x1f8
b43d9bdc 84a70a1a nt!IopXxxControlFile+0x6aa
b43d9c10 855d0e7d nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
b43d9d04 8485648a Hookport+0x4e7d
b43d9d04 775d6194 nt!KiFastCallEntry+0x12a
02f0e7e8 00000000 0x775d6194
1: kd> r
eax=0a0b05ff ebx=a431f8f0 ecx=00000151 edx=00640075 esi=0a0b05ff edi=d7abdb00
eip=939a0987 esp=b43d9878 ebp=b43d9884 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
termdd!IcaBufferAllocEx+0x1b:
939a0987 8b4618 mov eax,dword ptr [esi+18h] ds:0023:0a0b0617=????????
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0×80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 939a0987, The address that the exception occurred at
Arg3: b43d9804, Trap Frame
Arg4: 00000000

Debugging Details:
——————

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – 0x%08lx

FAULTING_IP:
termdd!IcaBufferAllocEx+1b
939a0987 8b4618 mov eax,dword ptr [esi+18h]

TRAP_FRAME: b43d9804 — (.trap 0xffffffffb43d9804)
ErrCode = 00000000
eax=0a0b05ff ebx=a431f8f0 ecx=00000151 edx=00640075 esi=0a0b05ff edi=d7abdb00
eip=939a0987 esp=b43d9878 ebp=b43d9884 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
termdd!IcaBufferAllocEx+0x1b:
939a0987 8b4618 mov eax,dword ptr [esi+18h] ds:0023:0a0b0617=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from a4a11232 to 939a0987

STACK_TEXT:
b43d9884 a4a11232 d7abdb00 00000000 00d800b1 termdd!IcaBufferAllocEx+0x1b
b43d98a4 a4a2b405 d7abdb00 00000000 00d800b1 RDPWD!WDICART_IcaBufferAllocEx+0×24
b43d98c8 a4a2b46e b7a30c88 d7abdb00 00000000 RDPWD!StackBufferAllocEx+0x5c
b43d98f4 a4a1c722 c1edd270 00000010 a431f604 RDPWD!MCSDetachUserRequest+0×29
b43d9908 a4a170ff a431f8f0 b43d9920 a4a1666c RDPWD!NMDetachUserReq+0×14
b43d9914 a4a1666c a431f8f0 b43d9930 a4a1c821 RDPWD!NM_Disconnect+0×16
b43d9920 a4a1c821 a431f604 a431f8f0 b43d9950 RDPWD!SM_Disconnect+0×27
b43d9930 a4a1c762 a431f604 00000000 00000001 RDPWD!SM_OnConnected+0×70
b43d9950 a4a174d3 a431f8f0 00000002 a431f604 RDPWD!NMAbortConnect+0×23
b43d9990 a4a16f3c 0031f8f0 00000001 a431f3fe RDPWD!NM_Connect+0×68
b43d99b0 a4a14f64 a431f604 89e8cdc0 89e8cdcc RDPWD!SM_Connect+0x11d
b43d99ec a4a15764 a431f008 89e8ccdc 89e8cdc0 RDPWD!WDWConnect+0×557
b43d9a28 a4a108df a431f008 00000000 87a11260 RDPWD!WDLIB_TShareConfConnect+0xa0
b43d9a3c 939a45f1 a431f008 b43d9a98 8a6f0678 RDPWD!WDSYS_Ioctl+0x6c9
b43d9a58 939a4aa9 87a11260 00000005 b43d9a98 termdd!_IcaCallSd+0×37
b43d9a78 939a4f68 8a6f0670 00000005 b43d9a98 termdd!_IcaCallStack+0×57
b43d9ac0 939a2e91 8a6f0670 86eb0798 86eb0808 termdd!IcaDeviceControlStack+0×466
b43d9af0 939a3065 86eb0798 86eb0808 87a4a038 termdd!IcaDeviceControl+0×59
b43d9b08 8484f4bc 87fe48f8 86eb0798 86eb0798 termdd!IcaDispatch+0x13f
b43d9b20 84a5144e 87a4a038 86eb0798 86eb0808 nt!IofCallDriver+0×63
b43d9b40 84a6e23f 87fe48f8 87a4a038 00000000 nt!IopSynchronousServiceTail+0x1f8
b43d9bdc 84a70a1a 87fe48f8 86eb0798 00000000 nt!IopXxxControlFile+0x6aa
b43d9c10 855d0e7d 00000754 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
b43d9d04 8485648a 00000754 00000000 00000000 Hookport+0x4e7d
b43d9d04 775d6194 00000754 00000000 00000000 nt!KiFastCallEntry+0x12a
02f0e7e8 00000000 00000000 00000000 00000000 0x775d6194

STACK_COMMAND: kb

FOLLOWUP_IP:
termdd!IcaBufferAllocEx+1b
939a0987 8b4618 mov eax,dword ptr [esi+18h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: termdd!IcaBufferAllocEx+1b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: termdd

IMAGE_NAME: termdd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bcadf

FAILURE_BUCKET_ID: 0x8E_termdd!IcaBufferAllocEx+1b

BUCKET_ID: 0x8E_termdd!IcaBufferAllocEx+1b

Followup: MachineOwner
———

Related posts:

1. 2012
2. simple version of 2012-0158
3. darungrim

https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/

内存补丁

http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html

信息泄露，基质查找技术

通过覆盖JAVASRIPT内存结构的长度，完成读取不应该读取的内存

http://leetmore.ctf.su/CODEGATE2012

BIN500  2层VM解码+PYTHON解码。其实只用带一个就OK。。作者小粗心了下。。

BIN400 好怀念，，此处为暴力模拟键盘，autohotkey script,nice！

BIN300就是UNPACK+分析+识别

for500 又见trid,参见mark0.net/soft-trid-e.html

最近觉得BIN什么的也蛮好玩啦，VUL出题的话太难了。

No related posts.

各种怀念啊！

新年要有新计划，还是写下来约束力大点。

1.OS,BROWSER,MUTIL PLAYER 3个重点方向要有成果

2.完善理论，开发自用工具，向大虾学习。

3.忘记一些东东，稳定下来，培养新习惯。

4.实践新技术方向

Related posts:

1. 2012-0002
2. simple version of 2012-0158

http://115.com/file/cl3naedv

http://115.com/file/aqu3qzmk

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
# Date: 2011,11,21
# Author: hellok(warptencq[at]gmail.com)
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe
# Version: 32_845(lastest)
# Tested on: WIN7
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT

file_create(sploit)
end
end


Related posts:

1. simple version of 2012-0158
2. feiq2008.2.5.0.0
3. 记事

http://www.darungrim.org/

另转贴几篇文，墙什么的真DT。
原文在这里：http://exploitshop.wordpress.com/2011/10/12/ms11-077-vulnerabilities-in-windows-kernel-mode-drivers-could-allow-remote-code-execution-2567053/
MS11-077: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
Posted: 2011/10/12 | Author: lifeasageek | Filed under: Uncategorized |Leave a comment »
Download MS11-077 .fon buffer overrun exploit : my.fon.tar.gz
Download very simple *.fon* fuzzer like tool : ms11-077-fon-exploit.tar.gz

Related CVEs
Font Library File Buffer Overrun Vulnerability – CVE-2011-2003

Diffing Binary Information
win32k.sys win32k.dll: 6.1.7601.21744 (win7sp1_ldr.110610-1504) VS 6.1.7601.21811 (win7sp1_ldr.110905-1505) (on Windows 7, 32bit)

Descriptions
This posting is no technical analysis, but it is driven by hardcore & intuition based analysis to make 1-day exploit.

MS11-077 was confusing at the first time. Because it involves 4 different vulnerabilities, we should try to match up these vulnerabilities whenever we reverse engineer the function. This time I will not show the DarunGrim diffing results cause it showed around 50 different functions! Don’t get frustrated though. It’s not going to take that long time to take a look all of them. Within 10 secs for each of the function, you might be able to decide whether the function is interesting or not.

Before getting to the details, you may also look into these. Three functions seem to be related to the null dereference bugs (_NtUserfnINLBOXSTRING(), _NtUserfnSENTDDEMSG(), _InterQueueMsgCleanup()). The function, _ConvertToAndFromWideChar(), seem to be related to “Win32k Use After Free Vulnerability – CVE-2011-2011″. You must be able to understand what I am meaning by here as soon as you open up these functions with DarunGrim.

What I want to focus in this post is .FON buffer overrun bug (CVE-2011-2003). From DarunGrim diffing result, _BmfdOpenFontContext() showed the different point below.

What ??? Patched version only adds immediate value ’5′ to some value (add eax, 5), and that computed value is related to decide the size of allocation. Seems interesting but strange. It is time to see the details to understand the contexts. Here goes the disassembly around the changed BB of the old win32k.sys.

.text:90857F82 loc_90857F82: ; CODE XREF: BmfdOpenFontContext(x)+E2j
.text:90857F82 mov eax, [ebp+numElement]
.text:90857F85 add eax, 7
.text:90857F88 shr eax, 3
.text:90857F8B mov [ebp+var_4], ecx
.text:90857F8E cmp eax, 100h
.text:90857F93 jbe short loc_90857FA1
.text:90857F95 add eax, 28h
.text:90857F98 mov [ebp+var_4], 3
.text:90857F9F jmp short loc_90857FA4
.text:90857FA1
.text:90857FA1 loc_90857FA1: ; CODE XREF: BmfdOpenFontContext(x)+E7j
.text:90857FA1 ; BmfdOpenFontContext(x)+FAj
.text:90857FA1 mov eax, [ebp+preDefinedSize]
.text:90857FA4
.text:90857FA4 loc_90857FA4: ; CODE XREF: BmfdOpenFontContext(x)+106j
.text:90857FA4 push 64666D42h ; Tag
.text:90857FA9 push eax ; int
.text:90857FAA push 0 ; char
.text:90857FAC call _EngAllocMem@12 ; EngAllocMem(x,x,x)

This is the pseudo-code of these assembly. The variable naming was done at my convenience.

uint preDefinedSize = 0×28; // mov dword ptr [ebp-14h], 28h
sizeToAllocate = (numElement + 7) / 8;

if( sizeToAllocate <= 0×100)
sizeToAllocate = preDefinedSize;
else
sizeToAllocate += 0×28;

EngAllocMem(0, sizeToAllocate, 0x64666d42);

All right. In the patched version, the sizeToAllocate variable would be computed as “((numElement + 7) / 8 ) + 5″. After spending some time, we suspected some range of the values, which should have taken ‘else’ branch, mistakenly took ‘then’ branch. Because it took ‘then’ branch, the allocated size was too small and this small size of allocation would lead to buffer overrun later (We understand this interpretation is far from scientific or logical reverse engineering, but you should know that this sloppy logic is enough to write an 1-day exploit.)

More specifically, we suspected the numElement values, satisfying 0xaa <= (numElement +7) /8 <= 0×100, would cause trouble (though we don’t know why and how !). We got this false fail idea in the patched binary from D. Brumeley et al.’s paper, “Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications” (http://www.cs.berkeley.edu/~dawnsong/papers/apeg.pdf).

Things are getting clear. Our goal should be to find the input which satisfies the above statement. From the MS technet description, “improper handling of a specially crafted .fon font file”, and the function name _BmfdOpenFontContext(), which implies bitmap font driver something, we decided to manipulate .fon file. To play with .fon files, we implemented very simple ‘.fon’ file format recognizing fuzzer like tool. Using this tool, we figured ‘width’ field is related (see our *fuzzer* for details) to control numElement variable, and it leads to ‘heap overflow’ when the variable satisfies the vulnerable condition. What’s the interesting is that you only need to visit the directly containing .fon file to trigger bitmap font driver routines

I am attaching the .fon font file generated by our python codes (upon mkwinfont by Simon Tatham) and windbg crash dumps. We are not sure this bug can actually be used to execute the arbitrary codes, but we’d like to leave this question to you guys.

Download MS11-077 .fon buffer overrun exploit : my.fon.tar.gz
Download very simple *.fon* fuzzer like tool : ms11-077-fon-exploit.tar.gz

Breakpoint 1 hit
win32k!BmfdOpenFontContext+0xec:
90857f85 83c007 add eax,7
kd> r
eax=00000730 ebx=fe9aacf0 ecx=00000001 edx=00000001 esi=00000028 edi=fe7fc1f8
eip=90857f85 esp=8a2af8d0 ebp=8a2af904 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
win32k!BmfdOpenFontContext+0xec:
90857f85 83c007 add eax,7
kd> r eax
eax=00000730
kd> p
win32k!BmfdOpenFontContext+0xef:
90857f88 c1e803 shr eax,3
kd> p
win32k!BmfdOpenFontContext+0xf2:
90857f8b 894dfc mov dword ptr [ebp-4],ecx
kd> r eax
eax=000000e6
kd> g

*** Fatal System Error: 0×00000019
(0×00000020,0xFE1ED440,0xFE1ED5A0,0x4A2C000C)

Break instruction exception – code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7600 x86 compatible target at (Wed Oct 12 18:38:42.012 2011 (UTC – 4:00)), ptr64 FALSE
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………………..
Loading User Symbols
…………….
Loading unloaded module list
…..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, fe1ed440, fe1ed5a0, 4a2c000c}

Probably caused by : win32k.sys ( win32k!EngFreeMem+1f )

Followup: MachineOwner
———

nt!RtlpBreakWithStatusInstruction:
828be394 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: fe1ed440, The pool entry we were looking for within the page.
Arg3: fe1ed5a0, The next pool entry.
Arg4: 4a2c000c, (reserved)

Debugging Details:
——————

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: fe1ed440 Paged session pool

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 8292fe71 to 828be394

STACK_TEXT:
8a2af3b4 8292fe71 00000003 dda0d4a7 00000065 nt!RtlpBreakWithStatusInstruction
8a2af404 8293096d 00000003 fe1ed440 000001ff nt!KiBugCheckDebugBreak+0x1c
8a2af7c8 829721b6 00000019 00000020 fe1ed440 nt!KeBugCheck2+0x68b
8a2af844 9088c189 fe1ed448 00000000 fe7fc1d8 nt!ExFreePoolWithTag+0x1b1
8a2af858 90950204 fe1ed458 90959cdf fe40f480 win32k!EngFreeMem+0x1f
8a2af86c 90959cf5 fe1ed458 8a2af8d8 8a2af8b4 win32k!BmfdCloseFontContext+0×41
8a2af87c 90965501 fe40f480 00000000 8a2af930 win32k!BmfdDestroyFont+0×16
8a2af8b4 90965554 fe40f480 00000000 8a2afc70 win32k!PDEVOBJ::DestroyFont+0×67
8a2af8e4 908d0d1e 00000000 8a2af910 00000001 win32k!RFONTOBJ::vDeleteRFONT+0×33
8a2af928 908d2d15 fe40f480 050a071e 8a2afc70 win32k!RFONTOBJ::bMakeInactiveHelper+0x25a
8a2af984 908fba77 00000000 8a2afc70 00000000 win32k!RFONTOBJ::vMakeInactive+0×72
8a2afa04 908fbd74 8a2afc3c 00000000 00000004 win32k!RFONTOBJ::bInit+0xe3
8a2afa1c 908a4b2b 8a2afc3c 00000000 00000004 win32k!RFONTOBJ::vInit+0×16
8a2afcb8 908a4a2f 69010742 00000340 00000040 win32k!GreGetCharABCWidthsW+0×86
8a2afd14 8289642a 69010742 00000340 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
8a2afd14 76f864f4 69010742 00000340 00000040 nt!KiFastCallEntry+0x12a
0435e9ac 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!EngFreeMem+1f
9088c189 5e pop esi

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!EngFreeMem+1f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc2a2

FAILURE_BUCKET_ID: 0x19_20_win32k!EngFreeMem+1f

BUCKET_ID: 0x19_20_win32k!EngFreeMem+1f

Followup: MachineOwner

Related posts:

1. WAR3格式

No related posts.

如他所说。更新SDK，最新的DIRECTSHOW  SDK包含在WINDOWS SDK里面了。而非以往的DIRECTX 的SDK里面，或者是什么DirectX EXTRA SDK里面。

之前缺少strmbase.lib或是streams.h也是因为如此。strmbase.lib来自SAMPLE的第一个项目，编译下后面的添加引用就OK了。 

里面几个水印的例子很犀利啊！

They are located under the path [SDK Root] \Samples\Multimedia\DirectShow.

If there is additional documentation for a sample, the first column of this table links to it.

Additional Dependencies

Some of the samples link to the DirectShow base class library. To build these samples, you must first build the base class library. For more information, see DirectShow Base Classes. The base class library is required for all of the sample filters.

A few of the samples also require the DirectX SDK, in addition to the Windows SDK. To build these samples, you must install the DirectX SDK and set the %DXSDK_DIR% environment variable equal to your DirectX SDK installation path.

Many of the DirectShow samples use a set of common headers and source files located in the directrory [SDK Root]\Samples\Multimedia\DirectShow\Common. If you copy a sample folder to another directory, make sure to copy the Common folder as well.

Related posts:

1. 微软一站式示例代码库 4 月小结
2. jGrowl
3. Windows API Code Pack for Microsoft .NET Framework