c++ code anti GG...
but for some reaso idk why i cant compilate or make it work
say i have some missing files " ntoskrnl.h and driver.h "
btw maybe someone here can make it works or explain the code...
Code:
//prevents GameMon from deleting dump_wmimmc.sys
//by hooking of ZwCreateFile
//
//Fyyre
//http://fyyre.l2-fashion.de
//
//
#define UNICODE
#define VER_PRODUCTBUILD 2600
#define _X86_
#include "ntoskrnl.h"
#include "driver.h"
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
typedef NTSTATUS (__stdcall *ZWCREATEFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize ,ULONG FileAttributes,ULONG ShareAccess,ULONG CreateDisposition,ULONG CreateOptions,PVOID EaBuffer ,ULONG EaLength);
ZWCREATEFILE ntoskrnl_ZwCreateFile;
PDEVICE_OBJECT ThisDevice;
PDRIVER_OBJECT ThisDriver;
UNICODE_STRING DeviceNameString;
UNICODE_STRING DestinationString;
PEPROCESS pProcess = 0;
ULONG NtosBase;
NTSTATUS
NewZwCreateFile(PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength)
{
PEPROCESS pProcess = PsGetCurrentProcess();
PCHAR FileName = (PCHAR) pProcess->ImageFileName;
//Determine the name of the calling process, is it GameMon.des...
if(strcmpinA("GameMon.des", FileName, \
strlenA("GameMon.des")) == NULL)
{
//and does he want to create/obtain handle of dump_wmimmc.sys?
if(strcmpW(ObjectAttributes->ObjectName->Buffer, L"dump_wmimmc"))
{
DbgPrint("GameMon sent CreateFile request...\r\n");
//filter for: CreateOptions FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE | FILE_DELETE_ON_CLOSE
//DesiredAccess: GENERIC_READ | READ_ATTRIBUTES | DELETE
if ((DesiredAccess == 0x400100D0) || (CreateOptions == 0x1060))
{
DbgPrint("ZwCreateFile: FileHandle: %x DesiredAccess: %x AllocationSize: %x ShareAccess: %x\r\n CreateDisposition: %x CreateOptions: %x\r\n", FileHandle, DesiredAccess, AllocationSize, ShareAccess, CreateDisposition, CreateOptions);
//GameMon will not delete dump_wmimmc.sys now =))
return ntoskrnl_ZwCreateFile(FileHandle,
GENERIC_READ | READ_ATTRIBUTES,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
EaBuffer,
EaLength);
}
}
}
return ntoskrnl_ZwCreateFile(FileHandle,
DesiredAccess,
ObjectAttributes,
IoStatusBlock,
AllocationSize,
FileAttributes,
ShareAccess,
CreateDisposition,
CreateOptions,
EaBuffer,
EaLength);
}
VOID DoStuff()
{
//NtosBase = (ULONG)FindNtosBase();
//DbgPrint("ntoskrnl base address: %x\r\n", NtosBase);
memopen();
ntoskrnl_ZwCreateFile = (ZWCREATEFILE)i386InterlockedExchangeUlong((PULONG)&SYSTEMSERVICE(ZwCreateFile),
(ULONG)NewZwCreateFile);
memclose();
}
VOID __stdcall Unload(IN PDRIVER_OBJECT DriverObject)
{
memopen();
i386InterlockedExchangeUlong((PULONG)&SYSTEMSERVICE(ZwCreateFile), (ULONG)ntoskrnl_ZwCreateFile);
memclose();
IoDeleteDevice(DriverObject->DeviceObject);
}
NTSTATUS __stdcall HandleCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = NULL;
IofCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS __stdcall DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
NTSTATUS Status;
UNREFERENCED_PARAMETER(RegistryPath);
RtlInitUnicodeString(&DeviceNameString, L"\\Device\\this");
Status = IoCreateDevice(DriverObject, NULL, &DeviceNameString, FILE_DEVICE_UNKNOWN, NULL, FALSE, &ThisDevice);
if (Status == STATUS_SUCCESS)
{
DriverObject->DriverUnload = &Unload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = &HandleCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = &HandleCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &HandleCreateClose;
}
DoStuff();
return STATUS_SUCCESS;
}
