c++ code anti GG...

11/17/2011 22:20 sheik_gray#1
Hi, I found this code by "Fyyre", but for a reason I can't work out I can't get it to compile or run.
The compiler reports two missing files: "ntoskrnl.h" and "driver.h". Both are quoted (project-local) includes rather than WDK headers, so they must come from the author's own sources — they are where KeServiceDescriptorTable, the EPROCESS layout and helpers such as memopen/memclose, strcmpinA, strlenA, strcmpW and i386InterlockedExchangeUlong are expected to come from.
Maybe someone here can get it working or explain the code...
Code:
//prevents GameMon from deleting dump_wmimmc.sys
//by hooking ZwCreateFile in the SSDT (32-bit build only: see _X86_ and SYSTEMSERVICE below)
//
//Fyyre
//http://fyyre.l2-fashion.de
//
//

#define UNICODE
#define VER_PRODUCTBUILD 2600
#define _X86_

#include "ntoskrnl.h"
#include "driver.h"

// Resolves a Zw* export to its slot in the system service table by reading the
// 32-bit value at byte offset +1 of the stub and using it as an index into
// KeServiceDescriptorTable.ServiceTableBase. Presumably that value is the
// immediate of the `mov eax, <index>` that opens each x86 Zw stub -- this is
// build- and architecture-specific (hence the _X86_ / VER_PRODUCTBUILD 2600
// defines above), so verify the stub layout against the target kernel before use.
// Evaluated for both the hook (DoStuff) and the restore (Unload).
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

// Signature of ZwCreateFile, used for the saved original pointer below.
typedef NTSTATUS (__stdcall *ZWCREATEFILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES  ObjectAttributes, PIO_STATUS_BLOCK  IoStatusBlock, PLARGE_INTEGER  AllocationSize ,ULONG  FileAttributes,ULONG  ShareAccess,ULONG  CreateDisposition,ULONG  CreateOptions,PVOID  EaBuffer ,ULONG  EaLength);

// Original SSDT entry for ZwCreateFile: captured by the exchange in DoStuff,
// called through by NewZwCreateFile, written back by Unload.
ZWCREATEFILE ntoskrnl_ZwCreateFile;

PDEVICE_OBJECT	ThisDevice;		// \Device\this, created in DriverEntry
PDRIVER_OBJECT	ThisDriver;		// NOTE(review): never assigned in the visible code

UNICODE_STRING	DeviceNameString;	// initialised to L"\\Device\\this" in DriverEntry
UNICODE_STRING	DestinationString;	// NOTE(review): unused in the visible code

// NOTE(review): unused; NewZwCreateFile declares a local of the same name that
// shadows this global.
PEPROCESS pProcess = 0;

// NOTE(review): only referenced from commented-out code in DoStuff.
ULONG NtosBase;

// Replacement for the ZwCreateFile SSDT entry. For every NtCreateFile system
// call it checks whether the caller's image name starts with "GameMon.des" and
// whether the requested object name refers to dump_wmimmc; if the request also
// carries the DELETE-style access mask / FILE_DELETE_ON_CLOSE create options it
// was observed with, the call is forwarded with DELETE and FILE_DELETE_ON_CLOSE
// stripped. Every other call is passed through unchanged. Returns whatever the
// original ZwCreateFile returns; the caller sees its own handle and IoStatusBlock
// and has no indication that its arguments were rewritten.
//
// NOTE(review): this runs in the context of the calling thread for user-mode
// syscalls as well, so ObjectAttributes, ObjectName and Buffer are caller-supplied
// pointers. They are dereferenced below without a NULL check, without
// ProbeForRead and outside any __try/__except, so a malformed call from a
// process named GameMon.des (or a TOCTOU swap of the buffer) faults the kernel.
// Nothing visible in this file mitigates that.
NTSTATUS
NewZwCreateFile(PHANDLE FileHandle,
				ACCESS_MASK DesiredAccess,
				POBJECT_ATTRIBUTES ObjectAttributes,
				PIO_STATUS_BLOCK IoStatusBlock,
				PLARGE_INTEGER AllocationSize,
				ULONG FileAttributes,
				ULONG ShareAccess,
				ULONG CreateDisposition,
				ULONG CreateOptions,
				PVOID EaBuffer,
				ULONG EaLength)
{
	// Local shadows the file-scope pProcess. ImageFileName is read through the
	// EPROCESS layout supplied by ntoskrnl.h -- presumably a short fixed-size
	// array; confirm the offset matches build 2600 and that the field is always
	// NUL-terminated before relying on the prefix compare below.
	PEPROCESS pProcess = PsGetCurrentProcess();
	PCHAR FileName = (PCHAR) pProcess->ImageFileName;

	// Prefix compare of the caller's image name against "GameMon.des"
	// (strcmpinA/strlenA come from driver.h). The result is compared with NULL,
	// i.e. 0, so the branch is taken when the helper reports a match. Note this
	// identifies the process by name only, which any process can choose.
	if(strcmpinA("GameMon.des", FileName, \
		strlenA("GameMon.des")) == NULL)
	{
		// Does the object name refer to dump_wmimmc? strcmpW comes from driver.h;
		// the branch is taken on a NON-zero return, which under the C strcmp
		// convention would mean "differs", so it is presumably a match/substring
		// helper -- confirm its contract. Also: a UNICODE_STRING Buffer is
		// length-counted and not guaranteed NUL-terminated, so a terminator-
		// scanning compare can read past the end; the Length field is ignored here.
		if(strcmpW(ObjectAttributes->ObjectName->Buffer, L"dump_wmimmc"))
		{
			DbgPrint("GameMon sent CreateFile request...\r\n");

			// Exact-match filter on two observed argument values.
			// 0x1060 decodes to FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE
			// | FILE_DELETE_ON_CLOSE, as the original comment says.
			// NOTE(review): 0x400100D0 does not decode cleanly to the
			// "GENERIC_READ | READ_ATTRIBUTES | DELETE" named in the original
			// comment -- confirm the literal against a trace. Because the test is
			// `==` rather than a mask check, any other flag combination falls
			// through to the unmodified call; this path also only covers
			// NtCreateFile itself.
 			if ((DesiredAccess == 0x400100D0) || (CreateOptions == 0x1060))
 			{
 				DbgPrint("ZwCreateFile: FileHandle: %x DesiredAccess: %x AllocationSize: %x ShareAccess: %x\r\n CreateDisposition: %x CreateOptions: %x\r\n", FileHandle, DesiredAccess, AllocationSize, ShareAccess, CreateDisposition, CreateOptions);
 				// Forward with DELETE dropped from the access mask and
 				// FILE_DELETE_ON_CLOSE dropped from the create options; every
 				// other argument is passed through as received. READ_ATTRIBUTES
 				// is whatever ntoskrnl.h defines it as (not a WDK name).
 				return ntoskrnl_ZwCreateFile(FileHandle,
 									GENERIC_READ | READ_ATTRIBUTES,
 									ObjectAttributes,
 									IoStatusBlock,
 									AllocationSize,
 									FileAttributes,
 									ShareAccess,
 									CreateDisposition,
 									FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
 									EaBuffer,
 									EaLength);
 			}
		}
	}
	// Default: transparent pass-through to the saved original entry point.
	return ntoskrnl_ZwCreateFile(FileHandle,
								 DesiredAccess,
								 ObjectAttributes,
								 IoStatusBlock,
								 AllocationSize,
								 FileAttributes,
								 ShareAccess,
								 CreateDisposition,
								 CreateOptions,
								 EaBuffer,
								 EaLength);
}


// Installs the hook: atomically swaps NewZwCreateFile into the ZwCreateFile
// slot of the SSDT and keeps the previous value in ntoskrnl_ZwCreateFile so the
// hook can forward calls and Unload can restore the table.
// memopen()/memclose() come from driver.h and bracket the write; presumably they
// lift and restore write protection on the service table -- confirm in driver.h.
// NOTE(review): the exchange result is stored unconditionally, so if the slot
// was already hooked by something else that hook becomes our "original".
VOID DoStuff()
{
	PULONG serviceSlot;

	memopen();

	serviceSlot = (PULONG)&SYSTEMSERVICE(ZwCreateFile);
	ntoskrnl_ZwCreateFile = (ZWCREATEFILE)i386InterlockedExchangeUlong(serviceSlot, (ULONG)NewZwCreateFile);

	memclose();
}


// DriverUnload: writes the saved original ZwCreateFile pointer back into the
// SSDT slot and deletes the device created in DriverEntry.
//
// NOTE(review): nothing here waits for threads that are already executing inside
// NewZwCreateFile. After DriverUnload returns the I/O manager is free to unmap the
// image, so a thread still inside the hook would then fault; a restore should be
// followed by a grace period or an in-flight counter before the image goes away.
// NOTE(review): the restore is unconditional -- if another component hooked the
// same slot after DoStuff ran, this write detaches it as well.
VOID __stdcall Unload(IN PDRIVER_OBJECT DriverObject)
{
	// Same bracketed exchange as DoStuff, in reverse.
	memopen();
	i386InterlockedExchangeUlong((PULONG)&SYSTEMSERVICE(ZwCreateFile), (ULONG)ntoskrnl_ZwCreateFile);
	memclose();

	// Deletes the first device on the driver's list; with the single device
	// created in DriverEntry that is the same object as ThisDevice.
	IoDeleteDevice(DriverObject->DeviceObject);

}


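// Dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and (as registered in
// DriverEntry) IRP_MJ_DEVICE_CONTROL on \Device\this. Completes every request
// with STATUS_SUCCESS and a zero byte count. Because IOCTLs land here too, any
// control code from any caller that can open the device is "accepted" without
// being acted on; callers cannot distinguish a supported IOCTL from an
// unsupported one.
//
// @param DeviceObject  unused
// @param Irp           request to complete; completed here, not passed down
// @return STATUS_SUCCESS always
NTSTATUS __stdcall HandleCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = STATUS_SUCCESS;
	// Information is a byte count, not a pointer: assigning NULL was a
	// pointer-to-integer conversion; 0 is the correct "no bytes transferred".
	Irp->IoStatus.Information = 0;
	IofCompleteRequest(Irp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}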


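// Driver entry point: creates \Device\this, registers the dispatch and unload
// routines, then installs the SSDT hook via DoStuff.
//
// Fix: the original hooked ZwCreateFile and returned STATUS_SUCCESS even when
// IoCreateDevice failed, in which case DriverUnload was never registered and the
// hook could never be removed. Device creation failure is now returned to the
// loader before anything is hooked.
//
// NOTE(review): IoCreateDevice is called without an explicit security descriptor,
// so who may open \Device\this (and thus reach HandleCreateClose for any IOCTL)
// is whatever the I/O manager's default for FILE_DEVICE_UNKNOWN allows -- confirm
// that is acceptable. ThisDriver is never assigned anywhere visible.
//
// @param DriverObject  driver object supplied by the loader
// @param RegistryPath  unused
// @return STATUS_SUCCESS once the device exists and the hook is installed,
//         otherwise the IoCreateDevice status
NTSTATUS __stdcall DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS Status;
	UNREFERENCED_PARAMETER(RegistryPath);

	RtlInitUnicodeString(&DeviceNameString, L"\\Device\\this");
	// Extension size and characteristics are integer parameters: pass 0, not NULL.
	Status = IoCreateDevice(DriverObject, 0, &DeviceNameString, FILE_DEVICE_UNKNOWN, 0, FALSE, &ThisDevice);
	if (Status != STATUS_SUCCESS)
	{
		// Bail before hooking: with no device there is no unload path.
		return Status;
	}

	DriverObject->DriverUnload							=	&Unload;
	DriverObject->MajorFunction[IRP_MJ_CREATE]			=	&HandleCreateClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE]			=	&HandleCreateClose;
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]	=	&HandleCreateClose;

	// Hook only once the unload routine that restores the table is in place.
	DoStuff();

	return STATUS_SUCCESS;
}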