保护电脑系统时间不被修改


本文通过WH_SHELL钩子配合HookAPI和远程线程注入,并以Windows服务(service)的形式运行,来阻止系统时间被修改。

其中

关于service程序编写参考了http://www.vckbase.com/。

HookApi、远程线程技术来源于网络。


本文HOOK如下函数:

OpenProcess(保护进程不被结束)

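SetLocalTime(禁止修改时间)。注意:这只是在已加载Hook模块的进程内做的用户态拦截,不构成安全边界;要可靠地禁止修改时间,应通过本地安全策略收回相应账户的“更改系统时间”用户权限(SeSystemtimePrivilege)。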

CreateProcessW(CreateProcessA在底层调用CreateProcessW;用于拦截SHELL创建的所有进程)

CreateProcessInternalW(拦截cmd创建的所有进程)


对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。

对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPI模块(本文通过创建远程线程实现)。


为了保证Hook有效,程序主体为service程序(由SYSTEM账户创建,并在explorer.exe运行之前启动)。

程序分为两个部分,主体service程序、Hook模块。

好了,见代码了。

以下为service程序主要代码

// timeprotects.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>
#include "service.h"

#pragma warning(disable:4101)

#pragma comment(lib,"timeprotect")


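/**
 * Command-line entry point of the TimeProtect service executable.
 *
 * With exactly one argument:
 *   "install"   - registers this executable as the service and starts it
 *                 (auto-start, according to the original author's comment).
 *   "uninstall" - stops and deletes the service.
 *   anything else is ignored.
 * With any other argument count the service body is run, unless
 * CheckServiceIsRunning() reports that it is already running.
 *
 * @return always 0, including when installation fails.
 */
int main(int argc,char* argv[])
{
	static const char *szServiceName="TimeProtect";

	if(argc==2)
	{
		if(!lstrcmpiA("install",argv[1]))
		{
			char szPath[MAX_PATH]="";

			// GetModuleFileNameA returns 0 on failure and the buffer size when the
			// path did not fit. In both cases szPath is not the real image path and
			// must not be registered as the service binary.
			const DWORD dwLen=GetModuleFileNameA(NULL,szPath,MAX_PATH);
			const bool bPathOk=(dwLen!=0 && dwLen<MAX_PATH);

			// NOTE(review): InstallService is not visible here. If it hands szPath
			// to the service control manager unquoted, a path containing spaces is
			// ambiguous for a service that runs as SYSTEM - confirm that it quotes
			// the binary path.
			if(!bPathOk || !ServiceManger::InstallService(szServiceName,szPath))
				MessageBox(NULL,"服务启动失败","提示",MB_OK);
		}
		else if(!lstrcmpiA("uninstall",argv[1]))
		{
			// Stop and delete the service.
			ServiceManger::UninstallService(szServiceName);
		}
	}
	else
	{
		// Normal start: run the service body only when it is not already running.
		if(!ServiceManger::CheckServiceIsRunning(szServiceName))
		{
			ServiceManger::Services service;
			service.RunService(szServiceName);
		}
	}

	return 0;
}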
//---------------------------------------------------------------------------

以下为HookAPI模块的主要代码。HookAPI的方法是:改写目标函数的前5个字节,把第一个字节改为0xE9(jmp),其后4个字节为相对偏移,从而跳转到自定义处理函数。

// timeprotect.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include "timeprotect.h"

// Export the two control functions by ordinal only (NONAME): ordinal 1 and ordinal 2.
// The leading underscore is presumably the x86 __cdecl-decorated form of the
// extern "C" functions defined later in this file - confirm for other targets.
#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")

// Everything between the two data_seg pragmas is placed in the ".shared" section,
// which the /SECTION directive below marks Read/Write/Shared: one copy of these
// variables is shared by every process that has this DLL loaded.
// NOTE(review): shared also means writable by every such process, whatever its
// privilege level. g_dwProcessId decides which PID MyOpenProcess refuses, and
// g_szModule is the DLL path handed to InjectModuleToProcessById by the
// CreateProcess hooks, so neither value can be treated as trustworthy. A hardened
// design would keep them out of a writable shared section (for example, re-derive
// the module path from g_hIns in each process).
#pragma data_seg (".shared")  
HHOOK g_hShellHook=NULL;        // WH_SHELL hook handle; set by AddApplicatinMonitor
DWORD g_dwProcessId=0;          // PID of the process that called AddApplicatinMonitor
char  g_szModule[MAX_PATH]="";  // path of this DLL, filled in by AddApplicatinMonitor
#pragma data_seg ()  

#pragma comment(linker, "/SECTION:.shared,RWS") 


// Per-process (not shared): module handle of this DLL, stored by DllMain.
HINSTANCE g_hIns=NULL;

// Number of hooked APIs; must match the slots used in Start() and End().
const int HOOKAPICOUNT=4;

// One hook object per API. Slot assignment is made in Start():
// [0] OpenProcess, [1] SetLocalTime, [2] CreateProcessW, [3] CreateProcessInternalW.
CHOOKAPI HookItem[HOOKAPICOUNT];


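/**
 * Replacement for kernel32!OpenProcess (hook slot HookItem[0]).
 *
 * Refuses to open the process whose PID is stored in g_dwProcessId (the
 * process that called AddApplicatinMonitor) and forwards every other request
 * to the original OpenProcess.
 *
 * This is a best-effort guard inside processes that have this DLL loaded, not
 * an access-control boundary: g_dwProcessId lives in a writable shared
 * section, and only this one kernel32 entry point is intercepted.
 *
 * @param dwDesiredAccess access mask requested by the caller
 * @param bInheritHandle  whether the returned handle is inheritable
 * @param dwProcessId     PID the caller wants to open
 * @return the handle from the original OpenProcess, or NULL with the last
 *         error set to ERROR_ACCESS_DENIED when the protected PID is requested
 */
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
{
	// Deny before touching the hook object. Callers of OpenProcess expect
	// GetLastError() to explain a NULL result; the original returned NULL and
	// left whatever stale error code happened to be set.
	if(dwProcessId==g_dwProcessId)
	{
		SetLastError(ERROR_ACCESS_DENIED);
		return NULL;
	}

	// NOTE(review): CHookapiManager is not visible here; it presumably makes the
	// original entry callable for the lifetime of this object - confirm.
	CHookapiManager manager(&HookItem[0]);
	lpfn_OpenProcess fOpenProcess=(lpfn_OpenProcess)manager.get()->GetOldFunEntry();
	return fOpenProcess(dwDesiredAccess,bInheritHandle,dwProcessId);
}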
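/**
 * Replacement for kernel32!SetLocalTime (hook slot HookItem[1]): always refuses.
 *
 * Only this one time-setting entry point is hooked in Start(), and only in
 * processes that have this DLL loaded. Treat it as a convenience block, not a
 * security control; the supported way to stop an account from changing the
 * clock is to withhold the "Change the system time" user right
 * (SeSystemtimePrivilege).
 *
 * @param lpSystemTime ignored
 * @return FALSE, with the last error set to ERROR_PRIVILEGE_NOT_HELD
 */
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME *lpSystemTime)
{
	(void)lpSystemTime;
	// Report the failure in the way callers of SetLocalTime already handle; the
	// original returned FALSE and left a stale last-error value behind.
	SetLastError(ERROR_PRIVILEGE_NOT_HELD);
	return FALSE;
}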

/**
 * Replacement for kernel32!CreateProcessW (hook slot HookItem[2]).
 *
 * Forwards the call unchanged to the original CreateProcessW and, when the
 * child was created, asks InjectModuleToProcessById to load the DLL named by
 * g_szModule into it. The parameters are those of CreateProcessW.
 *
 * @return the result of the original CreateProcessW
 *
 * NOTE(review): dwCreationFlags is passed through untouched, so unless the
 * caller asked for a suspended child it may already be running before the
 * injection happens. The injection result, if any, is not checked.
 * NOTE(review): g_szModule is read from the writable shared section; a hardened
 * version would derive the path from this module's own handle instead.
 */
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
							 IN LPWSTR lpCommandLine,
							 IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
							 IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
							 IN BOOL bInheritHandles,
							 IN DWORD dwCreationFlags,
							 IN LPVOID lpEnvironment,
							 IN LPCWSTR lpCurrentDirectory,
							 IN LPSTARTUPINFOW lpStartupInfo,
							 OUT LPPROCESS_INFORMATION lpProcessInformation
							 )
{
	// The guard stays alive for the whole function, as in the original.
	CHookapiManager hookGuard(&HookItem[2]);
	lpfn_CreateProcessW pfnOriginal=(lpfn_CreateProcessW)hookGuard.get()->GetOldFunEntry();

	const BOOL bCreated=pfnOriginal(lpApplicationName,lpCommandLine,
		lpProcessAttributes,lpThreadAttributes,
		bInheritHandles,dwCreationFlags,
		lpEnvironment,lpCurrentDirectory,
		lpStartupInfo,lpProcessInformation);

	// Nothing to inject into when creation failed.
	if(!bCreated)
		return bCreated;

	InjectModuleToProcessById(lpProcessInformation->dwProcessId,g_szModule);
	return bCreated;
}
/**
 * Replacement for kernel32!CreateProcessInternalW (hook slot HookItem[3]).
 *
 * Forwards all twelve arguments unchanged to the original function and, when
 * the child was created, asks InjectModuleToProcessById to load the DLL named
 * by g_szModule into it.
 *
 * @return the result of the original CreateProcessInternalW
 *
 * NOTE(review): dwCreationFlags is passed through untouched, so unless the
 * caller asked for a suspended child it may already be running before the
 * injection happens. The injection result, if any, is not checked.
 * NOTE(review): g_szModule is read from the writable shared section; a hardened
 * version would derive the path from this module's own handle instead.
 */
BOOL WINAPI MyCreateProcessInternalW(HANDLE hToken,
                                     LPCWSTR lpApplicationName,
                                     LPWSTR lpCommandLine,
                                     LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                     LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                     BOOL bInheritHandles,
                                     DWORD dwCreationFlags,
                                     LPVOID lpEnvironment,
                                     LPCWSTR lpCurrentDirectory,
                                     LPSTARTUPINFOW lpStartupInfo,
                                     LPPROCESS_INFORMATION lpProcessInformation,
                                     PHANDLE hNewToken)
{
	// The guard stays alive for the whole function, as in the original.
	CHookapiManager hookGuard(&HookItem[3]);
	lpfn_CreateProcessInternalW pfnOriginal=(lpfn_CreateProcessInternalW)hookGuard.get()->GetOldFunEntry();

	const BOOL bCreated=pfnOriginal(hToken,
		lpApplicationName,lpCommandLine,
		lpProcessAttributes,lpThreadAttributes,
		bInheritHandles,dwCreationFlags,
		lpEnvironment,lpCurrentDirectory,
		lpStartupInfo,lpProcessInformation,
		hNewToken);

	// Nothing to inject into when creation failed.
	if(!bCreated)
		return bCreated;

	InjectModuleToProcessById(lpProcessInformation->dwProcessId,g_szModule);
	return bCreated;
}


/**
 * Installs the four kernel32.dll hooks, one per HookItem slot.
 *
 * The slot numbers are fixed: the replacement functions fetch the original
 * entry point from HookItem[0], HookItem[2] and HookItem[3] by index.
 * Whatever Hook() returns is not checked.
 */
void Start()
{
	enum
	{
		SLOT_OPENPROCESS=0,
		SLOT_SETLOCALTIME=1,
		SLOT_CREATEPROCESSW=2,
		SLOT_CREATEPROCESSINTERNALW=3
	};

	HookItem[SLOT_OPENPROCESS].Hook("kernel32.dll","OpenProcess",
		reinterpret_cast<FARPROC>(MyOpenProcess));
	HookItem[SLOT_SETLOCALTIME].Hook("kernel32.dll","SetLocalTime",
		reinterpret_cast<FARPROC>(MySetLocalTime));
	HookItem[SLOT_CREATEPROCESSW].Hook("kernel32.dll","CreateProcessW",
		reinterpret_cast<FARPROC>(MyCreateProcessW));
	HookItem[SLOT_CREATEPROCESSINTERNALW].Hook("kernel32.dll","CreateProcessInternalW",
		reinterpret_cast<FARPROC>(MyCreateProcessInternalW));
}
/**
 * Removes every hook installed by Start(), in slot order 0..HOOKAPICOUNT-1.
 */
void End()
{
	for(int nSlot=0;nSlot<HOOKAPICOUNT;++nSlot)
	{
		HookItem[nSlot].UnHook();
	}
}
/**
 * WH_SHELL hook procedure. It does no work of its own and passes every event
 * straight to the next hook in the chain; according to the accompanying text,
 * the hook exists so that this DLL is loaded into GUI processes.
 *
 * @param nCode  hook code
 * @param wParam event-specific information
 * @param lParam event-specific information
 * @return the value returned by CallNextHookEx
 */
LRESULT CALLBACK ShellProc(
						   int nCode,
						   WPARAM wParam,
						   LPARAM lParam
						   )
{
	const LRESULT lrNext=CallNextHookEx(g_hShellHook,nCode,wParam,lParam);
	return lrNext;
}
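extern "C"
{
	/**
	 * Removes the global WH_SHELL hook, if one is installed.
	 * The stored handle is cleared only when the unhook call succeeds.
	 */
	void RemoveApplicationMonitor()
	{
		// Skip the API call when there is nothing to remove.
		if(g_hShellHook && UnhookWindowsHookEx(g_hShellHook))
			g_hShellHook=NULL;
	}

	/**
	 * Records the calling process and this DLL's path in the shared section,
	 * then installs the global WH_SHELL hook (thread id 0 = all threads).
	 *
	 * @return true when the hook was installed; false when the module path
	 *         could not be obtained in full or SetWindowsHookEx failed.
	 */
	bool AddApplicatinMonitor()
	{
		// Resolve the path into a local buffer first. GetModuleFileNameA returns
		// 0 on failure and the buffer size on truncation; a partial path must not
		// reach g_szModule, because the CreateProcess hooks pass that string to
		// InjectModuleToProcessById as the DLL to load into new processes.
		char szModule[MAX_PATH]="";
		const DWORD dwLen=GetModuleFileNameA(g_hIns,szModule,MAX_PATH);
		if(dwLen==0 || dwLen>=MAX_PATH)
			return false;

		g_dwProcessId=GetCurrentProcessId();
		lstrcpynA(g_szModule,szModule,MAX_PATH);

		// Replace an existing hook rather than stacking a second one.
		if(g_hShellHook)
		{
			RemoveApplicationMonitor();
		}
		g_hShellHook = SetWindowsHookEx(WH_SHELL,ShellProc,g_hIns,0);
		return g_hShellHook!=NULL;
	}
}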
/**
 * DLL entry point. Stores the module handle on every notification, installs
 * the API hooks when the DLL is loaded into a process and removes them when
 * it is unloaded. Thread notifications do nothing else.
 *
 * NOTE(review): Start() and End() run inside DllMain. What CHOOKAPI::Hook does
 * is not visible here; confirm it avoids calls that are unsafe in DllMain
 * (loading other libraries, waiting on other threads).
 *
 * @return always TRUE
 */
BOOL APIENTRY DllMain( HANDLE hModule,
					  DWORD  ul_reason_for_call,
					  LPVOID lpReserved
					  )
{
	g_hIns=(HINSTANCE)hModule;

	if(ul_reason_for_call==DLL_PROCESS_ATTACH)
	{
		Start();
	}
	else if(ul_reason_for_call==DLL_PROCESS_DETACH)
	{
		End();
	}

	return TRUE;
}





