下载源代码
本文通过WH_SHELL钩子配合HookAPI、远程线程,以windows service形式来保证系统时间不被修改。
其中
关于service程序编写参考了http://www.vckbase.com/。
HookApi、远程线程技术来源于网络。
本文HOOK如下函数:
OpenProcess(保护服务进程不被结束；仅拦截经由 kernel32!OpenProcess 的调用，未被注入 Hook 模块的进程不受影响)
SetLocalTime(禁止修改时间；注意本文未拦截 SetSystemTime 等其他修改时间的 API，直接系统调用同样可以绕过用户态 Hook)
CreateProcessW(CreateProcessA底层调用CreateProcessW,拦截SHELL创建的所有进程)
CreateProcessInternalW(拦截cmd创建的所有进程)
对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。
对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPI模块(本文通过创建远程线程)。
为了保证Hook有效,程序主体为service程序(system创建,在explorer.exe运行之前)。
程序分为两个部分,主体service程序、Hook模块。
好了,见代码了。
以下为service程序主要代码
// timeprotects.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include <stdio.h> #include "service.h" #pragma warning(disable:4101) #pragma comment(lib,"timeprotect") int main(int argc,char* argv[]) { static const char *szServiceName="TimeProtect"; if(argc==2) { if(!lstrcmpiA("install",argv[1])) { char szPath[MAX_PATH]=""; GetModuleFileNameA(NULL,szPath,MAX_PATH); if(!ServiceManger::InstallService(szServiceName,szPath))//安装并以自动启动方式启动服务 MessageBox(NULL,"服务启动失败","提示",MB_OK); } else if(!lstrcmpiA("uninstall",argv[1])) { ServiceManger::UninstallService(szServiceName);//停止并删除服务 } } else { if(!ServiceManger::CheckServiceIsRunning(szServiceName)) { ServiceManger::Services service; service.RunService(szServiceName); } } return 0; } //---------------------------------------------------------------------------
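// timeprotect.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "timeprotect.h"

#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")

// Section shared by every process that maps this DLL (linked RWS below).
// Everything in it can be overwritten by any hooked process, including
// low-privileged ones, so nothing in it may be used as a path to load code
// from, and the OpenProcess shield below is a convenience rather than a
// security boundary.
#pragma data_seg (".shared")
HHOOK g_hShellHook = NULL;        // WH_SHELL hook installed by the service
DWORD g_dwProcessId = 0;          // PID of the service process shielded from OpenProcess
char  g_szModule[MAX_PATH] = "";  // path of this DLL as seen by the service; informational only
#pragma data_seg ()
#pragma comment(linker, "/SECTION:.shared,RWS")

HINSTANCE g_hIns = NULL;  // this DLL's instance handle in the current process

// Indices into HookItem; keep in sync with Start()/End().
enum
{
    HOOK_OPEN_PROCESS = 0,
    HOOK_SET_LOCAL_TIME,
    HOOK_CREATE_PROCESS_W,
    HOOK_CREATE_PROCESS_INTERNAL_W
};
const int HOOKAPICOUNT = 4;
CHOOKAPI HookItem[HOOKAPICOUNT];

// Loads this DLL into the child process identified by dwProcessId.
// The DLL path is resolved from this process's own mapping (g_hIns) rather
// than from the shared g_szModule buffer, so a hooked process that overwrites
// the shared section cannot make another (possibly more privileged) hooked
// process inject an attacker-chosen DLL into its children.
static void InjectSelfIntoProcess(DWORD dwProcessId)
{
    char szSelf[MAX_PATH] = "";
    DWORD dwLen = GetModuleFileName(g_hIns, szSelf, MAX_PATH);
    // 0 means failure; MAX_PATH means the path was silently truncated.
    // Injecting a wrong or partial path is worse than not injecting.
    if (dwLen == 0 || dwLen >= MAX_PATH)
        return;
    // NOTE(review): a child created with CREATE_SUSPENDED has not run its
    // loader yet when the remote thread is started - confirm
    // InjectModuleToProcessById copes with that case.
    InjectModuleToProcessById(dwProcessId, szSelf);
}

// Replacement for kernel32!OpenProcess: refuses handles to the service
// process and passes every other request to the original entry point.
// A refused call now reports ERROR_ACCESS_DENIED instead of leaving a stale
// last-error value for the caller to read.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // NOTE(review): g_dwProcessId is in the writable shared section, and only
    // processes that carry this DLL are affected; callers that use
    // NtOpenProcess directly or that were never injected are not blocked.
    if (dwProcessId == g_dwProcessId)
    {
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    CHookapiManager manager(&HookItem[HOOK_OPEN_PROCESS]);
    lpfn_OpenProcess fOpenProcess = (lpfn_OpenProcess)manager.get()->GetOldFunEntry();
    return fOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

// Replacement for kernel32!SetLocalTime: always fails. The original is never
// called, so the local time cannot be changed through this API from a hooked
// process. ERROR_ACCESS_DENIED is set so callers see a meaningful reason.
// NOTE(review): SetSystemTime and direct NtSetSystemTime calls are not hooked
// here, so they remain a way to change the clock.
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME* lpSystemTime)
{
    (void)lpSystemTime;
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}

// Replacement for kernel32!CreateProcessW: creates the process through the
// original entry point and, on success, injects this DLL into the child.
// NOTE(review): where CreateProcessW is implemented on top of
// CreateProcessInternalW, one call may pass through both hooks and inject
// twice; the second LoadLibrary only bumps the module refcount.
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
                             IN LPWSTR lpCommandLine,
                             IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
                             IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
                             IN BOOL bInheritHandles,
                             IN DWORD dwCreationFlags,
                             IN LPVOID lpEnvironment,
                             IN LPCWSTR lpCurrentDirectory,
                             IN LPSTARTUPINFOW lpStartupInfo,
                             OUT LPPROCESS_INFORMATION lpProcessInformation)
{
    CHookapiManager manager(&HookItem[HOOK_CREATE_PROCESS_W]);
    lpfn_CreateProcessW fCreateProcessW = (lpfn_CreateProcessW)manager.get()->GetOldFunEntry();
    BOOL bRet = fCreateProcessW(lpApplicationName,
                                lpCommandLine,
                                lpProcessAttributes,
                                lpThreadAttributes,
                                bInheritHandles,
                                dwCreationFlags,
                                lpEnvironment,
                                lpCurrentDirectory,
                                lpStartupInfo,
                                lpProcessInformation);
    // Only inject when the caller gave us somewhere to read the new PID from.
    if (bRet && lpProcessInformation != NULL)
        InjectSelfIntoProcess(lpProcessInformation->dwProcessId);
    return bRet;
}

// Replacement for kernel32!CreateProcessInternalW (the entry point cmd.exe
// reaches): same behaviour as MyCreateProcessW, with the token parameters
// passed through untouched.
BOOL WINAPI MyCreateProcessInternalW(HANDLE hToken,
                                     LPCWSTR lpApplicationName,
                                     LPWSTR lpCommandLine,
                                     LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                     LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                     BOOL bInheritHandles,
                                     DWORD dwCreationFlags,
                                     LPVOID lpEnvironment,
                                     LPCWSTR lpCurrentDirectory,
                                     LPSTARTUPINFOW lpStartupInfo,
                                     LPPROCESS_INFORMATION lpProcessInformation,
                                     PHANDLE hNewToken)
{
    CHookapiManager manager(&HookItem[HOOK_CREATE_PROCESS_INTERNAL_W]);
    lpfn_CreateProcessInternalW fCreateProcessInternalW =
        (lpfn_CreateProcessInternalW)manager.get()->GetOldFunEntry();
    BOOL bRet = fCreateProcessInternalW(hToken,
                                        lpApplicationName,
                                        lpCommandLine,
                                        lpProcessAttributes,
                                        lpThreadAttributes,
                                        bInheritHandles,
                                        dwCreationFlags,
                                        lpEnvironment,
                                        lpCurrentDirectory,
                                        lpStartupInfo,
                                        lpProcessInformation,
                                        hNewToken);
    if (bRet && lpProcessInformation != NULL)
        InjectSelfIntoProcess(lpProcessInformation->dwProcessId);
    return bRet;
}

// Installs the four kernel32 hooks in the current process.
void Start()
{
    HookItem[HOOK_OPEN_PROCESS].Hook("kernel32.dll", "OpenProcess", (FARPROC)MyOpenProcess);
    HookItem[HOOK_SET_LOCAL_TIME].Hook("kernel32.dll", "SetLocalTime", (FARPROC)MySetLocalTime);
    HookItem[HOOK_CREATE_PROCESS_W].Hook("kernel32.dll", "CreateProcessW", (FARPROC)MyCreateProcessW);
    HookItem[HOOK_CREATE_PROCESS_INTERNAL_W].Hook("kernel32.dll", "CreateProcessInternalW", (FARPROC)MyCreateProcessInternalW);
}

// Removes the hooks installed by Start().
void End()
{
    for (int i = 0; i < HOOKAPICOUNT; ++i)
        HookItem[i].UnHook();
}

// WH_SHELL callback. It does no work of its own: its only purpose is to get
// this DLL mapped into every GUI process, which runs Start() via DllMain.
LRESULT CALLBACK ShellProc(int nCode,     // hook code
                           WPARAM wParam, // event-specific information
                           LPARAM lParam) // event-specific information
{
    return CallNextHookEx(g_hShellHook, nCode, wParam, lParam);
}

extern "C"
{
    // Removes the global WH_SHELL hook installed by AddApplicatinMonitor.
    void RemoveApplicationMonitor()
    {
        if (UnhookWindowsHookEx(g_hShellHook))
            g_hShellHook = NULL;
    }

    // Called by the service: records the service PID to shield, publishes
    // this DLL's path, and installs a global WH_SHELL hook so the DLL is
    // loaded into GUI processes. Returns true when the hook was installed.
    // NOTE(review): a global hook set from a service only reaches processes
    // on the service's own window station/desktop - confirm on the target
    // Windows version that it reaches the interactive session.
    bool AddApplicatinMonitor()
    {
        g_dwProcessId = GetCurrentProcessId();
        GetModuleFileName(g_hIns, g_szModule, MAX_PATH);  // informational; injection resolves its own path
        if (g_hShellHook)
            RemoveApplicationMonitor();
        g_hShellHook = SetWindowsHookEx(WH_SHELL, ShellProc, g_hIns, 0);
        return g_hShellHook != NULL;
    }
}

// Installs the API hooks whenever this DLL is mapped into a process and
// removes them again on an explicit unload.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    g_hIns = (HINSTANCE)hModule;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        Start();
        break;
    case DLL_PROCESS_DETACH:
        // When the process is terminating (lpReserved != NULL) other threads
        // are already gone, possibly mid-call through a patched entry point;
        // restoring the originals then is unsafe and pointless, so only
        // unhook on an explicit FreeLibrary.
        if (lpReserved == NULL)
            End();
        break;
    }
    return TRUE;
}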