保护电脑系统时间不被修改
下载源代码
本文通过WH_SHELL钩子配合HookAPI、远程线程,以windows service形式来保证系统时间不被修改。
其中
关于service程序编写参考了http://www.vckbase.com/。
HookApi、远程线程技术来源于网络。
本文HOOK如下函数:
OpenProcess(保护进程不被结束)
SetLocalTime(禁止修改时间)
CreateProcessW(CreateProcessA底层调用CreateProcessW,拦截SHELL创建的所有进程)
CreateProcessInternalW(拦截cmd创建的所有进程)
对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。
对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPII模块(本文通过创建远程线程)。
为了保证Hook有效,程序主体为service程序(system创建,在explorer.exe运行之前)。
程序分为两个部分,主体service程序、Hook模块。
好了,见代码了。
以下为service程序主要代码
// timeprotects.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include "service.h"
#pragma warning(disable:4101)
#pragma comment(lib,"timeprotect")
int main(int argc,char* argv[])
{
static const char *szServiceName="TimeProtect";
if(argc==2)
{
if(!lstrcmpiA("install",argv[1]))
{
char szPath[MAX_PATH]="";
GetModuleFileNameA(NULL,szPath,MAX_PATH);
if(!ServiceManger::InstallService(szServiceName,szPath))//安装并以自动启动方式启动服务
MessageBox(NULL,"服务启动失败","提示",MB_OK);
}
else if(!lstrcmpiA("uninstall",argv[1]))
{
ServiceManger::UninstallService(szServiceName);//停止并删除服务
}
}
else
{
if(!ServiceManger::CheckServiceIsRunning(szServiceName))
{
ServiceManger::Services service;
service.RunService(szServiceName);
}
}
return 0;
}
//---------------------------------------------------------------------------
以下HookAPI模块主要代码,HookAPI方法:替换目标函数前5个字节、修改第一个字节为0xe9(jmp)跳转自定义处理函数处理。
// timeprotect.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "timeprotect.h"
#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")
#pragma data_seg (".shared")
HHOOK g_hShellHook=NULL;
DWORD g_dwProcessId=0;
char g_szModule[MAX_PATH]="";
#pragma data_seg ()
#pragma comment(linker, "/SECTION:.shared,RWS")
HINSTANCE g_hIns=NULL;
const int HOOKAPICOUNT=4;
CHOOKAPI HookItem[HOOKAPICOUNT];
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
{
CHookapiManager manager(&HookItem[0]);
lpfn_OpenProcess fOpenProcess=(lpfn_OpenProcess)manager.get()->GetOldFunEntry();
HANDLE hRet=NULL;
if(dwProcessId!=g_dwProcessId)
hRet=fOpenProcess(dwDesiredAccess,bInheritHandle,dwProcessId);
return hRet;
}
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME *lpSystemTime)
{
return FALSE;
}
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
IN LPWSTR lpCommandLine,
IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
IN BOOL bInheritHandles,
IN DWORD dwCreationFlags,
IN LPVOID lpEnvironment,
IN LPCWSTR lpCurrentDirectory,
IN LPSTARTUPINFOW lpStartupInfo,
OUT LPPROCESS_INFORMATION lpProcessInformation
)
{
CHookapiManager manager(&HookItem[2]);
lpfn_CreateProcessW fCreateProcessW=(lpfn_CreateProcessW)manager.get()->GetOldFunEntry();
BOOL bRet=fCreateProcessW(lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation);
if(bRet)
{
InjectModuleToProcessById(lpProcessInformation->dwProcessId,g_szModule);
}
return bRet;
}
BOOL WINAPI MyCreateProcessInternalW(HANDLE hToken,
LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
PHANDLE hNewToken)
{
CHookapiManager manager(&HookItem[3]);
lpfn_CreateProcessInternalW fCreateProcessInternalW=(lpfn_CreateProcessInternalW)manager.get()->GetOldFunEntry();
BOOL bRet=fCreateProcessInternalW( hToken,
lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreationFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
lpProcessInformation,
hNewToken
);
if(bRet)
{
InjectModuleToProcessById(lpProcessInformation->dwProcessId,g_szModule);
}
return bRet;
}
void Start()
{
HookItem[0].Hook("kernel32.dll","OpenProcess",(FARPROC)MyOpenProcess);
HookItem[1].Hook("kernel32.dll","SetLocalTime",(FARPROC)MySetLocalTime);
HookItem[2].Hook("kernel32.dll","CreateProcessW",(FARPROC)MyCreateProcessW);
HookItem[3].Hook("kernel32.dll","CreateProcessInternalW",(FARPROC)MyCreateProcessInternalW);
}
void End()
{
HookItem[0].UnHook();
HookItem[1].UnHook();
HookItem[2].UnHook();
HookItem[3].UnHook();
}
LRESULT CALLBACK ShellProc(
int nCode, // hook code
WPARAM wParam, // event-specific information
LPARAM lParam // event-specific information
)
{
return CallNextHookEx(g_hShellHook,nCode,wParam,lParam);
}
extern "C"
{
void RemoveApplicationMonitor()
{
if(UnhookWindowsHookEx(g_hShellHook))
g_hShellHook=NULL;
}
bool AddApplicatinMonitor()
{
g_dwProcessId=GetCurrentProcessId();
GetModuleFileName(g_hIns,g_szModule,MAX_PATH);
if(g_hShellHook)
{
RemoveApplicationMonitor();
}
g_hShellHook = SetWindowsHookEx(WH_SHELL,ShellProc,g_hIns,0);
return g_hShellHook!=NULL;
}
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
g_hIns=(HINSTANCE)hModule;
switch(ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
Start();
break;
case DLL_PROCESS_DETACH:
End();
break;
}
return TRUE;
}