保护电脑系统时间不被修改



本文通过WH_SHELL钩子配合HookAPI远程线程,以windows service形式来保证系统时间不被修改。

其中

关于service程序编写参考了http://www.vckbase.com/。

HookApi、远程线程技术来源于网络。


本文HOOK如下函数:

OpenProcess(保护进程不被结束)

SetLocalTime(禁止修改时间)

CreateProcessW(CreateProcessA底层调用CreateProcessW,拦截SHELL创建的所有进程)

CreateProcessInternalW(拦截cmd创建的所有进程)


对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。

对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPI模块(本文通过创建远程线程)。


为了保证Hook有效,程序主体为service程序(system创建,在explorer.exe运行之前)。

程序分为两个部分,主体service程序、Hook模块。

好了,见代码了。

以下为service程序主要代码

// timeprotects.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include <stdio.h>#include "service.h"#pragma warning(disable:4101)#pragma comment(lib,"timeprotect")int main(int argc,char* argv[]){static const char *szServiceName="TimeProtect";if(argc==2){if(!lstrcmpiA("install",argv[1])){char szPath[MAX_PATH]="";GetModuleFileNameA(NULL,szPath,MAX_PATH);if(!ServiceManger::InstallService(szServiceName,szPath))//安装并以自动启动方式启动服务MessageBox(NULL,"服务启动失败","提示",MB_OK);}else if(!lstrcmpiA("uninstall",argv[1])){            ServiceManger::UninstallService(szServiceName);//停止并删除服务}}else{if(!ServiceManger::CheckServiceIsRunning(szServiceName)){ServiceManger::Services service;service.RunService(szServiceName);}}return 0;}//---------------------------------------------------------------------------

以下为HookAPI模块主要代码。HookAPI方法:将目标函数开头的5个字节替换为一条0xE9(jmp)指令,跳转到自定义处理函数执行。

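// timeprotect.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "timeprotect.h"

// Both entry points are exported by ordinal only (NONAME). The spelling
// "AddApplicatinMonitor" is part of the binary interface and is kept as-is.
#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")

// State shared by every process that loads this DLL: the section is mapped
// read/write/shared (see the /SECTION directive below).
// NOTE(review): any process that has this DLL loaded can write this segment,
// so the protected PID and the module path read from it are not trustworthy
// from the service's point of view — treat them as untrusted input.
#pragma data_seg (".shared")
HHOOK g_hShellHook = NULL;        // WH_SHELL hook handle, installed by the service process
DWORD g_dwProcessId = 0;          // PID of the service process; OpenProcess on it is refused
char  g_szModule[MAX_PATH] = "";  // full path of this DLL, handed to the injector for new processes
#pragma data_seg ()
#pragma comment(linker, "/SECTION:.shared,RWS")

HINSTANCE g_hIns = NULL;          // per-process module handle, set in DllMain

// Hook slots: [0] OpenProcess, [1] SetLocalTime, [2] CreateProcessW,
// [3] CreateProcessInternalW (all in kernel32.dll, see Start()).
const int HOOKAPICOUNT = 4;
CHOOKAPI HookItem[HOOKAPICOUNT];

// Replacement for kernel32!OpenProcess.
// Refuses to open the protected service process; every other PID is passed
// through to the original entry point unchanged.
// The refused path sets ERROR_ACCESS_DENIED so that callers inspecting
// GetLastError() see a meaningful code rather than a stale one.
// Only processes that have this DLL loaded are affected (GUI processes via the
// WH_SHELL hook, shell/cmd children via injection); anything else is not covered.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // CHookapiManager hands out the original entry point; presumably it also
    // keeps the patch consistent while the original runs — confirm in its definition.
    CHookapiManager manager(&HookItem[0]);
    lpfn_OpenProcess fOpenProcess = (lpfn_OpenProcess)manager.get()->GetOldFunEntry();

    if (dwProcessId == g_dwProcessId) {
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return fOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}

// Replacement for kernel32!SetLocalTime: always refuses the call.
// Reports ERROR_ACCESS_DENIED so callers get a sensible error code.
// Only this entry point is intercepted; the page hooks no other clock-setting API.
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME* lpSystemTime)
{
    (void)lpSystemTime;  // the requested time is never applied
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}

// Replacement for kernel32!CreateProcessW.
// Calls the original, then loads this DLL into the new child so that the
// child's own OpenProcess/SetLocalTime/CreateProcess calls are hooked too.
// NOTE(review): CreateProcessW is generally a thin wrapper over
// CreateProcessInternalW; with both entries patched, one CreateProcessW call
// may reach InjectModuleToProcessById twice (here and in
// MyCreateProcessInternalW) — confirm and de-duplicate if so.
// NOTE(review): if the child was created with CREATE_SUSPENDED the injection
// happens before the child's loader has run; whether
// InjectModuleToProcessById handles that is not visible here.
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
                             IN LPWSTR lpCommandLine,
                             IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
                             IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
                             IN BOOL bInheritHandles,
                             IN DWORD dwCreationFlags,
                             IN LPVOID lpEnvironment,
                             IN LPCWSTR lpCurrentDirectory,
                             IN LPSTARTUPINFOW lpStartupInfo,
                             OUT LPPROCESS_INFORMATION lpProcessInformation)
{
    CHookapiManager manager(&HookItem[2]);
    lpfn_CreateProcessW fCreateProcessW = (lpfn_CreateProcessW)manager.get()->GetOldFunEntry();

    BOOL bRet = fCreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes,
                                lpThreadAttributes, bInheritHandles, dwCreationFlags,
                                lpEnvironment, lpCurrentDirectory, lpStartupInfo,
                                lpProcessInformation);
    if (bRet) {
        // Injection failure is not reported: the child simply runs unhooked.
        InjectModuleToProcessById(lpProcessInformation->dwProcessId, g_szModule);
    }
    return bRet;
}

// Replacement for kernel32!CreateProcessInternalW (the path cmd.exe uses).
// Same contract as MyCreateProcessW: run the original, then inject this DLL
// into the child. See the NOTE(review) items on MyCreateProcessW.
BOOL WINAPI MyCreateProcessInternalW(HANDLE hToken,
                                     LPCWSTR lpApplicationName,
                                     LPWSTR lpCommandLine,
                                     LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                     LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                     BOOL bInheritHandles,
                                     DWORD dwCreationFlags,
                                     LPVOID lpEnvironment,
                                     LPCWSTR lpCurrentDirectory,
                                     LPSTARTUPINFOW lpStartupInfo,
                                     LPPROCESS_INFORMATION lpProcessInformation,
                                     PHANDLE hNewToken)
{
    CHookapiManager manager(&HookItem[3]);
    lpfn_CreateProcessInternalW fCreateProcessInternalW =
        (lpfn_CreateProcessInternalW)manager.get()->GetOldFunEntry();

    BOOL bRet = fCreateProcessInternalW(hToken, lpApplicationName, lpCommandLine,
                                        lpProcessAttributes, lpThreadAttributes,
                                        bInheritHandles, dwCreationFlags, lpEnvironment,
                                        lpCurrentDirectory, lpStartupInfo,
                                        lpProcessInformation, hNewToken);
    if (bRet) {
        InjectModuleToProcessById(lpProcessInformation->dwProcessId, g_szModule);
    }
    return bRet;
}

// Installs the four inline patches in kernel32.dll of the current process.
// Hook() return values are not checked because their type is not visible here;
// a slot that fails to patch silently leaves that API unprotected.
void Start()
{
    HookItem[0].Hook("kernel32.dll", "OpenProcess",            (FARPROC)MyOpenProcess);
    HookItem[1].Hook("kernel32.dll", "SetLocalTime",           (FARPROC)MySetLocalTime);
    HookItem[2].Hook("kernel32.dll", "CreateProcessW",         (FARPROC)MyCreateProcessW);
    HookItem[3].Hook("kernel32.dll", "CreateProcessInternalW", (FARPROC)MyCreateProcessInternalW);
}

// Restores the original bytes of all four patched entry points.
void End()
{
    HookItem[0].UnHook();
    HookItem[1].UnHook();
    HookItem[2].UnHook();
    HookItem[3].UnHook();
}

// WH_SHELL hook procedure. It does nothing itself; the point of installing the
// hook is the side effect that the system loads this DLL into each GUI process,
// which runs DllMain/Start() there.
LRESULT CALLBACK ShellProc(int nCode,      // hook code
                           WPARAM wParam,  // event-specific information
                           LPARAM lParam)  // event-specific information
{
    return CallNextHookEx(g_hShellHook, nCode, wParam, lParam);
}

extern "C" {

// Removes the WH_SHELL hook installed by AddApplicatinMonitor.
// A NULL handle simply fails UnhookWindowsHookEx and leaves the state unchanged.
void RemoveApplicationMonitor()
{
    if (UnhookWindowsHookEx(g_hShellHook))
        g_hShellHook = NULL;
}

// Called by the service process: records its PID and this DLL's full path in
// the shared segment, then installs the global WH_SHELL hook.
// Returns true when the hook is in place, false on any failure.
bool AddApplicatinMonitor()
{
    g_dwProcessId = GetCurrentProcessId();

    // The ANSI variant is used explicitly because g_szModule is a char buffer.
    // 0 means failure and MAX_PATH means truncation; in both cases the injector
    // would otherwise be handed an empty or partial path for every new process.
    DWORD cchModule = GetModuleFileNameA(g_hIns, g_szModule, MAX_PATH);
    if (cchModule == 0 || cchModule >= MAX_PATH) {
        g_szModule[0] = '\0';
        return false;
    }

    if (g_hShellHook) {
        RemoveApplicationMonitor();
    }
    g_hShellHook = SetWindowsHookEx(WH_SHELL, ShellProc, g_hIns, 0);
    return g_hShellHook != NULL;
}

}  // extern "C"

// DLL entry point: patches kernel32 on attach and restores it on detach.
// Start() therefore runs under the loader lock in every process that loads
// this DLL; whatever CHOOKAPI::Hook does must be loader-lock safe.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    (void)lpReserved;
    g_hIns = (HINSTANCE)hModule;
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        Start();
        break;
    case DLL_PROCESS_DETACH:
        End();
        break;
    }
    return TRUE;
}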





