保护电脑系统时间不被修改
下载源码:/2012/0606/20120606105353115.zip
本文通过WH_SHELL钩子配合HookAPI、远程线程,以windows service形式来保证系统时间不被修改。
其中
关于service程序编写参考了http://www.vckbase.com/。
HookAPI、远程线程技术来源于网络。
本文HOOK如下函数:
OpenProcess(保护进程不被结束)
SetLocalTime(禁止修改时间)
CreateProcessW(CreateProcessA底层调用CreateProcessW,拦截SHELL创建的所有进程)
CreateProcessInternalW(拦截cmd创建的所有进程)
对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。
对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPI模块(本文通过创建远程线程)。
为了保证Hook有效,程序主体为service程序(system创建,在explorer.exe运行之前)。
程序分为两个部分,主体service程序、Hook模块。
好了,见代码了。
以下为service程序主要代码
// timeprotects.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include "service.h"
#pragma warning(disable:4101)
#pragma comment(lib,"timeprotect")
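int main(int argc,char* argv[])
{
    // Entry point of the service host. With no argument it runs the service
    // body (only if an instance is not already running); "install" registers
    // this executable as an auto-start service, "uninstall" stops and removes
    // it. Returns 0 on success and 1 when installation could not be completed.
    static const char *szServiceName = "TimeProtect";

    if (argc == 2)
    {
        if (!lstrcmpiA("install", argv[1]))
        {
            // The service binary path is this executable's own full path.
            char szPath[MAX_PATH] = "";
            const unsigned long cchPath = GetModuleFileNameA(NULL, szPath, MAX_PATH);

            // GetModuleFileNameA returns 0 on failure and MAX_PATH when the
            // path was truncated to fit the buffer; neither result was checked
            // before, so the service could be registered with an empty or
            // cut-off binary path.
            if (cchPath == 0 || cchPath >= MAX_PATH)
            {
                MessageBox(NULL, "获取程序路径失败", "提示", MB_OK);
                return 1;
            }

            // NOTE(review): InstallService is defined outside this listing;
            // confirm it quotes szPath when registering the binary path, since
            // an unquoted path containing spaces is resolved ambiguously by the
            // service control manager.
            if (!ServiceManger::InstallService(szServiceName, szPath)) // install and start as auto-start
            {
                MessageBox(NULL, "服务启动失败", "提示", MB_OK);
                return 1;
            }
        }
        else if (!lstrcmpiA("uninstall", argv[1]))
        {
            ServiceManger::UninstallService(szServiceName); // stop and delete the service
        }
    }
    else
    {
        // Normal start (no command word): run the service body unless an
        // instance is already running.
        if (!ServiceManger::CheckServiceIsRunning(szServiceName))
        {
            ServiceManger::Services service;
            service.RunService(szServiceName);
        }
    }
    return 0;
}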
//---------------------------------------------------------------------------
// timeprotects.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include "service.h"
#pragma warning(disable:4101)
#pragma comment(lib,"timeprotect")
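int main(int argc,char* argv[])
{
    // Service host entry point.
    //   (no argument)  run the service body if it is not already running
    //   install        register this executable as an auto-start service
    //   uninstall      stop and delete the service
    // Exit code is 0 on success, 1 if the service could not be installed.
    static const char *szServiceName = "TimeProtect";

    // Plain start by the service control manager.
    if (argc != 2)
    {
        if (!ServiceManger::CheckServiceIsRunning(szServiceName))
        {
            ServiceManger::Services service;
            service.RunService(szServiceName);
        }
        return 0;
    }

    if (!lstrcmpiA("install", argv[1]))
    {
        // Register the service with this executable's own full path.
        char szPath[MAX_PATH] = "";
        const unsigned long nCopied = GetModuleFileNameA(NULL, szPath, MAX_PATH);

        // A zero result is a failed call and MAX_PATH means the buffer was
        // too small; refusing here avoids registering an empty or truncated
        // binary path, which the original code did not guard against.
        if (nCopied == 0 || nCopied >= MAX_PATH)
        {
            MessageBox(NULL, "获取程序路径失败", "提示", MB_OK);
            return 1;
        }

        // NOTE(review): InstallService lives outside this listing -- confirm
        // it quotes the binary path, because an unquoted path with spaces is
        // resolved ambiguously by the service control manager.
        if (!ServiceManger::InstallService(szServiceName, szPath)) // install and start as auto-start
        {
            MessageBox(NULL, "服务启动失败", "提示", MB_OK);
            return 1;
        }
    }
    else if (!lstrcmpiA("uninstall", argv[1]))
    {
        ServiceManger::UninstallService(szServiceName); // stop and delete the service
    }

    return 0;
}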
//---------------------------------------------------------------------------
以下为HookAPI模块主要代码。HookAPI方法:替换目标函数前5个字节,将第一个字节改为0xe9(jmp),跳转到自定义处理函数。
// timeprotect.cpp : Defines the entry point for the DLL application.
//
#include "stdafx.h"
#include "timeprotect.h"
#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")
#pragma data_seg (".shared")
// Variables between the two data_seg pragmas are placed in the ".shared"
// section, which the linker directive below marks read/write/shared. Every
// process that maps this DLL therefore sees a single copy of these values,
// and each of those processes can also write to them -- the protection below
// is only as reliable as that shared state.
HHOOK g_hShellHook=NULL;      // WH_SHELL hook handle; installed outside this listing
DWORD g_dwProcessId=0;        // process id that MyOpenProcess refuses to open
char g_szModule[MAX_PATH]=""; // not referenced in this listing; presumably the DLL's own path used for injection -- confirm against the rest of the file
#pragma data_seg ()
#pragma comment(linker, "/SECTION:.shared,RWS")
// Per-process state (ordinary data section, one copy per process).
HINSTANCE g_hIns=NULL;
// Number of hooked APIs; the article lists four: OpenProcess, SetLocalTime,
// CreateProcessW and CreateProcessInternalW.
const int HOOKAPICOUNT=4;
// Hook descriptors; MyOpenProcess uses HookItem[0], the remaining slots are
// assigned outside this listing.
CHOOKAPI HookItem[HOOKAPICOUNT];
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
{
    // Replacement for OpenProcess. The hook manager (defined outside this
    // listing) hands back the saved entry of the original function so the
    // call can be forwarded for every process except the protected one.
    CHookapiManager hookScope(&HookItem[0]);
    const lpfn_OpenProcess pfnOriginal =
        (lpfn_OpenProcess)hookScope.get()->GetOldFunEntry();

    // Requests for the protected process id are refused with a NULL handle.
    // Note that last-error is not set here, so a caller inspecting
    // GetLastError sees whatever value was already pending.
    if (dwProcessId == g_dwProcessId)
        return NULL;

    return pfnOriginal(dwDesiredAccess, bInheritHandle, dwProcessId);
}
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME *lpSystemTime)
{
    // Replacement for SetLocalTime: the requested time is ignored and the
    // call always reports failure, so the local clock cannot be changed
    // through this entry point. Last-error is left untouched.
    (void)lpSystemTime; // intentionally unused
    return FALSE;
}
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
IN LPWSTR lpCommandLine,
IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
IN LPSECURITY_ATTRIBUTES lpThreadAttributes,