本文通过WH_SHELL钩子配合HookAPI、远程线程,以windows service形式来保证系统时间不被修改。
其中
关于service程序编写参考了http://www.vckbase.com/。
HookApi、远程线程技术来源于网络。
本文HOOK如下函数:
OpenProcess(保护进程不被结束)
SetLocalTime(禁止修改时间)
CreateProcessW(CreateProcessA底层调用CreateProcessW,拦截SHELL创建的所有进程)
CreateProcessInternalW(拦截cmd创建的所有进程)
对于GUI进程,WH_SHELL钩子会自动将HookAPI模块注入该进程。
对于SHELL和cmd创建的CUI进程,我们需要自己注入HookAPI模块(本文通过创建远程线程)。
为了保证Hook有效,程序主体为service程序(system创建,在explorer.exe运行之前)。
程序分为两个部分,主体service程序、Hook模块。
好了,见代码了。
以下为service程序主要代码
- // timeprotects.cpp : Defines the entry point for the console application.
- //
- #include "stdafx.h"
- #include <stdio.h>
- #include "service.h"
- #pragma warning(disable:4101)
- #pragma comment(lib,"timeprotect")
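// Entry point of the service host executable.
//
// Command line (from the argument handling below):
//   <exe> install    - registers this executable as the "TimeProtect" service
//   <exe> uninstall  - stops and removes that service
//   <exe>            - runs the service body unless it is already running
//
// Returns 0 on every path except when the executable's own path cannot be
// determined for installation, which returns 1. An install failure is
// reported through a message box rather than the exit code (original behavior).
int main(int argc, char* argv[])
{
    static const char* szServiceName = "TimeProtect";

    if (argc == 2)
    {
        if (!lstrcmpiA("install", argv[1]))
        {
            char szPath[MAX_PATH] = "";
            // GetModuleFileNameA returns 0 on failure and the buffer size when
            // the path was truncated; neither result may be registered as the
            // service binary path.
            const DWORD cch = GetModuleFileNameA(NULL, szPath, MAX_PATH);
            if (cch == 0 || cch >= MAX_PATH)
            {
                MessageBoxA(NULL, "获取程序路径失败", "提示", MB_OK);
                return 1;
            }
            // NOTE(review): if szPath contains spaces, InstallService must quote
            // it when it builds the service binary path — confirm in service.h.
            if (!ServiceManger::InstallService(szServiceName, szPath)) // install and start with automatic start type
                MessageBoxA(NULL, "服务启动失败", "提示", MB_OK);
        }
        else if (!lstrcmpiA("uninstall", argv[1]))
        {
            ServiceManger::UninstallService(szServiceName); // stop and delete the service
        }
        else
        {
            // Unknown argument: say so instead of silently doing nothing.
            printf("usage: %s [install|uninstall]\n", argv[0]);
        }
    }
    else
    {
        if (!ServiceManger::CheckServiceIsRunning(szServiceName))
        {
            ServiceManger::Services service;
            service.RunService(szServiceName);
        }
    }
    return 0;
}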
- //---------------------------------------------------------------------------
以下HookAPI模块主要代码,HookAPI方法:替换目标函数前5个字节、修改第一个字节为0xe9(jmp)跳转自定义处理函数处理。
- // timeprotect.cpp : Defines the entry point for the DLL application.
- //
- #include "stdafx.h"
- #include "timeprotect.h"
// The two monitor entry points are exported by ordinal only (NONAME), so they
// do not appear by name in the DLL's export table.
#pragma comment(linker,"/EXPORT:_RemoveApplicationMonitor,@1,NONAME")
#pragma comment(linker,"/EXPORT:_AddApplicatinMonitor,@2,NONAME")
// Variables in the ".shared" segment are shared by every process that maps this
// DLL (the section is marked read/write/shared below): one copy is seen by the
// process that installs the hook and by every hooked process.
#pragma data_seg (".shared")
// Handle of the WH_SHELL hook installed by AddApplicatinMonitor; NULL when not installed.
HHOOK g_hShellHook=NULL;
// Process id recorded by AddApplicatinMonitor; MyOpenProcess refuses OpenProcess
// calls that target this id. It is 0 until AddApplicatinMonitor has run.
DWORD g_dwProcessId=0;
// Full path of this DLL, filled by AddApplicatinMonitor and handed to
// InjectModuleToProcessById by the CreateProcess hooks.
// NOTE(review): this segment is writable by every process that maps the DLL, so
// whatever is stored here decides which module the CreateProcess hooks inject;
// treat g_szModule as data that other processes can change, not as a constant.
char g_szModule[MAX_PATH]="";
#pragma data_seg ()
#pragma comment(linker, "/SECTION:.shared,RWS")
// Instance handle of this DLL, recorded in DllMain; used by GetModuleFileName
// and as the hook module passed to SetWindowsHookEx.
HINSTANCE g_hIns=NULL;
// Number of API hooks installed by Start().
const int HOOKAPICOUNT=4;
// Hook table; Start() fills it as [0]=OpenProcess, [1]=SetLocalTime,
// [2]=CreateProcessW, [3]=CreateProcessInternalW, and each My* replacement
// reads its own slot to reach the original entry point.
CHOOKAPI HookItem[HOOKAPICOUNT];
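// Replacement for kernel32!OpenProcess (HookItem[0]).
// Forwards every call to the original OpenProcess except those that target the
// process id recorded in g_dwProcessId, which are refused. Until
// AddApplicatinMonitor has run g_dwProcessId is 0, so only pid 0 is refused.
// Parameters are the OpenProcess parameters, forwarded unchanged.
// Returns the handle from the original OpenProcess, or NULL with the last error
// set to ERROR_ACCESS_DENIED for the protected process.
HANDLE WINAPI MyOpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    CHookapiManager manager(&HookItem[0]);
    lpfn_OpenProcess fOpenProcess = (lpfn_OpenProcess)manager.get()->GetOldFunEntry();

    if (dwProcessId == g_dwProcessId)
    {
        // OpenProcess reports failure through GetLastError; returning NULL
        // alone would leave the caller with a stale last-error value.
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    return fOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
}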
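// Replacement for kernel32!SetLocalTime (HookItem[1]).
// Rejects every call so the clock is never changed through this export;
// lpSystemTime is not inspected. Only this export is intercepted here — the
// hook does not by itself cover other code paths that change the clock.
// Returns FALSE with the last error set to ERROR_ACCESS_DENIED, so callers that
// check GetLastError on failure see a meaningful code instead of a stale one.
BOOL WINAPI MySetLocalTime(IN CONST SYSTEMTIME *lpSystemTime)
{
    (void)lpSystemTime;
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}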
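// Replacement for kernel32!CreateProcessW (HookItem[2]).
// Forwards all parameters unchanged to the original CreateProcessW and, when
// the child was created, injects the module named by g_szModule into it via
// InjectModuleToProcessById so the child is hooked as well.
// Returns the original CreateProcessW result. The caller's last-error value is
// preserved across the injection so the hook stays transparent.
// NOTE(review): InjectModuleToProcessById's result is not checked, so a failed
// injection leaves the child unhooked silently; and if the child was created
// with CREATE_SUSPENDED the injection happens before the child has run — whether
// the helper copes with that is not visible here, confirm in its implementation.
BOOL WINAPI MyCreateProcessW(IN LPCWSTR lpApplicationName,
                             IN LPWSTR lpCommandLine,
                             IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
                             IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
                             IN BOOL bInheritHandles,
                             IN DWORD dwCreationFlags,
                             IN LPVOID lpEnvironment,
                             IN LPCWSTR lpCurrentDirectory,
                             IN LPSTARTUPINFOW lpStartupInfo,
                             OUT LPPROCESS_INFORMATION lpProcessInformation)
{
    CHookapiManager manager(&HookItem[2]);
    lpfn_CreateProcessW fCreateProcessW = (lpfn_CreateProcessW)manager.get()->GetOldFunEntry();

    const BOOL bRet = fCreateProcessW(lpApplicationName,
                                      lpCommandLine,
                                      lpProcessAttributes,
                                      lpThreadAttributes,
                                      bInheritHandles,
                                      dwCreationFlags,
                                      lpEnvironment,
                                      lpCurrentDirectory,
                                      lpStartupInfo,
                                      lpProcessInformation);
    if (bRet)
    {
        // The injection helper may overwrite the thread's last-error value,
        // which belongs to the caller of CreateProcessW; save and restore it.
        const DWORD dwLastError = GetLastError();
        InjectModuleToProcessById(lpProcessInformation->dwProcessId, g_szModule);
        SetLastError(dwLastError);
    }
    return bRet;
}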
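// Replacement for kernel32!CreateProcessInternalW (HookItem[3]), the entry
// point the page hooks to catch processes started by cmd. This export is not
// part of the documented Win32 API, so its signature is taken from the page.
// Forwards all parameters unchanged to the original and, when the child was
// created, injects the module named by g_szModule into it via
// InjectModuleToProcessById.
// Returns the original result. The caller's last-error value is preserved
// across the injection so the hook stays transparent.
// NOTE(review): as in MyCreateProcessW, the injection result is not checked and
// a child created with CREATE_SUSPENDED is injected before it has run — confirm
// that InjectModuleToProcessById handles both cases.
BOOL WINAPI MyCreateProcessInternalW(HANDLE hToken,
                                     LPCWSTR lpApplicationName,
                                     LPWSTR lpCommandLine,
                                     LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                     LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                     BOOL bInheritHandles,
                                     DWORD dwCreationFlags,
                                     LPVOID lpEnvironment,
                                     LPCWSTR lpCurrentDirectory,
                                     LPSTARTUPINFOW lpStartupInfo,
                                     LPPROCESS_INFORMATION lpProcessInformation,
                                     PHANDLE hNewToken)
{
    CHookapiManager manager(&HookItem[3]);
    lpfn_CreateProcessInternalW fCreateProcessInternalW =
        (lpfn_CreateProcessInternalW)manager.get()->GetOldFunEntry();

    const BOOL bRet = fCreateProcessInternalW(hToken,
                                              lpApplicationName,
                                              lpCommandLine,
                                              lpProcessAttributes,
                                              lpThreadAttributes,
                                              bInheritHandles,
                                              dwCreationFlags,
                                              lpEnvironment,
                                              lpCurrentDirectory,
                                              lpStartupInfo,
                                              lpProcessInformation,
                                              hNewToken);
    if (bRet)
    {
        // Save and restore the caller's last-error value around the injection.
        const DWORD dwLastError = GetLastError();
        InjectModuleToProcessById(lpProcessInformation->dwProcessId, g_szModule);
        SetLastError(dwLastError);
    }
    return bRet;
}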
// Installs the four kernel32 hooks, in table order, into the current process.
// Called from DllMain on DLL_PROCESS_ATTACH. Each slot of HookItem receives the
// replacement that later reads that same slot to reach the original entry point.
void Start()
{
    struct HookSpec
    {
        const char* module;
        const char* name;
        FARPROC replacement;
    };
    static const HookSpec specs[HOOKAPICOUNT] = {
        {"kernel32.dll", "OpenProcess",            reinterpret_cast<FARPROC>(MyOpenProcess)},
        {"kernel32.dll", "SetLocalTime",           reinterpret_cast<FARPROC>(MySetLocalTime)},
        {"kernel32.dll", "CreateProcessW",         reinterpret_cast<FARPROC>(MyCreateProcessW)},
        // Undocumented kernel32 export; hooked to catch processes started by cmd.
        {"kernel32.dll", "CreateProcessInternalW", reinterpret_cast<FARPROC>(MyCreateProcessInternalW)},
    };
    for (int i = 0; i < HOOKAPICOUNT; ++i)
    {
        HookItem[i].Hook(specs[i].module, specs[i].name, specs[i].replacement);
    }
}
// Removes every hook installed by Start(), in slot order.
// Called from DllMain on DLL_PROCESS_DETACH.
void End()
{
    for (int slot = 0; slot < HOOKAPICOUNT; ++slot)
    {
        HookItem[slot].UnHook();
    }
}
// Hook procedure for the WH_SHELL hook installed by AddApplicatinMonitor.
// No shell event is handled here: every notification is passed straight on.
// The procedure exists so that SetWindowsHookEx has a hook module, which is what
// gets this DLL loaded into the GUI processes that receive shell notifications.
LRESULT CALLBACK ShellProc(int nCode,     // hook code
                           WPARAM wParam, // event-specific information
                           LPARAM lParam) // event-specific information
{
    const LRESULT lResult = CallNextHookEx(g_hShellHook, nCode, wParam, lParam);
    return lResult;
}
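extern "C"
{
    // Removes the WH_SHELL hook installed by AddApplicatinMonitor.
    // g_hShellHook is reset to NULL only when UnhookWindowsHookEx succeeds.
    void RemoveApplicationMonitor()
    {
        if (UnhookWindowsHookEx(g_hShellHook))
            g_hShellHook = NULL;
    }

    // Installs the global WH_SHELL hook with this DLL as the hook module.
    // Records the calling process id in g_dwProcessId (the process MyOpenProcess
    // refuses to open) and this DLL's full path in g_szModule (the module the
    // CreateProcess hooks inject). An already installed hook is removed first.
    // Returns true when the hook was installed; false when this DLL's path
    // could not be determined or SetWindowsHookEx failed.
    bool AddApplicatinMonitor()
    {
        g_dwProcessId = GetCurrentProcessId();

        // GetModuleFileName returns 0 on failure and the buffer size when the
        // path was truncated. An empty or truncated g_szModule would later be
        // handed to InjectModuleToProcessById, so refuse to install instead.
        const DWORD cch = GetModuleFileName(g_hIns, g_szModule, MAX_PATH);
        if (cch == 0 || cch >= MAX_PATH)
        {
            g_szModule[0] = '\0';
            return false;
        }

        if (g_hShellHook)
        {
            RemoveApplicationMonitor();
        }
        g_hShellHook = SetWindowsHookEx(WH_SHELL, ShellProc, g_hIns, 0);
        return g_hShellHook != NULL;
    }
}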
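// DLL entry point. Records the instance handle, installs the API hooks when the
// DLL is mapped into a process and removes them when it is unloaded.
// hModule: this DLL's instance. ul_reason_for_call: attach/detach reason.
// lpReserved: on DLL_PROCESS_DETACH, NULL for FreeLibrary and non-NULL when the
// process is terminating. Always returns TRUE.
// Start() and End() run under the loader lock; keep them free of calls that
// load other DLLs or wait on other threads.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    g_hIns = static_cast<HINSTANCE>(hModule);
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Patch the kernel32 entry points in the process that just loaded us.
        Start();
        break;
    case DLL_PROCESS_DETACH:
        // When the process is terminating its other threads are already gone
        // and the patched code will not run again, so restoring the original
        // bytes is unnecessary; only unhook on an explicit FreeLibrary.
        if (lpReserved == NULL)
            End();
        break;
    }
    return TRUE;
}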