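/*
 * systimeprotectsys -- kernel-mode driver that stops changes to the system
 * time by replacing the ZwSetSystemTime slot of the x86 System Service
 * Descriptor Table with a stub that reports success and does nothing.
 *
 * NOTE(review): this listing was recovered from a web page. The angle-bracket
 * header names of the first four #include lines were lost, and every backslash
 * inside a string literal appears to have become a forward slash
 * (L"//Device//..." and ".../n"). Verify both against the original source
 * before building; they are left untouched here.
 */
#include /* <HEADER-NAME-LOST-IN-EXTRACTION> */
#include /* <HEADER-NAME-LOST-IN-EXTRACTION> */
#include /* <HEADER-NAME-LOST-IN-EXTRACTION> */
#include /* <HEADER-NAME-LOST-IN-EXTRACTION> */
#include "systimeprotectsys.h"

#define NTDEVICE_NAME L"//Device//systimeprotectsys"
#define DOSLINK_NAME  L"//DosDevices//systimeprotectsys"

/* Layout of KeServiceDescriptorTable on 32-bit Windows; packed so the
 * ServiceTableBase pointer is read at offset 0 exactly as the kernel lays it out. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase;   /* Used only in checked build */
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * SYSTEMSERVICE(fn): the SSDT slot belonging to the Zw* export `fn`.
 * Reads the 32-bit immediate at byte offset 1 of the stub as the service
 * index, i.e. it assumes the stub begins with `mov eax, <index>`. That holds
 * for the 32-bit kernel only; on x64 the stub layout differs and the SSDT is
 * not writable this way at all.
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT SYSTEMSERVICE

/*
 * MemOpen/MemClose: clear / set CR0.WP (bit 16) around the SSDT write.
 * Both are currently unused -- Hook() and UnHook() inline the same sequence.
 * MemOpen originally read `MOV EAX, NOT 10000H`, which would overwrite CR0
 * with 0xFFFEFFFF instead of clearing one bit; it is `AND` here, matching
 * the inline blocks below.
 */
#define MemOpen()  __asm CLI; __asm MOV EAX, CR0; __asm AND EAX, NOT 10000H; __asm MOV CR0, EAX;
#define MemClose() __asm MOV EAX, CR0; __asm OR EAX, 10000H; __asm MOV CR0, EAX; __asm STI;

/* TRUE once the SSDT slot has been replaced. Tested and set without any
 * synchronization, so two concurrent callers of Hook() could race. */
BOOLEAN g_Hooked = FALSE;

extern NTSYSAPI NTSTATUS NTAPI ZwSetSystemTime(PLARGE_INTEGER NewTime, PLARGE_INTEGER OldTime);
typedef NTSTATUS (*ZWSETSYSTEMTIME)(PLARGE_INTEGER NewTime, PLARGE_INTEGER OldTime);

NTSTATUS HookZwSetSystemTime(PLARGE_INTEGER NewTime, PLARGE_INTEGER OldTime);

/* The kernel's original ZwSetSystemTime slot value, saved by Hook() and
 * written back by UnHook(). Never called by HookZwSetSystemTime. */
static ZWSETSYSTEMTIME RealZwSetSystemTime;

/*
 * Hook -- install the SSDT hook. No-op when already installed.
 *
 * Clears CR0.WP, swaps the ZwSetSystemTime slot with HookZwSetSystemTime
 * (keeping the previous value in RealZwSetSystemTime), then restores WP.
 *
 * NOTE(review): CR0 is per-processor and interrupts are left enabled here
 * (the CLI/STI of MemOpen/MemClose are not used), so a thread preempted
 * between the two __asm blocks may resume on a CPU whose WP bit is still set
 * and fault on the write, or leave WP cleared on the original CPU. Treat the
 * window between the two blocks as a known fragility of this design.
 */
void Hook(void)
{
    if (g_Hooked) {
        return;
    }
    g_Hooked = TRUE;

    __asm {
        push eax
        mov  eax, CR0
        and  eax, 0FFFEFFFFh        ; clear bit 16 (WP)
        mov  CR0, eax
        pop  eax
    }

    RealZwSetSystemTime = (ZWSETSYSTEMTIME)InterlockedExchange(
        (PLONG)&SDT(ZwSetSystemTime), (LONG)HookZwSetSystemTime);
    /* Was "%x": a pointer printed through an int specifier. */
    DbgPrint("%p", RealZwSetSystemTime);

    __asm {
        push eax
        mov  eax, CR0
        or   eax, NOT 0FFFEFFFFh    ; set bit 16 (WP) again
        mov  CR0, eax
        pop  eax
    }
}

/*
 * UnHook -- restore the original ZwSetSystemTime slot. No-op when not hooked.
 *
 * Same CR0.WP sequence and the same caveats as Hook(). Restoring the slot does
 * not wait for threads that are already executing inside HookZwSetSystemTime;
 * if the driver image is unloaded immediately afterwards such a thread runs on
 * freed code. The stub is tiny, but the window is not zero.
 */
void UnHook(void)
{
    if (!g_Hooked) {
        return;
    }
    g_Hooked = FALSE;

    __asm {
        push eax
        mov  eax, CR0
        and  eax, 0FFFEFFFFh        ; clear bit 16 (WP)
        mov  CR0, eax
        pop  eax
    }

    InterlockedExchange((PLONG)&SDT(ZwSetSystemTime), (LONG)RealZwSetSystemTime);

    __asm {
        push eax
        mov  eax, CR0
        or   eax, NOT 0FFFEFFFFh    ; set bit 16 (WP) again
        mov  CR0, eax
        pop  eax
    }
}

/*
 * HookZwSetSystemTime -- replacement system service.
 *
 * Logs and returns STATUS_SUCCESS without changing the clock and without
 * calling RealZwSetSystemTime. Note that OldTime is never written, so a caller
 * that passed a non-NULL OldTime receives success together with an unset
 * output value; a caller that checks the status has no way to tell that the
 * time was not changed.
 */
NTSTATUS HookZwSetSystemTime(PLARGE_INTEGER NewTime, PLARGE_INTEGER OldTime)
{
    UNREFERENCED_PARAMETER(NewTime);
    UNREFERENCED_PARAMETER(OldTime);
    DbgPrint("Returned ...");
    return STATUS_SUCCESS;
}

/*
 * DriverUnload -- restore the SSDT slot, then tear down the link and device.
 *
 * The original called `UnHoo()` (typo). Unloading with the SSDT slot still
 * pointing into this image would make the next ZwSetSystemTime call jump into
 * unmapped memory, so the unhook must happen before the image goes away.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING nameString;

    DbgPrint("Driver Unloading.../n");
    UnHook();
    RtlInitUnicodeString(&nameString, DOSLINK_NAME);
    IoDeleteSymbolicLink(&nameString);
    IoDeleteDevice(pDriverObject->DeviceObject);
}

/*
 * MyDrvDispatch -- single dispatch routine registered for every major function.
 *
 * IRP_MJ_CREATE installs the hook, IRP_MJ_SHUTDOWN removes it, and
 * IRP_MJ_DEVICE_CONTROL toggles it via IOCTL_TIME_HOOK / IOCTL_TIME_UNHOOK
 * (declared in systimeprotectsys.h). Every IRP, including major functions this
 * driver does not implement, is completed with STATUS_SUCCESS; only an unknown
 * IOCTL code yields STATUS_INVALID_PARAMETER.
 *
 * NOTE(review): the device is created by IoCreateDevice without a security
 * descriptor, so whoever can open the device can send IOCTL_TIME_UNHOOK and
 * switch the protection off (the default DACL for a named FILE_DEVICE_UNKNOWN
 * device typically lets non-administrators open it -- confirm for the target
 * OS). A protection feature that any local user can disable is not one;
 * restrict the device with IoCreateDeviceSecure and an admin/SYSTEM-only SDDL,
 * or check an appropriate privilege in the IOCTL path.
 *
 * NOTE(review): IRP_MJ_SHUTDOWN requests are only delivered to drivers that
 * call IoRegisterShutdownNotification; no such call is visible in this file,
 * so the shutdown branch may never run.
 */
NTSTATUS MyDrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
    PIO_STACK_LOCATION irpStack;
    ULONG ioControlCode;

    UNREFERENCED_PARAMETER(DeviceObject);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    irpStack = IoGetCurrentIrpStackLocation(pIrp);
    DbgPrint("MyDrvDispatch...");

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        DbgPrint("IRP_MJ_CREATE...");
        Hook();
        break;

    case IRP_MJ_SHUTDOWN:       /* system is shutting down */
        DbgPrint("IRP_MJ_SHUTDOWN...");
        UnHook();
        break;

    case IRP_MJ_CLOSE:          /* handle closed; nothing to release */
        DbgPrint("IRP_MJ_CLOSE...");
        break;

    case IRP_MJ_DEVICE_CONTROL: /* control requests from user mode */
        DbgPrint("IRP_MJ_DEVICE_CONTROL/n");
        /* Only read the IoControlCode for IRPs that actually carry one. */
        ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
        switch (ioControlCode) {
        case IOCTL_TIME_HOOK:
            Hook();
            DbgPrint("IOCTL_TIME_HOOK...");
            break;
        case IOCTL_TIME_UNHOOK:
            UnHook();
            DbgPrint("IOCTL_TIME_UNHOOK...");
            break;
        default:
            pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
            DbgPrint("unknown IRP_MJ_DEVICE_CONTROL/n");
            break;
        }
        break;

    default:
        /* All other major functions are completed successfully, unchanged
         * from the original behaviour. */
        break;
    }

    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * DriverEntry -- create the device and its DOS link, register the dispatch
 * routine for every major function and the unload routine.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
 * status after deleting the device object if it was created. The device is
 * created with Exclusive = TRUE, so at most one handle is open at a time.
 *
 * NOTE(review): the upper bound of the MajorFunction loop was lost in
 * extraction; IRP_MJ_MAXIMUM_FUNCTION (inclusive) is the conventional bound
 * for "register for everything" -- confirm against the original source.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ntDeviceName;
    UNICODE_STRING win32DeviceName;
    ULONG i;

    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("DriverEntry.../n");

    RtlInitUnicodeString(&ntDeviceName, NTDEVICE_NAME);
    /* Create the control device (no device extension, no security descriptor). */
    status = IoCreateDevice(DriverObject, 0, &ntDeviceName, FILE_DEVICE_UNKNOWN,
                            0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        goto ERROR;
    }

    RtlInitUnicodeString(&win32DeviceName, DOSLINK_NAME);
    status = IoCreateSymbolicLink(&win32DeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        goto ERROR;
    }

    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = MyDrvDispatch;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;

ERROR:
    if (deviceObject) {
        IoDeleteDevice(deviceObject);
    }
    DbgPrint("Leave DriverEntry failed/n");
    return status;
}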