Solved

SetSystemTime API hook with a commercial library

Posted on 2003-12-01
Last Modified: 2013-12-03
Hi

I'm trying to disable the system time changing on Win9x/Me.

I guess the "only solution" is to install a system-wide hook on the SetSystemTime API function that redirects all calls to an empty function.
I hope this works to disable the TIME command from MS-DOS windows too (Am I right?).

I'm not an expert programmer (I know VB and a little C/C++) so I guess the best option for me is just to use a library (commercial or free).

I'm considering Hoko ( http://scifi.pages.at/yoda9k/Hoko/info.htm ). But all my attempts crash or just don't work.

So maybe some of you can give me the correct code to do what I want with Hoko (or some other library)

btw: I'm using C/C++ in Open Watcom 1.1
Question by:rettiseert
31 Comments
 
LVL 20

Accepted Solution

by:
Madshi earned 125 total points
ID: 9852784
Hooking 32bit APIs in win9x sometimes works for DOS applications, but more often it does not work. In the end you'll have to try. If you're not a programming expert, API hooking might be a bit over your head. It's really a difficult topic. But anyway, you can have a try. Maybe this one is interesting for you:

http://help.madshi.net/madCodeHook.htm
 
LVL 13

Author Comment

by:rettiseert
ID: 9859964
I'm using MadCodeHook but I can't link.
Do I need VC++ or is there a way to generate the EXE in Watcom C++?
 
LVL 20

Expert Comment

by:Madshi
ID: 9860009
Have you tried the dynamic borland lib file? I think it should work for Watcom, too. If it does not, I'm willing to work on the problem. Can you tell me how I can create a lib file for Watcom for a Delphi DLL?
 
LVL 13

Author Comment

by:rettiseert
ID: 9860343
I can't link with the Borland LIB either. Maybe I'm doing something wrong.

And I can't answer your question.

Thanks
 
LVL 20

Expert Comment

by:Madshi
ID: 9860467
What does Watcom complain about? Can you post the exact messages here?
 
LVL 20

Expert Comment

by:Madshi
ID: 9860474
P.S: When linking with the Borland Lib.
 
LVL 32

Expert Comment

by:jhance
ID: 9865895
Unfortunately, you're trying to secure an unsecurable object.  Kind of like putting a padlock on a cardboard box.  Sure the lock is secure but the box can be easily cut open with a knife...

My suggestion is that Win9x/ME is UNSUITABLE for public access use as it simply CANNOT be secured by any means.  Even your most creative scheme can be circumvented by a "not all that knowledgeable" hacker wannabe.

I have two suggestions:

1) Upgrade your OS to Windows XP or Windows 2000, which CAN be secured.  The time-changing APIs are privileged anyway, so non-administrators cannot change the system time.

2) If that is not possible, write an application that will reset the system's time at the end of each user's session.  There is really nothing you can do to stop users from changing the time but at least you can help prevent headaches for subsequent users.

3) You could hook all the time APIs and prevent them from working and this would indeed frustrate most mischief but please remember that this is still not secure.  On Win9x/ME ANYONE can add or remove a system hook.

***********************************************************************************
                                   COMMENT DISCLAIMER
***********************************************************************************
   CAUTION - CAUTION - CAUTION - CAUTION - CAUTION - CAUTION - CAUTION - CAUTION
***********************************************************************************
                           READ THIS COMMENT AT YOUR OWN RISK

 This helpful comment MAY include straight talk relating to or about your question.
   If you are easily offended by such talk, please disregard this comment in its
                                        entirety.
***********************************************************************************
                               Thank you for your cooperation
***********************************************************************************
 
LVL 13

Author Comment

by:rettiseert
ID: 9866905
Hi!

This is the log file I get when try to link:

-----------------------------------------------------
cd c:\watcom\projects\mad
wmake -f c:\watcom\projects\mad\mad.mk -h -e c:\watcom\projects\mad\mad.exe
wlink name mad d all op inc SYS nt op m op maxe=25 op q op symf @mad.lk1
Error! E2028: __imp__HookAPI@20 is an undefined reference
Error! E2028: __imp__UnhookAPI@4 is an undefined reference
file systemapi.obj(C:\watcom\projects\mad\systemapi.cpp): undefined symbol __imp__HookAPI@20
file systemapi.obj(C:\watcom\projects\mad\systemapi.cpp): undefined symbol __imp__UnhookAPI@4
Error(E42): Last command making (c:\watcom\projects\mad\mad.exe) returned a bad status
Error(E02): Make execution terminated
Execution complete
-----------------------------------------------------

Probably I'm doing something wrong and it is not the compiler's fault.
The program I'm trying to run is "madCodeHook\Demos\system wide - win9x only\systemapi.cpp"

In the dir "madCodeHook\dll" there is a file called madCHook.def. Do I need to use that file somewhere?

Thanks! jhance & Madshi
 
LVL 20

Expert Comment

by:Madshi
ID: 9872989
Hmmm... Are you linking with the madCodeHook.lib file at all? The compiler doesn't complain that it didn't find or understand the lib file. Maybe it doesn't even know it is supposed to link to it? Just a guess...

You don't need the def file. Normally you only need the madCHook.h and madCHook.lib.

Btw, the technique used in the demo in "system wide - win9x only" is hard to program. I'd recommend using the demos in the "system wide" folder. They work in both win9x and winNT and are easier to program. But anyway, first you need to be able to compile *any* of the demos.
 
LVL 13

Author Comment

by:rettiseert
ID: 9878442
I'm linking with the lib file.
The compiler seems to understand the LIB but the linker doesn't.

I'm going to try with VC6 tomorrow

Thanks
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9881238
Many years ago I was making such things under Win95 and Win98.
But I'm not sure that it'll work under Me.
I've made a driver which allows setting any date/time from my application.
As far as I remember it was system-wide.
 
LVL 13

Author Comment

by:rettiseert
ID: 9888820
Hi to all

Hey madshi (I've just noticed your name), are you related to the MadCodeHook lib?

OK, I've got VC++ 6.0 and I can compile & link.

I understand how the "system wide hook for 9x only" works, but not the other examples (and on the home page there are explanations only for Delphi). Can you give me the code to do what I want? Just intercept all calls to the SetSystemTime API and redirect them "to nothing".
 
LVL 20

Expert Comment

by:Madshi
ID: 9891642
> are your related with MadCodeHook lib?

Yes, I'm the author of that lib.

The explanations for Delphi are also valid for C++. The other demos work like this: The hooking is done by a little hook dll. The hook dll gets loaded into each and every running application. There's always a starter exe, which does nothing but load ("inject") the DLL into all running processes. The exe is very simple. It just calls "InjectLibrary". The hook dll does all the work. In the hook dll just call "HookAPI" to hook the SetSystemTime API. You can use e.g. the "HookFindNextFile.cpp" file and just work on the code a bit. Don't hook FindNextFile, instead hook SetSystemTime. In your hook callback function do nothing but just return false. Should be really easy to do.
 
LVL 13

Author Comment

by:rettiseert
ID: 9897734
Thanks madshi, it was as easy as you said.

Unfortunately, for 9x/Me the SetSystemTime & SetLocalTime functions work only in Windows. If I open an MS-DOS window I can change the time with no problem. This doesn't happen in XP.

I guess 9x/Me is still using command.com and XP uses kernel32.

So, any ideas?
What about old TSR programs for MS-DOS hooking DOS interrupt calls?
I think you know about low-level programming so maybe you can give me some ideas or links where I can find info.

Thanks for all, and congratulations for your excellent lib
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9898158
As I said before I have driver, which can help.
If you are interested I can try to find the sources.
 
LVL 13

Author Comment

by:rettiseert
ID: 9899597
GloomyFriar hi,

Can you tell me how your driver works and which language/compiler you used?
I'm very interested in finding a solution to lock time changes on Win9x/Me.

Thanks
 
LVL 20

Expert Comment

by:Madshi
ID: 9902574
If hooking SetSystemTime in win9x doesn't work for 16bit applications, then madCodeHook can't help there, I'm sorry. As I said, hooking 32bit APIs in win9x more often does not show effect on 16bit processes. I've never done 16bit API hooking, so unfortunately I can't help there. But maybe GloomyFriar's driver can help...
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9906448
>Can you tell me how your driver works and which language/compiler you used?

It was written in ASM (DDK95 (or 98) + MASM).
It works by setting a hook like the following:

BeginProc       DChanger_Device_Init
        mov     eax, 21h                           ; interrupt to hook: INT 21h, the DOS API
        mov     esi, OFFSET32 DChanger_IRQ_Handler ; hook procedure, called for every V86-mode INT 21h
        VMMCall Hook_V86_Int_Chain                 ; carry flag set if the hook could not be installed
        jnc     @F
        ; Error
        stc
        ret
@@:
;DeviceInitOk:
        clc
        ret
EndProc         DChanger_Device_Init
 
LVL 13

Author Comment

by:rettiseert
ID: 9988711
Hi, madshi, hope you remember me

I've been using madCodeHook, but I'm having some problems, maybe you can help me

I'm using VC6 on WinXP to create an Injector.

I can Inject / Uninject DLLs without problems, but as soon as I close my app I get an error message generated by Windows. This error is only generated if I Uninject a DLL and only when I close my app.

If I compile the code in "Demos\system wide\VariousDlls\DllInjector.cpp" I get the same error but if I use the DllInjector.exe already compiled by you everything works fine, so I guess I need to use a special compiler/linker parameter.

The error is (I'll try to translate it 'cos my OS is in Spanish):

"The instruction at "0x4440f50c" references memory at "0x4440f50c". The memory could not be "read"."

What should I do?
 
LVL 20

Expert Comment

by:Madshi
ID: 9999444
Are you using the dynamic or the static lib? If you're using the static lib, are you calling InitializeMadCHook and FinalizeMadCHook?
 
LVL 13

Author Comment

by:rettiseert
ID: 10000263
It's the dynamic lib...
 
LVL 20

Expert Comment

by:Madshi
ID: 10001460
And the exception occurs on your development OS (winXP)? Or does it occur in win9x? Thanks!
 
LVL 13

Author Comment

by:rettiseert
ID: 10013519
Hi, sorry for the delay

I've tested only in XP, not in 9x/Me.

I've tried creating an injector in a DLL and then calling it from VB, but the same error occurs when I close the VB app.
 
LVL 20

Expert Comment

by:Madshi
ID: 10015380
Could you please test it with the DllInjector.cpp (-> DllInjector.exe) and the Empty.cpp (-> Empty.dll) demos? If you can reproduce the problem there, could you please send me the whole project folder? Thanks!
 
LVL 13

Author Comment

by:rettiseert
ID: 10029408
Hi

OK, I've tested various dlls (I just had to delete "InitializeMadCHook();" and "FinalizeMadCHook();" in exes and dlls 'cos I don't have the static lib)

1- My compiled DllInjector.EXE injecting any demo DLL compiled by you works fine.
2- My compiled DllInjector.EXE injecting any demo DLL compiled by me works fine.
3- Your compiled DllInjector.EXE injecting my own DLL works fine.
4- My compiled DllInjector.EXE injecting my own DLL gives the error.

This is very strange isn't it?
If my compiled DllInjector.EXE is the problem then why with your demo Dlls works fine?
If my own dll is the problem then why your DllInjector.EXE works fine with it?

This is the code of my own dll:

/****************************************************/
#include <windows.h>
#include "madCHook.h"

BOOL (WINAPI *SetSystemTimeNext)( CONST SYSTEMTIME *lpSystemTime );
BOOL (WINAPI *SetLocalTimeNext) ( CONST SYSTEMTIME *lpSystemTime );

BOOL WINAPI SetSystemTimeCallback( CONST SYSTEMTIME *lpSystemTime ){
    return FALSE;
}
BOOL WINAPI SetLocalTimeCallback( CONST SYSTEMTIME *lpSystemTime ){
    return FALSE;
}
BOOL WINAPI DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
{
    HookAPI("kernel32.dll", "SetSystemTime", SetSystemTimeCallback, (PVOID*) &SetSystemTimeNext);
    HookAPI("kernel32.dll", "SetLocalTime",  SetLocalTimeCallback,  (PVOID*) &SetLocalTimeNext);

    return TRUE;
}
/****************************************************/

If you want to see my projects I've uploaded DllInjector and TWLTD (my own dll) here:

http://www.televes.com.mx/errorwhenclosinginjector.zip

I didn't upload the empty project because it works fine. And I erased the ilk, obj, pch, pdb and idb files of the debug dirs to reduce the size of the file.

I couldn't set the option "ignore all default libraries" and add "entry:DllMain" to the project options because if I do I get some errors when linking.

Thanks!!!

* and I've tested the app in Win98 now and I don't get the error message as in XP; instead, the app crashes when closing.
 
LVL 20

Expert Comment

by:Madshi
ID: 10029723
If you compare the code of your hook dll to the C++ demo hook dlls, which ship with madCodeHook, you should notice one big difference:

Inside of DllMain you're not checking the value of "fdwReason". As a result you're calling HookAPI in DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH, DLL_THREAD_ATTACH and DLL_THREAD_DETACH. That's wrong. You should call it only for DLL_PROCESS_ATTACH.
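Madshi's explanation of the hook DLL (starter exe calls InjectLibrary, the DLL calls HookAPI and the callback just returns false) and his diagnosis of the crash (HookAPI called on every fdwReason) both describe the same DLL. This is an added example of what that corrected DLL looks like; it is not code from the thread, from madCodeHook's demos, or from rettiseert's project. On Windows it builds against <windows.h> and madCodeHook's madCHook.h using the same HookAPI/UnhookAPI calls the thread's linker errors name (HookAPI@20, UnhookAPI@4). The non-Windows branch defines small stand-ins for the Win32 types and for HookAPI/UnhookAPI that only record whether a hook is installed; those stand-ins, the InstalledHooks helper, and the choice of ERROR_ACCESS_DENIED as the failure code are assumptions made for this example, not madCodeHook behaviour.

```cpp
// Added example: madCodeHook hook DLL that refuses SetSystemTime/SetLocalTime,
// with the fdwReason dispatch the poster's DLL was missing and balanced
// UnhookAPI calls on process detach. Not the thread's or madCodeHook's own code.
#ifdef _WIN32
#include <windows.h>
#include "madCHook.h"          // HookAPI / UnhookAPI from madCodeHook
#else
// Stand-ins so the DllMain logic compiles and runs off Windows (assumption for
// this example only; they patch nothing, they just remember the call).
#include <cstdint>
typedef int BOOL;
typedef std::uint32_t DWORD;
typedef std::uint16_t WORD;
typedef void *PVOID;
typedef void *LPVOID;
typedef void *HANDLE;
#define WINAPI
#define TRUE 1
#define FALSE 0
#define DLL_PROCESS_DETACH 0   // same numeric values as winnt.h
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#define ERROR_ACCESS_DENIED 5
struct SYSTEMTIME { WORD wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds; };
static DWORD g_lastError = 0;
static void  SetLastError(DWORD e) { g_lastError = e; }
static DWORD GetLastError()        { return g_lastError; }
static BOOL HookAPI(const char *, const char *, PVOID callback, PVOID *next, DWORD = 0) {
    *next = callback;          // any non-null value marks "hooked"
    return TRUE;
}
static BOOL UnhookAPI(PVOID *next) {
    if (*next == nullptr) return FALSE;
    *next = nullptr;
    return TRUE;
}
#endif

// "Next hook" pointers. madCodeHook fills them with a way to reach the
// original API so a callback could forward the call; this DLL never forwards.
static BOOL (WINAPI *SetSystemTimeNext)(const SYSTEMTIME *) = nullptr;
static BOOL (WINAPI *SetLocalTimeNext)(const SYSTEMTIME *)  = nullptr;

// Reject the call, but give the caller a meaningful GetLastError() value
// instead of whatever happened to be there.
static BOOL WINAPI SetSystemTimeCallback(const SYSTEMTIME *) {
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}
static BOOL WINAPI SetLocalTimeCallback(const SYSTEMTIME *) {
    SetLastError(ERROR_ACCESS_DENIED);
    return FALSE;
}

// Hooks this DLL currently has installed (0 or 2). Helper for checking state.
int InstalledHooks() {
    return (SetSystemTimeNext ? 1 : 0) + (SetLocalTimeNext ? 1 : 0);
}

// The fix: only act on process attach/detach. Calling HookAPI again on every
// DLL_THREAD_ATTACH/DETACH and on DLL_PROCESS_DETACH (as the original did)
// re-hooks an already hooked API and never unhooks it.
BOOL WINAPI DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved) {
    (void)hModule; (void)lpReserved;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        HookAPI("kernel32.dll", "SetSystemTime", (PVOID)SetSystemTimeCallback, (PVOID *)&SetSystemTimeNext);
        HookAPI("kernel32.dll", "SetLocalTime",  (PVOID)SetLocalTimeCallback,  (PVOID *)&SetLocalTimeNext);
        break;
    case DLL_PROCESS_DETACH:
        if (SetSystemTimeNext) { UnhookAPI((PVOID *)&SetSystemTimeNext); SetSystemTimeNext = nullptr; }
        if (SetLocalTimeNext)  { UnhookAPI((PVOID *)&SetLocalTimeNext);  SetLocalTimeNext  = nullptr; }
        break;
    default:                   // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do
        break;
    }
    return TRUE;
}
```

The starter exe is unchanged from Madshi's description: it only injects this DLL into the running processes. As the thread itself found, this covers the Win32 SetSystemTime/SetLocalTime path only; the MS-DOS TIME command on Win9x/Me is not affected, and, per jhance, on Win9x/Me any program can remove the hook again, so this is a convenience measure rather than a security control.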
 
LVL 13

Author Comment

by:rettiseert
ID: 10030139
Yes!!! that is!

I was blind because I couldn't understand (not even now) why the error doesn't occur using your compiled injector.

Thanks for all, Madshi. I've been working on a project since last April and locking the time/date is one of the remaining "details". Your hooking lib is the best of all I tried and the price is the smallest. I guess we will buy the commercial version by the end of this month or next. I recommend it to everyone!

...and GloomyFriar, thanks for the code. I'm sorry but I don't know ASM and I didn't want to bother you with many questions.

See you next time!
 
LVL 20

Expert Comment

by:Madshi
ID: 10030178
Perhaps I should raise the price...   :-)   No, don't fear. You'll get it for the current price. But just for my interest: Which other hooking packages did you try and how much do they cost? Thanks!
 
LVL 13

Author Comment

by:rettiseert
ID: 10030549
I was searching for a good library in my free time for two months or something and I found just a few.

I remember I tried...

Detours (free but I never could make it work (too advanced for me))
Hoko (US $125)
and one more... (what was the name? I forgot! (and also the price, but I'm sure it was over $75))
Also tried some other free/unfinished libraries/code...

Never tried:

http://www.apihook.com/apihook/index.shtml (with no demo and price starting at $995)
FuncHook (with no demo and price starting at $5,000!!!)
 
LVL 20

Expert Comment

by:Madshi
ID: 10030700
Thanks for the information!
 

Expert Comment

by:validtec
ID: 10234041
Get the API Hook SDK from Validtec Software

http://www.validtec.com
A Windows API Hook SDK that can hook most Windows system APIs or functions in third-party application DLLs.
