SetSystemTime API hook with a commercial library


I'm trying to disable the system time changing on Win9x/Me.

I guess the "only solution" is to install a system wide hook on SetSystemTime API function that redirects all calls to an empty function.
I hope this works to disable the TIME command from MS-DOS windows too (Am I right?).

I'm not an expert programmer (I know VB and a little C/C++) so I guess the best option for me is just to use a library (commercial or free).

I'm considering Hoko ( ). But all my attempts crash or just don't work.

So maybe some of you can give me the correct code to do what I want with hoko (or some other library)

btw: I'm using C/C++ in Open Watcom 1.1

Hooking 32bit APIs in win9x sometimes works for DOS applications, but more often it does not work. In the end you'll have to try. If you're not a programming expert, API hooking might be a bit over your head. It's really a difficult topic. But anyway, you can have a try. Maybe this one is interesting for you:

rettiseert (Author) Commented:
I'm using MadCodeHook but I can't link.
Do I need VC++ or is there a way to generate the EXE in Watcom C++?
Have you tried the dynamic borland lib file? I think it should work for Watcom, too. If it does not, I'm willing to work on the problem. Can you tell me how I can create a lib file for Watcom for a Delphi DLL?
rettiseert (Author) Commented:
I can't link with Borland LIB either. Maybe I'm doing something wrong.

And I can't answer your question.

What does Watcom complain about? Can you post the exact messages here?
P.S: When linking with the Borland Lib.
Unfortunately, you're trying to secure an unsecurable object.  Kind of like putting a padlock on a cardboard box.  Sure the lock is secure but the box can be easily cut open with a knife...

My suggestion is that Win9x/ME is UNSUITABLE for public access use as it simply CANNOT be secured by any means.  Even your most creative scheme can be circumvented by a "not all that knowledgeable" hacker wannabe.

I have two suggestions:

1) Upgrade your OS to Windows XP or Windows 2000, which CAN be secured.  The TIME changing APIs are privileged anyway and non-administrators cannot change the system time anyway.

2) If that is not possible, write an application that will reset the system's time at the end of each user's session.  There is really nothing you can do to stop users from changing the time but at least you can help prevent headaches for subsequent users.

3) You could hook all the time APIs and prevent them from working and this would indeed frustrate most mischief but please remember that this is still not secure.  On Win9x/ME ANYONE can add or remove a system hook.

                                   COMMENT DISCLAIMER
                           READ THIS COMMENT AT YOUR OWN RISK

 This helpful comment MAY include straight talk relating to or about your question.
   If you are easily offended by such talk, please disregard this comment in its
                               Thank you for your cooperation
rettiseert (Author) Commented:

This is the log file I get when I try to link:

cd c:\watcom\projects\mad
wmake -f c:\watcom\projects\mad\ -h -e c:\watcom\projects\mad\mad.exe
wlink name mad d all op inc SYS nt op m op maxe=25 op q op symf @mad.lk1
Error! E2028: __imp__HookAPI@20 is an undefined reference
Error! E2028: __imp__UnhookAPI@4 is an undefined reference
file systemapi.obj(C:\watcom\projects\mad\systemapi.cpp): undefined symbol __imp__HookAPI@20
file systemapi.obj(C:\watcom\projects\mad\systemapi.cpp): undefined symbol __imp__UnhookAPI@4
Error(E42): Last command making (c:\watcom\projects\mad\mad.exe) returned a bad status
Error(E02): Make execution terminated
Execution complete

Probably I'm doing something wrong and it is not the compiler's fault.
The program I'm trying to run is "madCodeHook\Demos\system wide - win9x only\systemapi.cpp"

In the dir "madCodeHook\dll" there is a file called madCHook.def. Do I need to use that file somewhere?

Thanks! jhance & Madshi
Hmmm... Are you linking with the madCodeHook.lib file at all? The compiler doesn't complain that it didn't find or understand the lib file. Maybe it doesn't even know it is supposed to link to it? Just a guess...

You don't need the def file. Normally you only need the madCHook.h and madCHook.lib.

Btw, the technique used in the demo in "system wide - win9x only" is hard to program. I'd recommend using the demos in the "system wide" folder. They work in both win9x and winNT and are easier to program. But anyway, first you need to be able to compile *any* of the demos.
rettiseert (Author) Commented:
I'm linking with the lib file.
The compiler seems to understand the LIB but the linker doesn't.

I'm going to try with VC6 tomorrow

Many years ago I was making such things under Win95 and Win98.
But I'm not sure that it'll work under Me.
I've made the driver, which allows setting any datetime from my application.
As far as I remember it was system-wide.
rettiseert (Author) Commented:
Hi to all

Hey madshi (I've just noticed your name), are you related with MadCodeHook lib?

OK, I've got VC++ 6.0 and I can compile & link

I understand how the "system wide hook for 9x only" works, but not the other examples (and in the home page there are explanations only for Delphi). Can you give me the code to do what I want?: Just intercept all calls to SetSystemTime API and redirect them "to nothing"
> are you related with MadCodeHook lib?

Yes, I'm the author of that lib.

The explanations for Delphi are also valid for C++. The other demos work like this: The hooking is done by a little hook dll. The hook dll gets loaded into each and every running application. There's always a starter exe, which does nothing but load ("inject") the DLL into all running processes. The exe is very simple. It just calls "InjectLibrary". The hook dll does all the work. In the hook dll just call "HookAPI" to hook the SetSystemTime API. You can use e.g. the "HookFindNextFile.cpp" file and just work on the code a bit. Don't hook FindNextFile, instead hook SetSystemTime. In your hook callback function do nothing but just return false. Should be really easy to do.
rettiseert (Author) Commented:
Thanks madshi, it was as easy as you said.

Unfortunately, for 9x/Me the SetSystemTime & SetLocalTime functions work only in Windows; if I open an MS-DOS window I can change the time with no problem. This doesn't happen in XP.

I guess 9x/Me still using and XP use kernel32.

So, any ideas?
What about old TSR programs for ms-dos hooking dos interrupts calls?
I think you know about low level programming so maybe you can give me some ideas or links where I can find info.

Thanks for all, and congratulations for your excellent lib
As I said before I have driver, which can help.
If you are interested I can try to find the sources.
rettiseert (Author) Commented:
GloomyFriar hi,

Can you tell me how your driver works and which language/compiler you used?
I'm very interested in finding a solution to lock time changes over Win9x/Me

If hooking SetSystemTime in win9x doesn't work for 16bit applications, then madCodeHook can't help there, I'm sorry. As I said, hooking 32bit APIs in win9x more often does not show effect on 16bit processes. I've never done 16bit API hooking, so unfortunately I can't help there. But maybe GloomyFriar's driver can help...
> Can you tell me how your driver works and which language/compiler you used?

It was written in ASM (DDK95(or 98) + MASM)
It works by setting hook like the following:

BeginProc       DChanger_Device_Init
        mov     eax, 21h
        mov     esi, OFFSET32 DChanger_IRQ_Handler
        VMMCall Hook_V86_Int_Chain
        jnc     @F
        ; Error
EndProc         DChanger_Device_Init
rettiseert (Author) Commented:
Hi, madshi, hope you remember me

I've been using madCodeHook, but I'm having some problems, maybe you can help me

I'm using VC6 on WinXP to create an Injector.

I can Inject / Uninject DLLs without problems, but as soon as I close my app I get an error message generated by Windows. This error is only generated if I Uninject a DLL and only when I close my app.

If I compile the code in "Demos\system wide\VariousDlls\DllInjector.cpp" I get the same error, but if I use the DllInjector.exe already compiled by you everything works fine, so I guess I need to use a special compiler/linker parameter.

The error is (I'll try to translate it 'cos my OS is in Spanish):

"The instruction in "0x4440f50c" makes a reference to memory in "0x4440f50c". The memory cannot be "read"."

What should I do?
Are you using the dynamic or the static lib? If you're using the static lib, are you calling InitializeMadCHook and FinalizeMadCHook?
rettiseert (Author) Commented:
It's the dynamic lib...
And the exception occurs on your development OS (winXP)? Or does it occur in win9x? Thanks!
rettiseert (Author) Commented:
Hi, sorry for the delay

I've tested only in XP, not in 9x/Me.

I've tried creating an injector in a DLL and then calling it from VB, but the same error occurs when I close the VB app.
Could you please test it with the DllInjector.cpp (-> DllInjector.exe) and the Empty.cpp (-> Empty.dll) demos? If you can reproduce the problem there, could you please send me the whole project folder? Thanks!
rettiseert (Author) Commented:

OK, I've tested various dlls (I just had to delete "InitializeMadCHook();" and "FinalizeMadCHook();" in exes and dlls 'cos I don't have the static lib)

1- My compiled DllInjector.EXE injecting any demo DLL compiled by you works fine.
2- My compiled DllInjector.EXE injecting any demo DLL compiled by me works fine.
3- Your compiled DllInjector.EXE injecting my own DLL works fine.
4- My compiled DllInjector.EXE injecting my own DLL makes the error.

This is very strange isn't it?
If my compiled DllInjector.EXE is the problem then why with your demo Dlls works fine?
If my own dll is the problem then why your DllInjector.EXE works fine with it?

This is the code of my own dll:

#include <windows.h>
#include "madCHook.h"

// Pointers that HookAPI fills in with the original ("next") API entry points
BOOL (WINAPI *SetSystemTimeNext)( CONST SYSTEMTIME *lpSystemTime );
BOOL (WINAPI *SetLocalTimeNext) ( CONST SYSTEMTIME *lpSystemTime );

// Hook callbacks: refuse every request to change the time
BOOL WINAPI SetSystemTimeCallback( CONST SYSTEMTIME *lpSystemTime ){
      return FALSE;
}

BOOL WINAPI SetLocalTimeCallback( CONST SYSTEMTIME *lpSystemTime ){
      return FALSE;
}

// As posted: fdwReason is not checked, so the hooks are requested on every notification
BOOL WINAPI DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
{
      HookAPI("kernel32.dll", "SetSystemTime", SetSystemTimeCallback, (PVOID*) &SetSystemTimeNext);
      HookAPI("kernel32.dll", "SetLocalTime", SetLocalTimeCallback, (PVOID*) &SetLocalTimeNext);

      return true;
}

If you want to see my projects I've uploaded DllInjector and TWLTD (my own dll) here:

I didn't upload the empty project because it works fine. And I erased the ilk, obj, pch, pdb and idb files of the debug dirs to reduce the size of the file.

I couldn't set the option "ignore all default libraries" and add "entry:DllMain" to the project options because if I do I get some errors when linking.


* and I've tested the app in Win98 now and I don't get the error message as in XP; instead, the app crashes when closing.
If you compare the code of your hook dll to the C++ demo hook dlls, which ship with madCodeHook, you should notice one big difference:

Inside of DllMain you're not checking the value of "fdwReason". As a result you're calling HookAPI in DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH, DLL_THREAD_ATTACH and DLL_THREAD_DETACH. That's wrong. You should call it only for DLL_PROCESS_ATTACH.
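The difference between the two DllMain shapes discussed above, as an added example that is not part of the original thread and is not madCodeHook code. It is a portable model: `RecordHookAPI`, `countHookCalls` and the replayed notification sequence are constructed for illustration, and only the reason-code values match the Windows SDK.

```cpp
// Added illustration: a portable model of the loader's DllMain notifications.
// RecordHookAPI is a stand-in that only logs calls; it is NOT madCodeHook's HookAPI.
#include <cstdio>
#include <vector>

// Same numeric values as DLL_PROCESS_DETACH .. DLL_THREAD_DETACH in the Windows SDK.
enum Reason { PROCESS_DETACH = 0, PROCESS_ATTACH = 1, THREAD_ATTACH = 2, THREAD_DETACH = 3 };

struct HookCall { Reason during; const char* api; };
static std::vector<HookCall> g_calls;   // every hook-install request seen
static Reason g_now = PROCESS_ATTACH;   // notification currently being delivered

static bool RecordHookAPI(const char* /*module*/, const char* api) {
    g_calls.push_back({g_now, api});
    return true;
}

// Shape of the DllMain posted in the thread: no check of the reason code.
static bool DllMainUnguarded(Reason) {
    RecordHookAPI("kernel32.dll", "SetSystemTime");
    RecordHookAPI("kernel32.dll", "SetLocalTime");
    return true;
}

// Shape recommended in the reply: install hooks on process attach only.
static bool DllMainGuarded(Reason reason) {
    if (reason == PROCESS_ATTACH) {
        RecordHookAPI("kernel32.dll", "SetSystemTime");
        RecordHookAPI("kernel32.dll", "SetLocalTime");
    }
    return true;
}

// Replays load, one thread start and exit, then unload (constructed sequence)
// and returns how many hook installs were requested while `during` was being
// delivered (pass -1 to count all of them).
int countHookCalls(bool (*dllMain)(Reason), int during) {
    g_calls.clear();
    for (Reason r : {PROCESS_ATTACH, THREAD_ATTACH, THREAD_DETACH, PROCESS_DETACH}) {
        g_now = r;
        dllMain(r);
    }
    int n = 0;
    for (const HookCall& c : g_calls)
        if (during < 0 || c.during == during) ++n;
    return n;
}

int main() {
    std::printf("unguarded: %d total, %d during unload\n",
                countHookCalls(DllMainUnguarded, -1), countHookCalls(DllMainUnguarded, PROCESS_DETACH));
    std::printf("guarded:   %d total, %d during unload\n",
                countHookCalls(DllMainGuarded, -1), countHookCalls(DllMainGuarded, PROCESS_DETACH));
}
```

In the real hook DLL the same guard is a test of `fdwReason` against `DLL_PROCESS_ATTACH` around the two `HookAPI` calls.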
rettiseert (Author) Commented:
Yes!!! That is it!

I was blind because I couldn't understand (not even now) why the error doesn't occur using your compiled injector.

Thanks for all Madshi, I've been working on a project since last April and locking time/date is one of the left "details". Your hooking lib is the best of all I tried and the price is the smallest. I guess we will buy the commercial version by the end of this month or next. I recommend it to everyone!

...and GloomyFriar, thanks for the code. I'm sorry but I don't know ASM and I didn't want to bother you with many questions.

See you next time!
Perhaps I should raise the price...   :-)   No, don't fear. You'll get it for the current price. But just for my interest: Which other hooking packages did you try and how much do they cost? Thanks!
rettiseert (Author) Commented:
I was searching for a good library in my free time for two months or something and I found just a few.

I remember I tried...

Detours (free but I never could make it work (too advanced for me))
Hoko (US $125)
and one more... (what was the name? I forgot! (and also the price but sure it was over $75))
Also tried some other free/not finished libraries/codes...

Never tried: (with no demo and price starting at $995)
FuncHook (with no demo and price starting at $5,000!!!)
Thanks for the information!
Get API Hook SDK from Validtec Software
Windows API Hook SDK that can hooking most API of Windows System or functions in 3rd Application's DLL