1 files changed, 190 insertions, 0 deletions
diff --git a/time.c b/time.c
new file mode 100644
index 0000000..448fe7c
--- /dev/null
+++ b/time.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              time.c
+ *
+ * Abstract:
+ *
+ *              This module defines various routines used for hooking time routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 10-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "time.h"
+#include "hookproc.h"
+#include "procname.h"
+#include "learn.h"
+#include "misc.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitTimeHooks)
+#endif
+fpZwSetSystemTime                       OriginalNtSetSystemTime = NULL;
+fpZwSetTimerResolution          OriginalNtSetTimerResolution = NULL;
+/*
+ * HookedNtSetSystemTime()
+ *
+ * Description:
+ *              This function mediates the NtSetSystemTime() system service and disallows applications
+ *              to change the system time.
+ *
+ *              NOTE: ZwSetSystemTime sets the system time. [NAR]
+ *
+ * Parameters:
+ *              Those of NtSetSystemTime().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if time changing is disabled.
+ *              Otherwise, NTSTATUS returned by NtSetSystemTime().
+ */
+NTSTATUS
+NTAPI
+HookedNtSetSystemTime
+(
+        IN PLARGE_INTEGER NewTime,
+        OUT PLARGE_INTEGER OldTime OPTIONAL
+)
+{
+        PCHAR                   FunctionName = "HookedNtSetSystemTime";
+        PCHAR                   TIMENAME = NULL;        /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
+        HOOK_ROUTINE_ENTER();
+        LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetSystemTime\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+        /* NOTE: same code is replicated in sysinfo.c */
+        if (LearningMode == FALSE)
+        {
+                POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
+        }
+        ASSERT(OriginalNtSetSystemTime);
+        rc = OriginalNtSetSystemTime(NewTime, OldTime);
+        if (LearningMode == TRUE)
+        {
+                AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
+        }
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * HookedNtSetTimerResolution()
+ *
+ * Description:
+ *              This function mediates the NtSetTimerResolution() system service and disallows applications
+ *              to change the system time.
+ *
+ *              NOTE: ZwSetTimerResolution sets the resolution of the system timer. [NAR]
+ *
+ * Parameters:
+ *              Those of NtSetTimerResolution().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if time changing is disabled.
+ *              Otherwise, NTSTATUS returned by NtSetTimerResolution().
+ */
+NTSTATUS
+NTAPI
+HookedNtSetTimerResolution
+(
+        IN ULONG RequestedResolution,
+        IN BOOLEAN Set,
+        OUT PULONG ActualResolution
+)
+{
+        PCHAR                   FunctionName = "HookedNtSetTimerResolution";
+        PCHAR                   TIMENAME = NULL;        /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
+        HOOK_ROUTINE_ENTER();
+        LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetTimerResolution\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+        if (LearningMode == FALSE)
+        {
+                POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
+        }
+        ASSERT(OriginalNtSetTimerResolution);
+        rc = OriginalNtSetTimerResolution(RequestedResolution, Set, ActualResolution);
+        if (LearningMode == TRUE)
+        {
+                AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
+        }
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * InitTimeHooks()
+ *
+ * Description:
+ *              Initializes all the mediated time operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitTimeHooks()
+{
+        if ((OriginalNtSetSystemTime = (fpZwSetSystemTime) ZwCalls[ZW_SET_SYSTEM_TIME_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("InitTimeHooks: OriginalNtSetSystemTime is NULL\n"));
+                return FALSE;
+        }
+        /* a lot of applications seem to be calling this function thus don't intercept it */
+/*
+        if ((OriginalNtSetTimerResolution = (fpZwSetTimerResolution) ZwCalls[ZW_SET_TIMER_RESOLUTION_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("InitTimeHooks: OriginalNtSetTimerResolution is NULL\n"));
+                return FALSE;
+        }
+*/
+        return TRUE;
+}

diff --git a/time.c b/time.c new file mode 100644 index 0000000..448fe7c --- /dev/null +++ b/time.c
@@ -0,0 +1,190 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* time.c
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various routines used for hooking time routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 10-Mar-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include <NTDDK.h>
	23	#include "time.h"
	24	#include "hookproc.h"
	25	#include "procname.h"
	26	#include "learn.h"
	27	#include "misc.h"
	28	#include "log.h"
	29
	30
	31	#ifdef ALLOC_PRAGMA
	32	#pragma alloc_text (INIT, InitTimeHooks)
	33	#endif
	34
	35
	36	fpZwSetSystemTime OriginalNtSetSystemTime = NULL;
	37	fpZwSetTimerResolution OriginalNtSetTimerResolution = NULL;
	38
	39
	40
	41	/*
	42	* HookedNtSetSystemTime()
	43	*
	44	* Description:
	45	* This function mediates the NtSetSystemTime() system service and disallows applications
	46	* to change the system time.
	47	*
	48	* NOTE: ZwSetSystemTime sets the system time. [NAR]
	49	*
	50	* Parameters:
	51	* Those of NtSetSystemTime().
	52	*
	53	* Returns:
	54	* STATUS_ACCESS_DENIED if time changing is disabled.
	55	* Otherwise, NTSTATUS returned by NtSetSystemTime().
	56	*/
	57
	58	NTSTATUS
	59	NTAPI
	60	HookedNtSetSystemTime
	61	(
	62	IN PLARGE_INTEGER NewTime,
	63	OUT PLARGE_INTEGER OldTime OPTIONAL
	64	)
	65	{
	66	PCHAR FunctionName = "HookedNtSetSystemTime";
	67	PCHAR TIMENAME = NULL; /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
	68
	69
	70	HOOK_ROUTINE_ENTER();
	71
	72
	73	LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetSystemTime\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
	74
	75
	76	/* NOTE: same code is replicated in sysinfo.c */
	77
	78	if (LearningMode == FALSE)
	79	{
	80	POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
	81	}
	82
	83
	84	ASSERT(OriginalNtSetSystemTime);
	85
	86	rc = OriginalNtSetSystemTime(NewTime, OldTime);
	87
	88
	89	if (LearningMode == TRUE)
	90	{
	91	AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
	92	}
	93
	94	HOOK_ROUTINE_EXIT(rc);
	95	}
	96
	97
	98
	99	/*
	100	* HookedNtSetTimerResolution()
	101	*
	102	* Description:
	103	* This function mediates the NtSetTimerResolution() system service and disallows applications
	104	* to change the system time.
	105	*
	106	* NOTE: ZwSetTimerResolution sets the resolution of the system timer. [NAR]
	107	*
	108	* Parameters:
	109	* Those of NtSetTimerResolution().
	110	*
	111	* Returns:
	112	* STATUS_ACCESS_DENIED if time changing is disabled.
	113	* Otherwise, NTSTATUS returned by NtSetTimerResolution().
	114	*/
	115
	116	NTSTATUS
	117	NTAPI
	118	HookedNtSetTimerResolution
	119	(
	120	IN ULONG RequestedResolution,
	121	IN BOOLEAN Set,
	122	OUT PULONG ActualResolution
	123	)
	124	{
	125	PCHAR FunctionName = "HookedNtSetTimerResolution";
	126	PCHAR TIMENAME = NULL; /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
	127
	128
	129	HOOK_ROUTINE_ENTER();
	130
	131
	132	LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetTimerResolution\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
	133
	134
	135	if (LearningMode == FALSE)
	136	{
	137	POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
	138	}
	139
	140
	141	ASSERT(OriginalNtSetTimerResolution);
	142
	143	rc = OriginalNtSetTimerResolution(RequestedResolution, Set, ActualResolution);
	144
	145
	146	if (LearningMode == TRUE)
	147	{
	148	AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
	149	}
	150
	151	HOOK_ROUTINE_EXIT(rc);
	152	}
	153
	154
	155
	156	/*
	157	* InitTimeHooks()
	158	*
	159	* Description:
	160	* Initializes all the mediated time operation pointers. The "OriginalFunction" pointers
	161	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	162	*
	163	* NOTE: Called once during driver initialization (DriverEntry()).
	164	*
	165	* Parameters:
	166	* None.
	167	*
	168	* Returns:
	169	* TRUE to indicate success, FALSE if failed.
	170	*/
	171
	172	BOOLEAN
	173	InitTimeHooks()
	174	{
	175	if ((OriginalNtSetSystemTime = (fpZwSetSystemTime) ZwCalls[ZW_SET_SYSTEM_TIME_INDEX].OriginalFunction) == NULL)
	176	{
	177	LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("InitTimeHooks: OriginalNtSetSystemTime is NULL\n"));
	178	return FALSE;
	179	}
	180
	181	/* a lot of applications seem to be calling this function thus don't intercept it */
	182	/*
	183	if ((OriginalNtSetTimerResolution = (fpZwSetTimerResolution) ZwCalls[ZW_SET_TIMER_RESOLUTION_INDEX].OriginalFunction) == NULL)
	184	{
	185	LOG(LOG_SS_TIME, LOG_PRIORITY_DEBUG, ("InitTimeHooks: OriginalNtSetTimerResolution is NULL\n"));
	186	return FALSE;
	187	}
	188	*/
	189	return TRUE;
	190	}