                           timestop 
                                      (c) 2013 deroko of ARTeam

        A long time ago, a friend of mine (if he allows, I'll mention his
nick) asked me whether there is a way to freeze time in such a way that
an application will think time hasn't changed at all.

        There are several ways to do it, and the first one you may think
of is a hook. Knowing the Windows implementation, we all know that time
data is kept inside KUSER_SHARED_DATA, mapped at 0x7FFE0000, so anyone
who knows how to parse that data won't be affected by a hook. That is
where this driver comes in. What it does is intercept process creation
and fake the process's KUSER_SHARED_DATA via PDE/PTE manipulation, so
that the user-mode page no longer points to the kernel's physical page
for KUSER_SHARED_DATA. Remember that KUSER_SHARED_DATA is mapped in user
mode, but the same memory also exists in kernel mode: one physical page
is pointed to by two virtual addresses, the well-known 0x7FFE0000 in user
mode and 0xFFDF0000 in the kernel. So what the code does is very simple:
in DriverEntry I make a copy of the kernel-mode KUSER_SHARED_DATA and
keep it internally. When a certain process is created, I switch its
PDE/PTE to point to this memory, which is controlled by me. In this way
we can control TickCount, the time functions, etc. In this example I fake
TickCount such that every 500 milliseconds of real time are represented
as 1 millisecond in the value returned by GetTickCount. Time has stopped
(well, you could set it to always 0, but I use a small increment).
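As an added example (not deroko's driver code and not the project's source), the plain C program below models the mechanism just described so it can be run anywhere: a "kernel page" holds the tick counter, the driver keeps a private shadow copy that it refreshes with the real counter divided by 500, and the target process computes GetTickCount from whichever page it can see. The struct is a constructed subset of KUSER_SHARED_DATA (field order is an assumption of the model, not a layout claim); 0x0FA00000 is the 8.24 fixed-point encoding of 15.625 ms per tick, which is the real multiplier value for the 64 Hz clock interrupt; the PDE/PTE swap is not reproduced, the process is simply handed a pointer to the shadow page; and the choice to scale the raw tick counter (which yields the same 500:1 ratio in milliseconds) is the model's, not necessarily the driver's. The last function is the check a defender would run: GetTickCount deltas compared against an independent clock, flagged when the rate disagrees.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the fields GetTickCount depends on. The real
 * KUSER_SHARED_DATA is far larger; this order is an assumption. */
typedef struct {
    uint32_t LowPart;
    int32_t  High1Time;
    int32_t  High2Time;
} KSYSTEM_TIME_MODEL;

typedef struct {
    uint32_t TickCountMultiplier;   /* 8.24 fixed point: ms per tick */
    KSYSTEM_TIME_MODEL TickCount;   /* ticks since boot */
} SHARED_PAGE_MODEL;

/* 15.625 ms per tick (64 Hz clock interrupt) in 8.24 fixed point. */
#define TICK_MULTIPLIER_15_625MS 0x0FA00000u

/* Kernel side: publish a 64-bit tick count using the High1/High2
 * pattern so a reader can detect a torn read and retry. */
void publish_ticks(SHARED_PAGE_MODEL *page, uint64_t ticks)
{
    page->TickCount.High1Time = (int32_t)(ticks >> 32);
    page->TickCount.LowPart   = (uint32_t)ticks;
    page->TickCount.High2Time = (int32_t)(ticks >> 32);
}

uint64_t read_ticks(const SHARED_PAGE_MODEL *page)
{
    int32_t hi1, hi2;
    uint32_t lo;
    do {
        hi1 = page->TickCount.High1Time;
        lo  = page->TickCount.LowPart;
        hi2 = page->TickCount.High2Time;
    } while (hi1 != hi2);
    return ((uint64_t)(uint32_t)hi1 << 32) | lo;
}

/* User side: what GetTickCount computes from the page the process sees. */
uint32_t model_GetTickCount(const SHARED_PAGE_MODEL *page)
{
    uint64_t ticks = read_ticks(page);
    return (uint32_t)((ticks * page->TickCountMultiplier) >> 24);
}

/* Driver side (hypothetical names): the shadow page that replaces the
 * kernel page in the target process's page tables. */
typedef struct {
    SHARED_PAGE_MODEL shadow;   /* private copy mapped into the target */
    uint64_t base_real_ticks;   /* kernel ticks when the target was created */
    uint64_t base_fake_ticks;   /* shadow ticks at that same moment */
    uint32_t divisor;           /* 500: real ms per fake ms */
} TIMESTOP_CTX;

/* Called at process creation: copy the kernel page and record the base. */
void timestop_attach(TIMESTOP_CTX *ctx, const SHARED_PAGE_MODEL *kernel,
                     uint32_t divisor)
{
    ctx->shadow = *kernel;
    ctx->base_real_ticks = read_ticks(kernel);
    ctx->base_fake_ticks = ctx->base_real_ticks;
    ctx->divisor = divisor;
}

/* Called periodically: advance the shadow counter at 1/divisor speed. */
void timestop_refresh(TIMESTOP_CTX *ctx, const SHARED_PAGE_MODEL *kernel)
{
    uint64_t elapsed = read_ticks(kernel) - ctx->base_real_ticks;
    publish_ticks(&ctx->shadow, ctx->base_fake_ticks + elapsed / ctx->divisor);
}

/* Defender's check: the tick delta seen through GetTickCount should match
 * an independent clock within tolerance_percent; returns 1 if it does not. */
int tick_rate_suspicious(uint32_t visible_delta_ms, uint32_t reference_delta_ms,
                         unsigned tolerance_percent)
{
    if (reference_delta_ms == 0) return 0;
    uint64_t lo = (uint64_t)reference_delta_ms * (100 - tolerance_percent) / 100;
    uint64_t hi = (uint64_t)reference_delta_ms * (100 + tolerance_percent) / 100;
    return visible_delta_ms < lo || visible_delta_ms > hi;
}

int main(void)
{
    SHARED_PAGE_MODEL kernel = { TICK_MULTIPLIER_15_625MS, { 0, 0, 0 } };
    TIMESTOP_CTX ctx;

    publish_ticks(&kernel, 1000000ULL);          /* constructed boot offset */
    uint32_t t0 = model_GetTickCount(&kernel);
    timestop_attach(&ctx, &kernel, 500);

    publish_ticks(&kernel, 1064000ULL);          /* 64000 ticks = 1000 s later */
    timestop_refresh(&ctx, &kernel);

    uint32_t real_delta = model_GetTickCount(&kernel) - t0;
    uint32_t fake_delta = model_GetTickCount(&ctx.shadow) - t0;
    printf("real process sees %u ms elapsed, target sees %u ms\n",
           real_delta, fake_delta);
    printf("rate check flags target: %d\n",
           tick_rate_suspicious(fake_delta, real_delta, 10));
    return 0;
}
```

The reference clock used by `tick_rate_suspicious` must come from somewhere the faked page does not feed, since the driver controls every time field on it; in the model that is the kernel page, in practice it would be a hardware counter or a remote time source.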

Well, let's hope this will be useful to somebody. To test whether the code
works as expected, run the supplied test.exe, as the code intercepts only
applications named test.exe. Of course, you can change this and recompile
the driver by changing the PsCreateProcessNotifyRoutine callback. Note
that enabling this driver globally (for all processes) will have a huge
performance impact, as many applications rely on GetTickCount to measure
when a certain event should occur. You have been warned.

                                                (c) deroko of ARTeam 2013 
