chrome_elf/blacklist/blacklist_interceptions.cc - Issue 107663008: Chrome browser process DLL blacklist.

Unified Diff: chrome_elf/blacklist/blacklist_interceptions.cc

Issue 107663008: Chrome browser process DLL blacklist. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Ricardo's feedback. Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: chrome_elf/blacklist/blacklist_interceptions.cc

diff --git a/chrome_elf/blacklist/blacklist_interceptions.cc b/chrome_elf/blacklist/blacklist_interceptions.cc

new file mode 100644

index 0000000000000000000000000000000000000000..9f4a3c63b3db8f3dce533102386c2aebd6875fc8

--- /dev/null

+++ b/chrome_elf/blacklist/blacklist_interceptions.cc

@@ -0,0 +1,230 @@

+// Use of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+//

+// Implementation of NtMapViewOfSection intercept for 32 bit builds.

+//

+// TODO(robertshield): Implement the 64 bit intercept.

+#include "chrome_elf/blacklist/blacklist_interceptions.h"

+#include <string>

+#include <vector>

+// Note that only #includes from base that are either header-only or built into

+// base_static (see base/base.gyp) are allowed here.

+#include "base/basictypes.h"

+#include "base/strings/string16.h"

+#include "base/win/pe_image.h"

+#include "chrome_elf/blacklist/blacklist.h"

+#include "sandbox/win/src/internal_types.h"

+#include "sandbox/win/src/nt_internals.h"

+#include "sandbox/win/src/sandbox_nt_util.h"

+#include "sandbox/win/src/sandbox_types.h"

+namespace {

+NtQuerySectionFunction g_nt_query_section_func = NULL;

+NtQueryVirtualMemoryFunction g_nt_query_virtual_memory_func = NULL;

+NtUnmapViewOfSectionFunction g_nt_unmap_view_of_section_func = NULL;

+// TODO(robertshield): Merge with ntdll exports cache.

+FARPROC GetNtDllExportByName(const char* export_name) {

+ HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName);

+ return ::GetProcAddress(ntdll, export_name);

+bool DllMatch(const string16& module_name) {

+ for (int i = 0; i < blacklist::g_troublesome_dlls_cur_index; ++i) {

+ if (module_name == blacklist::g_troublesome_dlls[i])

+ return true;

+ }

+ return false;

+// TODO(robertshield): Some of the helper functions below overlap somewhat with

+// code in sandbox_nt_util.cc. See if they can be unified.

+// Native reimplementation of PSAPIs GetMappedFileName.

+string16 GetBackingModuleFilePath(PVOID address) {

+ if (!g_nt_query_virtual_memory_func)

rvargas (doing something else) 2013/12/18 03:19:27 should never happen

robertshield 2013/12/18 04:51:17 Done.

+ return string16();

+ // We'll start with something close to max_path characters for the name.

+ ULONG buffer_bytes = MAX_PATH * 2;

+ std::vector<BYTE> buffer_data(buffer_bytes);

+ for (;;) {

+ MEMORY_SECTION_NAME* section_name =

+ reinterpret_cast<MEMORY_SECTION_NAME*>(&buffer_data[0]);

+ if (!section_name)

+ break;

+ ULONG returned_bytes;

+ NTSTATUS ret = g_nt_query_virtual_memory_func(

+ NtCurrentProcess, address, MemorySectionName, section_name,

+ buffer_bytes, &returned_bytes);

+ if (STATUS_BUFFER_OVERFLOW == ret) {

+ // Retry the call with the given buffer size.

+ buffer_bytes = returned_bytes + 1;

+ buffer_data.resize(buffer_bytes);

+ section_name = NULL;

+ continue;

+ }

+ if (!NT_SUCCESS(ret))

+ break;

+ UNICODE_STRING* section_string =

+ reinterpret_cast<UNICODE_STRING*>(section_name);

+ return string16(section_string->Buffer,

+ section_string->Length / sizeof(wchar_t));

+ }

+ return string16();

+bool IsModuleValidImageSection(HANDLE section,

+ PVOID *base,

+ PLARGE_INTEGER offset,

+ PSIZE_T view_size) {

+ if (!section || !base || !view_size || offset)

+ return false;

+ if (!g_nt_query_section_func)

rvargas (doing something else) 2013/12/18 03:19:27 should never happen

robertshield 2013/12/18 04:51:17 Done.

+ return false;

+ SECTION_BASIC_INFORMATION basic_info;

+ SIZE_T bytes_returned;

+ NTSTATUS ret = g_nt_query_section_func(section, SectionBasicInformation,

+ &basic_info, sizeof(basic_info),

+ &bytes_returned);

+ if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned)

+ return false;

+ if (!(basic_info.Attributes & SEC_IMAGE))

+ return false;

+ return true;

+string16 ExtractLoadedModuleName(const string16& module_path) {

+ if (module_path.empty() || module_path[module_path.size() - 1] == L'\\')

+ return string16();

+ size_t sep = module_path.find_last_of(L'\\');

+ if (sep == string16::npos)

+ return module_path;

+ else

+ return module_path.substr(sep+1);

+// with additional info about the image.

+void SafeGetImageInfo(const base::win::PEImage& pe,

+ std::string* out_name,

+ uint32* flags) {

+ out_name->clear();

+ out_name->reserve(MAX_PATH);

+ *flags = 0;

+ __try {

+ if (pe.VerifyMagic()) {

+ *flags |= sandbox::MODULE_IS_PE_IMAGE;

+ PIMAGE_EXPORT_DIRECTORY exports = pe.GetExportDirectory();

+ if (exports) {

+ char* image_name = reinterpret_cast<char*>(pe.RVAToAddr(exports->Name));

+ size_t i = 0;

+ for (; i < MAX_PATH && *image_name; ++i, ++image_name)

+ out_name->push_back(*image_name);

+ }

+ PIMAGE_NT_HEADERS headers = pe.GetNTHeaders();

+ if (headers) {

+ if (headers->OptionalHeader.AddressOfEntryPoint)

+ *flags |= sandbox::MODULE_HAS_ENTRY_POINT;

+ if (headers->OptionalHeader.SizeOfCode)

+ *flags |= sandbox::MODULE_HAS_CODE;

+ }

+ } __except(GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ?

+ EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {

+ out_name->clear();

+ }

+string16 GetImageInfoFromLoadedModule(HMODULE module, uint32* flags) {

+ std::string out_name;

+ base::win::PEImage pe(module);

+ SafeGetImageInfo(pe, &out_name, flags);

+ return string16(out_name.begin(), out_name.end());

+} // namespace

+namespace blacklist {

+bool InitializeInterceptImports() {

+ g_nt_query_section_func = reinterpret_cast<NtQuerySectionFunction>(

+ GetNtDllExportByName("NtQuerySection"));

+ g_nt_query_virtual_memory_func =

+ reinterpret_cast<NtQueryVirtualMemoryFunction>(

+ GetNtDllExportByName("NtQueryVirtualMemory"));

+ g_nt_unmap_view_of_section_func =

+ reinterpret_cast<NtUnmapViewOfSectionFunction>(

+ GetNtDllExportByName("NtUnmapViewOfSection"));

+ return g_nt_query_section_func && g_nt_query_virtual_memory_func &&

+ g_nt_unmap_view_of_section_func;

+SANDBOX_INTERCEPT NTSTATUS WINAPI BlNtMapViewOfSection(

+ NtMapViewOfSectionFunction orig_MapViewOfSection,

+ HANDLE section,

+ HANDLE process,

+ PVOID *base,

+ ULONG_PTR zero_bits,

+ SIZE_T commit_size,

+ PLARGE_INTEGER offset,

+ PSIZE_T view_size,

+ SECTION_INHERIT inherit,

+ ULONG allocation_type,

+ ULONG protect) {

+ NTSTATUS ret = orig_MapViewOfSection(section, process, base, zero_bits,

+ commit_size, offset, view_size, inherit,

+ allocation_type, protect);

+ if (!NT_SUCCESS(ret) || !sandbox::IsSameProcess(process) ||

+ !IsModuleValidImageSection(section, base, offset, view_size)) {

+ return ret;

+ }

+ HMODULE module = reinterpret_cast<HMODULE>(*base);

+ if (module) {

+ UINT image_flags;

+ string16 module_name(GetImageInfoFromLoadedModule(

+ reinterpret_cast<HMODULE>(*base), &image_flags));

+ string16 file_name(GetBackingModuleFilePath(*base));

+ if (module_name.empty() && (image_flags & sandbox::MODULE_HAS_CODE)) {

+ // If the module has no exports we retrieve the module name from the

+ // full path of the mapped section.

+ module_name = ExtractLoadedModuleName(file_name);

+ }

+ if (!module_name.empty() && DllMatch(module_name)) {

+ if (g_nt_unmap_view_of_section_func) {

rvargas (doing something else) 2013/12/18 03:19:27 should always be true now

robertshield 2013/12/18 04:51:17 Done.

+ g_nt_unmap_view_of_section_func(process, *base);

+ ret = STATUS_UNSUCCESSFUL;

+ }

+ return ret;

+} // namespace blacklist

« no previous file with comments | « chrome_elf/blacklist/blacklist_interceptions.h ('k') | chrome_elf/blacklist/test/blacklist_test.cc » ('j') | no next file with comments »