| Index: chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.cc
|
| diff --git a/chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.cc b/chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.cc
|
| index 6ea499b241ba2a56255c1df64ee9d3a7f9a4b05f..55ea230e501dd62138cc46cc81445985e9b9e18a 100644
|
| --- a/chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.cc
|
| +++ b/chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.cc
|
| @@ -5,22 +5,22 @@
|
| #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"
|
|
|
| #include <algorithm>
|
| +#include <string>
|
| #include <vector>
|
|
|
| -#include "base/containers/hash_tables.h"
|
| #include "base/files/file_path.h"
|
| #include "base/files/memory_mapped_file.h"
|
| #include "base/metrics/sparse_histogram.h"
|
| #include "base/scoped_native_library.h"
|
| +#include "base/strings/utf_string_conversions.h"
|
| #include "base/win/pe_image.h"
|
| -#include "build/build_config.h"
|
| +#include "chrome/common/safe_browsing/csd.pb.h"
|
|
|
| namespace safe_browsing {
|
|
|
| namespace {
|
|
|
| -// The maximum amount of bytes that can be reported as modified by
|
| -// NewVerifyModule.
|
| +// The maximum amount of bytes that can be reported as modified by VerifyModule.
|
| const int kMaxModuleModificationBytes = 256;
|
|
|
| struct Export {
|
| @@ -55,9 +55,6 @@ struct ModuleVerificationState {
|
| // mem_peimage module's code section.
|
| intptr_t code_section_delta;
|
|
|
| - // The bytes corrected by relocs.
|
| - base::hash_set<uintptr_t> reloc_addr;
|
| -
|
| // Set true if the relocation table contains a reloc of type that we don't
|
| // currently handle.
|
| bool unknown_reloc_type;
|
| @@ -75,18 +72,18 @@ struct ModuleVerificationState {
|
| std::vector<Export> exports;
|
|
|
| // The location in the in-memory binary of the latest reloc encountered by
|
| - // |NewEnumRelocsCallback|.
|
| + // |EnumRelocsCallback|.
|
| uint8_t* last_mem_reloc_position;
|
|
|
| // The location in the on-disk binary of the latest reloc encountered by
|
| - // |NewEnumRelocsCallback|.
|
| + // |EnumRelocsCallback|.
|
| uint8_t* last_disk_reloc_position;
|
|
|
| // The number of bytes with a different value on disk and in memory, as
|
| - // computed by |NewVerifyModule|.
|
| + // computed by |VerifyModule|.
|
| int bytes_different;
|
|
|
| - // The module state protobuf object that |NewVerifyModule| will populate.
|
| + // The module state protobuf object that |VerifyModule| will populate.
|
| ClientIncidentReport_EnvironmentData_Process_ModuleState* module_state;
|
|
|
| private:
|
| @@ -97,7 +94,6 @@ ModuleVerificationState::ModuleVerificationState(HMODULE hModule)
|
| : disk_peimage(hModule),
|
| image_base_delta(0),
|
| code_section_delta(0),
|
| - reloc_addr(),
|
| unknown_reloc_type(false),
|
| mem_code_addr(nullptr),
|
| disk_code_addr(nullptr),
|
| @@ -111,11 +107,6 @@ ModuleVerificationState::ModuleVerificationState(HMODULE hModule)
|
| ModuleVerificationState::~ModuleVerificationState() {
|
| }
|
|
|
| -bool ByteAccountedForByReloc(uint8_t* byte_addr,
|
| - const ModuleVerificationState& state) {
|
| - return ((state.reloc_addr.count(reinterpret_cast<uintptr_t>(byte_addr))) > 0);
|
| -}
|
| -
|
| // Find which export a modification at address |mem_address| is in. Looks for
|
| // the largest export address still smaller than |mem_address|. |start| and
|
| // |end| must come from a sorted collection.
|
| @@ -174,71 +165,16 @@ int ExamineByteRangeDiff(uint8_t* disk_start,
|
| return bytes_different;
|
| }
|
|
|
| -// Checks each byte in the module's code section again the corresponding byte on
|
| -// disk, returning the number of bytes differing between the two. Also adds the
|
| -// names of any modfied functions exported by name to |modified_exports|.
|
| -// |state.exports| must be sorted.
|
| -int ExamineBytesDiffInMemory(uint8_t* disk_code_start,
|
| - uint8_t* mem_code_start,
|
| - uint32_t code_size,
|
| - const ModuleVerificationState& state,
|
| - std::set<std::string>* modified_exports) {
|
| - int bytes_different = 0;
|
| - std::vector<Export>::const_iterator export_it = state.exports.begin();
|
| -
|
| - for (uint8_t* end = mem_code_start + code_size; mem_code_start != end;
|
| - ++mem_code_start) {
|
| - if ((*disk_code_start++ != *mem_code_start) &&
|
| - !ByteAccountedForByReloc(mem_code_start, state)) {
|
| - std::vector<Export>::const_iterator modified_export_it =
|
| - FindModifiedExport(mem_code_start, export_it, state.exports.end());
|
| -
|
| - if (modified_export_it != state.exports.begin())
|
| - modified_exports->insert((modified_export_it - 1)->name);
|
| - ++bytes_different;
|
| -
|
| - // No later byte can belong to an earlier export.
|
| - export_it = modified_export_it;
|
| - }
|
| - }
|
| - return bytes_different;
|
| -}
|
| -
|
| -// Adds to |state->reloc_addr| the bytes of the pointer at |address| that are
|
| -// corrected by adding |image_base_delta|.
|
| -void AddBytesCorrectedByReloc(uintptr_t address,
|
| - ModuleVerificationState* state) {
|
| -#if defined(ARCH_CPU_LITTLE_ENDIAN)
|
| -# define OFFSET(i) i
|
| -#else
|
| -# define OFFSET(i) (sizeof(uintptr_t) - i)
|
| -#endif
|
| -
|
| - uintptr_t orig_mem_value = *reinterpret_cast<uintptr_t*>(address);
|
| - uintptr_t fixed_mem_value = orig_mem_value + state->image_base_delta;
|
| - uintptr_t disk_value =
|
| - *reinterpret_cast<uintptr_t*>(address + state->code_section_delta);
|
| -
|
| - uintptr_t diff_before = orig_mem_value ^ disk_value;
|
| - uintptr_t shared_after = ~(fixed_mem_value ^ disk_value);
|
| - int i = 0;
|
| - for (uintptr_t fixed = diff_before & shared_after; fixed; fixed >>= 8, ++i) {
|
| - if (fixed & 0xFF)
|
| - state->reloc_addr.insert(address + OFFSET(i));
|
| - }
|
| -#undef OFFSET
|
| -}
|
| -
|
| bool AddrIsInCodeSection(void* address,
|
| uint8_t* code_addr,
|
| uint32_t code_size) {
|
| return (code_addr <= address && address < code_addr + code_size);
|
| }
|
|
|
| -bool NewEnumRelocsCallback(const base::win::PEImage& mem_peimage,
|
| - WORD type,
|
| - void* address,
|
| - void* cookie) {
|
| +bool EnumRelocsCallback(const base::win::PEImage& mem_peimage,
|
| + WORD type,
|
| + void* address,
|
| + void* cookie) {
|
| ModuleVerificationState* state =
|
| reinterpret_cast<ModuleVerificationState*>(cookie);
|
|
|
| @@ -319,52 +255,6 @@ bool NewEnumRelocsCallback(const base::win::PEImage& mem_peimage,
|
| return true;
|
| }
|
|
|
| -bool EnumRelocsCallback(const base::win::PEImage& mem_peimage,
|
| - WORD type,
|
| - void* address,
|
| - void* cookie) {
|
| - ModuleVerificationState* state =
|
| - reinterpret_cast<ModuleVerificationState*>(cookie);
|
| -
|
| - uint8_t* mem_code_addr = NULL;
|
| - uint8_t* disk_code_addr = NULL;
|
| - uint32_t code_size = 0;
|
| - if (!GetCodeAddrsAndSize(mem_peimage,
|
| - state->disk_peimage,
|
| - &mem_code_addr,
|
| - &disk_code_addr,
|
| - &code_size))
|
| - return false;
|
| -
|
| - // If not in the code section return true to continue to the next reloc.
|
| - if (!AddrIsInCodeSection(address, mem_code_addr, code_size))
|
| - return true;
|
| -
|
| - switch (type) {
|
| - case IMAGE_REL_BASED_ABSOLUTE: // 0
|
| - // Absolute type relocations are a noop, sometimes used to pad a section
|
| - // of relocations.
|
| - break;
|
| - case IMAGE_REL_BASED_HIGHLOW: // 3
|
| - // The base relocation applies all 32 bits of the difference to the 32-bit
|
| - // field at offset.
|
| - AddBytesCorrectedByReloc(reinterpret_cast<uintptr_t>(address), state);
|
| - break;
|
| - case IMAGE_REL_BASED_DIR64: // 10
|
| - // The base relocation applies the difference to the 64-bit field at
|
| - // offset.
|
| - // TODO(robertshield): Handle this type of reloc.
|
| - break;
|
| - default:
|
| - // TODO(robertshield): Find a reliable description of the behaviour of the
|
| - // remaining types of relocation and handle them.
|
| - UMA_HISTOGRAM_SPARSE_SLOWLY("SafeBrowsing.ModuleBaseRelocation", type);
|
| - state->unknown_reloc_type = true;
|
| - break;
|
| - }
|
| - return true;
|
| -}
|
| -
|
| bool EnumExportsCallback(const base::win::PEImage& mem_peimage,
|
| DWORD ordinal,
|
| DWORD hint,
|
| @@ -410,32 +300,36 @@ bool GetCodeAddrsAndSize(const base::win::PEImage& mem_peimage,
|
| return true;
|
| }
|
|
|
| -VerificationResult NewVerifyModule(
|
| +bool VerifyModule(
|
| const wchar_t* module_name,
|
| - ClientIncidentReport_EnvironmentData_Process_ModuleState* module_state) {
|
| - VerificationResult result = { MODULE_STATE_UNKNOWN, 0, false, };
|
| + ClientIncidentReport_EnvironmentData_Process_ModuleState* module_state,
|
| + int* num_bytes_different) {
|
| + using ModuleState = ClientIncidentReport_EnvironmentData_Process_ModuleState;
|
| + *num_bytes_different = 0;
|
| + module_state->set_name(base::WideToUTF8(module_name));
|
| + module_state->set_modified_state(ModuleState::MODULE_STATE_UNKNOWN);
|
|
|
| // Get module handle, load a copy from disk as data and create PEImages.
|
| HMODULE module_handle = NULL;
|
| if (!GetModuleHandleEx(0, module_name, &module_handle))
|
| - return result;
|
| + return false;
|
| base::ScopedNativeLibrary native_library(module_handle);
|
|
|
| WCHAR module_path[MAX_PATH] = {};
|
| DWORD length =
|
| GetModuleFileName(module_handle, module_path, arraysize(module_path));
|
| if (!length || length == arraysize(module_path))
|
| - return result;
|
| + return false;
|
|
|
| base::MemoryMappedFile mapped_module;
|
| if (!mapped_module.Initialize(base::FilePath(module_path)))
|
| - return result;
|
| + return false;
|
| ModuleVerificationState state(
|
| reinterpret_cast<HMODULE>(const_cast<uint8*>(mapped_module.data())));
|
|
|
| base::win::PEImage mem_peimage(module_handle);
|
| if (!mem_peimage.VerifyMagic() || !state.disk_peimage.VerifyMagic())
|
| - return result;
|
| + return false;
|
|
|
| // Get the list of exports and sort them by address for efficient lookups.
|
| mem_peimage.EnumExports(EnumExportsCallback, &state.exports);
|
| @@ -448,7 +342,7 @@ VerificationResult NewVerifyModule(
|
| &state.mem_code_addr,
|
| &state.disk_code_addr,
|
| &state.code_size))
|
| - return result;
|
| + return false;
|
|
|
| state.module_state = module_state;
|
| state.last_mem_reloc_position = state.mem_code_addr;
|
| @@ -464,10 +358,9 @@ VerificationResult NewVerifyModule(
|
| state.last_disk_reloc_position = state.disk_code_addr;
|
|
|
| // Enumerate relocations and verify the bytes between them.
|
| - result.verification_completed =
|
| - mem_peimage.EnumRelocs(NewEnumRelocsCallback, &state);
|
| + bool scan_complete = mem_peimage.EnumRelocs(EnumRelocsCallback, &state);
|
|
|
| - if (result.verification_completed) {
|
| + if (scan_complete) {
|
| size_t range_size =
|
| state.code_size - (state.last_mem_reloc_position - state.mem_code_addr);
|
| // Inspect the last chunk spanning from the furthest relocation to the end
|
| @@ -478,81 +371,17 @@ VerificationResult NewVerifyModule(
|
| range_size,
|
| &state);
|
| }
|
| - result.num_bytes_different = state.bytes_different;
|
| + *num_bytes_different = state.bytes_different;
|
|
|
| // Report STATE_MODIFIED if any difference was found, regardless of whether or
|
| // not the entire module was scanned. Report STATE_UNMODIFIED only if the
|
| // entire module was scanned and understood.
|
| if (state.bytes_different)
|
| - result.state = MODULE_STATE_MODIFIED;
|
| - else if (!state.unknown_reloc_type && result.verification_completed)
|
| - result.state = MODULE_STATE_UNMODIFIED;
|
| -
|
| - return result;
|
| -}
|
| -
|
| -ModuleState VerifyModule(const wchar_t* module_name,
|
| - std::set<std::string>* modified_exports,
|
| - int* num_bytes_different) {
|
| - // Get module handle, load a copy from disk as data and create PEImages.
|
| - HMODULE module_handle = NULL;
|
| - if (!GetModuleHandleEx(0, module_name, &module_handle))
|
| - return MODULE_STATE_UNKNOWN;
|
| - base::ScopedNativeLibrary native_library(module_handle);
|
| -
|
| - WCHAR module_path[MAX_PATH] = {};
|
| - DWORD length =
|
| - GetModuleFileName(module_handle, module_path, arraysize(module_path));
|
| - if (!length || length == arraysize(module_path))
|
| - return MODULE_STATE_UNKNOWN;
|
| -
|
| - base::MemoryMappedFile mapped_module;
|
| - if (!mapped_module.Initialize(base::FilePath(module_path)))
|
| - return MODULE_STATE_UNKNOWN;
|
| - ModuleVerificationState state(
|
| - reinterpret_cast<HMODULE>(const_cast<uint8*>(mapped_module.data())));
|
| -
|
| - base::win::PEImage mem_peimage(module_handle);
|
| - if (!mem_peimage.VerifyMagic() || !state.disk_peimage.VerifyMagic())
|
| - return MODULE_STATE_UNKNOWN;
|
| -
|
| - // Get the list of exports.
|
| - mem_peimage.EnumExports(EnumExportsCallback, &state.exports);
|
| - std::sort(state.exports.begin(), state.exports.end());
|
| -
|
| - // Get the addresses of the code sections then calculate |code_section_delta|
|
| - // and |image_base_delta|.
|
| - uint8_t* mem_code_addr = NULL;
|
| - uint8_t* disk_code_addr = NULL;
|
| - uint32_t code_size = 0;
|
| - if (!GetCodeAddrsAndSize(mem_peimage,
|
| - state.disk_peimage,
|
| - &mem_code_addr,
|
| - &disk_code_addr,
|
| - &code_size))
|
| - return MODULE_STATE_UNKNOWN;
|
| -
|
| - state.code_section_delta = disk_code_addr - mem_code_addr;
|
| -
|
| - uint8_t* preferred_image_base = reinterpret_cast<uint8_t*>(
|
| - state.disk_peimage.GetNTHeaders()->OptionalHeader.ImageBase);
|
| - state.image_base_delta =
|
| - preferred_image_base - reinterpret_cast<uint8_t*>(mem_peimage.module());
|
| -
|
| - // Get the relocations.
|
| - mem_peimage.EnumRelocs(EnumRelocsCallback, &state);
|
| - if (state.unknown_reloc_type)
|
| - return MODULE_STATE_UNKNOWN;
|
| -
|
| - // Count the modified bytes (after accounting for relocs) and get the set of
|
| - // modified functions.
|
| - *num_bytes_different = ExamineBytesDiffInMemory(disk_code_addr,
|
| - mem_code_addr,
|
| - code_size,
|
| - state,
|
| - modified_exports);
|
| + module_state->set_modified_state(ModuleState::MODULE_STATE_MODIFIED);
|
| + else if (!state.unknown_reloc_type && scan_complete)
|
| + module_state->set_modified_state(ModuleState::MODULE_STATE_UNMODIFIED);
|
|
|
| - return *num_bytes_different ? MODULE_STATE_MODIFIED : MODULE_STATE_UNMODIFIED;
|
| + return scan_complete;
|
| }
|
|
|
| } // namespace safe_browsing
|
|
|
Chromium Code Reviews
Issue 1083193007:
Remove legacy Module Verifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master