snapshot/win/process_snapshot_win.cc - Issue 1360863006: win: Add more memory regions to gathering of PEB

Side by Side Diff: snapshot/win/process_snapshot_win.cc

Issue 1360863006: win: Add more memory regions to gathering of PEB (Closed) Base URL: https://chromium.googlesource.com/crashpad/crashpad@save-peb

Patch Set: rebase Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2015 The Crashpad Authors. All rights reserved.	1 // Copyright 2015 The Crashpad Authors. All rights reserved.

2 //	2 //

3 // Licensed under the Apache License, Version 2.0 (the "License");	3 // Licensed under the Apache License, Version 2.0 (the "License");

4 // you may not use this file except in compliance with the License.	4 // you may not use this file except in compliance with the License.

5 // You may obtain a copy of the License at	5 // You may obtain a copy of the License at

6 //	6 //

7 // http://www.apache.org/licenses/LICENSE-2.0	7 // http://www.apache.org/licenses/LICENSE-2.0

8 //	8 //

9 // Unless required by applicable law or agreed to in writing, software	9 // Unless required by applicable law or agreed to in writing, software

10 // distributed under the License is distributed on an "AS IS" BASIS,	10 // distributed under the License is distributed on an "AS IS" BASIS,

(...skipping 30 matching lines...) Expand all Loading...
41 bool ProcessSnapshotWin::Initialize(HANDLE process,	41 bool ProcessSnapshotWin::Initialize(HANDLE process,

42 ProcessSuspensionState suspension_state) {	42 ProcessSuspensionState suspension_state) {

43 INITIALIZATION_STATE_SET_INITIALIZING(initialized_);	43 INITIALIZATION_STATE_SET_INITIALIZING(initialized_);

44	44

45 GetTimeOfDay(&snapshot_time_);	45 GetTimeOfDay(&snapshot_time_);

46	46

47 if (!process_reader_.Initialize(process, suspension_state))	47 if (!process_reader_.Initialize(process, suspension_state))

48 return false;	48 return false;

49	49

50 system_.Initialize(&process_reader_);	50 system_.Initialize(&process_reader_);

51 WinVMAddress peb_address;	51

52 WinVMSize peb_size;	52 if (process_reader_.Is64Bit())

53 process_reader_.GetProcessInfo().Peb(&peb_address, &peb_size);	53 InitializePebData<process_types::internal::Traits64>();

54 peb_.Initialize(&process_reader_, peb_address, peb_size);	54 else

	55 InitializePebData<process_types::internal::Traits32>();

55	56

56 InitializeThreads();	57 InitializeThreads();

57 InitializeModules();	58 InitializeModules();

58	59

59 INITIALIZATION_STATE_SET_VALID(initialized_);	60 INITIALIZATION_STATE_SET_VALID(initialized_);

60 return true;	61 return true;

61 }	62 }

62	63

63 bool ProcessSnapshotWin::InitializeException(	64 bool ProcessSnapshotWin::InitializeException(

64 WinVMAddress exception_information_address) {	65 WinVMAddress exception_information_address) {

(...skipping 114 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
179 return modules;	180 return modules;

180 }	181 }

181	182

182 const ExceptionSnapshot* ProcessSnapshotWin::Exception() const {	183 const ExceptionSnapshot* ProcessSnapshotWin::Exception() const {

183 return exception_.get();	184 return exception_.get();

184 }	185 }

185	186

186 std::vector<const MemorySnapshot*> ProcessSnapshotWin::ExtraMemory() const {	187 std::vector<const MemorySnapshot*> ProcessSnapshotWin::ExtraMemory() const {

187 INITIALIZATION_STATE_DCHECK_VALID(initialized_);	188 INITIALIZATION_STATE_DCHECK_VALID(initialized_);

188 std::vector<const MemorySnapshot*> extra_memory;	189 std::vector<const MemorySnapshot*> extra_memory;

189 extra_memory.push_back(&peb_);	190 for (const auto& peb_memory : peb_memory_)

	191 extra_memory.push_back(peb_memory);

190 return extra_memory;	192 return extra_memory;

191 }	193 }

192	194

193 void ProcessSnapshotWin::InitializeThreads() {	195 void ProcessSnapshotWin::InitializeThreads() {

194 const std::vector<ProcessReaderWin::Thread>& process_reader_threads =	196 const std::vector<ProcessReaderWin::Thread>& process_reader_threads =

195 process_reader_.Threads();	197 process_reader_.Threads();

196 for (const ProcessReaderWin::Thread& process_reader_thread :	198 for (const ProcessReaderWin::Thread& process_reader_thread :

197 process_reader_threads) {	199 process_reader_threads) {

198 auto thread = make_scoped_ptr(new internal::ThreadSnapshotWin());	200 auto thread = make_scoped_ptr(new internal::ThreadSnapshotWin());

199 if (thread->Initialize(&process_reader_, process_reader_thread)) {	201 if (thread->Initialize(&process_reader_, process_reader_thread)) {

200 threads_.push_back(thread.release());	202 threads_.push_back(thread.release());

201 }	203 }

202 }	204 }

203 }	205 }

204	206

205 void ProcessSnapshotWin::InitializeModules() {	207 void ProcessSnapshotWin::InitializeModules() {

206 const std::vector<ProcessInfo::Module>& process_reader_modules =	208 const std::vector<ProcessInfo::Module>& process_reader_modules =

207 process_reader_.Modules();	209 process_reader_.Modules();

208 for (const ProcessInfo::Module& process_reader_module :	210 for (const ProcessInfo::Module& process_reader_module :

209 process_reader_modules) {	211 process_reader_modules) {

210 auto module = make_scoped_ptr(new internal::ModuleSnapshotWin());	212 auto module = make_scoped_ptr(new internal::ModuleSnapshotWin());

211 if (module->Initialize(&process_reader_, process_reader_module)) {	213 if (module->Initialize(&process_reader_, process_reader_module)) {

212 modules_.push_back(module.release());	214 modules_.push_back(module.release());

213 }	215 }

214 }	216 }

215 }	217 }

216	218

	219 template <class Traits>

	220 void ProcessSnapshotWin::InitializePebData() {

	221 WinVMAddress peb_address;

	222 WinVMSize peb_size;

	223 process_reader_.GetProcessInfo().Peb(&peb_address, &peb_size);

	224 peb_memory_.push_back(CreateMemorySnapshot(peb_address, peb_size));

	225

	226 process_types::PEB<Traits> peb_data;

	227 if (!process_reader_.ReadMemory(peb_address, peb_size, &peb_data)) {

	228 LOG(ERROR) << "ReadMemory PEB";

	229 return;

	230 }

	231 peb_memory_.push_back(CreateMemorySnapshot(

	232 peb_data.Ldr, sizeof(process_types::PEB_LDR_DATA<Traits>)));

	233

	234 process_types::RTL_USER_PROCESS_PARAMETERS<Traits> process_parameters;

	235 if (!process_reader_.ReadMemory(peb_data.ProcessParameters,

	236 sizeof(process_parameters),

	237 &process_parameters)) {

	238 LOG(ERROR) << "ReadMemory RTL_USER_PROCESS_PARAMETERS";

	239 return;

	240 }

	241

	242 peb_memory_.push_back(CreateMemorySnapshotForUNICODE_STRING(

	243 process_parameters.CurrentDirectory.DosPath));

	244 peb_memory_.push_back(

	245 CreateMemorySnapshotForUNICODE_STRING(process_parameters.DllPath));
	Mark Mentovai 2015/09/25 21:10:16 The “now” section of the CL description seems to i The “now” section of the CL description seems to indicate that this isn’t working. Or was this field just empty in your test? scottmg 2015/09/25 22:52:25 Yes, it's often null in a live process too. It's t Show quoted text On 2015/09/25 21:10:16, Mark Mentovai - August is over wrote: > The “now” section of the CL description seems to indicate that this isn’t > working. Or was this field just empty in your test? Yes, it's often null in a live process too. It's the search path that the loader uses to locate dlls, but if it's not overridden then (I guess) it doesn't get filled in here.
	246 peb_memory_.push_back(

	247 CreateMemorySnapshotForUNICODE_STRING(process_parameters.ImagePathName));

	248 peb_memory_.push_back(

	249 CreateMemorySnapshotForUNICODE_STRING(process_parameters.CommandLine));

	250 // http://blogs.msdn.com/b/oldnewthing/archive/2010/02/03/9957320.aspx On

	251 // newer OSs there's no stated limit, but in practice grabbing 32k should be

	252 // more than enough.

	253 const int kMaxEnvironmentBlockSize = 32768;

	254 peb_memory_.push_back(CreateMemorySnapshot(process_parameters.Environment,

	255 kMaxEnvironmentBlockSize));
	Mark Mentovai 2015/09/25 21:10:16 It might be worth trying to work out the actual si It might be worth trying to work out the actual size of the environment block so that we don’t over-report, but you can save that for a TODO if it’s rough to work out. scottmg 2015/09/25 22:52:25 I don't know of any way other than probing the tar Show quoted text On 2015/09/25 21:10:16, Mark Mentovai - August is over wrote: > It might be worth trying to work out the actual size of the environment block so > that we don’t over-report, but you can save that for a TODO if it’s rough to > work out. I don't know of any way other than probing the target process for \0, which is a bit tedious (and I'm not sure if it's 100% correct either). Added a TODO as something must know how big that block is. Mark Mentovai 2015/09/25 23:11:59 scottmg wrote: scottmg wrote: Show quoted text > I don't know of any way other than probing the target process for \0, which is a > bit tedious (and I'm not sure if it's 100% correct either). Added a TODO as > something must know how big that block is. Well, if windbg’s able to work out where to stop printing environment variables, there’s got to be some way to do it. I think you just look for a double-NUL. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx scottmg 2015/09/26 00:07:38 Yeah, that was my thinking too. But then I was wor Show quoted text On 2015/09/25 23:11:59, Mark Mentovai - August is over wrote: > scottmg wrote: > > I don't know of any way other than probing the target process for \0, which is > a > > bit tedious (and I'm not sure if it's 100% correct either). Added a TODO as > > something must know how big that block is. > > Well, if windbg’s able to work out where to stop printing environment variables, > there’s got to be some way to do it. I think you just look for a double-NUL. > https://msdn.microsoft.com/en-us/library/windows/desktop/ms682653(v=vs.85).aspx Yeah, that was my thinking too. But then I was worried that we might lose some interesting information if the environment block was the thing that had been futzed with. But maybe that's useful too, because you'd see what the process would probably be able to retrieve. ... ok, switched to grabbing 32k here to find the \0\0 and then only storing up to that point.
	256 }

	257

	258 internal::MemorySnapshotWin* ProcessSnapshotWin::CreateMemorySnapshot(

	259 WinVMAddress address,

	260 WinVMAddress size) {
	Mark Mentovai 2015/09/25 21:10:16 If size is 0, it’s probably worth not creating any If size is 0, it’s probably worth not creating anything. Instead, return nullptr, and have the caller not add anything to the peb_memory_ vector. That may mean that it’s easier for this return void and take the vector as an argument, appending to it if size is nonzero, instead of returning something for the caller to append (or not). scottmg 2015/09/25 22:52:25 Done. Show quoted text On 2015/09/25 21:10:16, Mark Mentovai - August is over wrote: > If size is 0, it’s probably worth not creating anything. Instead, return > nullptr, and have the caller not add anything to the peb_memory_ vector. > > That may mean that it’s easier for this return void and take the vector as an > argument, appending to it if size is nonzero, instead of returning something for > the caller to append (or not). Done.
	261 internal::MemorySnapshotWin* ret = new internal::MemorySnapshotWin();

	262 ret->Initialize(&process_reader_, address, size);

	263 return ret;

	264 }

	265

217 } // namespace crashpad	266 } // namespace crashpad

OLD	NEW

« snapshot/win/process_snapshot_win.h ('K') | « snapshot/win/process_snapshot_win.h ('k') | no next file » | no next file with comments »