win: Add more memory regions to gathering of PEB

snapshot/win/process_snapshot_win.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
 #include "snapshot/win/process_snapshot_win.h"
 
+#include <algorithm>
+
 #include "base/logging.h"
 #include "snapshot/win/module_snapshot_win.h"
 #include "util/win/registration_protocol_win.h"
 #include "util/win/time.h"
 
 namespace crashpad {
 
 ProcessSnapshotWin::ProcessSnapshotWin()
     : ProcessSnapshot(),
       system_(),
@@ skipping 14 matching lines @@
 bool ProcessSnapshotWin::Initialize(HANDLE process,
                                     ProcessSuspensionState suspension_state) {
   INITIALIZATION_STATE_SET_INITIALIZING(initialized_);
 
   GetTimeOfDay(&snapshot_time_);
 
   if (!process_reader_.Initialize(process, suspension_state))
     return false;
 
   system_.Initialize(&process_reader_);
-  WinVMAddress peb_address;
-  WinVMSize peb_size;
-  process_reader_.GetProcessInfo().Peb(&peb_address, &peb_size);
-  peb_.Initialize(&process_reader_, peb_address, peb_size);
+
+  if (process_reader_.Is64Bit())
+    InitializePebData<process_types::internal::Traits64>();
+  else
+    InitializePebData<process_types::internal::Traits32>();
 
   InitializeThreads();
   InitializeModules();
 
   INITIALIZATION_STATE_SET_VALID(initialized_);
   return true;
 }
 
 bool ProcessSnapshotWin::InitializeException(
     WinVMAddress exception_information_address) {
@@ skipping 114 matching lines @@
   return modules;
 }
 
 const ExceptionSnapshot* ProcessSnapshotWin::Exception() const {
   return exception_.get();
 }
 
 std::vector<const MemorySnapshot*> ProcessSnapshotWin::ExtraMemory() const {
   INITIALIZATION_STATE_DCHECK_VALID(initialized_);
   std::vector<const MemorySnapshot*> extra_memory;
-  extra_memory.push_back(&peb_);
+  for (const auto& peb_memory : peb_memory_)
+    extra_memory.push_back(peb_memory);
   return extra_memory;
 }
 
 void ProcessSnapshotWin::InitializeThreads() {
   const std::vector<ProcessReaderWin::Thread>& process_reader_threads =
       process_reader_.Threads();
   for (const ProcessReaderWin::Thread& process_reader_thread :
        process_reader_threads) {
     auto thread = make_scoped_ptr(new internal::ThreadSnapshotWin());
     if (thread->Initialize(&process_reader_, process_reader_thread)) {
       threads_.push_back(thread.release());
     }
   }
 }
 
 void ProcessSnapshotWin::InitializeModules() {
   const std::vector<ProcessInfo::Module>& process_reader_modules =
       process_reader_.Modules();
   for (const ProcessInfo::Module& process_reader_module :
        process_reader_modules) {
     auto module = make_scoped_ptr(new internal::ModuleSnapshotWin());
     if (module->Initialize(&process_reader_, process_reader_module)) {
       modules_.push_back(module.release());
     }
   }
 }
 
+template <class Traits>
+void ProcessSnapshotWin::InitializePebData() {
+  WinVMAddress peb_address;
+  WinVMSize peb_size;
+  process_reader_.GetProcessInfo().Peb(&peb_address, &peb_size);
+  AddMemorySnapshot(peb_address, peb_size, &peb_memory_);
+
+  process_types::PEB<Traits> peb_data;
+  if (!process_reader_.ReadMemory(peb_address, peb_size, &peb_data)) {
+    LOG(ERROR) << "ReadMemory PEB";
+    return;
+  }
+  AddMemorySnapshot(
+      peb_data.Ldr, sizeof(process_types::PEB_LDR_DATA<Traits>), &peb_memory_);
+
+  process_types::RTL_USER_PROCESS_PARAMETERS<Traits> process_parameters;
+  if (!process_reader_.ReadMemory(peb_data.ProcessParameters,
+                                  sizeof(process_parameters),
+                                  &process_parameters)) {
+    LOG(ERROR) << "ReadMemory RTL_USER_PROCESS_PARAMETERS";
+    return;
+  }
+
+  AddMemorySnapshotForUNICODE_STRING(
+      process_parameters.CurrentDirectory.DosPath, &peb_memory_);
+  AddMemorySnapshotForUNICODE_STRING(process_parameters.DllPath, &peb_memory_);
+  AddMemorySnapshotForUNICODE_STRING(process_parameters.ImagePathName,
+                                     &peb_memory_);
+  AddMemorySnapshotForUNICODE_STRING(process_parameters.CommandLine,
+                                     &peb_memory_);
+
+  AddMemorySnapshot(
+      process_parameters.Environment,
+      DetermineSizeOfEnvironmentBlock(process_parameters.Environment),
+      &peb_memory_);
+}
+
+void ProcessSnapshotWin::AddMemorySnapshot(
+    WinVMAddress address,
+    WinVMSize size,
+    PointerVector<internal::MemorySnapshotWin>* into) {
+  if (size == 0)
+    return;
+  internal::MemorySnapshotWin* memory_snapshot =
+      new internal::MemorySnapshotWin();
+  memory_snapshot->Initialize(&process_reader_, address, size);
+  into->push_back(memory_snapshot);
+}
+
+template <class Traits>
+void ProcessSnapshotWin::AddMemorySnapshotForUNICODE_STRING(
+    const process_types::UNICODE_STRING<Traits>& us,
+    PointerVector<internal::MemorySnapshotWin>* into) {
+  AddMemorySnapshot(us.Buffer, us.Length, into);
+}
+
+WinVMSize ProcessSnapshotWin::DetermineSizeOfEnvironmentBlock(
+    WinVMAddress start_of_environment_block) {
+  // http://blogs.msdn.com/b/oldnewthing/archive/2010/02/03/9957320.aspx On
+  // newer OSs there's no stated limit, but in practice grabbing 32k characters
+  // should be more than enough.
+  int env_block_size = 32768;
+  scoped_ptr<wchar_t[]> env_block(new wchar_t[env_block_size]);
+  while (env_block_size > 0) {
+    if (process_reader_.ReadMemory(start_of_environment_block,
+                                   env_block_size * sizeof(wchar_t),

[Mark Mentovai, 2015/09/26 01:46:48]

sizeof(env_block[0])

[scottmg, 2015/09/28 22:38:09]

Done.

+                                   env_block.get())) {
+      break;
+    }
+    // We could be out of range of the process so the read might

[Mark Mentovai, 2015/09/26 01:46:48]

TODO to revisit this with a more generic “read as much as possible” kind of
thing that knows about the memory map or just tries to read in a loop kind of
like you have here? This may be useful elsewhere (probably operating on bytes
instead of wchar_ts, though).

For now, you can make sure that your read attempts try to get as much as
possible by reducing the trial block size on each iteration so that its end is
aligned with the end of a page.

  end_of_environment_block = start_of_environment_block + env_block_size *
sizeof(env_block[0]);

  // Subtract 1 and truncate down to the nearest page. If it was page-aligned to
  // begin with, the subtraction assures that the new end will be lower than the
  // old end.
  end_of_environment_block = (end_of_environment_block - 1) & ~(page_size - 1);

  // Truncation seems OK if this can’t be divided evenly, because it’ll just
  // throw away an incomplete code unit.
  env_block_size = (end_of_environment_block - start_of_environment_block) /
sizeof(env_block[0]);

You could write this whole thing in a single line, but it’d be harder to follow.

[scottmg, 2015/09/28 22:38:09]

Uses the memory map-aware read now.

+    // fail. Decrease by a bit and try again.
+    env_block_size -= 1024;
+  }
+  if (env_block_size > 0) {
+    std::wstring look_in(&env_block[0], env_block_size);

[Mark Mentovai, 2015/09/26 01:46:48]

Since you’re just copying the whole thing into look_in, probably env_block
should have been the wstring you read into to begin with.

[scottmg, 2015/09/28 22:38:09]

Done.

+    const wchar_t terminator[] = { 0, 0 };
+    size_t at = look_in.find(std::wstring(terminator, arraysize(terminator)));
+    if (at != std::wstring::npos)
+      env_block_size = static_cast<int>(at) + arraysize(terminator);
+    // If we didn't find a terminator, then just add the whole (presumably
+    // partial) block.
+    return env_block_size * sizeof(wchar_t);
+  }
+
+  return 0;
+}
+
 }  // namespace crashpad