Get module versions and types from in-memory images

snapshot/win/pe_image_reader.cc

 // Copyright 2015 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
 #include "snapshot/win/pe_image_reader.h"
 
 #include <string.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
-#include "base/strings/stringprintf.h"
 #include "client/crashpad_info.h"
+#include "snapshot/win/pe_image_resource_reader.h"
 #include "snapshot/win/process_reader_win.h"
 #include "util/misc/pdb_structures.h"
 #include "util/win/process_structs.h"
 
 namespace crashpad {
 
 namespace {
 
-std::string RangeToString(const CheckedWinAddressRange& range) {
-  return base::StringPrintf("[0x%llx + 0x%llx (%s)]",
-                            range.Base(),
-                            range.Size(),
-                            range.Is64Bit() ? "64" : "32");
-}
-
 // Map from Traits to an IMAGE_NT_HEADERSxx.
 template <class Traits>
 struct NtHeadersForTraits;
 
 template <>
 struct NtHeadersForTraits<process_types::internal::Traits32> {
   using type = IMAGE_NT_HEADERS32;
 };
 
 template <>
@@ skipping 16 matching lines @@
 bool PEImageReader::Initialize(ProcessReaderWin* process_reader,
                                WinVMAddress address,
                                WinVMSize size,
                                const std::string& module_name) {
   INITIALIZATION_STATE_SET_INITIALIZING(initialized_);
 
   process_reader_ = process_reader;
   module_range_.SetRange(process_reader_->Is64Bit(), address, size);
   if (!module_range_.IsValid()) {
     LOG(WARNING) << "invalid module range for " << module_name << ": "
-                 << RangeToString(module_range_);
+                 << module_range_.AsString();
     return false;
   }
   module_name_ = module_name;
 
   INITIALIZATION_STATE_SET_VALID(initialized_);
   return true;
 }
 
 template <class Traits>
 bool PEImageReader::GetCrashpadInfo(
     process_types::CrashpadInfo<Traits>* crashpad_info) const {
   INITIALIZATION_STATE_DCHECK_VALID(initialized_);
 
   IMAGE_SECTION_HEADER section;
   if (!GetSectionByName<NtHeadersForTraits<Traits>::type>("CPADinfo", &section))
     return false;
 
   if (section.Misc.VirtualSize < sizeof(process_types::CrashpadInfo<Traits>)) {
     LOG(WARNING) << "small crashpad info section size "
                  << section.Misc.VirtualSize << ", " << module_name_;
     return false;
   }
 
   WinVMAddress crashpad_info_address = Address() + section.VirtualAddress;
   CheckedWinAddressRange crashpad_info_range(process_reader_->Is64Bit(),
                                              crashpad_info_address,
                                              section.Misc.VirtualSize);
   if (!crashpad_info_range.IsValid()) {
     LOG(WARNING) << "invalid range for crashpad info: "
-                 << RangeToString(crashpad_info_range);
+                 << crashpad_info_range.AsString();
     return false;
   }
 
   if (!module_range_.ContainsRange(crashpad_info_range)) {
     LOG(WARNING) << "crashpad info does not fall inside module "
                  << module_name_;
     return false;
   }
 
   if (!process_reader_->ReadMemory(crashpad_info_address,
                                    sizeof(process_types::CrashpadInfo<Traits>),
                                    crashpad_info)) {
     LOG(WARNING) << "could not read crashpad info " << module_name_;
     return false;
   }
 
   if (crashpad_info->signature != CrashpadInfo::kSignature ||
       crashpad_info->version < 1) {
     LOG(WARNING) << "unexpected crashpad info data " << module_name_;
     return false;
   }
 
   return true;
 }
 
 bool PEImageReader::DebugDirectoryInformation(UUID* uuid,
                                               DWORD* age,
                                               std::string* pdbname) const {
-  if (process_reader_->Is64Bit()) {
-    return ReadDebugDirectoryInformation<IMAGE_NT_HEADERS64>(
-        uuid, age, pdbname);
-  } else {
-    return ReadDebugDirectoryInformation<IMAGE_NT_HEADERS32>(
-        uuid, age, pdbname);
-  }
-}
-
-template <class NtHeadersType>
-bool PEImageReader::ReadDebugDirectoryInformation(UUID* uuid,
-                                                  DWORD* age,
-                                                  std::string* pdbname) const {
-  NtHeadersType nt_headers;
-  if (!ReadNtHeaders(&nt_headers, nullptr))
+  IMAGE_DATA_DIRECTORY data_directory;
+  if (!ImageDataDirectoryEntry(IMAGE_DIRECTORY_ENTRY_DEBUG, &data_directory))
     return false;
 
-  if (nt_headers.FileHeader.SizeOfOptionalHeader <
-          offsetof(decltype(nt_headers.OptionalHeader),
-                   DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]) +
-              sizeof(nt_headers.OptionalHeader
-                         .DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]) ||
-      nt_headers.OptionalHeader.NumberOfRvaAndSizes <=
-          IMAGE_DIRECTORY_ENTRY_DEBUG) {
-    return false;
-  }
-
-  const IMAGE_DATA_DIRECTORY& data_directory =
-      nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG];
-  if (data_directory.VirtualAddress == 0 || data_directory.Size == 0)
-    return false;
   IMAGE_DEBUG_DIRECTORY debug_directory;
   if (data_directory.Size % sizeof(debug_directory) != 0)
     return false;
   for (size_t offset = 0; offset < data_directory.Size;
        offset += sizeof(debug_directory)) {
     if (!CheckedReadMemory(Address() + data_directory.VirtualAddress + offset,
                            sizeof(debug_directory),
                            &debug_directory)) {
       LOG(WARNING) << "could not read data directory";
       return false;
@@ skipping 35 matching lines @@
       // This occurs for non-PDB based debug information. We simply ignore these
       // as we don't expect to encounter modules that will be in this format
       // for which we'll actually have symbols. See
       // https://crashpad.chromium.org/bug/47.
     }
   }
 
   return false;
 }
 
+bool PEImageReader::VSFixedFileInfo(
+    VS_FIXEDFILEINFO* vs_fixed_file_info) const {
+  IMAGE_DATA_DIRECTORY data_directory;
+  if (!ImageDataDirectoryEntry(IMAGE_DIRECTORY_ENTRY_RESOURCE,
+                               &data_directory)) {
+    return false;
+  }
+
+  PEImageResourceReader resource_reader;
+  if (!resource_reader.Initialize(
+          process_reader_, data_directory, module_range_, module_name_)) {
+    return false;
+  }
+
+  WinVMAddress address;
+  WinVMSize size;
+  if (!resource_reader.FindResourceByID(
+          reinterpret_cast<uint16_t>(VS_FILE_INFO),
+          VS_VERSION_INFO,
+          MAKELANGID(LANG_NEUTRAL, SUBLANG_NEUTRAL),
+          &address,
+          &size,
+          nullptr)) {
+    return false;
+  }
+
+  // https://msdn.microsoft.com/en-us/library/windows/desktop/ms647001.aspx
+  struct VS_VERSIONINFO {
+    WORD wLength;
+    WORD wValueLength;
+    WORD wType;
+
+    // MSDN doesn’t show the [16], but this is in fact a 16-character string.
+    WCHAR szKey[16];
+
+    WORD Padding1;
+    VS_FIXEDFILEINFO Value;
+
+    // Don’t include Children or the Padding2 that precedes it, because they may
+    // not be present.
+    // WORD Padding2;
+    // WORD Children;
+  };
+  VS_VERSIONINFO version_info;
+
+  if (size < sizeof(version_info)) {
+    LOG(WARNING) << "version info size " << size
+                 << " too small for structure of size " << sizeof(version_info)
+                 << " in " << module_name_;
+    return false;
+  }
+
+  if (!CheckedReadMemory(address, sizeof(version_info), &version_info)) {
+    return false;
+  }
+
+  if (version_info.wLength < sizeof(version_info) ||
+      version_info.wValueLength < sizeof(version_info.Value) ||

[scottmg, 2015/11/26 21:29:59]

!= for this one rather than <, as if it's not our expected VS_FIXEDFILEINFO
we're confused/out of luck.

[Mark Mentovai, 2015/12/01 18:48:00]

scottmg wrote:
Done.

+      version_info.wType != 0 ||
+      wcsncmp(version_info.szKey,
+              L"VS_VERSION_INFO",
+              arraysize(version_info.szKey)) != 0) {
+    LOG(WARNING) << "unexpected VS_VERSIONINFO";
+    return false;
+  }
+
+  if (version_info.Value.dwSignature != VS_FFI_SIGNATURE ||
+      version_info.Value.dwStrucVersion != VS_FFI_STRUCVERSION) {
+    LOG(WARNING) << "unexpected VS_FIXEDFILEINFO";
+    return false;
+  }
+
+  *vs_fixed_file_info = version_info.Value;
+  vs_fixed_file_info->dwFileFlags &= vs_fixed_file_info->dwFileFlagsMask;
+  return true;
+}
+
 template <class NtHeadersType>
 bool PEImageReader::ReadNtHeaders(NtHeadersType* nt_headers,
                                   WinVMAddress* nt_headers_address) const {
   IMAGE_DOS_HEADER dos_header;
   if (!CheckedReadMemory(Address(), sizeof(IMAGE_DOS_HEADER), &dos_header)) {
     LOG(WARNING) << "could not read dos header of " << module_name_;
     return false;
   }
 
   if (dos_header.e_magic != IMAGE_DOS_SIGNATURE) {
@@ skipping 46 matching lines @@
     if (strncmp(reinterpret_cast<const char*>(section->Name),
                 name.c_str(),
                 sizeof(section->Name)) == 0) {
       return true;
     }
   }
 
   return false;
 }
 
+bool PEImageReader::ImageDataDirectoryEntry(size_t index,
+                                            IMAGE_DATA_DIRECTORY* entry) const {
+  bool rv;
+  if (process_reader_->Is64Bit()) {
+    rv = ImageDataDirectoryEntryT<IMAGE_NT_HEADERS64>(index, entry);
+  } else {
+    rv = ImageDataDirectoryEntryT<IMAGE_NT_HEADERS32>(index, entry);
+  }
+
+  return rv && entry->VirtualAddress != 0 && entry->Size != 0;
+}
+
+template <class NtHeadersType>
+bool PEImageReader::ImageDataDirectoryEntryT(
+    size_t index,
+    IMAGE_DATA_DIRECTORY* entry) const {
+  NtHeadersType nt_headers;
+  if (!ReadNtHeaders(&nt_headers, nullptr)) {
+    return false;
+  }
+
+  if (nt_headers.FileHeader.SizeOfOptionalHeader <
+          offsetof(decltype(nt_headers.OptionalHeader), DataDirectory[index]) +
+              sizeof(nt_headers.OptionalHeader.DataDirectory[index]) ||
+      nt_headers.OptionalHeader.NumberOfRvaAndSizes <= index) {
+    return false;
+  }
+
+  *entry = nt_headers.OptionalHeader.DataDirectory[index];
+  return true;
+}
+
 bool PEImageReader::CheckedReadMemory(WinVMAddress address,
                                       WinVMSize size,
                                       void* into) const {
   CheckedWinAddressRange read_range(process_reader_->Is64Bit(), address, size);
   if (!read_range.IsValid()) {
-    LOG(WARNING) << "invalid read range: " << RangeToString(read_range);
+    LOG(WARNING) << "invalid read range: " << read_range.AsString();
     return false;
   }
   if (!module_range_.ContainsRange(read_range)) {
     LOG(WARNING) << "attempt to read outside of module " << module_name_
-                 << " at range: " << RangeToString(read_range);
+                 << " at range: " << read_range.AsString();
     return false;
   }
   return process_reader_->ReadMemory(address, size, into);
 }
 
 // Explicit instantiations with the only 2 valid template arguments to avoid
 // putting the body of the function in the header.
 template bool PEImageReader::GetCrashpadInfo<process_types::internal::Traits32>(
     process_types::CrashpadInfo<process_types::internal::Traits32>*
         crashpad_info) const;
 template bool PEImageReader::GetCrashpadInfo<process_types::internal::Traits64>(
     process_types::CrashpadInfo<process_types::internal::Traits64>*
         crashpad_info) const;
 
 }  // namespace crashpad