Add a ModuleLoadAnalyzer which checks modules against a whitelist

chrome/browser/safe_browsing/incident_reporting/module_load_analyzer_win.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/safe_browsing/incident_reporting/module_load_analyzer.h"
+
+#include "base/file_version_info.h"
+#include "base/files/file_path.h"
+#include "base/logging.h"
+#include "base/metrics/histogram.h"

[rkaplow, 2016/02/09 20:45:52]

should be using histogram_macros.h

[proberge, 2016/02/10 14:21:41]

Done.

+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "base/strings/utf_string_conversions.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/install_verification/win/module_info.h"
+#include "chrome/browser/install_verification/win/module_verification_common.h"
+#include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h"
+#include "chrome/browser/safe_browsing/incident_reporting/suspicious_module_incident.h"
+#include "chrome/browser/safe_browsing/path_sanitizer.h"
+#include "chrome/browser/safe_browsing/safe_browsing_service.h"
+#include "chrome/common/safe_browsing/binary_feature_extractor.h"
+#include "chrome/common/safe_browsing/csd.pb.h"
+#include "crypto/sha2.h"
+
+#if defined(SAFE_BROWSING_DB_LOCAL)
+#include "chrome/browser/safe_browsing/local_database_manager.h"
+#elif defined(SAFE_BROWSING_DB_REMOTE)
+#include "chrome/browser/safe_browsing/remote_database_manager.h"
+#endif
+
+namespace safe_browsing {
+
+static bool g_stop_module_load_analysis_ = false;
+
+// Enables incident reporting when non-whitelisted modules are found.
+const base::Feature kIncidentReportingModuleLoadAnalysis{
+    "IncidentReportingModuleLoadAnalysis", base::FEATURE_DISABLED_BY_DEFAULT};
+
+ModuleLoadAnalyzer::~ModuleLoadAnalyzer() {
+  g_stop_module_load_analysis_ = true;
+}
+
+void ModuleLoadAnalyzer::Initialize() {
+  DCHECK(database_manager_);
+  // For testing only. In practice, Initialize should ever only be called once.
+  g_stop_module_load_analysis_ = false;
+  if (base::FeatureList::IsEnabled(kIncidentReportingModuleLoadAnalysis)) {
+    scoped_refptr<SafeBrowsingService> safe_browsing_service(
+        g_browser_process->safe_browsing_service());
+
+    if (safe_browsing_service) {
+      safe_browsing_service
+          ->RegisterExtendedReportingOnlyDelayedAnalysisCallback(
+              base::Bind(&ModuleLoadAnalyzer::VerifyModuleLoadState,
+                         base::Unretained(this)));
+    }
+  }
+}
+
+// Retrieves the set of suspicious modules that are loaded in the process.
+void ModuleLoadAnalyzer::GetLoadedSuspiciousModulesOnIOThread(
+    scoped_ptr<IncidentReceiver> incident_receiver) {
+  std::set<ModuleInfo> module_info_set;
+  base::TimeTicks start_time = base::TimeTicks::Now();
+  scoped_ptr<std::set<base::string16>> suspicious_names(
+      new std::set<base::string16>);
+
+  if (!GetLoadedModules(&module_info_set))
+    return;
+
+  std::set<ModuleInfo>::const_iterator module_iter(module_info_set.begin());
+  for (; module_iter != module_info_set.end(); ++module_iter) {
+    base::string16 module_file_name(base::ToLowerASCII(
+        base::FilePath(module_iter->name).BaseName().value()));
+
+    // If not whitelisted.
+    if (!database_manager_->MatchModuleWhitelistString(
+            base::UTF16ToUTF8(module_file_name)))
+      suspicious_names->insert(module_iter->name);
+  }
+
+  UMA_HISTOGRAM_TIMES("SBIRS.SuspiciousModuleDetectionTime",
+                      base::TimeTicks::Now() - start_time);
+
+  if (!suspicious_names->empty()) {
+    // Note that we use BLOCK_SHUTDOWN here but manually end the processing as
+    // soon as the analyzer is destroyed.
+    scoped_refptr<base::TaskRunner> task_runner =
+        content::BrowserThread::GetBlockingPool()
+            ->GetTaskRunnerWithShutdownBehavior(
+                base::SequencedWorkerPool::BLOCK_SHUTDOWN);
+
+    task_runner->PostTask(
+        FROM_HERE,
+        base::Bind(&ModuleLoadAnalyzer::ReportIncidentsForSuspiciousModules,
+                   base::Passed(std::move(suspicious_names)),
+                   base::Passed(std::move(incident_receiver))));
+  }
+}
+
+// static
+void ModuleLoadAnalyzer::ReportIncidentsForSuspiciousModules(
+    scoped_ptr<std::set<base::string16>> module_names,
+    scoped_ptr<IncidentReceiver> incident_receiver) {
+  PathSanitizer path_sanitizer;
+  base::TimeTicks start_time = base::TimeTicks::Now();
+
+  UMA_HISTOGRAM_COUNTS("SBIRS.SuspiciousModuleReportCount",
+                       module_names->size());
+
+  for (const auto& module_name : *module_names) {
+    if (g_stop_module_load_analysis_)
+      return;
+    // TODO(proberge): Skip over modules that have already been reported.
+
+    scoped_ptr<ClientIncidentReport_IncidentData_SuspiciousModuleIncident>
+        suspicious_module(
+            new ClientIncidentReport_IncidentData_SuspiciousModuleIncident());
+
+    const base::FilePath module_path(module_name);
+
+    // Sanitized path.
+    base::FilePath sanitized_path(module_path);
+    path_sanitizer.StripHomeDirectory(&sanitized_path);
+    suspicious_module->set_path(base::WideToUTF8(sanitized_path.value()));
+
+    // Digest.
+    scoped_refptr<BinaryFeatureExtractor> binary_feature_extractor(
+        new BinaryFeatureExtractor());
+
+    binary_feature_extractor->ExtractDigest(
+        module_path, suspicious_module->mutable_digest());
+
+    // Version.
+    scoped_ptr<FileVersionInfo> version_info(
+        FileVersionInfo::CreateFileVersionInfo(module_path));
+    if (version_info) {
+      std::wstring file_version = version_info->file_version();
+      if (!file_version.empty())
+        suspicious_module->set_version(base::WideToUTF8(file_version));
+    }
+
+    // Signature.
+    binary_feature_extractor->CheckSignature(
+        module_path, suspicious_module->mutable_signature());
+
+    // Image headers.
+    if (!binary_feature_extractor->ExtractImageFeatures(
+            module_path, BinaryFeatureExtractor::kDefaultOptions,
+            suspicious_module->mutable_image_headers(),
+            nullptr /* signed_data */)) {
+      suspicious_module->clear_image_headers();
+    }
+
+    // Send the report.
+    incident_receiver->AddIncidentForProcess(make_scoped_ptr(
+        new SuspiciousModuleIncident(std::move(suspicious_module))));
+  }
+
+  UMA_HISTOGRAM_TIMES("SBIRS.SuspiciousModuleReportingTime",

[rkaplow, 2016/02/09 20:45:52]

you can use SCOPED_UMA_HISTOGRAM_TIMER

[proberge, 2016/02/10 14:21:41]

Done.

+                      base::TimeTicks::Now() - start_time);
+}
+
+void ModuleLoadAnalyzer::VerifyModuleLoadState(
+    scoped_ptr<IncidentReceiver> incident_receiver) {
+  // PostTaskAndReply doesn't work here because we're in a sequenced blocking
+  // thread pool.
+  content::BrowserThread::PostTask(
+      content::BrowserThread::IO, FROM_HERE,
+      base::Bind(&ModuleLoadAnalyzer::GetLoadedSuspiciousModulesOnIOThread,
+                 base::Unretained(this),
+                 base::Passed(std::move(incident_receiver))));
+}
+
+}  // namespace safe_browsing