| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/safe_browsing/incident_reporting/module_load_analyzer.h
" |
| 6 |
| 7 #include <set> |
| 8 #include <utility> |
| 9 |
| 10 #include "base/file_version_info.h" |
| 11 #include "base/files/file_path.h" |
| 12 #include "base/i18n/case_conversion.h" |
| 13 #include "base/logging.h" |
| 14 #include "base/metrics/histogram_macros.h" |
| 15 #include "base/strings/string16.h" |
| 16 #include "base/strings/utf_string_conversions.h" |
| 17 #include "chrome/browser/install_verification/win/module_info.h" |
| 18 #include "chrome/browser/install_verification/win/module_verification_common.h" |
| 19 #include "chrome/browser/safe_browsing/incident_reporting/incident_receiver.h" |
| 20 #include "chrome/browser/safe_browsing/incident_reporting/suspicious_module_inci
dent.h" |
| 21 #include "chrome/browser/safe_browsing/path_sanitizer.h" |
| 22 #include "chrome/common/safe_browsing/binary_feature_extractor.h" |
| 23 #include "chrome/common/safe_browsing/csd.pb.h" |
| 24 #include "content/public/browser/browser_thread.h" |
| 25 |
| 26 #if defined(SAFE_BROWSING_DB_LOCAL) |
| 27 #include "chrome/browser/safe_browsing/local_database_manager.h" |
| 28 #elif defined(SAFE_BROWSING_DB_REMOTE) |
| 29 #include "chrome/browser/safe_browsing/remote_database_manager.h" |
| 30 #endif |
| 31 |
| 32 namespace safe_browsing { |
| 33 |
| 34 namespace { |
| 35 |
| 36 void ReportIncidentsForSuspiciousModules( |
| 37 scoped_ptr<std::set<base::FilePath>> module_paths, |
| 38 scoped_ptr<IncidentReceiver> incident_receiver) { |
| 39 PathSanitizer path_sanitizer; |
| 40 scoped_refptr<BinaryFeatureExtractor> binary_feature_extractor( |
| 41 new BinaryFeatureExtractor()); |
| 42 SCOPED_UMA_HISTOGRAM_TIMER("SBIRS.SuspiciousModuleReportingTime"); |
| 43 |
| 44 for (const auto& module_path : *module_paths) { |
| 45 // TODO(proberge): Skip over modules that have already been reported. |
| 46 |
| 47 scoped_ptr<ClientIncidentReport_IncidentData_SuspiciousModuleIncident> |
| 48 suspicious_module( |
| 49 new ClientIncidentReport_IncidentData_SuspiciousModuleIncident()); |
| 50 |
| 51 // Sanitized path. |
| 52 base::FilePath sanitized_path(module_path); |
| 53 path_sanitizer.StripHomeDirectory(&sanitized_path); |
| 54 suspicious_module->set_path(sanitized_path.AsUTF8Unsafe()); |
| 55 |
| 56 // Digest. |
| 57 binary_feature_extractor->ExtractDigest( |
| 58 module_path, suspicious_module->mutable_digest()); |
| 59 |
| 60 // Version. |
| 61 scoped_ptr<FileVersionInfo> version_info( |
| 62 FileVersionInfo::CreateFileVersionInfo(module_path)); |
| 63 if (version_info) { |
| 64 base::string16 file_version = version_info->file_version(); |
| 65 if (!file_version.empty()) |
| 66 suspicious_module->set_version(base::UTF16ToUTF8(file_version)); |
| 67 } |
| 68 |
| 69 // Signature. |
| 70 binary_feature_extractor->CheckSignature( |
| 71 module_path, suspicious_module->mutable_signature()); |
| 72 |
| 73 // Image headers. |
| 74 if (!binary_feature_extractor->ExtractImageFeatures( |
| 75 module_path, BinaryFeatureExtractor::kDefaultOptions, |
| 76 suspicious_module->mutable_image_headers(), |
| 77 nullptr /* signed_data */)) { |
| 78 suspicious_module->clear_image_headers(); |
| 79 } |
| 80 |
| 81 // Send the incident to the reporting service. |
| 82 incident_receiver->AddIncidentForProcess(make_scoped_ptr( |
| 83 new SuspiciousModuleIncident(std::move(suspicious_module)))); |
| 84 } |
| 85 } |
| 86 |
| 87 void CheckModuleWhitelistOnIOThread( |
| 88 const scoped_refptr<SafeBrowsingDatabaseManager>& database_manager, |
| 89 scoped_ptr<IncidentReceiver> incident_receiver, |
| 90 scoped_ptr<std::set<ModuleInfo>> module_info_set) { |
| 91 SCOPED_UMA_HISTOGRAM_TIMER("SBIRS.SuspiciousModuleDetectionTime"); |
| 92 scoped_ptr<std::set<base::FilePath>> suspicious_paths( |
| 93 new std::set<base::FilePath>); |
| 94 |
| 95 base::FilePath file_path; |
| 96 for (const ModuleInfo& module_info : *module_info_set) { |
| 97 file_path = base::FilePath(module_info.name); |
| 98 base::string16 module_file_name( |
| 99 base::i18n::FoldCase(file_path.BaseName().AsUTF16Unsafe())); |
| 100 |
| 101 // If not whitelisted. |
| 102 if (!database_manager->MatchModuleWhitelistString( |
| 103 base::UTF16ToUTF8(module_file_name))) |
| 104 suspicious_paths->insert(file_path); |
| 105 } |
| 106 |
| 107 UMA_HISTOGRAM_COUNTS("SBIRS.SuspiciousModuleReportCount", |
| 108 suspicious_paths->size()); |
| 109 |
| 110 if (!suspicious_paths->empty()) { |
| 111 content::BrowserThread::GetBlockingPool() |
| 112 ->PostWorkerTaskWithShutdownBehavior( |
| 113 FROM_HERE, base::Bind(&ReportIncidentsForSuspiciousModules, |
| 114 base::Passed(std::move(suspicious_paths)), |
| 115 base::Passed(std::move(incident_receiver))), |
| 116 base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN); |
| 117 } |
| 118 } |
| 119 |
| 120 } // namespace |
| 121 |
| 122 void VerifyModuleLoadState( |
| 123 const scoped_refptr<SafeBrowsingDatabaseManager>& database_manager, |
| 124 scoped_ptr<IncidentReceiver> incident_receiver) { |
| 125 scoped_ptr<std::set<ModuleInfo>> module_info_set(new std::set<ModuleInfo>); |
| 126 if (!GetLoadedModules(module_info_set.get())) |
| 127 return; |
| 128 |
| 129 // PostTaskAndReply doesn't work here because we're in a sequenced blocking |
| 130 // thread pool. |
| 131 content::BrowserThread::PostTask( |
| 132 content::BrowserThread::IO, FROM_HERE, |
| 133 base::Bind(&CheckModuleWhitelistOnIOThread, database_manager, |
| 134 base::Passed(std::move(incident_receiver)), |
| 135 base::Passed(std::move(module_info_set)))); |
| 136 } |
| 137 |
| 138 } // namespace safe_browsing |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1643573002:
Add a ModuleLoadAnalyzer which checks modules against a whitelist (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master