Add UMA stats to record when DLLs are successfully blocked in the Browser.

chrome_elf/blacklist/blacklist.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome_elf/blacklist/blacklist.h"
 
+#include <assert.h>
 #include <string.h>
 
 #include "base/basictypes.h"
 #include "chrome_elf/blacklist/blacklist_interceptions.h"
 #include "sandbox/win/src/interception_internal.h"
 #include "sandbox/win/src/internal_types.h"
 #include "sandbox/win/src/sandbox_utils.h"
 #include "sandbox/win/src/service_resolver.h"
 #include "version.h"  // NOLINT
 
 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
 extern "C" IMAGE_DOS_HEADER __ImageBase;
 
 namespace blacklist{
 
 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
   L"datamngr.dll",                      // Unknown (suspected adware).
   L"hk.dll",                            // Unknown (keystroke logger).
   L"libsvn_tsvn32.dll",                 // TortoiseSVN.
   L"lmrn.dll",                          // Unknown.
   // Keep this null pointer here to mark the end of the list.
   NULL,
 };
 
+bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
+int g_num_blocked_dlls = 0;
+
 const wchar_t kRegistryBeaconPath[] = L"SOFTWARE\\Google\\Chrome\\BLBeacon";
 const wchar_t kBeaconVersion[] = L"version";
 const wchar_t kBeaconState[] = L"state";
 
 }  // namespace blacklist
 
 // Allocate storage for thunks in a page of this module to save on doing
 // an extra allocation at run time.
 #pragma section(".crthunk",read,execute)
 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
@@ skipping 250 matching lines @@
   for (int i = 0; i < blacklist_size; ++i) {
     if (!_wcsicmp(g_troublesome_dlls[i], dll_name))
       return true;
   }
 
   // Copy string to blacklist.
   wchar_t* str_buffer = new wchar_t[wcslen(dll_name) + 1];
   wcscpy(str_buffer, dll_name);
 
   g_troublesome_dlls[blacklist_size] = str_buffer;
+  g_blocked_dlls[blacklist_size] = false;
   return true;
 }
 
 bool RemoveDllFromBlacklist(const wchar_t* dll_name) {
   int blacklist_size = BlacklistSize();
   for (int i = 0; i < blacklist_size; ++i) {
     if (!_wcsicmp(g_troublesome_dlls[i], dll_name)) {
       // Found the thing to remove. Delete it then replace it with the last
       // element.
       delete[] g_troublesome_dlls[i];
       g_troublesome_dlls[i] = g_troublesome_dlls[blacklist_size - 1];
       g_troublesome_dlls[blacklist_size - 1] = NULL;
+
+      // Also update the stats recording if we have blocked this dll or not.
+      if (g_blocked_dlls[i])
+        --g_num_blocked_dlls;
+      g_blocked_dlls[i] = g_blocked_dlls[blacklist_size - 1];
       return true;
     }
   }
   return false;
 }
 
+// TODO(csharp): Maybe store these values in the registry so we can
+// still report them if Chrome crashes early.
+void SuccessfullyBlocked(const wchar_t** blocked_dlls, int* size) {
+  if (size == NULL)
+    return;
+
+  // If the array isn't valid or big enough, just report the size it needs to
+  // be and return.
+  if (blocked_dlls == NULL && *size < g_num_blocked_dlls) {
+    *size = g_num_blocked_dlls;
+    return;
+  }
+
+  *size = g_num_blocked_dlls;
+
+  int strings_to_fill = 0;
+  for (int i = 0; strings_to_fill < g_num_blocked_dlls && g_troublesome_dlls[i];
+       ++i) {
+    if (g_blocked_dlls[i]) {
+      blocked_dlls[strings_to_fill] = g_troublesome_dlls[i];
+      ++strings_to_fill;
+    }
+  }
+}
+
+void BlockedDll(size_t blocked_index) {
+#if !defined(NDEBUG)

[robertshield, 2014/02/25 14:57:49]

Don't need the debug check here, assert does that itself.

[csharp, 2014/02/25 15:20:50]

Done.

+  assert(blocked_index < kTroublesomeDllsMaxCount);
+#endif
+
+  if (!g_blocked_dlls[blocked_index] &&
+      blocked_index < kTroublesomeDllsMaxCount) {
+    ++g_num_blocked_dlls;
+    g_blocked_dlls[blocked_index] = true;
+  }
+}
+
 bool Initialize(bool force) {
   // Check to see that we found the functions we need in ntdll.
   if (!InitializeInterceptImports())
     return false;
 
   // Check to see if this is a non-browser process, abort if so.
   if (IsNonBrowserProcess())
     return false;
 
   // Check to see if a beacon is present, abort if so.
@@ skipping 115 matching lines @@
                                                       sizeof(g_thunk_storage),
                                                       PAGE_EXECUTE_READ,
                                                       &old_protect);
 
   RecordSuccessfulThunkSetup(&key);
 
   return NT_SUCCESS(ret) && page_executable;
 }
 
 }  // namespace blacklist