[Chrome ELF] New NT registry API.

chrome_elf/blacklist/blacklist.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome_elf/blacklist/blacklist.h"
 
 #include <assert.h>
 #include <string.h>
 
 #include <vector>
 
 #include "chrome/install_static/install_util.h"
 #include "chrome_elf/blacklist/blacklist_interceptions.h"
 #include "chrome_elf/chrome_elf_constants.h"
-#include "chrome_elf/thunk_getter.h"
+#include "chrome_elf/hook_util/thunk_getter.h"
+#include "chrome_elf/nt_registry/nt_registry.h"
 #include "sandbox/win/src/interception_internal.h"
 #include "sandbox/win/src/internal_types.h"
 #include "sandbox/win/src/service_resolver.h"
 
 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
 extern "C" IMAGE_DOS_HEADER __ImageBase;
 
-namespace blacklist{
+namespace blacklist {
 
 // The DLLs listed here are known (or under strong suspicion) of causing crashes
 // when they are loaded in the browser. DLLs should only be added to this list
 // if there is nothing else Chrome can do to prevent those crashes.
 // For more information about how this list is generated, and how to get off
 // of it, see:
 // https://sites.google.com/a/chromium.org/dev/Home/third-party-developers
 // NOTE: Please remember to update the DllHash enum in histograms.xml when
 //       adding a new value to the blacklist.
 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
-  L"949ba8b6a9.dll",                    // Coupon Time.
-  L"activedetect32.dll",                // Lenovo One Key Theater.
-                                        // See crbug.com/379218.
-  L"activedetect64.dll",                // Lenovo One Key Theater.
-  L"bitguard.dll",                      // Unknown (suspected malware).
-  L"bsvc.dll",                          // Unknown (suspected adware).
-  L"chrmxtn.dll",                       // Unknown (keystroke logger).
-  L"cplushook.dll",                     // Unknown (suspected malware).
-  L"crdli.dll",                         // Linkury Inc.
-  L"crdli64.dll",                       // Linkury Inc.
-  L"datamngr.dll",                      // Unknown (suspected adware).
-  L"dpinterface32.dll",                 // Unknown (suspected adware).
-  L"explorerex.dll",                    // Unknown (suspected adware).
-  L"hk.dll",                            // Unknown (keystroke logger).
-  L"libapi2hook.dll",                   // V-Bates.
-  L"libinject.dll",                     // V-Bates.
-  L"libinject2.dll",                    // V-Bates.
-  L"libredir2.dll",                     // V-Bates.
-  L"libsvn_tsvn32.dll",                 // TortoiseSVN.
-  L"libwinhook.dll",                    // V-Bates.
-  L"lmrn.dll",                          // Unknown.
-  L"minisp.dll",                        // Unknown (suspected malware).
-  L"minisp32.dll",                      // Unknown (suspected malware).
-  L"offerswizarddll.dll",               // Unknown (suspected adware).
-  L"safetynut.dll",                     // Unknown (suspected adware).
-  L"smdmf.dll",                         // Unknown (suspected adware).
-  L"spappsv32.dll",                     // Unknown (suspected adware).
-  L"systemk.dll",                       // Unknown (suspected adware).
-  L"vntsrv.dll",                        // Virtual New Tab by APN LLC.
-  L"wajam_goblin_64.dll",               // Wajam Internet Technologies.
-  L"wajam_goblin.dll",                  // Wajam Internet Technologies.
-  L"windowsapihookdll32.dll",           // Lenovo One Key Theater.
-                                        // See crbug.com/379218.
-  L"windowsapihookdll64.dll",           // Lenovo One Key Theater.
-  L"virtualcamera.ax",                  // %PROGRAMFILES%\ASUS\VirtualCamera.
-                                        // See crbug.com/422522.
-  L"ycwebcamerasource.ax",              // CyberLink Youcam, crbug.com/424159
-  // Keep this null pointer here to mark the end of the list.
-  NULL,
+    L"949ba8b6a9.dll",           // Coupon Time.
+    L"activedetect32.dll",       // Lenovo One Key Theater.
+                                 // See crbug.com/379218.
+    L"activedetect64.dll",       // Lenovo One Key Theater.
+    L"bitguard.dll",             // Unknown (suspected malware).
+    L"bsvc.dll",                 // Unknown (suspected adware).
+    L"chrmxtn.dll",              // Unknown (keystroke logger).
+    L"cplushook.dll",            // Unknown (suspected malware).
+    L"crdli.dll",                // Linkury Inc.
+    L"crdli64.dll",              // Linkury Inc.
+    L"datamngr.dll",             // Unknown (suspected adware).
+    L"dpinterface32.dll",        // Unknown (suspected adware).
+    L"explorerex.dll",           // Unknown (suspected adware).
+    L"hk.dll",                   // Unknown (keystroke logger).
+    L"libapi2hook.dll",          // V-Bates.
+    L"libinject.dll",            // V-Bates.
+    L"libinject2.dll",           // V-Bates.
+    L"libredir2.dll",            // V-Bates.
+    L"libsvn_tsvn32.dll",        // TortoiseSVN.
+    L"libwinhook.dll",           // V-Bates.
+    L"lmrn.dll",                 // Unknown.
+    L"minisp.dll",               // Unknown (suspected malware).
+    L"minisp32.dll",             // Unknown (suspected malware).
+    L"offerswizarddll.dll",      // Unknown (suspected adware).
+    L"safetynut.dll",            // Unknown (suspected adware).
+    L"smdmf.dll",                // Unknown (suspected adware).
+    L"spappsv32.dll",            // Unknown (suspected adware).
+    L"systemk.dll",              // Unknown (suspected adware).
+    L"vntsrv.dll",               // Virtual New Tab by APN LLC.
+    L"wajam_goblin_64.dll",      // Wajam Internet Technologies.
+    L"wajam_goblin.dll",         // Wajam Internet Technologies.
+    L"windowsapihookdll32.dll",  // Lenovo One Key Theater.
+                                 // See crbug.com/379218.
+    L"windowsapihookdll64.dll",  // Lenovo One Key Theater.
+    L"virtualcamera.ax",         // %PROGRAMFILES%\ASUS\VirtualCamera.
+                                 // See crbug.com/422522.
+    L"ycwebcamerasource.ax",     // CyberLink Youcam, crbug.com/424159
+    // Keep this null pointer here to mark the end of the list.
+    NULL,
 };
 
 bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
 int g_num_blocked_dlls = 0;
 
 }  // namespace blacklist
 
 // Allocate storage for thunks in a page of this module to save on doing
 // an extra allocation at run time.
-#pragma section(".crthunk",read,execute)
+#pragma section(".crthunk", read, execute)
 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
 
 namespace {
 
 // Record if the blacklist was successfully initialized so processes can easily
 // determine if the blacklist is enabled for them.
 bool g_blacklist_initialized = false;
 
-// Helper to set DWORD registry values.
-DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
-  return ::RegSetValueEx(*key,
-                         property,
-                         0,
-                         REG_DWORD,
-                         reinterpret_cast<LPBYTE>(&value),
-                         sizeof(value));
-}
-
-bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
-  LONG result = 0;
-  if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
-    // If the blacklist succeeded on the previous run reset the failure
-    // counter.
-    return (SetDWValue(key,
-                       blacklist::kBeaconAttemptCount,
-                       static_cast<DWORD>(0)) == ERROR_SUCCESS);
-  } else {
-    // Some part of the blacklist setup failed last time.  If this has occured
-    // blacklist::kBeaconMaxAttempts times in a row we switch the state to
-    // failed and skip setting up the blacklist.
-    DWORD attempt_count = 0;
-    DWORD attempt_count_size = sizeof(attempt_count);
-    result = ::RegQueryValueEx(*key,
-                               blacklist::kBeaconAttemptCount,
-                               0,
-                               NULL,
-                               reinterpret_cast<LPBYTE>(&attempt_count),
-                               &attempt_count_size);
-
-    if (result == ERROR_FILE_NOT_FOUND)
-      attempt_count = 0;
-    else if (result != ERROR_SUCCESS)
-      return false;
-
-    ++attempt_count;
-    SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
-
-    if (attempt_count >= blacklist::kBeaconMaxAttempts) {
-      blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
-      SetDWValue(key, blacklist::kBeaconState, blacklist_state);
-    }
-
-    return false;
-  }
-}
-
 }  // namespace
 
 namespace blacklist {
 
 #if defined(_WIN64)
-  // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
-#pragma section(".oldntmap",write,read)
-  __declspec(allocate(".oldntmap"))
+// Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
+#pragma section(".oldntmap", write, read)
+__declspec(allocate(".oldntmap"))
     NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
 #endif
 
 bool LeaveSetupBeacon() {
-  HKEY key = NULL;
-  DWORD disposition = 0;
-  LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
-                                 kRegistryBeaconPath,
-                                 0,
-                                 NULL,
-                                 REG_OPTION_NON_VOLATILE,
-                                 KEY_QUERY_VALUE | KEY_SET_VALUE,
-                                 NULL,
-                                 &key,
-                                 &disposition);
-  if (result != ERROR_SUCCESS)
+  HANDLE key_handle = INVALID_HANDLE_VALUE;
+
+  if (!nt::CreateRegKey(nt::HKCU, kRegistryBeaconPath,
+                        KEY_QUERY_VALUE | KEY_SET_VALUE, &key_handle))
     return false;
 
-  // Retrieve the current blacklist state.
   DWORD blacklist_state = BLACKLIST_STATE_MAX;
-  DWORD blacklist_state_size = sizeof(blacklist_state);
-  DWORD type = 0;
-  result = ::RegQueryValueEx(key,
-                             kBeaconState,
-                             0,
-                             &type,
-                             reinterpret_cast<LPBYTE>(&blacklist_state),
-                             &blacklist_state_size);
-
-  if (result != ERROR_SUCCESS || blacklist_state == BLACKLIST_DISABLED ||
-      type != REG_DWORD) {
-    ::RegCloseKey(key);
+  if (!nt::QueryRegValueDWORD(key_handle, kBeaconState, &blacklist_state) ||
+      blacklist_state == BLACKLIST_DISABLED) {
+    nt::CloseRegKey(key_handle);
     return false;
   }
 
-  if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
-    ::RegCloseKey(key);
-    return false;
+  // Handle attempt count.
+  // Only return true if BL is enabled and succeeded on previous run.
+  bool success = false;
+  if (blacklist_state == BLACKLIST_ENABLED) {
+    // If the blacklist succeeded on the previous run reset the failure
+    // counter.  Then update the beacon state.
+    if (nt::SetRegValueDWORD(key_handle, kBeaconAttemptCount,
+                             static_cast<DWORD>(0))) {
+      if (nt::SetRegValueDWORD(key_handle, kBeaconState,
+                               BLACKLIST_SETUP_RUNNING))
+        success = true;
+    }
+  } else {
+    // Some part of the blacklist setup failed last time.  If this has occured
+    // blacklist::kBeaconMaxAttempts times in a row we switch the state to
+    // failed and skip setting up the blacklist.
+    DWORD attempt_count = 0;
+
+    nt::QueryRegValueDWORD(key_handle, blacklist::kBeaconAttemptCount,
+                           &attempt_count);
+    ++attempt_count;
+    nt::SetRegValueDWORD(key_handle, blacklist::kBeaconAttemptCount,
+                         attempt_count);
+
+    if (attempt_count >= blacklist::kBeaconMaxAttempts) {
+      blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
+      nt::SetRegValueDWORD(key_handle, blacklist::kBeaconState,
+                           blacklist_state);
+    }
   }
 
-  result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
-  ::RegCloseKey(key);
-
-  return (result == ERROR_SUCCESS);
+  nt::CloseRegKey(key_handle);
+  return success;
 }
 
 bool ResetBeacon() {
-  HKEY key = NULL;
-  DWORD disposition = 0;
-  LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
-                                 kRegistryBeaconPath,
-                                 0,
-                                 NULL,
-                                 REG_OPTION_NON_VOLATILE,
-                                 KEY_QUERY_VALUE | KEY_SET_VALUE,
-                                 NULL,
-                                 &key,
-                                 &disposition);
-  if (result != ERROR_SUCCESS)
+  HANDLE key_handle = INVALID_HANDLE_VALUE;
+
+  if (!nt::CreateRegKey(nt::HKCU, kRegistryBeaconPath,
+                        KEY_QUERY_VALUE | KEY_SET_VALUE, &key_handle))
     return false;
 
   DWORD blacklist_state = BLACKLIST_STATE_MAX;
-  DWORD blacklist_state_size = sizeof(blacklist_state);
-  DWORD type = 0;
-  result = ::RegQueryValueEx(key,
-                             kBeaconState,
-                             0,
-                             &type,
-                             reinterpret_cast<LPBYTE>(&blacklist_state),
-                             &blacklist_state_size);
-
-  if (result != ERROR_SUCCESS || type != REG_DWORD) {
-    ::RegCloseKey(key);
+  if (!nt::QueryRegValueDWORD(key_handle, kBeaconState, &blacklist_state)) {
+    nt::CloseRegKey(key_handle);
     return false;
   }
 
   // Reaching this point with the setup running state means the setup did not
   // crash, so we reset to enabled.  Any other state indicates that setup was
   // skipped; in that case we leave the state alone for later recording.
-  if (blacklist_state == BLACKLIST_SETUP_RUNNING)
-    result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
+  if (blacklist_state == BLACKLIST_SETUP_RUNNING) {
+    if (!nt::SetRegValueDWORD(key_handle, kBeaconState, BLACKLIST_ENABLED)) {
+      nt::CloseRegKey(key_handle);
+      return false;
+    }
+  }
 
-  ::RegCloseKey(key);
-  return (result == ERROR_SUCCESS);
+  nt::CloseRegKey(key_handle);
+  return true;
 }
 
 int BlacklistSize() {
   int size = -1;
-  while (blacklist::g_troublesome_dlls[++size] != NULL) {}
+  while (blacklist::g_troublesome_dlls[++size] != NULL) {
+  }
 
   return size;
 }
 
 bool IsBlacklistInitialized() {
   return g_blacklist_initialized;
 }
 
 int GetBlacklistIndex(const wchar_t* dll_name) {
   for (int i = 0;
@@ skipping 102 matching lines @@
 
   // Don't try blacklisting on unsupported OS versions.
   if (!thunk)
     return false;
 
   BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_thunk_storage);
 
   // Mark the thunk storage as readable and writeable, since we
   // ready to write to it.
   DWORD old_protect = 0;
-  if (!VirtualProtect(&g_thunk_storage,
-                      sizeof(g_thunk_storage),
-                      PAGE_EXECUTE_READWRITE,
-                      &old_protect)) {
+  if (!VirtualProtect(&g_thunk_storage, sizeof(g_thunk_storage),
+                      PAGE_EXECUTE_READWRITE, &old_protect)) {
     return false;
   }
 
   thunk->AllowLocalPatches();
 
   // We declare this early so it can be used in the 64-bit block below and
   // still work on 32-bit build when referenced at the end of the function.
   BOOL page_executable = false;
 
-  // Replace the default NtMapViewOfSection with our patched version.
+// Replace the default NtMapViewOfSection with our patched version.
 #if defined(_WIN64)
-  NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
-                              reinterpret_cast<void*>(&__ImageBase),
-                              "NtMapViewOfSection",
-                              NULL,
-                              &blacklist::BlNtMapViewOfSection64,
-                              thunk_storage,
-                              sizeof(sandbox::ThunkData),
-                              NULL);
+  NTSTATUS ret =
+      thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
+                   reinterpret_cast<void*>(&__ImageBase), "NtMapViewOfSection",
+                   NULL, &blacklist::BlNtMapViewOfSection64, thunk_storage,
+                   sizeof(sandbox::ThunkData), NULL);
 
   // Keep a pointer to the original code, we don't have enough space to
   // add it directly to the call.
-  g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
-      thunk_storage);
+  g_nt_map_view_of_section_func =
+      reinterpret_cast<NtMapViewOfSectionFunction>(thunk_storage);
 
   // Ensure that the pointer to the old function can't be changed.
- page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
-                                  sizeof(g_nt_map_view_of_section_func),
-                                  PAGE_EXECUTE_READ,
-                                  &old_protect);
+  page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
+                                   sizeof(g_nt_map_view_of_section_func),
+                                   PAGE_EXECUTE_READ, &old_protect);
 #else
-  NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
-                              reinterpret_cast<void*>(&__ImageBase),
-                              "NtMapViewOfSection",
-                              NULL,
-                              &blacklist::BlNtMapViewOfSection,
-                              thunk_storage,
-                              sizeof(sandbox::ThunkData),
-                              NULL);
+  NTSTATUS ret =
+      thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
+                   reinterpret_cast<void*>(&__ImageBase), "NtMapViewOfSection",
+                   NULL, &blacklist::BlNtMapViewOfSection, thunk_storage,
+                   sizeof(sandbox::ThunkData), NULL);
 #endif
   delete thunk;
 
   // Record if we have initialized the blacklist.
   g_blacklist_initialized = NT_SUCCESS(ret);
 
   // Mark the thunk storage as executable and prevent any future writes to it.
-  page_executable = page_executable && VirtualProtect(&g_thunk_storage,
-                                                      sizeof(g_thunk_storage),
-                                                      PAGE_EXECUTE_READ,
-                                                      &old_protect);
+  page_executable = page_executable &&
+                    VirtualProtect(&g_thunk_storage, sizeof(g_thunk_storage),
+                                   PAGE_EXECUTE_READ, &old_protect);
 
   AddDllsFromRegistryToBlacklist();
 
   return NT_SUCCESS(ret) && page_executable;
 }
 
 void AddDllsFromRegistryToBlacklist() {
-  HKEY key = NULL;
-  LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
-                               kRegistryFinchListPath,
-                               0,
-                               KEY_QUERY_VALUE | KEY_SET_VALUE,
-                               &key);
+  std::vector<std::wstring> dlls;
 
-  if (result != ERROR_SUCCESS)
+  if (!nt::QueryRegValueMULTISZ(nt::HKCU, kRegistryFinchListPath,
+                                kRegistryFinchListValueName, &dlls) ||
+      dlls.empty())
     return;
 
-  // We add dlls from the registry to the blacklist.
-  DWORD value_len;
-  DWORD name_len = MAX_PATH;
-  std::vector<wchar_t> name_buffer(name_len);
-  for (int i = 0; result == ERROR_SUCCESS; ++i) {
-    name_len = MAX_PATH;
-    value_len = 0;
-    result = ::RegEnumValue(
-        key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
-    if (result != ERROR_SUCCESS)
-      break;
-
-    name_len = name_len + 1;
-    value_len = value_len + 1;
-    std::vector<wchar_t> value_buffer(value_len);
-    result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
-                            reinterpret_cast<BYTE*>(&value_buffer[0]),
-                            &value_len);
-    if (result != ERROR_SUCCESS)
-      break;
-    value_buffer[value_len - 1] = L'\0';
-    AddDllToBlacklist(&value_buffer[0]);
+  // Add each DLL to the BL in memory
+  for (auto name : dlls) {
+    AddDllToBlacklist(name.c_str());
   }
 
-  ::RegCloseKey(key);
   return;
 }
 
 }  // namespace blacklist