| Index: chrome_elf/blacklist/blacklist.cc
|
| diff --git a/chrome_elf/blacklist/blacklist.cc b/chrome_elf/blacklist/blacklist.cc
|
| index d370793e7dd9c8723e9362b51651b00f75eba10e..0fdf91d274276396cf9578a67deb37005c7754ae 100644
|
| --- a/chrome_elf/blacklist/blacklist.cc
|
| +++ b/chrome_elf/blacklist/blacklist.cc
|
| @@ -12,7 +12,8 @@
|
| #include "chrome/install_static/install_util.h"
|
| #include "chrome_elf/blacklist/blacklist_interceptions.h"
|
| #include "chrome_elf/chrome_elf_constants.h"
|
| -#include "chrome_elf/thunk_getter.h"
|
| +#include "chrome_elf/hook_util/thunk_getter.h"
|
| +#include "chrome_elf/nt_registry/nt_registry.h"
|
| #include "sandbox/win/src/interception_internal.h"
|
| #include "sandbox/win/src/internal_types.h"
|
| #include "sandbox/win/src/service_resolver.h"
|
| @@ -20,7 +21,7 @@
|
| // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
|
| extern "C" IMAGE_DOS_HEADER __ImageBase;
|
|
|
| -namespace blacklist{
|
| +namespace blacklist {
|
|
|
| // The DLLs listed here are known (or under strong suspicion) of causing crashes
|
| // when they are loaded in the browser. DLLs should only be added to this list
|
| @@ -31,45 +32,45 @@ namespace blacklist{
|
| // NOTE: Please remember to update the DllHash enum in histograms.xml when
|
| // adding a new value to the blacklist.
|
| const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
|
| - L"949ba8b6a9.dll", // Coupon Time.
|
| - L"activedetect32.dll", // Lenovo One Key Theater.
|
| - // See crbug.com/379218.
|
| - L"activedetect64.dll", // Lenovo One Key Theater.
|
| - L"bitguard.dll", // Unknown (suspected malware).
|
| - L"bsvc.dll", // Unknown (suspected adware).
|
| - L"chrmxtn.dll", // Unknown (keystroke logger).
|
| - L"cplushook.dll", // Unknown (suspected malware).
|
| - L"crdli.dll", // Linkury Inc.
|
| - L"crdli64.dll", // Linkury Inc.
|
| - L"datamngr.dll", // Unknown (suspected adware).
|
| - L"dpinterface32.dll", // Unknown (suspected adware).
|
| - L"explorerex.dll", // Unknown (suspected adware).
|
| - L"hk.dll", // Unknown (keystroke logger).
|
| - L"libapi2hook.dll", // V-Bates.
|
| - L"libinject.dll", // V-Bates.
|
| - L"libinject2.dll", // V-Bates.
|
| - L"libredir2.dll", // V-Bates.
|
| - L"libsvn_tsvn32.dll", // TortoiseSVN.
|
| - L"libwinhook.dll", // V-Bates.
|
| - L"lmrn.dll", // Unknown.
|
| - L"minisp.dll", // Unknown (suspected malware).
|
| - L"minisp32.dll", // Unknown (suspected malware).
|
| - L"offerswizarddll.dll", // Unknown (suspected adware).
|
| - L"safetynut.dll", // Unknown (suspected adware).
|
| - L"smdmf.dll", // Unknown (suspected adware).
|
| - L"spappsv32.dll", // Unknown (suspected adware).
|
| - L"systemk.dll", // Unknown (suspected adware).
|
| - L"vntsrv.dll", // Virtual New Tab by APN LLC.
|
| - L"wajam_goblin_64.dll", // Wajam Internet Technologies.
|
| - L"wajam_goblin.dll", // Wajam Internet Technologies.
|
| - L"windowsapihookdll32.dll", // Lenovo One Key Theater.
|
| - // See crbug.com/379218.
|
| - L"windowsapihookdll64.dll", // Lenovo One Key Theater.
|
| - L"virtualcamera.ax", // %PROGRAMFILES%\ASUS\VirtualCamera.
|
| - // See crbug.com/422522.
|
| - L"ycwebcamerasource.ax", // CyberLink Youcam, crbug.com/424159
|
| - // Keep this null pointer here to mark the end of the list.
|
| - NULL,
|
| + L"949ba8b6a9.dll", // Coupon Time.
|
| + L"activedetect32.dll", // Lenovo One Key Theater.
|
| + // See crbug.com/379218.
|
| + L"activedetect64.dll", // Lenovo One Key Theater.
|
| + L"bitguard.dll", // Unknown (suspected malware).
|
| + L"bsvc.dll", // Unknown (suspected adware).
|
| + L"chrmxtn.dll", // Unknown (keystroke logger).
|
| + L"cplushook.dll", // Unknown (suspected malware).
|
| + L"crdli.dll", // Linkury Inc.
|
| + L"crdli64.dll", // Linkury Inc.
|
| + L"datamngr.dll", // Unknown (suspected adware).
|
| + L"dpinterface32.dll", // Unknown (suspected adware).
|
| + L"explorerex.dll", // Unknown (suspected adware).
|
| + L"hk.dll", // Unknown (keystroke logger).
|
| + L"libapi2hook.dll", // V-Bates.
|
| + L"libinject.dll", // V-Bates.
|
| + L"libinject2.dll", // V-Bates.
|
| + L"libredir2.dll", // V-Bates.
|
| + L"libsvn_tsvn32.dll", // TortoiseSVN.
|
| + L"libwinhook.dll", // V-Bates.
|
| + L"lmrn.dll", // Unknown.
|
| + L"minisp.dll", // Unknown (suspected malware).
|
| + L"minisp32.dll", // Unknown (suspected malware).
|
| + L"offerswizarddll.dll", // Unknown (suspected adware).
|
| + L"safetynut.dll", // Unknown (suspected adware).
|
| + L"smdmf.dll", // Unknown (suspected adware).
|
| + L"spappsv32.dll", // Unknown (suspected adware).
|
| + L"systemk.dll", // Unknown (suspected adware).
|
| + L"vntsrv.dll", // Virtual New Tab by APN LLC.
|
| + L"wajam_goblin_64.dll", // Wajam Internet Technologies.
|
| + L"wajam_goblin.dll", // Wajam Internet Technologies.
|
| + L"windowsapihookdll32.dll", // Lenovo One Key Theater.
|
| + // See crbug.com/379218.
|
| + L"windowsapihookdll64.dll", // Lenovo One Key Theater.
|
| + L"virtualcamera.ax", // %PROGRAMFILES%\ASUS\VirtualCamera.
|
| + // See crbug.com/422522.
|
| + L"ycwebcamerasource.ax", // CyberLink Youcam, crbug.com/424159
|
| + // Keep this null pointer here to mark the end of the list.
|
| + NULL,
|
| };
|
|
|
| bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
|
| @@ -79,7 +80,7 @@ int g_num_blocked_dlls = 0;
|
|
|
| // Allocate storage for thunks in a page of this module to save on doing
|
| // an extra allocation at run time.
|
| -#pragma section(".crthunk",read,execute)
|
| +#pragma section(".crthunk", read, execute)
|
| __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
|
|
|
| namespace {
|
| @@ -88,151 +89,97 @@ namespace {
|
| // determine if the blacklist is enabled for them.
|
| bool g_blacklist_initialized = false;
|
|
|
| -// Helper to set DWORD registry values.
|
| -DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
|
| - return ::RegSetValueEx(*key,
|
| - property,
|
| - 0,
|
| - REG_DWORD,
|
| - reinterpret_cast<LPBYTE>(&value),
|
| - sizeof(value));
|
| -}
|
| -
|
| -bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
|
| - LONG result = 0;
|
| - if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
|
| - // If the blacklist succeeded on the previous run reset the failure
|
| - // counter.
|
| - return (SetDWValue(key,
|
| - blacklist::kBeaconAttemptCount,
|
| - static_cast<DWORD>(0)) == ERROR_SUCCESS);
|
| - } else {
|
| - // Some part of the blacklist setup failed last time. If this has occured
|
| - // blacklist::kBeaconMaxAttempts times in a row we switch the state to
|
| - // failed and skip setting up the blacklist.
|
| - DWORD attempt_count = 0;
|
| - DWORD attempt_count_size = sizeof(attempt_count);
|
| - result = ::RegQueryValueEx(*key,
|
| - blacklist::kBeaconAttemptCount,
|
| - 0,
|
| - NULL,
|
| - reinterpret_cast<LPBYTE>(&attempt_count),
|
| - &attempt_count_size);
|
| -
|
| - if (result == ERROR_FILE_NOT_FOUND)
|
| - attempt_count = 0;
|
| - else if (result != ERROR_SUCCESS)
|
| - return false;
|
| -
|
| - ++attempt_count;
|
| - SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
|
| -
|
| - if (attempt_count >= blacklist::kBeaconMaxAttempts) {
|
| - blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
|
| - SetDWValue(key, blacklist::kBeaconState, blacklist_state);
|
| - }
|
| -
|
| - return false;
|
| - }
|
| -}
|
| -
|
| } // namespace
|
|
|
| namespace blacklist {
|
|
|
| #if defined(_WIN64)
|
| - // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
|
| -#pragma section(".oldntmap",write,read)
|
| - __declspec(allocate(".oldntmap"))
|
| +// Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
|
| +#pragma section(".oldntmap", write, read)
|
| +__declspec(allocate(".oldntmap"))
|
| NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
|
| #endif
|
|
|
| bool LeaveSetupBeacon() {
|
| - HKEY key = NULL;
|
| - DWORD disposition = 0;
|
| - LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
|
| - kRegistryBeaconPath,
|
| - 0,
|
| - NULL,
|
| - REG_OPTION_NON_VOLATILE,
|
| - KEY_QUERY_VALUE | KEY_SET_VALUE,
|
| - NULL,
|
| - &key,
|
| - &disposition);
|
| - if (result != ERROR_SUCCESS)
|
| + HANDLE key_handle = INVALID_HANDLE_VALUE;
|
| +
|
| + if (!nt::CreateRegKey(nt::HKCU, kRegistryBeaconPath,
|
| + KEY_QUERY_VALUE | KEY_SET_VALUE, &key_handle))
|
| return false;
|
|
|
| - // Retrieve the current blacklist state.
|
| DWORD blacklist_state = BLACKLIST_STATE_MAX;
|
| - DWORD blacklist_state_size = sizeof(blacklist_state);
|
| - DWORD type = 0;
|
| - result = ::RegQueryValueEx(key,
|
| - kBeaconState,
|
| - 0,
|
| - &type,
|
| - reinterpret_cast<LPBYTE>(&blacklist_state),
|
| - &blacklist_state_size);
|
| -
|
| - if (result != ERROR_SUCCESS || blacklist_state == BLACKLIST_DISABLED ||
|
| - type != REG_DWORD) {
|
| - ::RegCloseKey(key);
|
| + if (!nt::QueryRegValueDWORD(key_handle, kBeaconState, &blacklist_state) ||
|
| + blacklist_state == BLACKLIST_DISABLED) {
|
| + nt::CloseRegKey(key_handle);
|
| return false;
|
| }
|
|
|
| - if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
|
| - ::RegCloseKey(key);
|
| - return false;
|
| - }
|
| + // Handle attempt count.
|
| + // Only return true if BL is enabled and succeeded on previous run.
|
| + bool success = false;
|
| + if (blacklist_state == BLACKLIST_ENABLED) {
|
| + // If the blacklist succeeded on the previous run reset the failure
|
| + // counter. Then update the beacon state.
|
| + if (nt::SetRegValueDWORD(key_handle, kBeaconAttemptCount,
|
| + static_cast<DWORD>(0))) {
|
| + if (nt::SetRegValueDWORD(key_handle, kBeaconState,
|
| + BLACKLIST_SETUP_RUNNING))
|
| + success = true;
|
| + }
|
| + } else {
|
| + // Some part of the blacklist setup failed last time. If this has occured
|
| + // blacklist::kBeaconMaxAttempts times in a row we switch the state to
|
| + // failed and skip setting up the blacklist.
|
| + DWORD attempt_count = 0;
|
| +
|
| + nt::QueryRegValueDWORD(key_handle, blacklist::kBeaconAttemptCount,
|
| + &attempt_count);
|
| + ++attempt_count;
|
| + nt::SetRegValueDWORD(key_handle, blacklist::kBeaconAttemptCount,
|
| + attempt_count);
|
|
|
| - result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
|
| - ::RegCloseKey(key);
|
| + if (attempt_count >= blacklist::kBeaconMaxAttempts) {
|
| + blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
|
| + nt::SetRegValueDWORD(key_handle, blacklist::kBeaconState,
|
| + blacklist_state);
|
| + }
|
| + }
|
|
|
| - return (result == ERROR_SUCCESS);
|
| + nt::CloseRegKey(key_handle);
|
| + return success;
|
| }
|
|
|
| bool ResetBeacon() {
|
| - HKEY key = NULL;
|
| - DWORD disposition = 0;
|
| - LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
|
| - kRegistryBeaconPath,
|
| - 0,
|
| - NULL,
|
| - REG_OPTION_NON_VOLATILE,
|
| - KEY_QUERY_VALUE | KEY_SET_VALUE,
|
| - NULL,
|
| - &key,
|
| - &disposition);
|
| - if (result != ERROR_SUCCESS)
|
| + HANDLE key_handle = INVALID_HANDLE_VALUE;
|
| +
|
| + if (!nt::CreateRegKey(nt::HKCU, kRegistryBeaconPath,
|
| + KEY_QUERY_VALUE | KEY_SET_VALUE, &key_handle))
|
| return false;
|
|
|
| DWORD blacklist_state = BLACKLIST_STATE_MAX;
|
| - DWORD blacklist_state_size = sizeof(blacklist_state);
|
| - DWORD type = 0;
|
| - result = ::RegQueryValueEx(key,
|
| - kBeaconState,
|
| - 0,
|
| - &type,
|
| - reinterpret_cast<LPBYTE>(&blacklist_state),
|
| - &blacklist_state_size);
|
| -
|
| - if (result != ERROR_SUCCESS || type != REG_DWORD) {
|
| - ::RegCloseKey(key);
|
| + if (!nt::QueryRegValueDWORD(key_handle, kBeaconState, &blacklist_state)) {
|
| + nt::CloseRegKey(key_handle);
|
| return false;
|
| }
|
|
|
| // Reaching this point with the setup running state means the setup did not
|
| // crash, so we reset to enabled. Any other state indicates that setup was
|
| // skipped; in that case we leave the state alone for later recording.
|
| - if (blacklist_state == BLACKLIST_SETUP_RUNNING)
|
| - result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
|
| + if (blacklist_state == BLACKLIST_SETUP_RUNNING) {
|
| + if (!nt::SetRegValueDWORD(key_handle, kBeaconState, BLACKLIST_ENABLED)) {
|
| + nt::CloseRegKey(key_handle);
|
| + return false;
|
| + }
|
| + }
|
|
|
| - ::RegCloseKey(key);
|
| - return (result == ERROR_SUCCESS);
|
| + nt::CloseRegKey(key_handle);
|
| + return true;
|
| }
|
|
|
| int BlacklistSize() {
|
| int size = -1;
|
| - while (blacklist::g_troublesome_dlls[++size] != NULL) {}
|
| + while (blacklist::g_troublesome_dlls[++size] != NULL) {
|
| + }
|
|
|
| return size;
|
| }
|
| @@ -355,10 +302,8 @@ bool Initialize(bool force) {
|
| // Mark the thunk storage as readable and writeable, since we
|
| // ready to write to it.
|
| DWORD old_protect = 0;
|
| - if (!VirtualProtect(&g_thunk_storage,
|
| - sizeof(g_thunk_storage),
|
| - PAGE_EXECUTE_READWRITE,
|
| - &old_protect)) {
|
| + if (!VirtualProtect(&g_thunk_storage, sizeof(g_thunk_storage),
|
| + PAGE_EXECUTE_READWRITE, &old_protect)) {
|
| return false;
|
| }
|
|
|
| @@ -368,36 +313,29 @@ bool Initialize(bool force) {
|
| // still work on 32-bit build when referenced at the end of the function.
|
| BOOL page_executable = false;
|
|
|
| - // Replace the default NtMapViewOfSection with our patched version.
|
| +// Replace the default NtMapViewOfSection with our patched version.
|
| #if defined(_WIN64)
|
| - NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
|
| - reinterpret_cast<void*>(&__ImageBase),
|
| - "NtMapViewOfSection",
|
| - NULL,
|
| - &blacklist::BlNtMapViewOfSection64,
|
| - thunk_storage,
|
| - sizeof(sandbox::ThunkData),
|
| - NULL);
|
| + NTSTATUS ret =
|
| + thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
|
| + reinterpret_cast<void*>(&__ImageBase), "NtMapViewOfSection",
|
| + NULL, &blacklist::BlNtMapViewOfSection64, thunk_storage,
|
| + sizeof(sandbox::ThunkData), NULL);
|
|
|
| // Keep a pointer to the original code, we don't have enough space to
|
| // add it directly to the call.
|
| - g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
|
| - thunk_storage);
|
| + g_nt_map_view_of_section_func =
|
| + reinterpret_cast<NtMapViewOfSectionFunction>(thunk_storage);
|
|
|
| // Ensure that the pointer to the old function can't be changed.
|
| - page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
|
| - sizeof(g_nt_map_view_of_section_func),
|
| - PAGE_EXECUTE_READ,
|
| - &old_protect);
|
| + page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
|
| + sizeof(g_nt_map_view_of_section_func),
|
| + PAGE_EXECUTE_READ, &old_protect);
|
| #else
|
| - NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
|
| - reinterpret_cast<void*>(&__ImageBase),
|
| - "NtMapViewOfSection",
|
| - NULL,
|
| - &blacklist::BlNtMapViewOfSection,
|
| - thunk_storage,
|
| - sizeof(sandbox::ThunkData),
|
| - NULL);
|
| + NTSTATUS ret =
|
| + thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
|
| + reinterpret_cast<void*>(&__ImageBase), "NtMapViewOfSection",
|
| + NULL, &blacklist::BlNtMapViewOfSection, thunk_storage,
|
| + sizeof(sandbox::ThunkData), NULL);
|
| #endif
|
| delete thunk;
|
|
|
| @@ -405,10 +343,9 @@ bool Initialize(bool force) {
|
| g_blacklist_initialized = NT_SUCCESS(ret);
|
|
|
| // Mark the thunk storage as executable and prevent any future writes to it.
|
| - page_executable = page_executable && VirtualProtect(&g_thunk_storage,
|
| - sizeof(g_thunk_storage),
|
| - PAGE_EXECUTE_READ,
|
| - &old_protect);
|
| + page_executable = page_executable &&
|
| + VirtualProtect(&g_thunk_storage, sizeof(g_thunk_storage),
|
| + PAGE_EXECUTE_READ, &old_protect);
|
|
|
| AddDllsFromRegistryToBlacklist();
|
|
|
| @@ -416,41 +353,18 @@ bool Initialize(bool force) {
|
| }
|
|
|
| void AddDllsFromRegistryToBlacklist() {
|
| - HKEY key = NULL;
|
| - LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
|
| - kRegistryFinchListPath,
|
| - 0,
|
| - KEY_QUERY_VALUE | KEY_SET_VALUE,
|
| - &key);
|
| -
|
| - if (result != ERROR_SUCCESS)
|
| + std::vector<std::wstring> dlls;
|
| +
|
| + if (!nt::QueryRegValueMULTISZ(nt::HKCU, kRegistryFinchListPath,
|
| + kRegistryFinchListValueName, &dlls) ||
|
| + dlls.empty())
|
| return;
|
|
|
| - // We add dlls from the registry to the blacklist.
|
| - DWORD value_len;
|
| - DWORD name_len = MAX_PATH;
|
| - std::vector<wchar_t> name_buffer(name_len);
|
| - for (int i = 0; result == ERROR_SUCCESS; ++i) {
|
| - name_len = MAX_PATH;
|
| - value_len = 0;
|
| - result = ::RegEnumValue(
|
| - key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
|
| - if (result != ERROR_SUCCESS)
|
| - break;
|
| -
|
| - name_len = name_len + 1;
|
| - value_len = value_len + 1;
|
| - std::vector<wchar_t> value_buffer(value_len);
|
| - result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
|
| - reinterpret_cast<BYTE*>(&value_buffer[0]),
|
| - &value_len);
|
| - if (result != ERROR_SUCCESS)
|
| - break;
|
| - value_buffer[value_len - 1] = L'\0';
|
| - AddDllToBlacklist(&value_buffer[0]);
|
| + // Add each DLL to the BL in memory
|
| + for (auto name : dlls) {
|
| + AddDllToBlacklist(name.c_str());
|
| }
|
|
|
| - ::RegCloseKey(key);
|
| return;
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 1841573002:
[Chrome ELF] New NT registry API. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master