[Win] Create ModuleWatcher.

chrome/common/conflicts/module_watcher_win.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/common/conflicts/module_watcher_win.h"
+
+#include <windows.h>
+#include <tlhelp32.h>
+#include <winternl.h>  // For UNICODE_STRING.
+
+#include <string>
+
+#include "base/lazy_instance.h"
+#include "base/memory/ptr_util.h"
+#include "base/strings/utf_string_conversions.h"
+#include "base/synchronization/lock.h"
+#include "base/win/scoped_handle.h"
+
+// These structures and functions are documented in MSDN, see
+// http://msdn.microsoft.com/en-us/library/gg547638(v=vs.85).aspx
+// there are however no headers or import libraries available in the
+// Platform SDK. They are declared outside of the anonymous namespace to
+// allow them to be forward declared in the header file.
+enum {
+  // The DLL was loaded. The NotificationData parameter points to a
+  // LDR_DLL_LOADED_NOTIFICATION_DATA structure.
+  LDR_DLL_NOTIFICATION_REASON_LOADED = 1,
+  // The DLL was unloaded. The NotificationData parameter points to a
+  // LDR_DLL_UNLOADED_NOTIFICATION_DATA structure.
+  LDR_DLL_NOTIFICATION_REASON_UNLOADED = 2,
+};
+
+// Structure that is used for module load notifications.
+struct LDR_DLL_LOADED_NOTIFICATION_DATA {
+  // Reserved.
+  ULONG Flags;
+  // The full path name of the DLL module.
+  PCUNICODE_STRING FullDllName;
+  // The base file name of the DLL module.
+  PCUNICODE_STRING BaseDllName;
+  // A pointer to the base address for the DLL in memory.
+  PVOID DllBase;
+  // The size of the DLL image, in bytes.
+  ULONG SizeOfImage;
+};
+using PLDR_DLL_LOADED_NOTIFICATION_DATA = LDR_DLL_LOADED_NOTIFICATION_DATA*;
+
+// Structure that is used for module unload notifications.
+struct LDR_DLL_UNLOADED_NOTIFICATION_DATA {
+  // Reserved.
+  ULONG Flags;
+  // The full path name of the DLL module.
+  PCUNICODE_STRING FullDllName;
+  // The base file name of the DLL module.
+  PCUNICODE_STRING BaseDllName;
+  // A pointer to the base address for the DLL in memory.
+  PVOID DllBase;
+  // The size of the DLL image, in bytes.
+  ULONG SizeOfImage;
+};
+using PLDR_DLL_UNLOADED_NOTIFICATION_DATA = LDR_DLL_UNLOADED_NOTIFICATION_DATA*;
+
+// Union that is used for notifications.
+union LDR_DLL_NOTIFICATION_DATA {
+  LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+  LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+};
+using PLDR_DLL_NOTIFICATION_DATA = LDR_DLL_NOTIFICATION_DATA*;
+
+// Signature of the notification callback function.
+using PLDR_DLL_NOTIFICATION_FUNCTION =
+    VOID(CALLBACK*)(ULONG notification_reason,
+                    const LDR_DLL_NOTIFICATION_DATA* notification_data,
+                    PVOID context);
+
+// Signatures of the functions used for registering DLL notification callbacks.
+using LdrRegisterDllNotificationFunc =
+    NTSTATUS(NTAPI*)(ULONG flags,
+                     PLDR_DLL_NOTIFICATION_FUNCTION notification_function,
+                     PVOID context,
+                     PVOID* cookie);
+using LdrUnregisterDllNotificationFunc = NTSTATUS(NTAPI*)(PVOID cookie);
+
+namespace {
+
+// Global lock for ensuring synchronization of destruction and notifications.
+base::LazyInstance<base::Lock>::Leaky g_module_watcher_lock =

[sky, 2016/11/14 22:14:16]

These aren't global, so you shouldn't use "g_".

[grt (UTC plus 2), 2016/11/15 10:35:34]

Hi Scott. I asked Chris to put the g_ there, so I'll share why. These are global
to the module even though they can't be seen outside of this compilation unit
and they're not local in function scope where they're used. I think of that as
being global enough. I checked the Google C++ style guide and Chromium's style
guide and found guidance in neither. The Chromium C++ Dos and Donts, on the
other hand, shows an example with the leading "g_" exactly like this:
https://www.chromium.org/developers/coding-style/cpp-dos-and-donts#TOC-Move-s....
Are you okay with "g_" here, or would you like to fire up a discussion on
chromium-dev to see if there's consensus one way or another from the arbiters of
style?

Cheers

[sky, 2016/11/15 14:15:37]

This has come up in the past on a number of reviews and the guidance I've
received from folks (including Darin), is no g_. I think it's worth a discussion
on chromium-dev to reach consensus.

+    LAZY_INSTANCE_INITIALIZER;
+// Global pointer to the singleton ModuleWatcher, if one exists. Under
+// |module_watcher_lock|.
+ModuleWatcher* g_module_watcher_instance = nullptr;
+
+// Names of the DLL notification registration functions. These are exported by
+// ntdll.
+constexpr wchar_t kNtDll[] = L"ntdll.dll";
+constexpr char kLdrRegisterDllNotification[] = "LdrRegisterDllNotification";
+constexpr char kLdrUnregisterDllNotification[] = "LdrUnregisterDllNotification";
+
+// Helper function for converting a UNICODE_STRING to a UTF8 std::string.
+std::string ToString(const UNICODE_STRING* str) {
+  std::string s;
+  base::WideToUTF8(str->Buffer, str->Length / sizeof(wchar_t), &s);
+  return s;
+}
+
+template <typename NotificationDataType>
+void OnModuleEvent(mojom::ModuleEventType event_type,
+                   const NotificationDataType& notification_data,
+                   const ModuleWatcher::OnModuleEventCallback& callback) {
+  mojom::ModuleEvent event;
+  event.event_type = event_type;
+  event.module_path = ToString(notification_data.FullDllName);
+  event.load_address = reinterpret_cast<uintptr_t>(notification_data.DllBase);
+  event.size = notification_data.SizeOfImage;
+  callback.Run(event);
+}
+
+}  // namespace
+
+// static
+std::unique_ptr<ModuleWatcher> ModuleWatcher::Create(
+    const OnModuleEventCallback& callback) {
+  // If a ModuleWatcher already exists then bail out.
+  base::AutoLock lock(g_module_watcher_lock.Get());
+  if (g_module_watcher_instance)
+    return nullptr;
+
+  // This thread acquired the right to create a ModuleWatcher, so do so.
+  g_module_watcher_instance = new ModuleWatcher(callback);
+  return base::WrapUnique(g_module_watcher_instance);
+}
+
+ModuleWatcher::~ModuleWatcher() {
+  // As soon as |g_module_watcher_instance| is null any dispatched callbacks
+  // will be silently absorbed by LoaderNotificationCallback.
+  base::AutoLock lock(g_module_watcher_lock.Get());
+  DCHECK_EQ(g_module_watcher_instance, this);
+  g_module_watcher_instance = nullptr;
+  UnregisterDllNotificationCallback();
+}
+
+void ModuleWatcher::RegisterDllNotificationCallback() {
+  LdrRegisterDllNotificationFunc reg_fn =
+      reinterpret_cast<LdrRegisterDllNotificationFunc>(::GetProcAddress(
+          ::GetModuleHandle(kNtDll), kLdrRegisterDllNotification));
+  if (reg_fn)
+    reg_fn(0, &LoaderNotificationCallback, this, &dll_notification_cookie_);
+}
+
+void ModuleWatcher::UnregisterDllNotificationCallback() {
+  LdrUnregisterDllNotificationFunc unreg_fn =
+      reinterpret_cast<LdrUnregisterDllNotificationFunc>(::GetProcAddress(
+          ::GetModuleHandle(kNtDll), kLdrUnregisterDllNotification));
+  if (unreg_fn)
+    unreg_fn(dll_notification_cookie_);
+}
+
+void ModuleWatcher::EnumerateAlreadyLoadedModules() {
+  // Get all modules in the current process. According to MSDN,
+  // CreateToolhelp32Snapshot should be retried as long as its returning
+  // ERROR_BAD_LENGTH. To avoid locking up here a retry limit is enforced.
+  base::win::ScopedHandle snap;
+  DWORD process_id = ::GetCurrentProcessId();
+  for (size_t i = 0; i < 5; ++i) {
+    snap.Set(::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
+                                        process_id));
+    if (snap.IsValid())
+      break;
+    if (::GetLastError() != ERROR_BAD_LENGTH)
+      return;
+  }
+  if (!snap.IsValid())
+    return;
+
+  // Walk the module list.
+  MODULEENTRY32 module = {sizeof(module)};

[Will Harris, 2016/11/17 18:12:36]

module.dwSize = sizeof(module_entry) before calling ::Module32First

[chrisha, 2016/11/17 21:40:31]

The initializer does exactly that (dwSize is the first field).

[Will Harris, 2016/11/18 02:46:03]

Acknowledged.

+  std::string path;
+  for (BOOL result = ::Module32First(snap.Get(), &module); result != FALSE;
+       result = ::Module32Next(snap.Get(), &module)) {
+    base::WideToUTF8(module.szExePath, ::wcslen(module.szExePath), &path);
+    mojom::ModuleEvent event;
+    event.event_type = mojom::ModuleEventType::MODULE_ALREADY_LOADED;
+    event.module_path = path;
+    event.load_address = reinterpret_cast<uintptr_t>(module.modBaseAddr);
+    event.size = module.modBaseSize;
+    callback_.Run(event);
+  }
+
+  return;
+}
+
+// static
+ModuleWatcher::OnModuleEventCallback ModuleWatcher::GetCallbackForContext(
+    void* context) {
+  base::AutoLock lock(g_module_watcher_lock.Get());
+  if (context != g_module_watcher_instance)

[Will Harris, 2016/11/17 18:12:36]

when does this ever happen?

[chrisha, 2016/11/17 21:40:31]

If you tore down the watcher while a ldr notification was pending (and also if
you then subsequently created a new one). The context will refer to the old
watcher, while the global can be null or refer to a new one.

[Will Harris, 2016/11/18 02:46:03]

Acknowledged.

+    return OnModuleEventCallback();
+  return g_module_watcher_instance->callback_;
+}
+
+// static
+void __stdcall ModuleWatcher::LoaderNotificationCallback(
+    unsigned long notification_reason,
+    const LDR_DLL_NOTIFICATION_DATA* notification_data,
+    void* context) {
+  auto callback = GetCallbackForContext(context);
+  if (callback.is_null())

[Will Harris, 2016/11/17 18:12:36]

when will this ever be null?

[chrisha, 2016/11/17 21:40:31]

Same story as above. If a pending ldr notification is being processed after the
watcher has been destroyed then GetCallbackForContext will return a null
callback to indicate that no watcher exists.

These two functions make the watcher safe to destruct even though notifications
are racing against it.

[Will Harris, 2016/11/18 02:46:03]

I see "if (callback)" everywhere else this is done, I presume is_null() is the
same?

[grt (UTC plus 2), 2016/11/18 11:45:54]

Awesome! I hadn't noticed the bool operator before. TIL!

[chrisha, 2016/11/21 16:34:47]

Switched to using the bool operator.

+    return;
+
+  switch (notification_reason) {
+    case LDR_DLL_NOTIFICATION_REASON_LOADED:
+      OnModuleEvent(mojom::ModuleEventType::MODULE_LOADED,
+                    notification_data->Loaded, callback);
+      break;
+
+    case LDR_DLL_NOTIFICATION_REASON_UNLOADED:
+      OnModuleEvent(mojom::ModuleEventType::MODULE_UNLOADED,
+                    notification_data->Unloaded, callback);
+      break;
+
+    default:
+      // This is unexpected, but not a reason to crash.
+      NOTREACHED() << "Unknown LDR_DLL_NOTIFICATION_REASON: "
+                   << notification_reason;
+  }
+}
+
+ModuleWatcher::ModuleWatcher(const OnModuleEventCallback& callback)
+    : callback_(callback) {
+  RegisterDllNotificationCallback();
+  EnumerateAlreadyLoadedModules();
+}