1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win.h"
6
7 #include <windows.h>
8 #include <set>
9
10 #include "base/i18n/case_conversion.h"
11 #include "base/strings/string_util.h"
12 #include "base/strings/utf_string_conversions.h"
13 #include "base/win/registry.h"
14 #include "chrome/browser/install_verification/win/module_info.h"
15 #include "chrome/browser/install_verification/win/module_verification_common.h"
16 #include "chrome/browser/net/service_providers_win.h"
17 #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"
18 #include "chrome/browser/safe_browsing/path_sanitizer.h"
19 #include "chrome/common/safe_browsing/csd.pb.h"
20 #include "chrome_elf/chrome_elf_constants.h"
21
22 namespace safe_browsing {
23
24 namespace {
25
26 // The modules on which we will run VerifyModule.
27 const wchar_t* const kModulesToVerify[] = {
28 L"chrome.dll",
29 L"chrome_elf.dll",
30 L"ntdll.dll",
31 };
32
33 // Helper function for expanding all environment variables in |path|.
ExpandEnvironmentVariables(const std::wstring & path)34 std::wstring ExpandEnvironmentVariables(const std::wstring& path) {
35 static const DWORD kMaxBuffer = 32 * 1024; // Max according to MSDN.
36 std::wstring path_expanded;
37 DWORD path_len = MAX_PATH;
38 do {
39 DWORD result = ExpandEnvironmentStrings(
40 path.c_str(), WriteInto(&path_expanded, path_len), path_len);
41 if (!result) {
42 // Failed to expand variables. Return the original string.
43 DPLOG(ERROR) << path;
44 break;
45 }
46 if (result <= path_len)
47 return path_expanded.substr(0, result - 1);
48 path_len = result;
49 } while (path_len < kMaxBuffer);
50
51 return path;
52 }
53
54 } // namespace
55
CollectDlls(ClientIncidentReport_EnvironmentData_Process * process)56 bool CollectDlls(ClientIncidentReport_EnvironmentData_Process* process) {
57 // Retrieve the module list.
58 std::set<ModuleInfo> loaded_modules;
59 if (!GetLoadedModules(&loaded_modules))
60 return false;
61
62 // Sanitize path of each module and add it to the incident report.
63 PathSanitizer path_sanitizer;
64 for (std::set<ModuleInfo>::const_iterator it = loaded_modules.begin();
65 it != loaded_modules.end();
66 ++it) {
67 base::FilePath dll_path(it->name);
68 path_sanitizer.StripHomeDirectory(&dll_path);
69
70 ClientIncidentReport_EnvironmentData_Process_Dll* dll = process->add_dll();
71 dll->set_path(base::WideToUTF8(base::i18n::ToLower(dll_path.value())));
72 dll->set_base_address(it->base_address);
73 dll->set_length(it->size);
74 }
75
76 return true;
77 }
78
RecordLspFeature(ClientIncidentReport_EnvironmentData_Process * process)79 void RecordLspFeature(ClientIncidentReport_EnvironmentData_Process* process) {
80 WinsockLayeredServiceProviderList lsp_list;
81 GetWinsockLayeredServiceProviders(&lsp_list);
82
83 // For each LSP, we extract and sanitize the path.
84 PathSanitizer path_sanitizer;
85 std::set<std::wstring> lsp_paths;
86 for (size_t i = 0; i < lsp_list.size(); ++i) {
87 base::FilePath lsp_path(ExpandEnvironmentVariables(lsp_list[i].path));
88 path_sanitizer.StripHomeDirectory(&lsp_path);
89 lsp_paths.insert(base::i18n::ToLower(lsp_path.value()));
90 }
91
92 // Look for a match between LSPs and loaded dlls.
93 for (int i = 0; i < process->dll_size(); ++i) {
94 if (lsp_paths.count(base::UTF8ToWide(process->dll(i).path()))) {
95 process->mutable_dll(i)
96 ->add_feature(ClientIncidentReport_EnvironmentData_Process_Dll::LSP);
97 }
98 }
99 }
100
CollectDllBlacklistData(ClientIncidentReport_EnvironmentData_Process * process)101 void CollectDllBlacklistData(
102 ClientIncidentReport_EnvironmentData_Process* process) {
103 PathSanitizer path_sanitizer;
104 base::win::RegistryValueIterator iter(HKEY_CURRENT_USER,
105 blacklist::kRegistryFinchListPath);
106 for (; iter.Valid(); ++iter) {
107 base::FilePath dll_name(iter.Value());
108 path_sanitizer.StripHomeDirectory(&dll_name);
109 process->add_blacklisted_dll(dll_name.AsUTF8Unsafe());
110 }
111 }
112
CollectModuleVerificationData(const wchar_t * const modules_to_verify[],size_t num_modules_to_verify,ClientIncidentReport_EnvironmentData_Process * process)113 void CollectModuleVerificationData(
114 const wchar_t* const modules_to_verify[],
115 size_t num_modules_to_verify,
116 ClientIncidentReport_EnvironmentData_Process* process) {
117 for (size_t i = 0; i < num_modules_to_verify; ++i) {
118 std::set<std::string> modified_exports;
119 int modified = VerifyModule(modules_to_verify[i], &modified_exports);
120
121 if (modified == MODULE_STATE_UNMODIFIED)
122 continue;
123
124 ClientIncidentReport_EnvironmentData_Process_ModuleState* module_state =
125 process->add_module_state();
126
127 module_state->set_name(
128 base::WideToUTF8(std::wstring(modules_to_verify[i])));
129 // Add 1 to the ModuleState enum to get the corresponding value in the
130 // protobuf's ModuleState enum.
131 module_state->set_modified_state(static_cast<
132 ClientIncidentReport_EnvironmentData_Process_ModuleState_ModifiedState>(
133 modified + 1));
134 for (std::set<std::string>::iterator it = modified_exports.begin();
135 it != modified_exports.end();
136 ++it) {
137 module_state->add_modified_export(*it);
138 }
139 }
140 }
141
CollectPlatformProcessData(ClientIncidentReport_EnvironmentData_Process * process)142 void CollectPlatformProcessData(
143 ClientIncidentReport_EnvironmentData_Process* process) {
144 CollectDlls(process);
145 RecordLspFeature(process);
146 CollectDllBlacklistData(process);
147 CollectModuleVerificationData(
148 kModulesToVerify, arraysize(kModulesToVerify), process);
149 }
150
151 } // namespace safe_browsing
152