src/chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win_unittest.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win.h"
   6
   7 #include <string>
   8
   9 #include "base/base_paths.h"
  10 #include "base/files/file_path.h"
  11 #include "base/path_service.h"
  12 #include "base/scoped_native_library.h"
  13 #include "base/strings/utf_string_conversions.h"
  14 #include "base/test/test_reg_util_win.h"
  15 #include "base/win/registry.h"
  16 #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_unittest_util_win.h"
  17 #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"
  18 #include "chrome/browser/safe_browsing/path_sanitizer.h"
  19 #include "chrome/common/safe_browsing/csd.pb.h"
  20 #include "chrome_elf/chrome_elf_constants.h"
  21 #include "net/base/winsock_init.h"
  22 #include "testing/gtest/include/gtest/gtest.h"
  23
  24 namespace {
  25
  26 const wchar_t test_dll[] = L"test_name.dll";
  27
  28 // Helper function that returns true if a dll with filename |dll_name| is
  29 // found in |process_report|.
  30 bool ProcessReportContainsDll(
  31     const safe_browsing::ClientIncidentReport_EnvironmentData_Process&
  32         process_report,
  33     const base::FilePath& dll_name) {
  34   for (int i = 0; i < process_report.dll_size(); ++i) {
  35     base::FilePath current_dll =
  36         base::FilePath::FromUTF8Unsafe(process_report.dll(i).path());
  37
  38     if (current_dll.BaseName() == dll_name)
  39       return true;
  40   }
  41
  42   return false;
  43 }
  44
  45 // Look through dll entries and check for the presence of the LSP feature for
  46 // |dll|.
  47 bool DllEntryContainsLspFeature(
  48     const safe_browsing::ClientIncidentReport_EnvironmentData_Process&
  49         process_report,
  50     const std::string& dll) {
  51   for (int i = 0; i < process_report.dll_size(); ++i) {
  52     if (process_report.dll(i).path() == dll) {
  53       // Verify each feature of |dll|.
  54       for (int j = 0; j < process_report.dll(i).feature_size(); ++j) {
  55         if (process_report.dll(i).feature(j) ==
  56             safe_browsing::ClientIncidentReport_EnvironmentData_Process_Dll::
  57                 LSP)
  58           // LSP feature found.
  59           return true;
  60       }
  61     }
  62   }
  63
  64   return false;
  65 }
  66
  67 }  // namespace
  68
  69 TEST(SafeBrowsingEnvironmentDataCollectionWinTest, CollectDlls) {
  70   // This test will check if the CollectDlls method works by loading
  71   // a dll and then checking if we can find it within the process report.
  72   // Pick msvidc32.dll as it is present from WinXP to Win8 and yet rarely used.
  73   // msvidc32.dll exists in both 32 and 64 bit versions.
  74   base::FilePath msvdc32_dll(L"msvidc32.dll");
  75
  76   safe_browsing::ClientIncidentReport_EnvironmentData_Process process_report;
  77   safe_browsing::CollectDlls(&process_report);
  78
  79   ASSERT_FALSE(ProcessReportContainsDll(process_report, msvdc32_dll));
  80
  81   // Redo the same verification after loading a new dll.
  82   base::ScopedNativeLibrary library(msvdc32_dll);
  83
  84   process_report.clear_dll();
  85   safe_browsing::CollectDlls(&process_report);
  86
  87   ASSERT_TRUE(ProcessReportContainsDll(process_report, msvdc32_dll));
  88 }
  89
  90 TEST(SafeBrowsingEnvironmentDataCollectionWinTest, RecordLspFeature) {
  91   net::EnsureWinsockInit();
  92
  93   // Populate our incident report with loaded modules.
  94   safe_browsing::ClientIncidentReport_EnvironmentData_Process process_report;
  95   safe_browsing::CollectDlls(&process_report);
  96
  97   // We'll test RecordLspFeatures against a real dll registered as a LSP. All
  98   // dll paths are expected to be lowercase in the process report.
  99   std::string lsp = "c:\\windows\\system32\\mswsock.dll";
 100   int base_address = 0x77770000;
 101   int length = 0x180000;
 102
 103   safe_browsing::RecordLspFeature(&process_report);
 104
 105   // Return successfully if LSP feature is found.
 106   if (DllEntryContainsLspFeature(process_report, lsp))
 107     return;
 108
 109   // |lsp| was not already loaded into the current process. Manually add it
 110   // to the process report so that it will get marked as a LSP.
 111   safe_browsing::ClientIncidentReport_EnvironmentData_Process_Dll* dll =
 112       process_report.add_dll();
 113   dll->set_path(lsp);
 114   dll->set_base_address(base_address);
 115   dll->set_length(length);
 116
 117   safe_browsing::RecordLspFeature(&process_report);
 118
 119   // Return successfully if LSP feature is found.
 120   if (DllEntryContainsLspFeature(process_report, lsp))
 121     return;
 122
 123   FAIL() << "No LSP feature found for " << lsp;
 124 }
 125
 126 TEST(SafeBrowsingEnvironmentDataCollectionWinTest, CollectDllBlacklistData) {
 127   // Ensure that CollectDllBlacklistData correctly adds the set of sanitized dll
 128   // names currently stored in the registry to the report.
 129   registry_util::RegistryOverrideManager override_manager;
 130   override_manager.OverrideRegistry(HKEY_CURRENT_USER);
 131
 132   base::win::RegKey blacklist_registry_key(HKEY_CURRENT_USER,
 133                                            blacklist::kRegistryFinchListPath,
 134                                            KEY_QUERY_VALUE | KEY_SET_VALUE);
 135
 136   // Check that with an empty registry the blacklisted dlls field is left empty.
 137   safe_browsing::ClientIncidentReport_EnvironmentData_Process process_report;
 138   safe_browsing::CollectDllBlacklistData(&process_report);
 139   EXPECT_EQ(0, process_report.blacklisted_dll_size());
 140
 141   // Check that after adding exactly one dll to the registry it appears in the
 142   // process report.
 143   blacklist_registry_key.WriteValue(test_dll, test_dll);
 144   safe_browsing::CollectDllBlacklistData(&process_report);
 145   ASSERT_EQ(1, process_report.blacklisted_dll_size());
 146
 147   base::string16 process_report_dll =
 148       base::UTF8ToWide(process_report.blacklisted_dll(0));
 149   EXPECT_EQ(base::string16(test_dll), process_report_dll);
 150
 151   // Check that if the registry contains the full path to a dll it is properly
 152   // sanitized before being reported.
 153   blacklist_registry_key.DeleteValue(test_dll);
 154   process_report.clear_blacklisted_dll();
 155
 156   base::FilePath path;
 157   ASSERT_TRUE(PathService::Get(base::DIR_HOME, &path));
 158   base::string16 input_path =
 159       path.Append(FILE_PATH_LITERAL("test_path.dll")).value();
 160
 161   std::string path_expected = base::FilePath(FILE_PATH_LITERAL("~"))
 162                                   .Append(FILE_PATH_LITERAL("test_path.dll"))
 163                                   .AsUTF8Unsafe();
 164
 165   blacklist_registry_key.WriteValue(input_path.c_str(), input_path.c_str());
 166   safe_browsing::CollectDllBlacklistData(&process_report);
 167
 168   ASSERT_EQ(1, process_report.blacklisted_dll_size());
 169   std::string process_report_path = process_report.blacklisted_dll(0);
 170   EXPECT_EQ(path_expected, process_report_path);
 171 }
 172
 173 TEST(SafeBrowsingEnvironmentDataCollectionWinTest, VerifyLoadedModules) {
 174   //  Load the test modules.
 175   std::vector<base::ScopedNativeLibrary> test_dlls(
 176       safe_browsing::kTestDllNamesCount);
 177   for (size_t i = 0; i < safe_browsing::kTestDllNamesCount; ++i) {
 178     test_dlls[i].Reset(LoadNativeLibrary(
 179         base::FilePath(safe_browsing::kTestDllNames[i]), NULL));
 180   }
 181
 182   // Edit the first byte of the function exported by the first module. Calling
 183   // GetModuleHandle so we do not increment the library ref count.
 184   HMODULE module_handle = GetModuleHandle(safe_browsing::kTestDllNames[0]);
 185   EXPECT_NE(reinterpret_cast<HANDLE>(NULL), module_handle);
 186   uint8_t* export_addr = reinterpret_cast<uint8_t*>(
 187       GetProcAddress(module_handle, safe_browsing::kTestExportName));
 188   EXPECT_NE(reinterpret_cast<uint8_t*>(NULL), export_addr);
 189
 190   uint8_t new_val = (*export_addr) + 1;
 191   SIZE_T bytes_written = 0;
 192   WriteProcessMemory(GetCurrentProcess(),
 193                      export_addr,
 194                      reinterpret_cast<void*>(&new_val),
 195                      1,
 196                      &bytes_written);
 197   EXPECT_EQ(1, bytes_written);
 198
 199   safe_browsing::ClientIncidentReport_EnvironmentData_Process process_report;
 200   safe_browsing::CollectModuleVerificationData(
 201       safe_browsing::kTestDllNames,
 202       safe_browsing::kTestDllNamesCount,
 203       &process_report);
 204
 205   // CollectModuleVerificationData should return the single modified module and
 206   // its modified export.  The other module, being unmodified, is omitted from
 207   // the returned list of modules.
 208   EXPECT_EQ(1, process_report.module_state_size());
 209
 210   EXPECT_EQ(base::WideToUTF8(std::wstring(safe_browsing::kTestDllNames[0])),
 211             process_report.module_state(0).name());
 212   EXPECT_EQ(
 213       safe_browsing::ClientIncidentReport_EnvironmentData_Process_ModuleState::
 214           MODULE_STATE_MODIFIED,
 215       process_report.module_state(0).modified_state());
 216   EXPECT_EQ(1, process_report.module_state(0).modified_export_size());
 217   EXPECT_EQ(std::string(safe_browsing::kTestExportName),
 218             process_report.module_state(0).modified_export(0));
 219 }