1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome_elf/blacklist/blacklist.h"
12 #include "base/basictypes.h"
13 #include "chrome_elf/blacklist/blacklist_interceptions.h"
14 #include "chrome_elf/chrome_elf_constants.h"
15 #include "chrome_elf/chrome_elf_util.h"
16 #include "chrome_elf/thunk_getter.h"
17 #include "sandbox/win/src/interception_internal.h"
18 #include "sandbox/win/src/internal_types.h"
19 #include "sandbox/win/src/service_resolver.h"
21 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
22 extern "C" IMAGE_DOS_HEADER __ImageBase;
26 // The DLLs listed here are known (or under strong suspicion) of causing crashes
27 // when they are loaded in the browser. DLLs should only be added to this list
28 // if there is nothing else Chrome can do to prevent those crashes.
29 // For more information about how this list is generated, and how to get off
31 // https://sites.google.com/a/chromium.org/dev/Home/third-party-developers
32 // NOTE: Please remember to update the DllHash enum in histograms.xml when
33 // adding a new value to the blacklist.
34 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
35 L"activedetect32.dll", // Lenovo One Key Theater.
36 // See crbug.com/379218.
37 L"activedetect64.dll", // Lenovo One Key Theater.
38 L"bitguard.dll", // Unknown (suspected malware).
39 L"chrmxtn.dll", // Unknown (keystroke logger).
40 L"cplushook.dll", // Unknown (suspected malware).
41 L"datamngr.dll", // Unknown (suspected adware).
42 L"hk.dll", // Unknown (keystroke logger).
43 L"libapi2hook.dll", // V-Bates.
44 L"libinject.dll", // V-Bates.
45 L"libinject2.dll", // V-Bates.
46 L"libredir2.dll", // V-Bates.
47 L"libsvn_tsvn32.dll", // TortoiseSVN.
48 L"libwinhook.dll", // V-Bates.
49 L"lmrn.dll", // Unknown.
50 L"minisp.dll", // Unknown (suspected malware).
51 L"scdetour.dll", // Quick Heal Antivirus.
52 // See crbug.com/382561.
53 L"systemk.dll", // Unknown (suspected adware).
54 L"wajam_goblin_64.dll", // Wajam Internet Technologies.
55 L"wajam_goblin.dll", // Wajam Internet Technologies.
56 L"windowsapihookdll32.dll", // Lenovo One Key Theater.
57 // See crbug.com/379218.
58 L"windowsapihookdll64.dll", // Lenovo One Key Theater.
59 // Keep this null pointer here to mark the end of the list.
63 bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
64 int g_num_blocked_dlls = 0;
66 } // namespace blacklist
68 // Allocate storage for thunks in a page of this module to save on doing
69 // an extra allocation at run time.
70 #pragma section(".crthunk",read,execute)
71 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
75 // Record if the blacklist was successfully initialized so processes can easily
76 // determine if the blacklist is enabled for them.
77 bool g_blacklist_initialized = false;
79 // Helper to set DWORD registry values.
80 DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
81 return ::RegSetValueEx(*key,
85 reinterpret_cast<LPBYTE>(&value),
89 bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
91 if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
92 // If the blacklist succeeded on the previous run reset the failure
94 return (SetDWValue(key,
95 blacklist::kBeaconAttemptCount,
96 static_cast<DWORD>(0)) == ERROR_SUCCESS);
98 // Some part of the blacklist setup failed last time. If this has occured
99 // blacklist::kBeaconMaxAttempts times in a row we switch the state to
100 // failed and skip setting up the blacklist.
101 DWORD attempt_count = 0;
102 DWORD attempt_count_size = sizeof(attempt_count);
103 result = ::RegQueryValueEx(*key,
104 blacklist::kBeaconAttemptCount,
107 reinterpret_cast<LPBYTE>(&attempt_count),
108 &attempt_count_size);
110 if (result == ERROR_FILE_NOT_FOUND)
112 else if (result != ERROR_SUCCESS)
116 SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
118 if (attempt_count >= blacklist::kBeaconMaxAttempts) {
119 blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
120 SetDWValue(key, blacklist::kBeaconState, blacklist_state);
129 namespace blacklist {
132 // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
133 #pragma section(".oldntmap",write,read)
134 __declspec(allocate(".oldntmap"))
135 NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
138 bool LeaveSetupBeacon() {
140 DWORD disposition = 0;
141 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
145 REG_OPTION_NON_VOLATILE,
146 KEY_QUERY_VALUE | KEY_SET_VALUE,
150 if (result != ERROR_SUCCESS)
153 // Retrieve the current blacklist state.
154 DWORD blacklist_state = BLACKLIST_STATE_MAX;
155 DWORD blacklist_state_size = sizeof(blacklist_state);
157 result = ::RegQueryValueEx(key,
161 reinterpret_cast<LPBYTE>(&blacklist_state),
162 &blacklist_state_size);
164 if (blacklist_state == BLACKLIST_DISABLED || result != ERROR_SUCCESS ||
170 if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
175 result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
178 return (result == ERROR_SUCCESS);
183 DWORD disposition = 0;
184 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
188 REG_OPTION_NON_VOLATILE,
189 KEY_QUERY_VALUE | KEY_SET_VALUE,
193 if (result != ERROR_SUCCESS)
196 DWORD blacklist_state = BLACKLIST_STATE_MAX;
197 DWORD blacklist_state_size = sizeof(blacklist_state);
199 result = ::RegQueryValueEx(key,
203 reinterpret_cast<LPBYTE>(&blacklist_state),
204 &blacklist_state_size);
206 if (result != ERROR_SUCCESS || type != REG_DWORD) {
211 // Reaching this point with the setup running state means the setup did not
212 // crash, so we reset to enabled. Any other state indicates that setup was
213 // skipped; in that case we leave the state alone for later recording.
214 if (blacklist_state == BLACKLIST_SETUP_RUNNING)
215 result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
218 return (result == ERROR_SUCCESS);
221 int BlacklistSize() {
223 while (blacklist::g_troublesome_dlls[++size] != NULL) {}
228 bool IsBlacklistInitialized() {
229 return g_blacklist_initialized;
232 int GetBlacklistIndex(const wchar_t* dll_name) {
233 for (int i = 0; i < kTroublesomeDllsMaxCount, g_troublesome_dlls[i]; ++i) {
234 if (_wcsicmp(dll_name, g_troublesome_dlls[i]) == 0)
240 bool AddDllToBlacklist(const wchar_t* dll_name) {
241 int blacklist_size = BlacklistSize();
242 // We need to leave one space at the end for the null pointer.
243 if (blacklist_size + 1 >= kTroublesomeDllsMaxCount)
245 for (int i = 0; i < blacklist_size; ++i) {
246 if (!_wcsicmp(g_troublesome_dlls[i], dll_name))
250 // Copy string to blacklist.
251 wchar_t* str_buffer = new wchar_t[wcslen(dll_name) + 1];
252 wcscpy(str_buffer, dll_name);
254 g_troublesome_dlls[blacklist_size] = str_buffer;
255 g_blocked_dlls[blacklist_size] = false;
259 bool RemoveDllFromBlacklist(const wchar_t* dll_name) {
260 int blacklist_size = BlacklistSize();
261 for (int i = 0; i < blacklist_size; ++i) {
262 if (!_wcsicmp(g_troublesome_dlls[i], dll_name)) {
263 // Found the thing to remove. Delete it then replace it with the last
265 delete[] g_troublesome_dlls[i];
266 g_troublesome_dlls[i] = g_troublesome_dlls[blacklist_size - 1];
267 g_troublesome_dlls[blacklist_size - 1] = NULL;
269 // Also update the stats recording if we have blocked this dll or not.
270 if (g_blocked_dlls[i])
271 --g_num_blocked_dlls;
272 g_blocked_dlls[i] = g_blocked_dlls[blacklist_size - 1];
279 // TODO(csharp): Maybe store these values in the registry so we can
280 // still report them if Chrome crashes early.
281 void SuccessfullyBlocked(const wchar_t** blocked_dlls, int* size) {
285 // If the array isn't valid or big enough, just report the size it needs to
287 if (blocked_dlls == NULL && *size < g_num_blocked_dlls) {
288 *size = g_num_blocked_dlls;
292 *size = g_num_blocked_dlls;
294 int strings_to_fill = 0;
295 for (int i = 0; strings_to_fill < g_num_blocked_dlls && g_troublesome_dlls[i];
297 if (g_blocked_dlls[i]) {
298 blocked_dlls[strings_to_fill] = g_troublesome_dlls[i];
304 void BlockedDll(size_t blocked_index) {
305 assert(blocked_index < kTroublesomeDllsMaxCount);
307 if (!g_blocked_dlls[blocked_index] &&
308 blocked_index < kTroublesomeDllsMaxCount) {
309 ++g_num_blocked_dlls;
310 g_blocked_dlls[blocked_index] = true;
314 bool Initialize(bool force) {
315 // Check to see that we found the functions we need in ntdll.
316 if (!InitializeInterceptImports())
319 // Check to see if this is a non-browser process, abort if so.
320 if (IsNonBrowserProcess())
323 // Check to see if the blacklist beacon is still set to running (indicating a
324 // failure) or disabled, and abort if so.
325 if (!force && !LeaveSetupBeacon())
328 // It is possible for other dlls to have already patched code by now and
329 // attempting to patch their code might result in crashes.
330 const bool kRelaxed = false;
332 // Create a thunk via the appropriate ServiceResolver instance.
333 sandbox::ServiceResolverThunk* thunk = GetThunk(kRelaxed);
335 // Don't try blacklisting on unsupported OS versions.
339 BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_thunk_storage);
341 // Mark the thunk storage as readable and writeable, since we
342 // ready to write to it.
343 DWORD old_protect = 0;
344 if (!VirtualProtect(&g_thunk_storage,
345 sizeof(g_thunk_storage),
346 PAGE_EXECUTE_READWRITE,
351 thunk->AllowLocalPatches();
353 // We declare this early so it can be used in the 64-bit block below and
354 // still work on 32-bit build when referenced at the end of the function.
355 BOOL page_executable = false;
357 // Replace the default NtMapViewOfSection with our patched version.
359 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
360 reinterpret_cast<void*>(&__ImageBase),
361 "NtMapViewOfSection",
363 &blacklist::BlNtMapViewOfSection64,
365 sizeof(sandbox::ThunkData),
368 // Keep a pointer to the original code, we don't have enough space to
369 // add it directly to the call.
370 g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
373 // Ensure that the pointer to the old function can't be changed.
374 page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
375 sizeof(g_nt_map_view_of_section_func),
379 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
380 reinterpret_cast<void*>(&__ImageBase),
381 "NtMapViewOfSection",
383 &blacklist::BlNtMapViewOfSection,
385 sizeof(sandbox::ThunkData),
390 // Record if we have initialized the blacklist.
391 g_blacklist_initialized = NT_SUCCESS(ret);
393 // Mark the thunk storage as executable and prevent any future writes to it.
394 page_executable = page_executable && VirtualProtect(&g_thunk_storage,
395 sizeof(g_thunk_storage),
399 AddDllsFromRegistryToBlacklist();
401 return NT_SUCCESS(ret) && page_executable;
404 void AddDllsFromRegistryToBlacklist() {
406 LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
407 kRegistryFinchListPath,
409 KEY_QUERY_VALUE | KEY_SET_VALUE,
412 if (result != ERROR_SUCCESS)
415 // We add dlls from the registry to the blacklist.
417 DWORD name_len = MAX_PATH;
418 std::vector<wchar_t> name_buffer(name_len);
419 for (int i = 0; result == ERROR_SUCCESS; ++i) {
422 result = ::RegEnumValue(
423 key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
424 if (result != ERROR_SUCCESS)
427 name_len = name_len + 1;
428 value_len = value_len + 1;
429 std::vector<wchar_t> value_buffer(value_len);
430 result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
431 reinterpret_cast<BYTE*>(&value_buffer[0]),
433 if (result != ERROR_SUCCESS)
435 value_buffer[value_len - 1] = L'\0';
436 AddDllToBlacklist(&value_buffer[0]);
443 } // namespace blacklist