1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome_elf/blacklist/blacklist.h"
12 #include "base/basictypes.h"
13 #include "chrome_elf/blacklist/blacklist_interceptions.h"
14 #include "chrome_elf/chrome_elf_constants.h"
15 #include "chrome_elf/chrome_elf_util.h"
16 #include "chrome_elf/thunk_getter.h"
17 #include "sandbox/win/src/interception_internal.h"
18 #include "sandbox/win/src/internal_types.h"
19 #include "sandbox/win/src/service_resolver.h"
21 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
22 extern "C" IMAGE_DOS_HEADER __ImageBase;
26 // The DLLs listed here are known (or under strong suspicion) of causing crashes
27 // when they are loaded in the browser. DLLs should only be added to this list
28 // if there is nothing else Chrome can do to prevent those crashes.
29 // For more information about how this list is generated, and how to get off
31 // https://sites.google.com/a/chromium.org/dev/Home/third-party-developers
32 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
33 L"activedetect32.dll", // Lenovo One Key Theater.
34 // See crbug.com/379218.
35 L"activedetect64.dll", // Lenovo One Key Theater.
36 L"bitguard.dll", // Unknown (suspected malware).
37 L"chrmxtn.dll", // Unknown (keystroke logger).
38 L"datamngr.dll", // Unknown (suspected adware).
39 L"hk.dll", // Unknown (keystroke logger).
40 L"libsvn_tsvn32.dll", // TortoiseSVN.
41 L"lmrn.dll", // Unknown.
42 L"scdetour.dll", // Quick Heal Antivirus.
43 // See crbug.com/382561.
44 L"systemk.dll", // Unknown (suspected adware).
45 L"windowsapihookdll32.dll", // Lenovo One Key Theater.
46 // See crbug.com/379218.
47 L"windowsapihookdll64.dll", // Lenovo One Key Theater.
48 // Keep this null pointer here to mark the end of the list.
52 bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
53 int g_num_blocked_dlls = 0;
55 } // namespace blacklist
57 // Allocate storage for thunks in a page of this module to save on doing
58 // an extra allocation at run time.
59 #pragma section(".crthunk",read,execute)
60 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
64 // Record if the blacklist was successfully initialized so processes can easily
65 // determine if the blacklist is enabled for them.
66 bool g_blacklist_initialized = false;
68 // Helper to set DWORD registry values.
69 DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
70 return ::RegSetValueEx(*key,
74 reinterpret_cast<LPBYTE>(&value),
78 bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
80 if (blacklist_state == blacklist::BLACKLIST_SETUP_RUNNING) {
81 // Some part of the blacklist setup failed last time. If this has occured
82 // blacklist::kBeaconMaxAttempts times in a row we switch the state to
83 // failed and skip setting up the blacklist.
84 DWORD attempt_count = 0;
85 DWORD attempt_count_size = sizeof(attempt_count);
86 result = ::RegQueryValueEx(*key,
87 blacklist::kBeaconAttemptCount,
90 reinterpret_cast<LPBYTE>(&attempt_count),
93 if (result == ERROR_FILE_NOT_FOUND)
95 else if (result != ERROR_SUCCESS)
99 SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
101 if (attempt_count >= blacklist::kBeaconMaxAttempts) {
102 blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
103 SetDWValue(key, blacklist::kBeaconState, blacklist_state);
106 } else if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
107 // If the blacklist succeeded on the previous run reset the failure
110 SetDWValue(key, blacklist::kBeaconAttemptCount, static_cast<DWORD>(0));
111 if (result != ERROR_SUCCESS) {
120 namespace blacklist {
123 // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
124 #pragma section(".oldntmap",write,read)
125 __declspec(allocate(".oldntmap"))
126 NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
129 bool LeaveSetupBeacon() {
131 DWORD disposition = 0;
132 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
136 REG_OPTION_NON_VOLATILE,
137 KEY_QUERY_VALUE | KEY_SET_VALUE,
141 if (result != ERROR_SUCCESS)
144 // Retrieve the current blacklist state.
145 DWORD blacklist_state = BLACKLIST_STATE_MAX;
146 DWORD blacklist_state_size = sizeof(blacklist_state);
148 result = ::RegQueryValueEx(key,
152 reinterpret_cast<LPBYTE>(&blacklist_state),
153 &blacklist_state_size);
155 if (blacklist_state == BLACKLIST_DISABLED || result != ERROR_SUCCESS ||
161 if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
166 result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
169 return (result == ERROR_SUCCESS);
174 DWORD disposition = 0;
175 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
179 REG_OPTION_NON_VOLATILE,
180 KEY_QUERY_VALUE | KEY_SET_VALUE,
184 if (result != ERROR_SUCCESS)
187 DWORD blacklist_state = BLACKLIST_STATE_MAX;
188 DWORD blacklist_state_size = sizeof(blacklist_state);
190 result = ::RegQueryValueEx(key,
194 reinterpret_cast<LPBYTE>(&blacklist_state),
195 &blacklist_state_size);
197 if (result != ERROR_SUCCESS || type != REG_DWORD) {
202 // Reaching this point with the setup running state means the setup did not
203 // crash, so we reset to enabled. Any other state indicates that setup was
204 // skipped; in that case we leave the state alone for later recording.
205 if (blacklist_state == BLACKLIST_SETUP_RUNNING)
206 result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
209 return (result == ERROR_SUCCESS);
212 int BlacklistSize() {
214 while (blacklist::g_troublesome_dlls[++size] != NULL) {}
219 bool IsBlacklistInitialized() {
220 return g_blacklist_initialized;
223 bool AddDllToBlacklist(const wchar_t* dll_name) {
224 int blacklist_size = BlacklistSize();
225 // We need to leave one space at the end for the null pointer.
226 if (blacklist_size + 1 >= kTroublesomeDllsMaxCount)
228 for (int i = 0; i < blacklist_size; ++i) {
229 if (!_wcsicmp(g_troublesome_dlls[i], dll_name))
233 // Copy string to blacklist.
234 wchar_t* str_buffer = new wchar_t[wcslen(dll_name) + 1];
235 wcscpy(str_buffer, dll_name);
237 g_troublesome_dlls[blacklist_size] = str_buffer;
238 g_blocked_dlls[blacklist_size] = false;
242 bool RemoveDllFromBlacklist(const wchar_t* dll_name) {
243 int blacklist_size = BlacklistSize();
244 for (int i = 0; i < blacklist_size; ++i) {
245 if (!_wcsicmp(g_troublesome_dlls[i], dll_name)) {
246 // Found the thing to remove. Delete it then replace it with the last
248 delete[] g_troublesome_dlls[i];
249 g_troublesome_dlls[i] = g_troublesome_dlls[blacklist_size - 1];
250 g_troublesome_dlls[blacklist_size - 1] = NULL;
252 // Also update the stats recording if we have blocked this dll or not.
253 if (g_blocked_dlls[i])
254 --g_num_blocked_dlls;
255 g_blocked_dlls[i] = g_blocked_dlls[blacklist_size - 1];
262 // TODO(csharp): Maybe store these values in the registry so we can
263 // still report them if Chrome crashes early.
264 void SuccessfullyBlocked(const wchar_t** blocked_dlls, int* size) {
268 // If the array isn't valid or big enough, just report the size it needs to
270 if (blocked_dlls == NULL && *size < g_num_blocked_dlls) {
271 *size = g_num_blocked_dlls;
275 *size = g_num_blocked_dlls;
277 int strings_to_fill = 0;
278 for (int i = 0; strings_to_fill < g_num_blocked_dlls && g_troublesome_dlls[i];
280 if (g_blocked_dlls[i]) {
281 blocked_dlls[strings_to_fill] = g_troublesome_dlls[i];
287 void BlockedDll(size_t blocked_index) {
288 assert(blocked_index < kTroublesomeDllsMaxCount);
290 if (!g_blocked_dlls[blocked_index] &&
291 blocked_index < kTroublesomeDllsMaxCount) {
292 ++g_num_blocked_dlls;
293 g_blocked_dlls[blocked_index] = true;
297 bool Initialize(bool force) {
298 // Check to see that we found the functions we need in ntdll.
299 if (!InitializeInterceptImports())
302 // Check to see if this is a non-browser process, abort if so.
303 if (IsNonBrowserProcess())
306 // Check to see if the blacklist beacon is still set to running (indicating a
307 // failure) or disabled, and abort if so.
308 if (!force && !LeaveSetupBeacon())
311 // It is possible for other dlls to have already patched code by now and
312 // attempting to patch their code might result in crashes.
313 const bool kRelaxed = false;
315 // Create a thunk via the appropriate ServiceResolver instance.
316 sandbox::ServiceResolverThunk* thunk = GetThunk(kRelaxed);
318 // Don't try blacklisting on unsupported OS versions.
322 BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_thunk_storage);
324 // Mark the thunk storage as readable and writeable, since we
325 // ready to write to it.
326 DWORD old_protect = 0;
327 if (!VirtualProtect(&g_thunk_storage,
328 sizeof(g_thunk_storage),
329 PAGE_EXECUTE_READWRITE,
334 thunk->AllowLocalPatches();
336 // We declare this early so it can be used in the 64-bit block below and
337 // still work on 32-bit build when referenced at the end of the function.
338 BOOL page_executable = false;
340 // Replace the default NtMapViewOfSection with our patched version.
342 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
343 reinterpret_cast<void*>(&__ImageBase),
344 "NtMapViewOfSection",
346 &blacklist::BlNtMapViewOfSection64,
348 sizeof(sandbox::ThunkData),
351 // Keep a pointer to the original code, we don't have enough space to
352 // add it directly to the call.
353 g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
356 // Ensure that the pointer to the old function can't be changed.
357 page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
358 sizeof(g_nt_map_view_of_section_func),
362 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
363 reinterpret_cast<void*>(&__ImageBase),
364 "NtMapViewOfSection",
366 &blacklist::BlNtMapViewOfSection,
368 sizeof(sandbox::ThunkData),
373 // Record if we have initialized the blacklist.
374 g_blacklist_initialized = NT_SUCCESS(ret);
376 // Mark the thunk storage as executable and prevent any future writes to it.
377 page_executable = page_executable && VirtualProtect(&g_thunk_storage,
378 sizeof(g_thunk_storage),
382 AddDllsFromRegistryToBlacklist();
384 return NT_SUCCESS(ret) && page_executable;
387 bool AddDllsFromRegistryToBlacklist() {
389 LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
390 kRegistryFinchListPath,
392 KEY_QUERY_VALUE | KEY_SET_VALUE,
395 if (result != ERROR_SUCCESS)
398 // We add dlls from the registry to the blacklist, and then clear registry.
400 DWORD name_len = MAX_PATH;
401 std::vector<wchar_t> name_buffer(name_len);
402 for (int i = 0; result == ERROR_SUCCESS; ++i) {
405 result = ::RegEnumValue(
406 key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
407 name_len = name_len + 1;
408 value_len = value_len + 1;
409 std::vector<wchar_t> value_buffer(value_len);
410 result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
411 reinterpret_cast<BYTE*>(&value_buffer[0]),
413 value_buffer[value_len - 1] = L'\0';
415 if (result == ERROR_SUCCESS) {
416 AddDllToBlacklist(&value_buffer[0]);
420 // Delete the finch registry key to clear the values.
421 result = ::RegDeleteKey(key, L"");
424 return result == ERROR_SUCCESS;
427 } // namespace blacklist