src/chrome_elf/blacklist/blacklist_interceptions.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4 //
   5 // Implementation of NtMapViewOfSection intercept for 32 bit builds.
   6 //
   7 // TODO(robertshield): Implement the 64 bit intercept.
   8
   9 #include "chrome_elf/blacklist/blacklist_interceptions.h"
  10
  11 #include <string>
  12 #include <vector>
  13
  14 // Note that only #includes from base that are either header-only or built into
  15 // base_static (see base/base.gyp) are allowed here.
  16 #include "base/basictypes.h"
  17 #include "base/strings/string16.h"
  18 #include "base/win/pe_image.h"
  19 #include "chrome_elf/blacklist/blacklist.h"
  20 #include "sandbox/win/src/internal_types.h"
  21 #include "sandbox/win/src/nt_internals.h"
  22 #include "sandbox/win/src/sandbox_nt_util.h"
  23 #include "sandbox/win/src/sandbox_types.h"
  24
  25 namespace {
  26
  27 NtQuerySectionFunction g_nt_query_section_func = NULL;
  28 NtQueryVirtualMemoryFunction g_nt_query_virtual_memory_func = NULL;
  29 NtUnmapViewOfSectionFunction g_nt_unmap_view_of_section_func = NULL;
  30
  31 // TODO(robertshield): Merge with ntdll exports cache.
  32 FARPROC GetNtDllExportByName(const char* export_name) {
  33   HMODULE ntdll = ::GetModuleHandle(sandbox::kNtdllName);
  34   return ::GetProcAddress(ntdll, export_name);
  35 }
  36
  37 bool DllMatch(const base::string16& module_name) {
  38   for (int i = 0; blacklist::g_troublesome_dlls[i] != NULL; ++i) {
  39     if (_wcsicmp(module_name.c_str(), blacklist::g_troublesome_dlls[i]) == 0)
  40       return true;
  41   }
  42   return false;
  43 }
  44
  45 // TODO(robertshield): Some of the helper functions below overlap somewhat with
  46 // code in sandbox_nt_util.cc. See if they can be unified.
  47
  48 // Native reimplementation of PSAPIs GetMappedFileName.
  49 base::string16 GetBackingModuleFilePath(PVOID address) {
  50   DCHECK_NT(g_nt_query_virtual_memory_func);
  51
  52   // We'll start with something close to max_path characters for the name.
  53   ULONG buffer_bytes = MAX_PATH * 2;
  54   std::vector<BYTE> buffer_data(buffer_bytes);
  55
  56   for (;;) {
  57     MEMORY_SECTION_NAME* section_name =
  58         reinterpret_cast<MEMORY_SECTION_NAME*>(&buffer_data[0]);
  59
  60     if (!section_name)
  61       break;
  62
  63     ULONG returned_bytes;
  64     NTSTATUS ret = g_nt_query_virtual_memory_func(
  65         NtCurrentProcess, address, MemorySectionName, section_name,
  66         buffer_bytes, &returned_bytes);
  67
  68     if (STATUS_BUFFER_OVERFLOW == ret) {
  69       // Retry the call with the given buffer size.
  70       buffer_bytes = returned_bytes + 1;
  71       buffer_data.resize(buffer_bytes);
  72       section_name = NULL;
  73       continue;
  74     }
  75     if (!NT_SUCCESS(ret))
  76       break;
  77
  78     UNICODE_STRING* section_string =
  79         reinterpret_cast<UNICODE_STRING*>(section_name);
  80     return base::string16(section_string->Buffer,
  81                           section_string->Length / sizeof(wchar_t));
  82   }
  83
  84   return base::string16();
  85 }
  86
  87 bool IsModuleValidImageSection(HANDLE section,
  88                                PVOID *base,
  89                                PLARGE_INTEGER offset,
  90                                PSIZE_T view_size) {
  91   DCHECK_NT(g_nt_query_section_func);
  92
  93   if (!section || !base || !view_size || offset)
  94     return false;
  95
  96   SECTION_BASIC_INFORMATION basic_info;
  97   SIZE_T bytes_returned;
  98   NTSTATUS ret = g_nt_query_section_func(section, SectionBasicInformation,
  99                                          &basic_info, sizeof(basic_info),
 100                                          &bytes_returned);
 101
 102   if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned)
 103     return false;
 104
 105   if (!(basic_info.Attributes & SEC_IMAGE))
 106     return false;
 107
 108   return true;
 109 }
 110
 111 base::string16 ExtractLoadedModuleName(const base::string16& module_path) {
 112   if (module_path.empty() || module_path[module_path.size() - 1] == L'\\')
 113     return base::string16();
 114
 115   size_t sep = module_path.find_last_of(L'\\');
 116   if (sep == base::string16::npos)
 117     return module_path;
 118   else
 119     return module_path.substr(sep+1);
 120 }
 121
 122 // Fills |out_name| with the image name from the given |pe| image and |flags|
 123 // with additional info about the image.
 124 void SafeGetImageInfo(const base::win::PEImage& pe,
 125                       std::string* out_name,
 126                       uint32* flags) {
 127   out_name->clear();
 128   out_name->reserve(MAX_PATH);
 129   *flags = 0;
 130   __try {
 131     if (pe.VerifyMagic()) {
 132       *flags |= sandbox::MODULE_IS_PE_IMAGE;
 133
 134       PIMAGE_EXPORT_DIRECTORY exports = pe.GetExportDirectory();
 135       if (exports) {
 136         const char* image_name = reinterpret_cast<const char*>(
 137             pe.RVAToAddr(exports->Name));
 138         size_t i = 0;
 139         for (; i < MAX_PATH && *image_name; ++i, ++image_name)
 140           out_name->push_back(*image_name);
 141       }
 142
 143       PIMAGE_NT_HEADERS headers = pe.GetNTHeaders();
 144       if (headers) {
 145         if (headers->OptionalHeader.AddressOfEntryPoint)
 146           *flags |= sandbox::MODULE_HAS_ENTRY_POINT;
 147         if (headers->OptionalHeader.SizeOfCode)
 148           *flags |= sandbox::MODULE_HAS_CODE;
 149       }
 150     }
 151   } __except((GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ||
 152               GetExceptionCode() == EXCEPTION_IN_PAGE_ERROR) ?
 153              EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
 154     out_name->clear();
 155   }
 156 }
 157
 158 base::string16 GetImageInfoFromLoadedModule(HMODULE module, uint32* flags) {
 159   std::string out_name;
 160   base::win::PEImage pe(module);
 161   SafeGetImageInfo(pe, &out_name, flags);
 162   return base::string16(out_name.begin(), out_name.end());
 163 }
 164
 165 bool IsSameAsCurrentProcess(HANDLE process) {
 166   return  (NtCurrentProcess == process) ||
 167           (::GetProcessId(process) == ::GetCurrentProcessId());
 168 }
 169
 170 }  // namespace
 171
 172 namespace blacklist {
 173
 174 bool InitializeInterceptImports() {
 175   g_nt_query_section_func = reinterpret_cast<NtQuerySectionFunction>(
 176           GetNtDllExportByName("NtQuerySection"));
 177   g_nt_query_virtual_memory_func =
 178       reinterpret_cast<NtQueryVirtualMemoryFunction>(
 179           GetNtDllExportByName("NtQueryVirtualMemory"));
 180   g_nt_unmap_view_of_section_func =
 181       reinterpret_cast<NtUnmapViewOfSectionFunction>(
 182           GetNtDllExportByName("NtUnmapViewOfSection"));
 183
 184   return g_nt_query_section_func && g_nt_query_virtual_memory_func &&
 185          g_nt_unmap_view_of_section_func;
 186 }
 187
 188 SANDBOX_INTERCEPT NTSTATUS WINAPI BlNtMapViewOfSection(
 189     NtMapViewOfSectionFunction orig_MapViewOfSection,
 190     HANDLE section,
 191     HANDLE process,
 192     PVOID *base,
 193     ULONG_PTR zero_bits,
 194     SIZE_T commit_size,
 195     PLARGE_INTEGER offset,
 196     PSIZE_T view_size,
 197     SECTION_INHERIT inherit,
 198     ULONG allocation_type,
 199     ULONG protect) {
 200   NTSTATUS ret = orig_MapViewOfSection(section, process, base, zero_bits,
 201                                        commit_size, offset, view_size, inherit,
 202                                        allocation_type, protect);
 203
 204   if (!NT_SUCCESS(ret) || !IsSameAsCurrentProcess(process) ||
 205       !IsModuleValidImageSection(section, base, offset, view_size)) {
 206     return ret;
 207   }
 208
 209   HMODULE module = reinterpret_cast<HMODULE>(*base);
 210   if (module) {
 211     UINT image_flags;
 212
 213     base::string16 module_name(GetImageInfoFromLoadedModule(
 214         reinterpret_cast<HMODULE>(*base), &image_flags));
 215     base::string16 file_name(GetBackingModuleFilePath(*base));
 216
 217     if (module_name.empty() && (image_flags & sandbox::MODULE_HAS_CODE)) {
 218       // If the module has no exports we retrieve the module name from the
 219       // full path of the mapped section.
 220       module_name = ExtractLoadedModuleName(file_name);
 221     }
 222
 223     if (!module_name.empty() && DllMatch(module_name)) {
 224       DCHECK_NT(g_nt_unmap_view_of_section_func);
 225       g_nt_unmap_view_of_section_func(process, *base);
 226       ret = STATUS_UNSUCCESSFUL;
 227     }
 228   }
 229
 230   return ret;
 231 }
 232
 233 #if defined(_WIN64)
 234 NTSTATUS WINAPI BlNtMapViewOfSection64(
 235     HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
 236     SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
 237     SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
 238   return BlNtMapViewOfSection(g_nt_map_view_of_section_func, section, process,
 239                               base, zero_bits, commit_size, offset, view_size,
 240                               inherit, allocation_type, protect);
 241 }
 242 #endif
 243 }  // namespace blacklist