1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win.h"
11 #include "base/i18n/case_conversion.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/metrics/histogram_macros.h"
14 #include "base/strings/string_util.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/win/registry.h"
17 #include "chrome/browser/install_verification/win/module_info.h"
18 #include "chrome/browser/install_verification/win/module_verification_common.h"
19 #include "chrome/browser/net/service_providers_win.h"
20 #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"
21 #include "chrome/browser/safe_browsing/path_sanitizer.h"
22 #include "chrome/common/safe_browsing/binary_feature_extractor.h"
23 #include "chrome/common/safe_browsing/csd.pb.h"
24 #include "chrome_elf/chrome_elf_constants.h"
26 namespace safe_browsing
{
30 // The modules on which we will run VerifyModule.
31 const wchar_t* const kModulesToVerify
[] = {
37 // Helper function for expanding all environment variables in |path|.
38 std::wstring
ExpandEnvironmentVariables(const std::wstring
& path
) {
39 static const DWORD kMaxBuffer
= 32 * 1024; // Max according to MSDN.
40 std::wstring path_expanded
;
41 DWORD path_len
= MAX_PATH
;
43 DWORD result
= ExpandEnvironmentStrings(
44 path
.c_str(), WriteInto(&path_expanded
, path_len
), path_len
);
46 // Failed to expand variables. Return the original string.
50 if (result
<= path_len
)
51 return path_expanded
.substr(0, result
- 1);
53 } while (path_len
< kMaxBuffer
);
60 bool CollectDlls(ClientIncidentReport_EnvironmentData_Process
* process
) {
61 // Retrieve the module list.
62 std::set
<ModuleInfo
> loaded_modules
;
63 if (!GetLoadedModules(&loaded_modules
))
66 // Sanitize path of each module and add it to the incident report along with
68 PathSanitizer path_sanitizer
;
69 scoped_refptr
<BinaryFeatureExtractor
> feature_extractor(
70 new BinaryFeatureExtractor());
71 for (const auto& module
: loaded_modules
) {
72 base::FilePath
dll_path(module
.name
);
73 base::FilePath
sanitized_path(dll_path
);
74 path_sanitizer
.StripHomeDirectory(&sanitized_path
);
76 ClientIncidentReport_EnvironmentData_Process_Dll
* dll
= process
->add_dll();
78 base::WideToUTF8(base::i18n::ToLower(sanitized_path
.value())));
79 dll
->set_base_address(module
.base_address
);
80 dll
->set_length(module
.size
);
81 // TODO(grt): Consider skipping this for valid system modules.
82 if (!feature_extractor
->ExtractImageFeatures(
84 BinaryFeatureExtractor::kOmitExports
,
85 dll
->mutable_image_headers(),
86 nullptr /* signed_data */)) {
87 dll
->clear_image_headers();
94 void RecordLspFeature(ClientIncidentReport_EnvironmentData_Process
* process
) {
95 WinsockLayeredServiceProviderList lsp_list
;
96 GetWinsockLayeredServiceProviders(&lsp_list
);
98 // For each LSP, we extract and sanitize the path.
99 PathSanitizer path_sanitizer
;
100 std::set
<std::wstring
> lsp_paths
;
101 for (size_t i
= 0; i
< lsp_list
.size(); ++i
) {
102 base::FilePath
lsp_path(ExpandEnvironmentVariables(lsp_list
[i
].path
));
103 path_sanitizer
.StripHomeDirectory(&lsp_path
);
104 lsp_paths
.insert(base::i18n::ToLower(lsp_path
.value()));
107 // Look for a match between LSPs and loaded dlls.
108 for (int i
= 0; i
< process
->dll_size(); ++i
) {
109 if (lsp_paths
.count(base::UTF8ToWide(process
->dll(i
).path()))) {
110 process
->mutable_dll(i
)
111 ->add_feature(ClientIncidentReport_EnvironmentData_Process_Dll::LSP
);
116 void CollectDllBlacklistData(
117 ClientIncidentReport_EnvironmentData_Process
* process
) {
118 PathSanitizer path_sanitizer
;
119 base::win::RegistryValueIterator
iter(HKEY_CURRENT_USER
,
120 blacklist::kRegistryFinchListPath
);
121 for (; iter
.Valid(); ++iter
) {
122 base::FilePath
dll_name(iter
.Value());
123 path_sanitizer
.StripHomeDirectory(&dll_name
);
124 process
->add_blacklisted_dll(dll_name
.AsUTF8Unsafe());
128 void CollectModuleVerificationData(
129 const wchar_t* const modules_to_verify
[],
130 size_t num_modules_to_verify
,
131 ClientIncidentReport_EnvironmentData_Process
* process
) {
132 for (size_t i
= 0; i
< num_modules_to_verify
; ++i
) {
133 scoped_ptr
<ClientIncidentReport_EnvironmentData_Process_ModuleState
>
135 new ClientIncidentReport_EnvironmentData_Process_ModuleState());
137 VerificationResult result
= NewVerifyModule(modules_to_verify
[i
],
140 std::set
<std::string
> modified_exports
;
142 int modified
= VerifyModule(modules_to_verify
[i
],
146 if (result
.state
== MODULE_STATE_MODIFIED
) {
147 UMA_HISTOGRAM_COUNTS_10000(
148 "ModuleIntegrityVerification.BytesModified.WithoutByteSet",
149 result
.num_bytes_different
);
152 if (modified
== MODULE_STATE_MODIFIED
) {
153 UMA_HISTOGRAM_COUNTS_10000(
154 "ModuleIntegrityVerification.BytesModified.WithByteSet",
158 if (modified
== MODULE_STATE_MODIFIED
||
159 result
.state
== MODULE_STATE_MODIFIED
) {
160 int difference
= abs(result
.num_bytes_different
- num_bytes
);
162 if (result
.num_bytes_different
> num_bytes
) {
163 UMA_HISTOGRAM_COUNTS_10000(
164 "ModuleIntegrityVerification.Difference.WithoutByteSet",
166 } else if (num_bytes
> result
.num_bytes_different
) {
167 UMA_HISTOGRAM_COUNTS_10000(
168 "ModuleIntegrityVerification.Difference.WithByteSet",
173 if (!result
.verification_completed
) {
174 UMA_HISTOGRAM_COUNTS_100(
175 "ModuleIntegrityVerification.RelocationsUnorderedModuleIndex", i
);
178 if (modified
== MODULE_STATE_UNMODIFIED
)
181 module_state
->set_name(base::WideToUTF8(modules_to_verify
[i
]));
182 // Add 1 to the ModuleState enum to get the corresponding value in the
183 // protobuf's ModuleState enum.
184 module_state
->set_modified_state(static_cast<
185 ClientIncidentReport_EnvironmentData_Process_ModuleState_ModifiedState
>(
187 for (std::set
<std::string
>::iterator it
= modified_exports
.begin();
188 it
!= modified_exports
.end();
190 module_state
->add_modified_export(*it
);
192 process
->mutable_module_state()->AddAllocated(module_state
.release());
196 void CollectPlatformProcessData(
197 ClientIncidentReport_EnvironmentData_Process
* process
) {
198 CollectDlls(process
);
199 RecordLspFeature(process
);
200 CollectDllBlacklistData(process
);
201 CollectModuleVerificationData(
202 kModulesToVerify
, arraysize(kModulesToVerify
), process
);
205 } // namespace safe_browsing