chrome/app/close_handle_hook_win.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/app/close_handle_hook_win.h"
   6
   7 #include <Windows.h>
   8 #include <psapi.h>
   9
  10 #include <vector>
  11
  12 #include "base/lazy_instance.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/win/iat_patch_function.h"
  15 #include "base/win/pe_image.h"
  16 #include "base/win/scoped_handle.h"
  17 #include "chrome/common/channel_info.h"
  18 #include "components/version_info/version_info.h"
  19
  20 namespace {
  21
  22 typedef BOOL (WINAPI* CloseHandleType) (HANDLE handle);
  23
  24 typedef BOOL (WINAPI* DuplicateHandleType)(HANDLE source_process,
  25                                            HANDLE source_handle,
  26                                            HANDLE target_process,
  27                                            HANDLE* target_handle,
  28                                            DWORD desired_access,
  29                                            BOOL inherit_handle,
  30                                            DWORD options);
  31
  32 CloseHandleType g_close_function = NULL;
  33 DuplicateHandleType g_duplicate_function = NULL;
  34
  35 // The entry point for CloseHandle interception. This function notifies the
  36 // verifier about the handle that is being closed, and calls the original
  37 // function.
  38 BOOL WINAPI CloseHandleHook(HANDLE handle) {
  39   base::win::OnHandleBeingClosed(handle);
  40   return g_close_function(handle);
  41 }
  42
  43 BOOL WINAPI DuplicateHandleHook(HANDLE source_process,
  44                                 HANDLE source_handle,
  45                                 HANDLE target_process,
  46                                 HANDLE* target_handle,
  47                                 DWORD desired_access,
  48                                 BOOL inherit_handle,
  49                                 DWORD options) {
  50   if ((options & DUPLICATE_CLOSE_SOURCE) &&
  51       (GetProcessId(source_process) == ::GetCurrentProcessId())) {
  52     base::win::OnHandleBeingClosed(source_handle);
  53   }
  54
  55   return g_duplicate_function(source_process, source_handle, target_process,
  56                               target_handle, desired_access, inherit_handle,
  57                               options);
  58 }
  59
  60 // Provides a simple way to temporarily change the protection of a memory page.
  61 class AutoProtectMemory {
  62  public:
  63   AutoProtectMemory()
  64       : changed_(false), address_(NULL), bytes_(0), old_protect_(0) {}
  65
  66   ~AutoProtectMemory() {
  67     RevertProtection();
  68   }
  69
  70   // Grants write access to a given memory range.
  71   bool ChangeProtection(void* address, size_t bytes);
  72
  73   // Restores the original page protection.
  74   void RevertProtection();
  75
  76  private:
  77   bool changed_;
  78   void* address_;
  79   size_t bytes_;
  80   DWORD old_protect_;
  81
  82   DISALLOW_COPY_AND_ASSIGN(AutoProtectMemory);
  83 };
  84
  85 bool AutoProtectMemory::ChangeProtection(void* address, size_t bytes) {
  86   DCHECK(!changed_);
  87   DCHECK(address);
  88
  89   // Change the page protection so that we can write.
  90   MEMORY_BASIC_INFORMATION memory_info;
  91   if (!VirtualQuery(address, &memory_info, sizeof(memory_info)))
  92     return false;
  93
  94   DWORD is_executable = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
  95                         PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) &
  96                         memory_info.Protect;
  97
  98   DWORD protect = is_executable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
  99   if (!VirtualProtect(address, bytes, protect, &old_protect_))
 100     return false;
 101
 102   changed_ = true;
 103   address_ = address;
 104   bytes_ = bytes;
 105   return true;
 106 }
 107
 108 void AutoProtectMemory::RevertProtection() {
 109   if (!changed_)
 110     return;
 111
 112   DCHECK(address_);
 113   DCHECK(bytes_);
 114
 115   VirtualProtect(address_, bytes_, old_protect_, &old_protect_);
 116   changed_ = false;
 117   address_ = NULL;
 118   bytes_ = 0;
 119   old_protect_ = 0;
 120 }
 121
 122 // Performs an EAT interception.
 123 void EATPatch(HMODULE module, const char* function_name,
 124               void* new_function, void** old_function) {
 125   if (!module)
 126     return;
 127
 128   base::win::PEImage pe(module);
 129   if (!pe.VerifyMagic())
 130     return;
 131
 132   DWORD* eat_entry = pe.GetExportEntry(function_name);
 133   if (!eat_entry)
 134     return;
 135
 136   if (!(*old_function))
 137     *old_function = pe.RVAToAddr(*eat_entry);
 138
 139   AutoProtectMemory memory;
 140   if (!memory.ChangeProtection(eat_entry, sizeof(DWORD)))
 141     return;
 142
 143   // Perform the patch.
 144 #pragma warning(push)
 145 #pragma warning(disable: 4311)
 146   // These casts generate warnings because they are 32 bit specific.
 147   *eat_entry = reinterpret_cast<DWORD>(new_function) -
 148                reinterpret_cast<DWORD>(module);
 149 #pragma warning(pop)
 150 }
 151
 152 // Performs an IAT interception.
 153 base::win::IATPatchFunction* IATPatch(HMODULE module, const char* function_name,
 154                                       void* new_function, void** old_function) {
 155   if (!module)
 156     return NULL;
 157
 158   base::win::IATPatchFunction* patch = new base::win::IATPatchFunction;
 159   __try {
 160     // There is no guarantee that |module| is still loaded at this point.
 161     if (patch->PatchFromModule(module, "kernel32.dll", function_name,
 162                                new_function)) {
 163       delete patch;
 164       return NULL;
 165     }
 166   } __except((GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ||
 167               GetExceptionCode() == EXCEPTION_GUARD_PAGE ||
 168               GetExceptionCode() == EXCEPTION_IN_PAGE_ERROR) ?
 169              EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
 170     // Leak the patch.
 171     return NULL;
 172   }
 173
 174   if (!(*old_function)) {
 175     // Things are probably messed up if each intercepted function points to
 176     // a different place, but we need only one function to call.
 177     *old_function = patch->original_function();
 178   }
 179   return patch;
 180 }
 181
 182 // Keeps track of all the hooks needed to intercept functions which could
 183 // possibly close handles.
 184 class HandleHooks {
 185  public:
 186   HandleHooks() {}
 187   ~HandleHooks() {}
 188
 189   void AddIATPatch(HMODULE module);
 190   void AddEATPatch();
 191   void Unpatch();
 192
 193  private:
 194   std::vector<base::win::IATPatchFunction*> hooks_;
 195   DISALLOW_COPY_AND_ASSIGN(HandleHooks);
 196 };
 197 base::LazyInstance<HandleHooks> g_hooks = LAZY_INSTANCE_INITIALIZER;
 198
 199 void HandleHooks::AddIATPatch(HMODULE module) {
 200   if (!module)
 201     return;
 202
 203   base::win::IATPatchFunction* patch = NULL;
 204   patch = IATPatch(module, "CloseHandle", &CloseHandleHook,
 205                    reinterpret_cast<void**>(&g_close_function));
 206   if (!patch)
 207     return;
 208   hooks_.push_back(patch);
 209
 210   patch = IATPatch(module, "DuplicateHandle", &DuplicateHandleHook,
 211                    reinterpret_cast<void**>(&g_duplicate_function));
 212   if (!patch)
 213     return;
 214   hooks_.push_back(patch);
 215 }
 216
 217 void HandleHooks::AddEATPatch() {
 218   // An attempt to restore the entry on the table at destruction is not safe.
 219   EATPatch(GetModuleHandleA("kernel32.dll"), "CloseHandle",
 220            &CloseHandleHook, reinterpret_cast<void**>(&g_close_function));
 221   EATPatch(GetModuleHandleA("kernel32.dll"), "DuplicateHandle",
 222            &DuplicateHandleHook,
 223            reinterpret_cast<void**>(&g_duplicate_function));
 224 }
 225
 226 void HandleHooks::Unpatch() {
 227   for (std::vector<base::win::IATPatchFunction*>::iterator it = hooks_.begin();
 228        it != hooks_.end(); ++it) {
 229     (*it)->Unpatch();
 230     delete *it;
 231   }
 232 }
 233
 234 bool UseHooks() {
 235 #if defined(ARCH_CPU_X86_64)
 236   return false;
 237 #elif defined(NDEBUG)
 238   version_info::Channel channel = chrome::GetChannel();
 239   if (channel == version_info::Channel::CANARY ||
 240       channel == version_info::Channel::DEV) {
 241     return true;
 242   }
 243
 244   return false;
 245 #else  // NDEBUG
 246   return true;
 247 #endif
 248 }
 249
 250 void PatchLoadedModules(HandleHooks* hooks) {
 251   const DWORD kSize = 256;
 252   DWORD returned;
 253   scoped_ptr<HMODULE[]> modules(new HMODULE[kSize]);
 254   if (!EnumProcessModules(GetCurrentProcess(), modules.get(),
 255                           kSize * sizeof(HMODULE), &returned)) {
 256     return;
 257   }
 258   returned /= sizeof(HMODULE);
 259   returned = std::min(kSize, returned);
 260
 261   for (DWORD current = 0; current < returned; current++) {
 262     hooks->AddIATPatch(modules[current]);
 263   }
 264 }
 265
 266 }  // namespace
 267
 268 void InstallHandleHooks() {
 269   if (UseHooks()) {
 270     HandleHooks* hooks = g_hooks.Pointer();
 271
 272     // Performing EAT interception first is safer in the presence of other
 273     // threads attempting to call CloseHandle.
 274     hooks->AddEATPatch();
 275     PatchLoadedModules(hooks);
 276   } else {
 277     base::win::DisableHandleVerifier();
 278   }
 279 }
 280
 281 void RemoveHandleHooks() {
 282   // We are partching all loaded modules without forcing them to stay in memory,
 283   // removing patches is not safe.
 284 }