search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Supervised user import: Listen for profile creation/deletion
[chromium-blink-merge.git] / chrome_elf / blacklist / blacklist.cc
blob5a636ae0771c9edaa052604fbd22462f87802c78
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome_elf/blacklist/blacklist.h"
6
7 #include <assert.h>
8 #include <string.h>
9
10 #include <vector>
11
12 #include "base/basictypes.h"
13 #include "chrome_elf/blacklist/blacklist_interceptions.h"
14 #include "chrome_elf/chrome_elf_constants.h"
15 #include "chrome_elf/chrome_elf_util.h"
16 #include "chrome_elf/thunk_getter.h"
17 #include "sandbox/win/src/interception_internal.h"
18 #include "sandbox/win/src/internal_types.h"
19 #include "sandbox/win/src/service_resolver.h"
20
21 // http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
22 extern "C" IMAGE_DOS_HEADER __ImageBase;
23
24 namespace blacklist{
25
26 // The DLLs listed here are known (or under strong suspicion) of causing crashes
27 // when they are loaded in the browser. DLLs should only be added to this list
28 // if there is nothing else Chrome can do to prevent those crashes.
29 // For more information about how this list is generated, and how to get off
30 // of it, see:
31 // https://sites.google.com/a/chromium.org/dev/Home/third-party-developers
32 // NOTE: Please remember to update the DllHash enum in histograms.xml when
33 // adding a new value to the blacklist.
34 const wchar_t* g_troublesome_dlls[kTroublesomeDllsMaxCount] = {
35 L"activedetect32.dll", // Lenovo One Key Theater.
36 // See crbug.com/379218.
37 L"activedetect64.dll", // Lenovo One Key Theater.
38 L"bitguard.dll", // Unknown (suspected malware).
39 L"bsvc.dll", // Unknown (suspected adware).
40 L"chrmxtn.dll", // Unknown (keystroke logger).
41 L"cplushook.dll", // Unknown (suspected malware).
42 L"crdli.dll", // Linkury Inc.
43 L"crdli64.dll", // Linkury Inc.
44 L"datamngr.dll", // Unknown (suspected adware).
45 L"explorerex.dll", // Unknown (suspected adware).
46 L"hk.dll", // Unknown (keystroke logger).
47 L"libapi2hook.dll", // V-Bates.
48 L"libinject.dll", // V-Bates.
49 L"libinject2.dll", // V-Bates.
50 L"libredir2.dll", // V-Bates.
51 L"libsvn_tsvn32.dll", // TortoiseSVN.
52 L"libwinhook.dll", // V-Bates.
53 L"lmrn.dll", // Unknown.
54 L"minisp.dll", // Unknown (suspected malware).
55 L"minisp32.dll", // Unknown (suspected malware).
56 L"safetynut.dll", // Unknown (suspected adware).
57 L"smdmf.dll", // Unknown (suspected adware).
58 L"systemk.dll", // Unknown (suspected adware).
59 L"vntsrv.dll", // Virtual New Tab by APN LLC.
60 L"wajam_goblin_64.dll", // Wajam Internet Technologies.
61 L"wajam_goblin.dll", // Wajam Internet Technologies.
62 L"windowsapihookdll32.dll", // Lenovo One Key Theater.
63 // See crbug.com/379218.
64 L"windowsapihookdll64.dll", // Lenovo One Key Theater.
65 L"virtualcamera.ax", // %PROGRAMFILES%\ASUS\VirtualCamera.
66 // See crbug.com/422522.
67 L"ycwebcamerasource.ax", // CyberLink Youcam, crbug.com/424159
68 // Keep this null pointer here to mark the end of the list.
69 NULL,
70 };
71
72 bool g_blocked_dlls[kTroublesomeDllsMaxCount] = {};
73 int g_num_blocked_dlls = 0;
74
75 } // namespace blacklist
76
77 // Allocate storage for thunks in a page of this module to save on doing
78 // an extra allocation at run time.
79 #pragma section(".crthunk",read,execute)
80 __declspec(allocate(".crthunk")) sandbox::ThunkData g_thunk_storage;
81
82 namespace {
83
84 // Record if the blacklist was successfully initialized so processes can easily
85 // determine if the blacklist is enabled for them.
86 bool g_blacklist_initialized = false;
87
88 // Helper to set DWORD registry values.
89 DWORD SetDWValue(HKEY* key, const wchar_t* property, DWORD value) {
90 return ::RegSetValueEx(*key,
91 property,
92 0,
93 REG_DWORD,
94 reinterpret_cast<LPBYTE>(&value),
95 sizeof(value));
96 }
97
98 bool GenerateStateFromBeaconAndAttemptCount(HKEY* key, DWORD blacklist_state) {
99 LONG result = 0;
100 if (blacklist_state == blacklist::BLACKLIST_ENABLED) {
101 // If the blacklist succeeded on the previous run reset the failure
102 // counter.
103 return (SetDWValue(key,
104 blacklist::kBeaconAttemptCount,
105 static_cast<DWORD>(0)) == ERROR_SUCCESS);
106 } else {
107 // Some part of the blacklist setup failed last time. If this has occured
108 // blacklist::kBeaconMaxAttempts times in a row we switch the state to
109 // failed and skip setting up the blacklist.
110 DWORD attempt_count = 0;
111 DWORD attempt_count_size = sizeof(attempt_count);
112 result = ::RegQueryValueEx(*key,
113 blacklist::kBeaconAttemptCount,
114 0,
115 NULL,
116 reinterpret_cast<LPBYTE>(&attempt_count),
117 &attempt_count_size);
118
119 if (result == ERROR_FILE_NOT_FOUND)
120 attempt_count = 0;
121 else if (result != ERROR_SUCCESS)
122 return false;
123
124 ++attempt_count;
125 SetDWValue(key, blacklist::kBeaconAttemptCount, attempt_count);
126
127 if (attempt_count >= blacklist::kBeaconMaxAttempts) {
128 blacklist_state = blacklist::BLACKLIST_SETUP_FAILED;
129 SetDWValue(key, blacklist::kBeaconState, blacklist_state);
130 }
131
132 return false;
133 }
134 }
135
136 } // namespace
137
138 namespace blacklist {
139
140 #if defined(_WIN64)
141 // Allocate storage for the pointer to the old NtMapViewOfSectionFunction.
142 #pragma section(".oldntmap",write,read)
143 __declspec(allocate(".oldntmap"))
144 NtMapViewOfSectionFunction g_nt_map_view_of_section_func = NULL;
145 #endif
146
147 bool LeaveSetupBeacon() {
148 HKEY key = NULL;
149 DWORD disposition = 0;
150 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
151 kRegistryBeaconPath,
152 0,
153 NULL,
154 REG_OPTION_NON_VOLATILE,
155 KEY_QUERY_VALUE | KEY_SET_VALUE,
156 NULL,
157 &key,
158 &disposition);
159 if (result != ERROR_SUCCESS)
160 return false;
161
162 // Retrieve the current blacklist state.
163 DWORD blacklist_state = BLACKLIST_STATE_MAX;
164 DWORD blacklist_state_size = sizeof(blacklist_state);
165 DWORD type = 0;
166 result = ::RegQueryValueEx(key,
167 kBeaconState,
168 0,
169 &type,
170 reinterpret_cast<LPBYTE>(&blacklist_state),
171 &blacklist_state_size);
172
173 if (result != ERROR_SUCCESS || blacklist_state == BLACKLIST_DISABLED ||
174 type != REG_DWORD) {
175 ::RegCloseKey(key);
176 return false;
177 }
178
179 if (!GenerateStateFromBeaconAndAttemptCount(&key, blacklist_state)) {
180 ::RegCloseKey(key);
181 return false;
182 }
183
184 result = SetDWValue(&key, kBeaconState, BLACKLIST_SETUP_RUNNING);
185 ::RegCloseKey(key);
186
187 return (result == ERROR_SUCCESS);
188 }
189
190 bool ResetBeacon() {
191 HKEY key = NULL;
192 DWORD disposition = 0;
193 LONG result = ::RegCreateKeyEx(HKEY_CURRENT_USER,
194 kRegistryBeaconPath,
195 0,
196 NULL,
197 REG_OPTION_NON_VOLATILE,
198 KEY_QUERY_VALUE | KEY_SET_VALUE,
199 NULL,
200 &key,
201 &disposition);
202 if (result != ERROR_SUCCESS)
203 return false;
204
205 DWORD blacklist_state = BLACKLIST_STATE_MAX;
206 DWORD blacklist_state_size = sizeof(blacklist_state);
207 DWORD type = 0;
208 result = ::RegQueryValueEx(key,
209 kBeaconState,
210 0,
211 &type,
212 reinterpret_cast<LPBYTE>(&blacklist_state),
213 &blacklist_state_size);
214
215 if (result != ERROR_SUCCESS || type != REG_DWORD) {
216 ::RegCloseKey(key);
217 return false;
218 }
219
220 // Reaching this point with the setup running state means the setup did not
221 // crash, so we reset to enabled. Any other state indicates that setup was
222 // skipped; in that case we leave the state alone for later recording.
223 if (blacklist_state == BLACKLIST_SETUP_RUNNING)
224 result = SetDWValue(&key, kBeaconState, BLACKLIST_ENABLED);
225
226 ::RegCloseKey(key);
227 return (result == ERROR_SUCCESS);
228 }
229
230 int BlacklistSize() {
231 int size = -1;
232 while (blacklist::g_troublesome_dlls[++size] != NULL) {}
233
234 return size;
235 }
236
237 bool IsBlacklistInitialized() {
238 return g_blacklist_initialized;
239 }
240
241 int GetBlacklistIndex(const wchar_t* dll_name) {
242 for (int i = 0; i < kTroublesomeDllsMaxCount && g_troublesome_dlls[i]; ++i) {
243 if (_wcsicmp(dll_name, g_troublesome_dlls[i]) == 0)
244 return i;
245 }
246 return -1;
247 }
248
249 bool AddDllToBlacklist(const wchar_t* dll_name) {
250 int blacklist_size = BlacklistSize();
251 // We need to leave one space at the end for the null pointer.
252 if (blacklist_size + 1 >= kTroublesomeDllsMaxCount)
253 return false;
254 for (int i = 0; i < blacklist_size; ++i) {
255 if (!_wcsicmp(g_troublesome_dlls[i], dll_name))
256 return true;
257 }
258
259 // Copy string to blacklist.
260 wchar_t* str_buffer = new wchar_t[wcslen(dll_name) + 1];
261 wcscpy(str_buffer, dll_name);
262
263 g_troublesome_dlls[blacklist_size] = str_buffer;
264 g_blocked_dlls[blacklist_size] = false;
265 return true;
266 }
267
268 bool RemoveDllFromBlacklist(const wchar_t* dll_name) {
269 int blacklist_size = BlacklistSize();
270 for (int i = 0; i < blacklist_size; ++i) {
271 if (!_wcsicmp(g_troublesome_dlls[i], dll_name)) {
272 // Found the thing to remove. Delete it then replace it with the last
273 // element.
274 delete[] g_troublesome_dlls[i];
275 g_troublesome_dlls[i] = g_troublesome_dlls[blacklist_size - 1];
276 g_troublesome_dlls[blacklist_size - 1] = NULL;
277
278 // Also update the stats recording if we have blocked this dll or not.
279 if (g_blocked_dlls[i])
280 --g_num_blocked_dlls;
281 g_blocked_dlls[i] = g_blocked_dlls[blacklist_size - 1];
282 return true;
283 }
284 }
285 return false;
286 }
287
288 // TODO(csharp): Maybe store these values in the registry so we can
289 // still report them if Chrome crashes early.
290 void SuccessfullyBlocked(const wchar_t** blocked_dlls, int* size) {
291 if (size == NULL)
292 return;
293
294 // If the array isn't valid or big enough, just report the size it needs to
295 // be and return.
296 if (blocked_dlls == NULL && *size < g_num_blocked_dlls) {
297 *size = g_num_blocked_dlls;
298 return;
299 }
300
301 *size = g_num_blocked_dlls;
302
303 int strings_to_fill = 0;
304 for (int i = 0; strings_to_fill < g_num_blocked_dlls && g_troublesome_dlls[i];
305 ++i) {
306 if (g_blocked_dlls[i]) {
307 blocked_dlls[strings_to_fill] = g_troublesome_dlls[i];
308 ++strings_to_fill;
309 }
310 }
311 }
312
313 void BlockedDll(size_t blocked_index) {
314 assert(blocked_index < kTroublesomeDllsMaxCount);
315
316 if (!g_blocked_dlls[blocked_index] &&
317 blocked_index < kTroublesomeDllsMaxCount) {
318 ++g_num_blocked_dlls;
319 g_blocked_dlls[blocked_index] = true;
320 }
321 }
322
323 bool Initialize(bool force) {
324 // Check to see that we found the functions we need in ntdll.
325 if (!InitializeInterceptImports())
326 return false;
327
328 // Check to see if this is a non-browser process, abort if so.
329 if (IsNonBrowserProcess())
330 return false;
331
332 // Check to see if the blacklist beacon is still set to running (indicating a
333 // failure) or disabled, and abort if so.
334 if (!force && !LeaveSetupBeacon())
335 return false;
336
337 // It is possible for other dlls to have already patched code by now and
338 // attempting to patch their code might result in crashes.
339 const bool kRelaxed = false;
340
341 // Create a thunk via the appropriate ServiceResolver instance.
342 sandbox::ServiceResolverThunk* thunk = GetThunk(kRelaxed);
343
344 // Don't try blacklisting on unsupported OS versions.
345 if (!thunk)
346 return false;
347
348 BYTE* thunk_storage = reinterpret_cast<BYTE*>(&g_thunk_storage);
349
350 // Mark the thunk storage as readable and writeable, since we
351 // ready to write to it.
352 DWORD old_protect = 0;
353 if (!VirtualProtect(&g_thunk_storage,
354 sizeof(g_thunk_storage),
355 PAGE_EXECUTE_READWRITE,
356 &old_protect)) {
357 return false;
358 }
359
360 thunk->AllowLocalPatches();
361
362 // We declare this early so it can be used in the 64-bit block below and
363 // still work on 32-bit build when referenced at the end of the function.
364 BOOL page_executable = false;
365
366 // Replace the default NtMapViewOfSection with our patched version.
367 #if defined(_WIN64)
368 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
369 reinterpret_cast<void*>(&__ImageBase),
370 "NtMapViewOfSection",
371 NULL,
372 &blacklist::BlNtMapViewOfSection64,
373 thunk_storage,
374 sizeof(sandbox::ThunkData),
375 NULL);
376
377 // Keep a pointer to the original code, we don't have enough space to
378 // add it directly to the call.
379 g_nt_map_view_of_section_func = reinterpret_cast<NtMapViewOfSectionFunction>(
380 thunk_storage);
381
382 // Ensure that the pointer to the old function can't be changed.
383 page_executable = VirtualProtect(&g_nt_map_view_of_section_func,
384 sizeof(g_nt_map_view_of_section_func),
385 PAGE_EXECUTE_READ,
386 &old_protect);
387 #else
388 NTSTATUS ret = thunk->Setup(::GetModuleHandle(sandbox::kNtdllName),
389 reinterpret_cast<void*>(&__ImageBase),
390 "NtMapViewOfSection",
391 NULL,
392 &blacklist::BlNtMapViewOfSection,
393 thunk_storage,
394 sizeof(sandbox::ThunkData),
395 NULL);
396 #endif
397 delete thunk;
398
399 // Record if we have initialized the blacklist.
400 g_blacklist_initialized = NT_SUCCESS(ret);
401
402 // Mark the thunk storage as executable and prevent any future writes to it.
403 page_executable = page_executable && VirtualProtect(&g_thunk_storage,
404 sizeof(g_thunk_storage),
405 PAGE_EXECUTE_READ,
406 &old_protect);
407
408 AddDllsFromRegistryToBlacklist();
409
410 return NT_SUCCESS(ret) && page_executable;
411 }
412
413 void AddDllsFromRegistryToBlacklist() {
414 HKEY key = NULL;
415 LONG result = ::RegOpenKeyEx(HKEY_CURRENT_USER,
416 kRegistryFinchListPath,
417 0,
418 KEY_QUERY_VALUE | KEY_SET_VALUE,
419 &key);
420
421 if (result != ERROR_SUCCESS)
422 return;
423
424 // We add dlls from the registry to the blacklist.
425 DWORD value_len;
426 DWORD name_len = MAX_PATH;
427 std::vector<wchar_t> name_buffer(name_len);
428 for (int i = 0; result == ERROR_SUCCESS; ++i) {
429 name_len = MAX_PATH;
430 value_len = 0;
431 result = ::RegEnumValue(
432 key, i, &name_buffer[0], &name_len, NULL, NULL, NULL, &value_len);
433 if (result != ERROR_SUCCESS)
434 break;
435
436 name_len = name_len + 1;
437 value_len = value_len + 1;
438 std::vector<wchar_t> value_buffer(value_len);
439 result = ::RegEnumValue(key, i, &name_buffer[0], &name_len, NULL, NULL,
440 reinterpret_cast<BYTE*>(&value_buffer[0]),
441 &value_len);
442 if (result != ERROR_SUCCESS)
443 break;
444 value_buffer[value_len - 1] = L'\0';
445 AddDllToBlacklist(&value_buffer[0]);
446 }
447
448 ::RegCloseKey(key);
449 return;
450 }
451
452 } // namespace blacklist