chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/safe_browsing/incident_reporting/environment_data_collection_win.h"
   6
   7 #include <windows.h>
   8 #include <set>
   9 #include <string>
  10
  11 #include "base/i18n/case_conversion.h"
  12 #include "base/memory/ref_counted.h"
  13 #include "base/metrics/histogram_macros.h"
  14 #include "base/strings/string_util.h"
  15 #include "base/strings/utf_string_conversions.h"
  16 #include "base/win/registry.h"
  17 #include "chrome/browser/install_verification/win/module_info.h"
  18 #include "chrome/browser/install_verification/win/module_verification_common.h"
  19 #include "chrome/browser/net/service_providers_win.h"
  20 #include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"
  21 #include "chrome/browser/safe_browsing/path_sanitizer.h"
  22 #include "chrome/common/safe_browsing/binary_feature_extractor.h"
  23 #include "chrome/common/safe_browsing/csd.pb.h"
  24 #include "chrome_elf/chrome_elf_constants.h"
  25
  26 namespace safe_browsing {
  27
  28 namespace {
  29
  30 // The modules on which we will run VerifyModule.
  31 const wchar_t* const kModulesToVerify[] = {
  32     L"chrome.dll",
  33     L"chrome_elf.dll",
  34     L"ntdll.dll",
  35 };
  36
  37 // Helper function for expanding all environment variables in |path|.
  38 std::wstring ExpandEnvironmentVariables(const std::wstring& path) {
  39   static const DWORD kMaxBuffer = 32 * 1024;  // Max according to MSDN.
  40   std::wstring path_expanded;
  41   DWORD path_len = MAX_PATH;
  42   do {
  43     DWORD result = ExpandEnvironmentStrings(
  44         path.c_str(), base::WriteInto(&path_expanded, path_len), path_len);
  45     if (!result) {
  46       // Failed to expand variables. Return the original string.
  47       DPLOG(ERROR) << path;
  48       break;
  49     }
  50     if (result <= path_len)
  51       return path_expanded.substr(0, result - 1);
  52     path_len = result;
  53   } while (path_len < kMaxBuffer);
  54
  55   return path;
  56 }
  57
  58 }  // namespace
  59
  60 bool CollectDlls(ClientIncidentReport_EnvironmentData_Process* process) {
  61   // Retrieve the module list.
  62   std::set<ModuleInfo> loaded_modules;
  63   if (!GetLoadedModules(&loaded_modules))
  64     return false;
  65
  66   // Sanitize path of each module and add it to the incident report along with
  67   // its headers.
  68   PathSanitizer path_sanitizer;
  69   scoped_refptr<BinaryFeatureExtractor> feature_extractor(
  70       new BinaryFeatureExtractor());
  71   for (const auto& module : loaded_modules) {
  72     base::FilePath dll_path(module.name);
  73     base::FilePath sanitized_path(dll_path);
  74     path_sanitizer.StripHomeDirectory(&sanitized_path);
  75
  76     ClientIncidentReport_EnvironmentData_Process_Dll* dll = process->add_dll();
  77     dll->set_path(
  78         base::WideToUTF8(base::i18n::ToLower(sanitized_path.value())));
  79     dll->set_base_address(module.base_address);
  80     dll->set_length(module.size);
  81     // TODO(grt): Consider skipping this for valid system modules.
  82     if (!feature_extractor->ExtractImageFeatures(
  83             dll_path,
  84             BinaryFeatureExtractor::kOmitExports,
  85             dll->mutable_image_headers(),
  86             nullptr /* signed_data */)) {
  87       dll->clear_image_headers();
  88     }
  89   }
  90
  91   return true;
  92 }
  93
  94 void RecordLspFeature(ClientIncidentReport_EnvironmentData_Process* process) {
  95   WinsockLayeredServiceProviderList lsp_list;
  96   GetWinsockLayeredServiceProviders(&lsp_list);
  97
  98   // For each LSP, we extract and sanitize the path.
  99   PathSanitizer path_sanitizer;
 100   std::set<std::wstring> lsp_paths;
 101   for (size_t i = 0; i < lsp_list.size(); ++i) {
 102     base::FilePath lsp_path(ExpandEnvironmentVariables(lsp_list[i].path));
 103     path_sanitizer.StripHomeDirectory(&lsp_path);
 104     lsp_paths.insert(base::i18n::ToLower(lsp_path.value()));
 105   }
 106
 107   // Look for a match between LSPs and loaded dlls.
 108   for (int i = 0; i < process->dll_size(); ++i) {
 109     if (lsp_paths.count(base::UTF8ToWide(process->dll(i).path()))) {
 110       process->mutable_dll(i)
 111           ->add_feature(ClientIncidentReport_EnvironmentData_Process_Dll::LSP);
 112     }
 113   }
 114 }
 115
 116 void CollectDllBlacklistData(
 117     ClientIncidentReport_EnvironmentData_Process* process) {
 118   PathSanitizer path_sanitizer;
 119   base::win::RegistryValueIterator iter(HKEY_CURRENT_USER,
 120                                         blacklist::kRegistryFinchListPath);
 121   for (; iter.Valid(); ++iter) {
 122     base::FilePath dll_name(iter.Value());
 123     path_sanitizer.StripHomeDirectory(&dll_name);
 124     process->add_blacklisted_dll(dll_name.AsUTF8Unsafe());
 125   }
 126 }
 127
 128 void CollectModuleVerificationData(
 129     const wchar_t* const modules_to_verify[],
 130     size_t num_modules_to_verify,
 131     ClientIncidentReport_EnvironmentData_Process* process) {
 132 #if !defined(_WIN64)
 133   using ModuleState = ClientIncidentReport_EnvironmentData_Process_ModuleState;
 134
 135   for (size_t i = 0; i < num_modules_to_verify; ++i) {
 136     scoped_ptr<ModuleState> module_state(new ModuleState());
 137
 138     int num_bytes_different = 0;
 139     bool scan_complete = VerifyModule(modules_to_verify[i],
 140                                       module_state.get(),
 141                                       &num_bytes_different);
 142
 143     if (module_state->modified_state() == ModuleState::MODULE_STATE_UNMODIFIED)
 144       continue;
 145
 146     if (module_state->modified_state() == ModuleState::MODULE_STATE_MODIFIED) {
 147       UMA_HISTOGRAM_COUNTS_10000(
 148           "ModuleIntegrityVerification.BytesModified.WithoutByteSet",
 149           num_bytes_different);
 150     }
 151
 152     if (!scan_complete) {
 153       UMA_HISTOGRAM_ENUMERATION(
 154           "ModuleIntegrityVerification.RelocationsUnordered", i,
 155           num_modules_to_verify);
 156     }
 157
 158     process->mutable_module_state()->AddAllocated(module_state.release());
 159   }
 160 #endif  // _WIN64
 161 }
 162
 163 void CollectPlatformProcessData(
 164     ClientIncidentReport_EnvironmentData_Process* process) {
 165   CollectDlls(process);
 166   RecordLspFeature(process);
 167   CollectDllBlacklistData(process);
 168   CollectModuleVerificationData(
 169       kModulesToVerify, arraysize(kModulesToVerify), process);
 170 }
 171
 172 }  // namespace safe_browsing