1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/win/conflicts/module_info_util.h"
#include <windows.h>
#include <tlhelp32.h>
#include <limits>
#include <memory>
#include <string>
#include <string_view>
#include "base/containers/heap_array.h"
#include "base/environment.h"
#include "base/files/file.h"
#include "base/i18n/case_conversion.h"
#include "base/logging.h"
#include "base/numerics/safe_conversions.h"
#include "base/scoped_generic.h"
#include "base/strings/strcat_win.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/win/pe_image_reader.h"
#include "base/win/scoped_handle.h"
#include "base/win/wincrypt_shim.h"
#include "base/win/wintrust_shim.h"
#include "crypto/scoped_capi_types.h"
// This must be after wincrypt and wintrust.
#include <mscat.h>
namespace {
// Returns the "Subject" field from the digital signature in the provided
// binary, if any is present. Returns an empty string on failure.
std::u16string GetSubjectNameInFile(const base::FilePath& filename) {
// Find the crypto message for this filename.
crypto::ScopedHCERTSTORE store;
crypto::ScopedHCRYPTMSG message;
if (!CryptQueryObject(
CERT_QUERY_OBJECT_FILE, filename.value().c_str(),
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_FORMAT_FLAG_BINARY, 0, nullptr, nullptr, nullptr,
crypto::ScopedHCERTSTORE::Receiver(store).get(),
crypto::ScopedHCRYPTMSG::Receiver(message).get(), nullptr)) {
return std::u16string();
}
// Determine the size of the signer info data.
DWORD signer_info_size = 0;
if (!CryptMsgGetParam(message.get(), CMSG_SIGNER_INFO_PARAM, 0, nullptr,
&signer_info_size)) {
return std::u16string();
}
// Allocate enough space to hold the signer info.
std::unique_ptr<BYTE[]> signer_info_buffer(new BYTE[signer_info_size]);
CMSG_SIGNER_INFO* signer_info =
reinterpret_cast<CMSG_SIGNER_INFO*>(signer_info_buffer.get());
// Obtain the signer info.
if (!CryptMsgGetParam(message.get(), CMSG_SIGNER_INFO_PARAM, 0, signer_info,
&signer_info_size)) {
return std::u16string();
}
// Search for the signer certificate.
CERT_INFO CertInfo = {0};
CertInfo.Issuer = signer_info->Issuer;
CertInfo.SerialNumber = signer_info->SerialNumber;
crypto::ScopedPCCERT_CONTEXT cert_context(CertFindCertificateInStore(
store.get(), X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
CERT_FIND_SUBJECT_CERT, &CertInfo, nullptr));
if (!cert_context)
return std::u16string();
// Determine the size of the Subject name.
DWORD subject_name_size =
CertGetNameString(cert_context.get(), CERT_NAME_SIMPLE_DISPLAY_TYPE, 0,
nullptr, nullptr, 0);
if (!subject_name_size)
return std::u16string();
std::wstring subject_name;
subject_name.resize(subject_name_size);
// Get subject name.
if (!CertGetNameString(cert_context.get(), CERT_NAME_SIMPLE_DISPLAY_TYPE, 0,
nullptr, const_cast<LPWSTR>(subject_name.c_str()),
subject_name_size)) {
return std::u16string();
}
// The subject name is normalized because it can contain trailing null
// characters.
internal::NormalizeCertificateSubject(&subject_name);
return base::AsString16(subject_name);
}
// Helper for scoped tracking a catalog admin context.
struct CryptCATContextScopedTraits {
static PVOID InvalidValue() { return nullptr; }
static void Free(PVOID context) { CryptCATAdminReleaseContext(context, 0); }
};
using ScopedCryptCATContext =
base::ScopedGeneric<PVOID, CryptCATContextScopedTraits>;
// Helper for scoped tracking of a catalog context. A catalog context is only
// valid with an associated admin context, so this is effectively a std::pair.
// A custom operator!= is required in order for a null |catalog_context| but
// non-null |context| to compare equal to the InvalidValue exposed by the
// traits class.
class CryptCATCatalogContext {
public:
CryptCATCatalogContext(PVOID context, PVOID catalog_context)
: context_(context), catalog_context_(catalog_context) {}
bool operator!=(const CryptCATCatalogContext& rhs) const {
return catalog_context_ != rhs.catalog_context_;
}
PVOID context() const { return context_; }
PVOID catalog_context() const { return catalog_context_; }
private:
PVOID context_;
PVOID catalog_context_;
};
struct CryptCATCatalogContextScopedTraits {
static CryptCATCatalogContext InvalidValue() {
return CryptCATCatalogContext(nullptr, nullptr);
}
static void Free(const CryptCATCatalogContext& c) {
CryptCATAdminReleaseCatalogContext(c.context(), c.catalog_context(), 0);
}
};
using ScopedCryptCATCatalogContext =
base::ScopedGeneric<CryptCATCatalogContext,
CryptCATCatalogContextScopedTraits>;
// Extracts the subject name and catalog path if the provided file is present in
// a catalog file.
void GetCatalogCertificateInfo(const base::FilePath& filename,
CertificateInfo* certificate_info) {
// Get a crypt context for signature verification.
ScopedCryptCATContext context;
{
PVOID raw_context = nullptr;
if (!CryptCATAdminAcquireContext(&raw_context, nullptr, 0))
return;
context.reset(raw_context);
}
// Open the file of interest.
base::win::ScopedHandle file_handle(
CreateFileW(filename.value().c_str(), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
nullptr, OPEN_EXISTING, 0, nullptr));
if (!file_handle.IsValid())
return;
// Get the size we need for our hash.
DWORD hash_size = 0;
CryptCATAdminCalcHashFromFileHandle(file_handle.Get(), &hash_size, nullptr,
0);
if (hash_size == 0)
return;
// Calculate the hash. If this fails then bail.
std::vector<BYTE> buffer(hash_size);
if (!CryptCATAdminCalcHashFromFileHandle(file_handle.Get(), &hash_size,
buffer.data(), 0)) {
return;
}
// Get catalog for our context.
ScopedCryptCATCatalogContext catalog_context(CryptCATCatalogContext(
context.get(), CryptCATAdminEnumCatalogFromHash(
context.get(), buffer.data(), hash_size, 0, nullptr)));
if (!catalog_context.is_valid())
return;
// Get the catalog info. This includes the path to the catalog itself, which
// contains the signature of interest.
CATALOG_INFO catalog_info = {};
catalog_info.cbStruct = sizeof(catalog_info);
if (!CryptCATCatalogInfoFromContext(catalog_context.get().catalog_context(),
&catalog_info, 0)) {
return;
}
// Attempt to get the "Subject" field from the signature of the catalog file
// itself.
base::FilePath catalog_path(catalog_info.wszCatalogFile);
std::u16string subject = GetSubjectNameInFile(catalog_path);
if (subject.empty())
return;
certificate_info->type = CertificateInfo::Type::CERTIFICATE_IN_CATALOG;
certificate_info->path = catalog_path;
certificate_info->subject = subject;
}
} // namespace
std::wstring GuidToClsid(std::wstring_view guid) {
return base::StrCat({L"CLSID\\", guid, L"\\InProcServer32"});
}
// ModuleDatabase::CertificateInfo ---------------------------------------------
CertificateInfo::CertificateInfo() : type(Type::NO_CERTIFICATE) {}
// Extracts information about the certificate of the given file, if any is
// found.
void GetCertificateInfo(const base::FilePath& filename,
CertificateInfo* certificate_info) {
DCHECK_EQ(CertificateInfo::Type::NO_CERTIFICATE, certificate_info->type);
DCHECK(certificate_info->path.empty());
DCHECK(certificate_info->subject.empty());
GetCatalogCertificateInfo(filename, certificate_info);
if (certificate_info->type == CertificateInfo::Type::CERTIFICATE_IN_CATALOG)
return;
std::u16string subject = GetSubjectNameInFile(filename);
if (subject.empty())
return;
certificate_info->type = CertificateInfo::Type::CERTIFICATE_IN_FILE;
certificate_info->path = filename;
certificate_info->subject = subject;
}
bool IsMicrosoftModule(std::u16string_view subject) {
static constexpr char16_t kMicrosoft[] = u"Microsoft ";
return base::StartsWith(subject, kMicrosoft);
}
StringMapping GetEnvironmentVariablesMapping(
const std::vector<std::wstring>& environment_variables) {
std::unique_ptr<base::Environment> environment(base::Environment::Create());
StringMapping string_mapping;
for (const std::wstring& variable : environment_variables) {
std::optional<std::string> value =
environment->GetVar(base::WideToASCII(variable));
if (value.has_value()) {
std::string_view trimmed_value =
base::TrimString(value.value(), "\\", base::TRIM_TRAILING);
string_mapping.push_back(std::make_pair(
base::i18n::ToLower(base::UTF8ToUTF16(trimmed_value)),
u"%" + base::i18n::ToLower(base::AsString16(variable)) + u"%"));
}
}
return string_mapping;
}
void CollapseMatchingPrefixInPath(const StringMapping& prefix_mapping,
std::u16string* path) {
const std::u16string path_copy = *path;
DCHECK_EQ(base::i18n::ToLower(path_copy), path_copy);
size_t min_length = std::numeric_limits<size_t>::max();
for (const auto& mapping : prefix_mapping) {
DCHECK_EQ(base::i18n::ToLower(mapping.first), mapping.first);
if (base::StartsWith(path_copy, mapping.first)) {
// Make sure the matching prefix is a full path component.
if (path_copy[mapping.first.length()] != '\\' &&
path_copy[mapping.first.length()] != '\0') {
continue;
}
std::u16string collapsed_path = path_copy;
base::ReplaceFirstSubstringAfterOffset(&collapsed_path, 0, mapping.first,
mapping.second);
size_t length = collapsed_path.length() - mapping.second.length();
if (length < min_length) {
*path = collapsed_path;
min_length = length;
}
}
}
}
bool GetModuleImageSizeAndTimeDateStamp(const base::FilePath& path,
uint32_t* size_of_image,
uint32_t* time_date_stamp) {
base::File file(path, base::File::FLAG_OPEN | base::File::FLAG_READ);
if (!file.IsValid()) {
return false;
}
// The values fetched here from the NT header live in the first 4k bytes of
// the file in a well-formed dll.
constexpr size_t kPageSize = 4096;
auto buffer = base::HeapArray<uint8_t>::Uninit(kPageSize);
std::optional<size_t> bytes_read = file.Read(0, buffer);
if (!bytes_read.has_value()) {
return false;
}
base::win::PeImageReader pe_image_reader;
if (!pe_image_reader.Initialize(buffer.first(bytes_read.value()))) {
return false;
}
*size_of_image = pe_image_reader.GetSizeOfImage();
*time_date_stamp = pe_image_reader.GetCoffFileHeader()->TimeDateStamp;
return true;
}
namespace internal {
void NormalizeCertificateSubject(std::wstring* subject) {
size_t first_null = subject->find(L'\0');
if (first_null != std::wstring::npos)
subject->resize(first_null);
}
} // namespace internal
|
