1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
base / debug / handle_hooks_win.cc [blame]
// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/debug/handle_hooks_win.h"
#include <windows.h>
#include <psapi.h>
#include <stddef.h>
#include "base/logging.h"
#include "base/memory/raw_ptr.h"
#include "base/numerics/safe_conversions.h"
#include "base/win/iat_patch_function.h"
#include "base/win/pe_image.h"
#include "base/win/scoped_handle.h"
#include "build/build_config.h"
namespace {
using CloseHandleType = decltype(&::CloseHandle);
using DuplicateHandleType = decltype(&::DuplicateHandle);
CloseHandleType g_close_function = nullptr;
DuplicateHandleType g_duplicate_function = nullptr;
// The entry point for CloseHandle interception. This function notifies the
// verifier about the handle that is being closed, and calls the original
// function.
BOOL WINAPI CloseHandleHook(HANDLE handle) {
base::win::OnHandleBeingClosed(handle,
base::win::HandleOperation::kCloseHandleHook);
return g_close_function(handle);
}
BOOL WINAPI DuplicateHandleHook(HANDLE source_process,
HANDLE source_handle,
HANDLE target_process,
HANDLE* target_handle,
DWORD desired_access,
BOOL inherit_handle,
DWORD options) {
if ((options & DUPLICATE_CLOSE_SOURCE) &&
(GetProcessId(source_process) == ::GetCurrentProcessId())) {
base::win::OnHandleBeingClosed(
source_handle, base::win::HandleOperation::kDuplicateHandleHook);
}
return g_duplicate_function(source_process, source_handle, target_process,
target_handle, desired_access, inherit_handle,
options);
}
} // namespace
namespace base {
namespace debug {
namespace {
// Provides a simple way to temporarily change the protection of a memory page.
class AutoProtectMemory {
public:
AutoProtectMemory()
: changed_(false), address_(nullptr), bytes_(0), old_protect_(0) {}
AutoProtectMemory(const AutoProtectMemory&) = delete;
AutoProtectMemory& operator=(const AutoProtectMemory&) = delete;
~AutoProtectMemory() { RevertProtection(); }
// Grants write access to a given memory range.
bool ChangeProtection(void* address, size_t bytes);
// Restores the original page protection.
void RevertProtection();
private:
bool changed_;
raw_ptr<void> address_;
size_t bytes_;
DWORD old_protect_;
};
bool AutoProtectMemory::ChangeProtection(void* address, size_t bytes) {
DCHECK(!changed_);
DCHECK(address);
// Change the page protection so that we can write.
MEMORY_BASIC_INFORMATION memory_info;
if (!VirtualQuery(address, &memory_info, sizeof(memory_info)))
return false;
DWORD is_executable = (PAGE_EXECUTE | PAGE_EXECUTE_READ |
PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY) &
memory_info.Protect;
DWORD protect = is_executable ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
if (!VirtualProtect(address, bytes, protect, &old_protect_))
return false;
changed_ = true;
address_ = address;
bytes_ = bytes;
return true;
}
void AutoProtectMemory::RevertProtection() {
if (!changed_)
return;
DCHECK(address_);
DCHECK(bytes_);
VirtualProtect(address_, bytes_, old_protect_, &old_protect_);
changed_ = false;
address_ = nullptr;
bytes_ = 0;
old_protect_ = 0;
}
#if defined(ARCH_CPU_32_BITS)
// Performs an EAT interception. Only supported on 32-bit.
void EATPatch(HMODULE module,
const char* function_name,
void* new_function,
void** old_function) {
if (!module)
return;
base::win::PEImage pe(module);
if (!pe.VerifyMagic())
return;
DWORD* eat_entry = pe.GetExportEntry(function_name);
if (!eat_entry)
return;
if (!(*old_function))
*old_function = pe.RVAToAddr(*eat_entry);
AutoProtectMemory memory;
if (!memory.ChangeProtection(eat_entry, sizeof(DWORD)))
return;
// Perform the patch.
*eat_entry =
base::checked_cast<DWORD>(reinterpret_cast<uintptr_t>(new_function) -
reinterpret_cast<uintptr_t>(module));
}
#endif // defined(ARCH_CPU_32_BITS)
// Performs an IAT interception.
std::unique_ptr<base::win::IATPatchFunction> IATPatch(HMODULE module,
const char* function_name,
void* new_function,
void** old_function) {
if (!module)
return nullptr;
auto patch = std::make_unique<base::win::IATPatchFunction>();
__try {
// There is no guarantee that |module| is still loaded at this point.
if (patch->PatchFromModule(module, "kernel32.dll", function_name,
new_function)) {
return nullptr;
}
} __except ((GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ||
GetExceptionCode() == EXCEPTION_GUARD_PAGE ||
GetExceptionCode() == EXCEPTION_IN_PAGE_ERROR)
? EXCEPTION_EXECUTE_HANDLER
: EXCEPTION_CONTINUE_SEARCH) {
// Leak the patch.
std::ignore = patch.release();
return nullptr;
}
if (!(*old_function)) {
// Things are probably messed up if each intercepted function points to
// a different place, but we need only one function to call.
*old_function = patch->original_function();
}
return patch;
}
} // namespace
// static
void HandleHooks::AddIATPatch(HMODULE module) {
if (!module)
return;
auto close_handle_patch =
IATPatch(module, "CloseHandle", reinterpret_cast<void*>(&CloseHandleHook),
reinterpret_cast<void**>(&g_close_function));
if (!close_handle_patch)
return;
// This is intentionally leaked.
std::ignore = close_handle_patch.release();
auto duplicate_handle_patch = IATPatch(
module, "DuplicateHandle", reinterpret_cast<void*>(&DuplicateHandleHook),
reinterpret_cast<void**>(&g_duplicate_function));
if (!duplicate_handle_patch)
return;
// This is intentionally leaked.
std::ignore = duplicate_handle_patch.release();
}
#if defined(ARCH_CPU_32_BITS)
// static
void HandleHooks::AddEATPatch() {
// An attempt to restore the entry on the table at destruction is not safe.
EATPatch(GetModuleHandleA("kernel32.dll"), "CloseHandle",
reinterpret_cast<void*>(&CloseHandleHook),
reinterpret_cast<void**>(&g_close_function));
EATPatch(GetModuleHandleA("kernel32.dll"), "DuplicateHandle",
reinterpret_cast<void*>(&DuplicateHandleHook),
reinterpret_cast<void**>(&g_duplicate_function));
}
#endif // defined(ARCH_CPU_32_BITS)
// static
void HandleHooks::PatchLoadedModules() {
const DWORD kSize = 256;
DWORD returned;
auto modules = std::make_unique<HMODULE[]>(kSize);
if (!::EnumProcessModules(GetCurrentProcess(), modules.get(),
kSize * sizeof(HMODULE), &returned)) {
return;
}
returned /= sizeof(HMODULE);
returned = std::min(kSize, returned);
for (DWORD current = 0; current < returned; current++) {
AddIATPatch(modules[current]);
}
}
} // namespace debug
} // namespace base