chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win_unittest.cc

// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/safe_browsing/incident_reporting/module_integrity_verifier_win.h"

#include "base/files/file_path.h"
#include "base/files/memory_mapped_file.h"
#include "base/native_library.h"
#include "base/path_service.h"
#include "base/scoped_native_library.h"
#include "base/win/pe_image.h"
#include "chrome/browser/safe_browsing/incident_reporting/module_integrity_unittest_util_win.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace safe_browsing {

class SafeBrowsingModuleVerifierWinTest : public testing::Test {
 protected:
  void SetUpTestDllAndPEImages() {
    LoadModule();
    HMODULE mem_handle;
    GetMemModuleHandle(&mem_handle);
    mem_peimage_ptr_.reset(new base::win::PEImage(mem_handle));
    ASSERT_TRUE(mem_peimage_ptr_->VerifyMagic());

    LoadDLLAsFile();
    HMODULE disk_handle;
    GetDiskModuleHandle(&disk_handle);
    disk_peimage_ptr_.reset(new base::win::PEImageAsData(disk_handle));
    ASSERT_TRUE(disk_peimage_ptr_->VerifyMagic());
  }

  void LoadModule() {
    HMODULE mem_dll_handle =
        LoadNativeLibrary(base::FilePath(kTestDllNames[0]), NULL);
    ASSERT_NE(static_cast<HMODULE>(NULL), mem_dll_handle)
        << "GLE=" << GetLastError();
    mem_dll_handle_.Reset(mem_dll_handle);
    ASSERT_TRUE(mem_dll_handle_.is_valid());
  }

  void GetMemModuleHandle(HMODULE* mem_handle) {
    *mem_handle = GetModuleHandle(kTestDllNames[0]);
    ASSERT_NE(static_cast<HMODULE>(NULL), *mem_handle);
  }

  void LoadDLLAsFile() {
    // Use the module handle to find the it on disk, then load as a file.
    HMODULE module_handle;
    GetMemModuleHandle(&module_handle);

    WCHAR module_path[MAX_PATH] = {};
    DWORD length =
        GetModuleFileName(module_handle, module_path, arraysize(module_path));
    ASSERT_NE(arraysize(module_path), length);
    ASSERT_TRUE(disk_dll_handle_.Initialize(base::FilePath(module_path)));
  }

  void GetDiskModuleHandle(HMODULE* disk_handle) {
    *disk_handle =
        reinterpret_cast<HMODULE>(const_cast<uint8*>(disk_dll_handle_.data()));
  }

  // Edits the first byte of the single function exported by the test dll.
  void EditExport() {
    HMODULE mem_handle;
    GetMemModuleHandle(&mem_handle);
    uint8_t* export_addr =
        reinterpret_cast<uint8_t*>(GetProcAddress(mem_handle, kTestExportName));
    EXPECT_NE(reinterpret_cast<uint8_t*>(NULL), export_addr);

    // Edit the first byte of the function.
    uint8_t new_val = (*export_addr) + 1;
    SIZE_T bytes_written = 0;
    WriteProcessMemory(GetCurrentProcess(),
                       export_addr,
                       reinterpret_cast<void*>(&new_val),
                       1,
                       &bytes_written);
    EXPECT_EQ(1, bytes_written);
  }

  base::ScopedNativeLibrary mem_dll_handle_;
  base::MemoryMappedFile disk_dll_handle_;
  scoped_ptr<base::win::PEImageAsData> disk_peimage_ptr_;
  scoped_ptr<base::win::PEImage> mem_peimage_ptr_;
};

TEST_F(SafeBrowsingModuleVerifierWinTest, VerifyModuleUnmodified) {
  std::set<std::string> modified_exports;
  // Call VerifyModule before the module has been loaded, should fail.
  EXPECT_EQ(MODULE_STATE_UNKNOWN,
            VerifyModule(kTestDllNames[0], &modified_exports));
  EXPECT_EQ(0, modified_exports.size());

  // On loading, the module should be identical (up to relocations) in memory as
  // on disk.
  SetUpTestDllAndPEImages();
  EXPECT_EQ(MODULE_STATE_UNMODIFIED,
            VerifyModule(kTestDllNames[0], &modified_exports));
  EXPECT_EQ(0, modified_exports.size());
}

TEST_F(SafeBrowsingModuleVerifierWinTest, VerifyModuleModified) {
  std::set<std::string> modified_exports;
  // Confirm the module is identical in memory as on disk before we begin.
  SetUpTestDllAndPEImages();
  EXPECT_EQ(MODULE_STATE_UNMODIFIED,
            VerifyModule(kTestDllNames[0], &modified_exports));

  uint8_t* mem_code_addr = NULL;
  uint8_t* disk_code_addr = NULL;
  uint32_t code_size = 0;
  EXPECT_TRUE(GetCodeAddrsAndSize(*mem_peimage_ptr_,
                                  *disk_peimage_ptr_,
                                  &mem_code_addr,
                                  &disk_code_addr,
                                  &code_size));

  // Edit the first byte of the code section of the module (this may be before
  // the address of any export).
  uint8_t new_val = (*mem_code_addr) + 1;
  SIZE_T bytes_written = 0;
  WriteProcessMemory(GetCurrentProcess(),
                     mem_code_addr,
                     reinterpret_cast<void*>(&new_val),
                     1,
                     &bytes_written);
  EXPECT_EQ(1, bytes_written);

  // VerifyModule should detect the change.
  EXPECT_EQ(MODULE_STATE_MODIFIED,
            VerifyModule(kTestDllNames[0], &modified_exports));
}

TEST_F(SafeBrowsingModuleVerifierWinTest, VerifyModuleExportModified) {
  std::set<std::string> modified_exports;
  // Confirm the module is identical in memory as on disk before we begin.
  SetUpTestDllAndPEImages();
  EXPECT_EQ(MODULE_STATE_UNMODIFIED,
            VerifyModule(kTestDllNames[0], &modified_exports));
  modified_exports.clear();

  // Edit the exported function, VerifyModule should now return the function
  // name in modified_exports.
  EditExport();
  EXPECT_EQ(MODULE_STATE_MODIFIED,
            VerifyModule(kTestDllNames[0], &modified_exports));
  EXPECT_EQ(1, modified_exports.size());
  EXPECT_EQ(0, std::string(kTestExportName).compare(*modified_exports.begin()));
}

}  // namespace safe_browsing