winumpath.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Bitdefender
 * SPDX-License-Identifier: Apache-2.0
 */
#include "winumpath.h"
#include "crc32.h"
#include "introcore.h"




static WCHAR gInvalidModulePath[8] = u"<error>";


static WINUM_PATH gInvalidUmPath =
{
    .Path = gInvalidModulePath,
    .Name = gInvalidModulePath,

    .PathSize = CWSTRLEN(gInvalidModulePath) * 2,
    .NameSize = CWSTRLEN(gInvalidModulePath) * 2,

    .NameHash = INITIAL_CRC_VALUE,

    .RefCount = 1,

    .SubsectionGva = 0,
};


static
_Function_class_(FUNC_RbTreeNodeFree) void
IntWinUmPathRbTreeNodeFree(
    _Inout_ RBNODE *Node
    )
{
    UNREFERENCED_PARAMETER(Node);
}


static
_Function_class_(FUNC_RbTreeNodeCompare) int
IntWinUmPathRbTreeNodeCompare(
    _In_ RBNODE *Left,
    _In_ RBNODE *Right
    )
{
    WINUM_PATH *p1 = CONTAINING_RECORD(Left, WINUM_PATH, RbNode);
    WINUM_PATH *p2 = CONTAINING_RECORD(Right, WINUM_PATH, RbNode);

    if (p1->SubsectionGva < p2->SubsectionGva)
    {
        return -1;
    }
    else if (p1->SubsectionGva > p2->SubsectionGva)
    {
        return 1;
    }
    else
    {
        return 0;
    }
}


static RBTREE gPaths = RB_TREE_INIT(gPaths, IntWinUmPathRbTreeNodeFree, IntWinUmPathRbTreeNodeCompare);


static WINUM_PATH *
IntWinUmPathFetchBySubsection(
    _In_ QWORD SubsectionGva
    )
{
    RBNODE *result;
    WINUM_PATH target;
    INTSTATUS status;

    target.SubsectionGva = SubsectionGva;

    status = RbLookupNode(&gPaths, &target.RbNode, &result);
    if (!INT_SUCCESS(status))
    {
        return NULL;
    }

    return CONTAINING_RECORD(result, WINUM_PATH, RbNode);
}


__nonnull() static void
IntWinUmPathFree(
    _In_ WINUM_PATH *Path
    )
{
    if (Path->Path)
    {
        HpFreeAndNullWithTag(&Path->Path, IC_TAG_UMPT);
    }

    HpFreeAndNullWithTag(&Path, IC_TAG_PTHP);
}


WINUM_PATH *
IntWinUmPathCreate(
    _In_ const WCHAR *Path,
    _In_ DWORD PathSize,
    _In_ QWORD SubsectionGva
    )
{
    WINUM_PATH *pPath;
    INTSTATUS status;

    // Expecting at least one character and the NULL terminator. The path length cannot exceed a word in length.
    if ((PathSize < 2) || (PathSize > 0xFFFF))
    {
        ERROR("[ERROR] Path size (%d) is invalid for module\n", PathSize);
        return &gInvalidUmPath;
    }

    pPath = HpAllocWithTag(sizeof(*pPath), IC_TAG_PTHP);
    if (NULL == pPath)
    {
        return &gInvalidUmPath;
    }

    pPath->RefCount = 1;
    pPath->PathSize = PathSize;
    pPath->SubsectionGva = SubsectionGva;

    // Copy the module path. PathLength + 2 OK - PathLength is less than 0xFFFF and PathLength is DWORD.
    pPath->Path = HpAllocWithTag(PathSize + 2ull, IC_TAG_UMPT);
    if (NULL == pPath->Path)
    {
        HpFreeAndNullWithTag(&pPath, IC_TAG_PTHP);

        return &gInvalidUmPath;
    }
    else
    {
        DWORD i = 0, ni = 0;

        for (i = 0; i < pPath->PathSize / 2; i++)
        {
            pPath->Path[i] = ((Path[i] >= u'A') && (Path[i] <= u'Z')) ? (Path[i] | 0x20) : Path[i];

            if (pPath->Path[i] == u'\\')
            {
                ni = i + 1;
            }
        }

        pPath->Path[i] = 0;

        pPath->Name = pPath->Path + ni;
        pPath->NameSize = ((pPath->PathSize / 2) - ni) * 2;
        pPath->NameHash = Crc32Wstring(pPath->Name, INITIAL_CRC_VALUE);

        if (0 == ni)
        {
            WARNING("[WARNING] Path `%s` seems to be incomplete\n", utf16_for_log(pPath->Path));
        }

        status = RbInsertNode(&gPaths, &pPath->RbNode);
        if (!INT_SUCCESS(status))
        {
            IntWinUmPathFree(pPath);

            // This will happen in the following pretty stressful case:
            // 1. N processes load the same dll at ~ the same time
            // 2. The dll subsection is not cached
            // 3. The module path is swapped out from guest memory
            // Then, introcore will inject N page faults for each process to fetch the module path from memory, the
            // first page fault will call IntWinUmPathCreate (which will insert the first path in the red-black tree),
            // but the following page fault callbacks will also call IntWinUmPathCreate for each process,
            // resulting in the same subsection, thus the same key
            if (INT_STATUS_KEY_ALREADY_EXISTS == status)
            {
                WARNING("[WARNING] IntWinUmPathCreate called with duplicated subsection: %llx Path: %s!\n",
                        SubsectionGva, Path ? utf16_for_log(Path) : "");

                return IntWinUmPathFetchAndReferenceBySubsection(SubsectionGva);
            }

            ERROR("[ERROR] RbInsertNode failed: 0x%08x\n", status);

            return &gInvalidUmPath;
        }
    }

    return pPath;
}


WINUM_PATH *
IntWinUmPathReference(
    _In_ WINUM_PATH *Path
    )
{
    Path->RefCount++;

    return Path;
}


WINUM_PATH *
IntWinUmPathFetchAndReferenceBySubsection(
    _In_ QWORD SubsectionGva
    )
{
    WINUM_PATH *pPath = IntWinUmPathFetchBySubsection(SubsectionGva);
    if (NULL != pPath)
    {
        pPath->RefCount++;
    }

    return pPath;
}


void
IntWinUmPathDereference(
    _Inout_ WINUM_PATH **Path
    )
{
    WINUM_PATH *pPath;

    if (NULL == Path)
    {
        return;
    }

    pPath = *Path;
    *Path = NULL;

    if (NULL == pPath || pPath == &gInvalidUmPath)
    {
        return;
    }

    if (--pPath->RefCount > 0)
    {
        return;
    }

    RbDeleteNode(&gPaths, &pPath->RbNode);

    IntWinUmPathFree(pPath);
}