From d3b7463c7a48e83180a2619d00614a175641fb4e Mon Sep 17 00:00:00 2001 From: Mark Mentovai Date: Tue, 7 Nov 2017 11:46:54 -0500 Subject: [PATCH] win: Recognize nsi.dll presenting as VFT_DRV/VFT2_DRV_NETWORK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was previously proposed at https://chromium-review.googlesource.com/c/crashpad/crashpad/+/339103/2/util/win/pe_image_reader_test.cc#84. It didn’t land because the change was abandoned for other reasons, but the fix was valid. nsi.dll is not VFT_APP or VFT_DLL, and if it’s loaded, crashpad_snapshot_test PEImageReader.VSFixedFileInfo_AllModules fails. Although I can’t reproduce nsi.dll being loaded spontaneously in local testing or on trybots, it occurred in the monolithic crashpad_tests at https://build.chromium.org/p/chromium.win/builders/Win7%20Tests%20%28dbg%29%281%29/builds/64492: [ RUN ] PEImageReader.VSFixedFileInfo_AllModules ../../third_party/crashpad/crashpad/snapshot/win/pe_image_reader_test.cc(90): error: Value of: observed.dwFileType == VFT_APP || observed.dwFileType == VFT_DLL Actual: false Expected: true Google Test trace: ../../third_party/crashpad/crashpad/snapshot/win/pe_image_reader_test.cc(164): C:\Windows\syswow64\NSI.dll [ FAILED ] PEImageReader.VSFixedFileInfo_AllModules (11 ms) I can also reproduce locally by calling LoadLibrary(L"nsi.dll"). Bug: chromium:779790, chromium:782011 Test: crashpad_snapshot_test PEImageReader.VSFixedFileInfo_AllModules Change-Id: I361c7d6521645913277a441ce38779aaa4a182c2 Reviewed-on: https://chromium-review.googlesource.com/757077 Reviewed-by: Scott Graham Commit-Queue: Mark Mentovai
---
 snapshot/win/pe_image_reader_test.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/snapshot/win/pe_image_reader_test.cc b/snapshot/win/pe_image_reader_test.cc
index 3192a446..23e74dc2 100644
--- a/snapshot/win/pe_image_reader_test.cc
+++ b/snapshot/win/pe_image_reader_test.cc
@@ -18,6 +18,7 @@
 #include
 #include "base/files/file_path.h"
+#include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "gtest/gtest.h"
 #include "snapshot/win/process_reader_win.h"
@@ -86,8 +87,17 @@ void TestVSFixedFileInfo(ProcessReaderWin* process_reader,
 EXPECT_EQ(observed.dwFileType, static_cast(VFT_DLL));
 } else {
 EXPECT_NE(observed.dwFileOS & VOS_NT_WINDOWS32, 0u);
+
+ // VFT_DRV/VFT2_DRV_NETWORK is for nsi.dll, “network service interface.”
+ // It’s not normally loaded, but has been observed to be loaded in some
+ // cases.
 EXPECT_TRUE(observed.dwFileType == VFT_APP ||
- observed.dwFileType == VFT_DLL);
+ observed.dwFileType == VFT_DLL ||
+ (observed.dwFileType == VFT_DRV &&
+ observed.dwFileSubtype == VFT2_DRV_NETWORK))
+ << base::StringPrintf("type 0x%x, subtype 0x%x",
+ observed.dwFileType,
+ observed.dwFileSubtype);
 }
 }
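Review bot: The `%x` conversions in the added `base::StringPrintf` call do not match their arguments if `observed` is a `VS_FIXEDFILEINFO`, whose `dwFileType` and `dwFileSubtype` are `DWORD` (`unsigned long`); it happens to work on Windows because both types are 32 bits wide, but a format-checking compiler will flag it. I would write `<< base::StringPrintf("type 0x%lx, subtype 0x%lx",` and leave the two argument lines as they are. Separately, the new `VFT_DRV`/`VFT2_DRV_NETWORK` alternative is accepted for every module that reaches the `else` branch, while the comment says it is only for nsi.dll; the test would stay as strict as before for other modules if that alternative were also conditioned on the module's base name. `TestVSFixedFileInfo` begins before the hunk, so the parameter that carries the module path is not visible here.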