From e290c6a989e4c837af51c443af89dbab144b228a Mon Sep 17 00:00:00 2001 From: vbryh-msft Date: Wed, 27 Sep 2023 16:38:54 -0700 Subject: [PATCH 1/3] ExtendedProcessFailedEventArgs.md --- specs/ExtendedProcessFailedEventArgs.md | 85 +++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 specs/ExtendedProcessFailedEventArgs.md diff --git a/specs/ExtendedProcessFailedEventArgs.md b/specs/ExtendedProcessFailedEventArgs.md new file mode 100644 index 000000000..408843a09 --- /dev/null +++ b/specs/ExtendedProcessFailedEventArgs.md @@ -0,0 +1,85 @@ + +Title +=== + +# Background +Code integrity is a feature of Windows that verifies the authenticity and integrity of the code that runs on the system. It helps protect it from malware, tampering, and unauthorized changes. Code integrity checks the digital signatures of the files that are loaded into memory, and prevents any file that does not have a valid signature from running in WebView2. We are extending ProcessFailedEventArgs with BlockedFile property which caused webview2 process to exit with code STATUS_INVALID_IMAGE_HASH. + +# Examples + + ```c# + /// This is an event handler for our CoreWebView2's ProcessFailedEvent + private void CoreWebView2_ProcessFailed(object sender, CoreWebView2ProcessFailedEventArgs e) + { + if (e.ExitCode == -1073740760 /*STATUS_INVALID_IMAGE_HASH*/) + { + SendTelemetry(e.BlockedFile); + } + } + ``` + + ```cpp + CHECK_FAILURE(m_webView->add_ProcessFailed( + Callback( + [this](ICoreWebView2* sender, ICoreWebView2ProcessFailedEventArgs* argsRaw) + -> HRESULT { + wil::com_ptr args = argsRaw; + int exit_code; + CHECK_FAILURE(args->get_ExitCode(&exit_code)); + + if (exit_code == -1073740760 /*STATUS_INVALID_IMAGE_HASH*/) { + wil::unique_cotaskmem_string blockedFile; + CHECK_FAILURE(arg_blocked_file->get_BlockedFile(&blockedFile)); + + SendTelemetry(blockedFile); + } + + return S_OK; + } + ``` + + +# API Details + +``` +/// A continuation of the ICoreWebView2ProcessFailedEventArgs2 interface +/// fot getting blocked file for code integrity process failures. +[uuid(a9fc1af8-f934-4f0f-a788-7be0808c329b), object, pointer_default(unique)] +interface ICoreWebView2ProcessFailedEventArgs : IUnknown { + /// Code Integrity is a feature that verifies the integrity and + /// authenticity of dynamic-link libraries (DLLs) + /// on Windows systems. It ensures that only trusted + /// code can run on the system and prevents unauthorized or + /// malicious modifications. + /// When ProcessFailed occurred due to a failed Code Integrity check, + /// this property returns the name of the blocked file that was prevented from + /// loading on the system. + /// The webview2 process which tried to load blocked DLL will fail with + /// exit code STATUS_INVALID_IMAGE_HASH(-1073740760). + /// A file can be blocked for various + /// reasons, such as: + /// - It has an invalid or missing signature that does + /// not match the publisher or signer of the file. + /// - It has been tampered with or corrupted by malware or other software. + /// - It has been blocklisted by an administrator or a security policy. + /// This property always will be empty if failure is not caused by + /// STATUS_INVALID_IMAGE_HASH. + [propget] HRESULT BlockedFile([out, retval] LPWSTR* blockedFile); +} +``` + +```c# (but really MIDL3) +namespace Microsoft.Web.WebView2.Core +{ + runtimeclass CoreWebView2ProcessFailedEventArgs + { + // ICoreWebView2ProcessFailedEventArgs members continuation + [interface_name("Microsoft.Web.WebView2.Core.ICoreWebView2ProcessFailedEventArgs3")] + { + // ICoreWebView2ProcessFailedEventArgs3 members + String BlockedFile { get; }; + } + + } +} +``` \ No newline at end of file From b5d7cafdd47824a190695588e01b73cac60b0cbe Mon Sep 17 00:00:00 2001 From: vbryh-msft Date: Thu, 28 Sep 2023 14:10:04 -0700 Subject: [PATCH 2/3] Address review comments --- specs/ExtendedProcessFailedEventArgs.md | 38 ++++++++++++++++--------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/specs/ExtendedProcessFailedEventArgs.md b/specs/ExtendedProcessFailedEventArgs.md index 408843a09..feeeceb18 100644 --- a/specs/ExtendedProcessFailedEventArgs.md +++ b/specs/ExtendedProcessFailedEventArgs.md @@ -1,9 +1,15 @@ -Title +Code integrity failure source module path === # Background -Code integrity is a feature of Windows that verifies the authenticity and integrity of the code that runs on the system. It helps protect it from malware, tampering, and unauthorized changes. Code integrity checks the digital signatures of the files that are loaded into memory, and prevents any file that does not have a valid signature from running in WebView2. We are extending ProcessFailedEventArgs with BlockedFile property which caused webview2 process to exit with code STATUS_INVALID_IMAGE_HASH. +[Windows Code Integrity](https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-code-integrity) is a feature that verifies the +integrity of the code that runs on the system. It helps protect it from malware, +tampering, and unauthorized changes. Code integrity checks the digital +signatures of the files that are loaded into memory, and prevents any +file that does not have a valid signature from running in WebView2 process. +We are extending ProcessFailedEventArgs with FailureSourceModulePath property +which caused webview2 process to exit with code STATUS_INVALID_IMAGE_HASH. # Examples @@ -13,7 +19,10 @@ Code integrity is a feature of Windows that verifies the authenticity and integr { if (e.ExitCode == -1073740760 /*STATUS_INVALID_IMAGE_HASH*/) { - SendTelemetry(e.BlockedFile); + // If the process crashed because of STATUS_INVALID_IMAGE_HASH, + // then we want to log to our app's telemetry the name of the + // DLL that caused the issue. + SendTelemetry(e.FailureSourceModulePath); } } ``` @@ -28,10 +37,13 @@ Code integrity is a feature of Windows that verifies the authenticity and integr CHECK_FAILURE(args->get_ExitCode(&exit_code)); if (exit_code == -1073740760 /*STATUS_INVALID_IMAGE_HASH*/) { - wil::unique_cotaskmem_string blockedFile; - CHECK_FAILURE(arg_blocked_file->get_BlockedFile(&blockedFile)); + wil::unique_cotaskmem_string modulePath; + CHECK_FAILURE(args->get_FailureSourceModulePath(&modulePath)); - SendTelemetry(blockedFile); + // If the process crashed because of STATUS_INVALID_IMAGE_HASH, + // then we want to log to our app's telemetry the name of the + // DLL that caused the issue. + SendTelemetry(modulePath); } return S_OK; @@ -42,21 +54,21 @@ Code integrity is a feature of Windows that verifies the authenticity and integr # API Details ``` -/// A continuation of the ICoreWebView2ProcessFailedEventArgs2 interface -/// fot getting blocked file for code integrity process failures. [uuid(a9fc1af8-f934-4f0f-a788-7be0808c329b), object, pointer_default(unique)] interface ICoreWebView2ProcessFailedEventArgs : IUnknown { + /// This property is the full path of the module that caused the + /// crash in cases of Windows Code Integrity failures. /// Code Integrity is a feature that verifies the integrity and /// authenticity of dynamic-link libraries (DLLs) /// on Windows systems. It ensures that only trusted /// code can run on the system and prevents unauthorized or /// malicious modifications. /// When ProcessFailed occurred due to a failed Code Integrity check, - /// this property returns the name of the blocked file that was prevented from + /// this property returns the full path of the file that was prevented from /// loading on the system. - /// The webview2 process which tried to load blocked DLL will fail with + /// The webview2 process which tried to load the DLL will fail with /// exit code STATUS_INVALID_IMAGE_HASH(-1073740760). - /// A file can be blocked for various + /// A file can fail integrity check for various /// reasons, such as: /// - It has an invalid or missing signature that does /// not match the publisher or signer of the file. @@ -64,7 +76,7 @@ interface ICoreWebView2ProcessFailedEventArgs : IUnknown { /// - It has been blocklisted by an administrator or a security policy. /// This property always will be empty if failure is not caused by /// STATUS_INVALID_IMAGE_HASH. - [propget] HRESULT BlockedFile([out, retval] LPWSTR* blockedFile); + [propget] HRESULT FailureSourceModulePath([out, retval] LPWSTR* modulePath); } ``` @@ -77,7 +89,7 @@ namespace Microsoft.Web.WebView2.Core [interface_name("Microsoft.Web.WebView2.Core.ICoreWebView2ProcessFailedEventArgs3")] { // ICoreWebView2ProcessFailedEventArgs3 members - String BlockedFile { get; }; + String FailureSourceModulePath { get; }; } } From 43719668226a44a7b90c7071879a6aa9524b9feb Mon Sep 17 00:00:00 2001 From: vbryh-msft Date: Thu, 28 Sep 2023 14:14:20 -0700 Subject: [PATCH 3/3] Address more reveiw comments --- specs/ExtendedProcessFailedEventArgs.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/specs/ExtendedProcessFailedEventArgs.md b/specs/ExtendedProcessFailedEventArgs.md index feeeceb18..a405891d9 100644 --- a/specs/ExtendedProcessFailedEventArgs.md +++ b/specs/ExtendedProcessFailedEventArgs.md @@ -58,7 +58,8 @@ which caused webview2 process to exit with code STATUS_INVALID_IMAGE_HASH. interface ICoreWebView2ProcessFailedEventArgs : IUnknown { /// This property is the full path of the module that caused the /// crash in cases of Windows Code Integrity failures. - /// Code Integrity is a feature that verifies the integrity and + /// [Windows Code Integrity](https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-code-integrity) + /// is a feature that verifies the integrity and /// authenticity of dynamic-link libraries (DLLs) /// on Windows systems. It ensures that only trusted /// code can run on the system and prevents unauthorized or @@ -74,7 +75,7 @@ interface ICoreWebView2ProcessFailedEventArgs : IUnknown { /// not match the publisher or signer of the file. /// - It has been tampered with or corrupted by malware or other software. /// - It has been blocklisted by an administrator or a security policy. - /// This property always will be empty if failure is not caused by + /// This property always will be the empty string if failure is not caused by /// STATUS_INVALID_IMAGE_HASH. [propget] HRESULT FailureSourceModulePath([out, retval] LPWSTR* modulePath); }