blob: b1ddcd92ec847b5b8c52238228fa6fe5b9d092f7 [file] [log] [blame]
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome_elf/chrome_elf_security.h"
#include <assert.h>
#include <windows.h>
#include <versionhelpers.h> // windows.h must be before
#include "chrome_elf/chrome_elf_constants.h"
#include "chrome_elf/nt_registry/nt_registry.h"
void EarlyBrowserSecurity() {
typedef decltype(SetProcessMitigationPolicy)* SetProcessMitigationPolicyFunc;
// This function is called from within DllMain.
// Don't do anything naughty while we have the loader lock.
NTSTATUS ret_val = STATUS_SUCCESS;
HANDLE handle = INVALID_HANDLE_VALUE;
// Check for kRegistrySecurityFinchPath. If it exists,
// we do NOT disable extension points. (Emergency off flag.)
if (nt::OpenRegKey(nt::HKCU, elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE,
&handle, &ret_val)) {
nt::CloseRegKey(handle);
return;
}
#ifdef _DEBUG
// The only failure expected is for the path not existing.
if (ret_val != STATUS_OBJECT_NAME_NOT_FOUND)
assert(false);
#endif
if (::IsWindows8OrGreater()) {
SetProcessMitigationPolicyFunc set_process_mitigation_policy =
reinterpret_cast<SetProcessMitigationPolicyFunc>(::GetProcAddress(
::GetModuleHandleW(L"kernel32.dll"), "SetProcessMitigationPolicy"));
if (set_process_mitigation_policy) {
// Disable extension points in this process.
// (Legacy hooking.)
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
policy.DisableExtensionPoints = true;
set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, &policy,
sizeof(policy));
}
}
return;
}