// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
4
5#include "chrome_elf/chrome_elf_security.h"
6
7#include <assert.h>
8#include <windows.h>
9#include <versionhelpers.h> // windows.h must be before
10
grtb4cab812017-03-31 06:58:4311#include "chrome/install_static/install_util.h"
pennymac4e0b5f22016-07-19 19:15:4512#include "chrome_elf/chrome_elf_constants.h"
13#include "chrome_elf/nt_registry/nt_registry.h"
14
namespace elf_security {

// Turns on the "disable extension points" process mitigation for the current
// process, unless an emergency-off registry key is present.
//
// Extension points are the legacy mechanisms through which third-party DLLs
// get loaded into a process (e.g. AppInit DLLs and global window hooks); the
// original comment summarises them as "legacy hooking".
//
// Caller context: this runs from DllMain while the loader lock is held, so
// everything here must stay loader-safe (no library loads, no waiting).
//
// Security notes for maintainers:
//  * The off switch is read from HKCU. That hive is normally writable by the
//    current user and by software running as that user, so the switch is an
//    operational override rather than a protected setting.
//  * Only a successful open of the key skips the mitigation. In release
//    builds any failure to open it, whatever the status, falls through and
//    the mitigation is still requested.
//  * The result of SetProcessMitigationPolicy is not inspected; if the call
//    fails the process carries on without the mitigation and nothing here
//    records that.
void EarlyBrowserSecurity() {
  using SetProcessMitigationPolicyFunc = decltype(SetProcessMitigationPolicy)*;

  NTSTATUS open_status = STATUS_SUCCESS;
  HANDLE finch_key = INVALID_HANDLE_VALUE;

  // Emergency off flag: if kRegSecurityFinchKeyName exists under the install's
  // registry path, leave extension points enabled and bail out. Existence is
  // the whole signal; no value is read from the key.
  if (nt::OpenRegKey(nt::HKCU,
                     install_static::GetRegistryPath()
                         .append(elf_sec::kRegSecurityFinchKeyName)
                         .c_str(),
                     KEY_QUERY_VALUE, &finch_key, &open_status)) {
    nt::CloseRegKey(finch_key);
    return;
  }

#ifdef _DEBUG
  // "Key not found" is the only failure that is expected here; anything else
  // trips the assert in debug builds.
  if (open_status != STATUS_OBJECT_NAME_NOT_FOUND)
    assert(false);
#endif

  // The mitigation is only attempted on Windows 8 and later.
  if (!::IsWindows8OrGreater())
    return;

  // Look the API up at run time instead of linking against it. kernel32 is
  // fetched with GetModuleHandleW, which only returns a module that is
  // already loaded, so this does not trigger a library load under the loader
  // lock.
  HMODULE kernel32 = ::GetModuleHandleW(L"kernel32.dll");
  SetProcessMitigationPolicyFunc apply_policy =
      reinterpret_cast<SetProcessMitigationPolicyFunc>(
          ::GetProcAddress(kernel32, "SetProcessMitigationPolicy"));
  if (!apply_policy)
    return;

  // Zero-initialise so that every other bit of the policy stays clear, then
  // request that extension points be disabled for this process.
  PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY extension_policy = {};
  extension_policy.DisableExtensionPoints = true;
  apply_policy(ProcessExtensionPointDisablePolicy, &extension_policy,
               sizeof(extension_policy));
}

}  // namespace elf_security