Block legacy hooking mechanisms on Win8+

chrome/browser/chrome_elf_init_win.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/bind.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
+#include "base/win/windows_version.h"
 #include "chrome/browser/chrome_elf_init_win.h"
 #include "chrome/common/chrome_version.h"
 #include "chrome_elf/blacklist/blacklist.h"
 #include "chrome_elf/chrome_elf_constants.h"
 #include "chrome_elf/dll_hash/dll_hash.h"
 #include "components/variations/variations_associated_data.h"
 #include "content/public/browser/browser_thread.h"
 
 const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
 const char kBrowserBlacklistTrialDisabledGroupName[] = "NoBlacklist";
@@ skipping 58 matching lines @@
     base::WideToUTF8(blocked_dlls[i], wcslen(blocked_dlls[i]), &dll_name_utf8);
     int uma_hash = DllNameToHash(dll_name_utf8);
 
     UMA_HISTOGRAM_SPARSE_SLOWLY("Blacklist.Blocked", uma_hash);
   }
 }
 
 }  // namespace
 
 void InitializeChromeElf() {
+  if (base::win::GetVersion() >= base::win::VERSION_WIN8 &&
+      base::FieldTrialList::FindFullName("WindowsHookBlocking") != "Disabled") {

[robertshield, 2015/11/18 17:51:03]

Not sure it's useful to apply the policy here. This is the browser end of elf
initialization which isn't terribly early in the process. AppInit_Dlls, etc.
will have already loaded by this point. 

What you probably want is to do this during elf dll initialization, here:
https://code.google.com/p/chromium/codesearch#chromium/src/chrome_elf/chrome_...

There are some constraints: no using base/ and don't do anything that isn't safe
under the loader lock. 

[jschuh, 2015/11/18 18:21:15]

Okay, that makes a lot more sense. Because I traced it through, and this seemed
very late to me as well.

Given the restrictions, it sounds like I won't be able to finch gate this, or am
I wrong?

[robertshield, 2015/11/18 19:50:29]

You can, but there are hoops to jump through and involves cooperation from the
browser process. We do this for the blacklist by proxying through the registry
to communicate finch state to elf. This means on first run, elf does nothing,
when the browser starts up it reads some finch state, writes it to the registry,
on subsequent runs, elf finds this state in the registry and then does stuff. It
ain't pretty, but it works.

Example Elf side of things :
https://code.google.com/p/chromium/codesearch#chromium/src/chrome_elf/blackli...
Browser side of things:
https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/chr...

+    typedef BOOL(WINAPI * SetProcessMitigationPolicyFunction)(
+        PROCESS_MITIGATION_POLICY mitigation_policy, PVOID buffer,
+        SIZE_T length);
+
+    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
+    policy.DisableExtensionPoints = true;
+    SetProcessMitigationPolicyFunction set_process_mitigation_policy =
+        reinterpret_cast<SetProcessMitigationPolicyFunction>(::GetProcAddress(
+            ::GetModuleHandleA("kernel32.dll"), "SetProcessMitigationPolicy"));
+    bool result = !!set_process_mitigation_policy(
+        ProcessExtensionPointDisablePolicy, &policy, sizeof(policy));
+    DCHECK(result);
+  }
+
   if (base::FieldTrialList::FindFullName(kBrowserBlacklistTrialName) ==
       kBrowserBlacklistTrialDisabledGroupName) {
     // Disable the blacklist for all future runs by removing the beacon.
     base::win::RegKey blacklist_registry_key(HKEY_CURRENT_USER);
     blacklist_registry_key.DeleteKey(blacklist::kRegistryBeaconPath);
   } else {
     AddFinchBlacklistToRegistry();
     BrowserBlacklistBeaconSetup();
   }
 
@@ skipping 98 matching lines @@
 
     blacklist_registry_key.WriteValue(blacklist::kBeaconAttemptCount,
                                       static_cast<DWORD>(0));
 
     // Only report the blacklist as getting setup when both registry writes
     // succeed, since otherwise the blacklist wasn't properly setup.
     if (set_version == ERROR_SUCCESS && set_state == ERROR_SUCCESS)
       RecordBlacklistSetupEvent(BLACKLIST_SETUP_ENABLED);
   }
 }