Block legacy hooking mechanisms on Win8+

chrome/browser/chrome_elf_init_win.cc

Index: chrome/browser/chrome_elf_init_win.cc
diff --git a/chrome/browser/chrome_elf_init_win.cc b/chrome/browser/chrome_elf_init_win.cc
index 28af7f8228ac565760377242847556ba50506668..f1f5847cec469f87a6cc9ebb81fd68b6e2b7c35b 100644
--- a/chrome/browser/chrome_elf_init_win.cc
+++ b/chrome/browser/chrome_elf_init_win.cc
@@ -8,6 +8,7 @@
 #include "base/metrics/sparse_histogram.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
+#include "base/win/windows_version.h"
 #include "chrome/browser/chrome_elf_init_win.h"
 #include "chrome/common/chrome_version.h"
 #include "chrome_elf/blacklist/blacklist.h"
@@ -86,6 +87,22 @@ void ReportSuccessfulBlocks() {
 }  // namespace
 
 void InitializeChromeElf() {
+  if (base::win::GetVersion() >= base::win::VERSION_WIN8 &&
+      base::FieldTrialList::FindFullName("WindowsHookBlocking") != "Disabled") {

[robertshield, 2015/11/18 17:51:03]

Not sure it's useful to apply the policy here. This is the browser end of elf
initialization which isn't terribly early in the process. AppInit_Dlls, etc.
will have already loaded by this point. 

What you probably want is to do this during elf dll initialization, here:
https://code.google.com/p/chromium/codesearch#chromium/src/chrome_elf/chrome_...

There are some constraints: no using base/ and don't do anything that isn't safe
under the loader lock. 

[jschuh, 2015/11/18 18:21:15]

Okay, that makes a lot more sense. Because I traced it through, and this seemed
very late to me as well.

Given the restrictions, it sounds like I won't be able to finch gate this, or am
I wrong?

[robertshield, 2015/11/18 19:50:29]

You can, but there are hoops to jump through and involves cooperation from the
browser process. We do this for the blacklist by proxying through the registry
to communicate finch state to elf. This means on first run, elf does nothing,
when the browser starts up it reads some finch state, writes it to the registry,
on subsequent runs, elf finds this state in the registry and then does stuff. It
ain't pretty, but it works.

Example Elf side of things :
https://code.google.com/p/chromium/codesearch#chromium/src/chrome_elf/blackli...
Browser side of things:
https://code.google.com/p/chromium/codesearch#chromium/src/chrome/browser/chr...

+    typedef BOOL(WINAPI * SetProcessMitigationPolicyFunction)(
+        PROCESS_MITIGATION_POLICY mitigation_policy, PVOID buffer,
+        SIZE_T length);
+
+    PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
+    policy.DisableExtensionPoints = true;
+    SetProcessMitigationPolicyFunction set_process_mitigation_policy =
+        reinterpret_cast<SetProcessMitigationPolicyFunction>(::GetProcAddress(
+            ::GetModuleHandleA("kernel32.dll"), "SetProcessMitigationPolicy"));
+    bool result = !!set_process_mitigation_policy(
+        ProcessExtensionPointDisablePolicy, &policy, sizeof(policy));
+    DCHECK(result);
+  }
+
   if (base::FieldTrialList::FindFullName(kBrowserBlacklistTrialName) ==
       kBrowserBlacklistTrialDisabledGroupName) {
     // Disable the blacklist for all future runs by removing the beacon.