[Chrome ELF] Early browser security support.

chrome_elf/chrome_elf_security.cc

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome_elf/chrome_elf_security.h"
+
+#include <assert.h>
+#include <windows.h>
+#include <versionhelpers.h>  // windows.h must be before
+
+#include "chrome_elf/chrome_elf_constants.h"
+#include "chrome_elf/nt_registry/nt_registry.h"
+
+void EarlyBrowserSecurity() {
+  typedef decltype(SetProcessMitigationPolicy)* SetProcessMitigationPolicyFunc;
+
+  // This function is called from within DllMain.
+  // Don't do anything naughty while we have the loader lock.
+  NTSTATUS ret_val = STATUS_SUCCESS;
+  HANDLE handle = INVALID_HANDLE_VALUE;
+
+  // Check for kRegistrySecurityFinchPath.  If it exists,
+  // we do NOT disable extension points.  (Emergency off flag.)
+  if (nt::OpenRegKey(nt::HKCU, elf_sec::kRegSecurityFinchPath, KEY_QUERY_VALUE,
+                     &handle, &ret_val)) {
+    nt::CloseRegKey(handle);
+    return;
+  }
+#ifdef _DEBUG
+  // The only failure expected is for the path not existing.
+  if (ret_val != STATUS_OBJECT_NAME_NOT_FOUND)
+    assert(false);
+#endif
+
+  if (::IsWindows8OrGreater()) {
+    SetProcessMitigationPolicyFunc set_process_mitigation_policy =
+        reinterpret_cast<SetProcessMitigationPolicyFunc>(::GetProcAddress(
+            ::GetModuleHandleW(L"kernel32.dll"), "SetProcessMitigationPolicy"));
+    if (set_process_mitigation_policy) {
+      // Disable extension points in this process.
+      // (Legacy hooking.)
+      PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
+      policy.DisableExtensionPoints = true;
+      set_process_mitigation_policy(ProcessExtensionPointDisablePolicy, &policy,
+                                    sizeof(policy));
+    }
+  }
+  return;
+}