[Windows Sandbox] MITIGATION_EXTENSION_POINT_DISABLE support for children.

sandbox/win/src/process_mitigations_test.cc

-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "sandbox/win/src/process_mitigations.h"
+
+#include <psapi.h>
+
+#include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
+#include "base/memory/free_deleter.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
+#include "base/scoped_native_library.h"
 #include "base/strings/stringprintf.h"
+#include "base/test/test_timeouts.h"
+#include "base/threading/platform_thread.h"
+#include "base/time/time.h"
+#include "base/win/registry.h"
 #include "base/win/scoped_handle.h"
+#include "base/win/startup_information.h"
+#include "base/win/win_util.h"
 #include "base/win/windows_version.h"
 #include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/process_mitigations.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/target_services.h"
-#include "sandbox/win/src/win_utils.h"
 #include "sandbox/win/tests/common/controller.h"
+#include "sandbox/win/tests/integration_tests/integration_tests_common.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 // API defined in winbase.h.
 typedef decltype(GetProcessDEPPolicy)* GetProcessDEPPolicyFunction;
 
 // API defined in processthreadsapi.h.
 typedef decltype(
     GetProcessMitigationPolicy)* GetProcessMitigationPolicyFunction;
 GetProcessMitigationPolicyFunction get_process_mitigation_policy;
 
 // APIs defined in wingdi.h.
 typedef decltype(AddFontMemResourceEx)* AddFontMemResourceExFunction;
 typedef decltype(RemoveFontMemResourceEx)* RemoveFontMemResourceExFunction;
 
+// APIs defined in integration_tests_common.h
+typedef decltype(WasHookCalled)* WasHookCalledFunction;
+typedef decltype(SetHook)* SetHookFunction;
+
 #if !defined(_WIN64)
 bool CheckWin8DepPolicy() {
   PROCESS_MITIGATION_DEP_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
                                      &policy, sizeof(policy))) {
     return false;
   }
   return policy.Enable && policy.Permanent;
 }
 #endif  // !defined(_WIN64)
 
 #if defined(NDEBUG)
 bool CheckWin8AslrPolicy() {
   PROCESS_MITIGATION_ASLR_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
                                      &policy, sizeof(policy))) {
-     return false;
+    return false;
   }
   return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
 }
 #endif  // defined(NDEBUG)
 
 bool CheckWin8StrictHandlePolicy() {
   PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
-                                     ProcessStrictHandleCheckPolicy,
-                                     &policy, sizeof(policy))) {
-     return false;
+                                     ProcessStrictHandleCheckPolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
   }
   return policy.RaiseExceptionOnInvalidHandleReference &&
          policy.HandleExceptionsPermanentlyEnabled;
 }
 
 bool CheckWin8Win32CallPolicy() {
   PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
-                                     ProcessSystemCallDisablePolicy,
-                                     &policy, sizeof(policy))) {
-     return false;
+                                     ProcessSystemCallDisablePolicy, &policy,
+                                     sizeof(policy))) {
+    return false;
   }
   return policy.DisallowWin32kSystemCalls;
 }
 
-bool CheckWin8DllExtensionPolicy() {
+bool CheckWin8ExtensionPointPolicy() {
   PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
                                      ProcessExtensionPointDisablePolicy,
                                      &policy, sizeof(policy))) {
-     return false;
+    return false;
   }
   return policy.DisableExtensionPoints;
 }
 
 bool CheckWin10FontPolicy() {
   PROCESS_MITIGATION_FONT_DISABLE_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
                                      ProcessFontDisablePolicy, &policy,
                                      sizeof(policy))) {
     return false;
   }
   return policy.DisableNonSystemFonts;
 }
 
 bool CheckWin10ImageLoadNoRemotePolicy() {
   PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy = {};
   if (!get_process_mitigation_policy(::GetCurrentProcess(),
                                      ProcessImageLoadPolicy, &policy,
                                      sizeof(policy))) {
     return false;
   }
   return policy.NoRemoteImages;
 }
 
+// Spawn Windows process (with or without mitigation enabled).
+void SpawnWinProc(PROCESS_INFORMATION* pi, bool success_test, HANDLE* event) {
+  base::win::StartupInformation startup_info;
+  DWORD creation_flags = 0;
+
+  if (!success_test) {
+    DWORD64 flags =
+        PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON;
+    // This test only runs on >= Win8, so I don't have to worry about
+    // illegal 64-bit flags on 32-bit <= Win7.
+    size_t flags_size = sizeof(flags);
+
+    EXPECT_TRUE(startup_info.InitializeProcThreadAttributeList(1));
+    EXPECT_TRUE(startup_info.UpdateProcThreadAttribute(
+        PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &flags, flags_size));
+    creation_flags = EXTENDED_STARTUPINFO_PRESENT;
+  }
+
+  // Command line must be writable.
+  std::unique_ptr<wchar_t, base::FreeDeleter> cmd_writeable(
+      ::wcsdup(g_winproc_file));
+
+  EXPECT_TRUE(::CreateProcessW(NULL, cmd_writeable.get(), NULL, NULL, FALSE,
+                               creation_flags, NULL, NULL,
+                               startup_info.startup_info(), pi));
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(*event, g_winproc_event_max_wait_ms));
+
+  return;
+}
+
+//------------------------------------------------------------------------------
+// 1. Spawn our Windows process (with or without mitigation enabled).
+// 2. Load our hook Dll locally.
+// 3. Start the hook (for our WinProc or globally).
+// 4. Send a keystroke event.
+// 5. Ask the hook Dll if it received a hook callback.
+// 6. Cleanup the hooking.
+// 7. Signal our Windows process to shutdown.
+//
+// Do NOT use any ASSERTs in this function.  Cleanup required.
+//------------------------------------------------------------------------------
+void TestWin8ExtensionPointHookWrapper(bool is_success_test, bool global_hook) {
+  // 1. Spawn WinProc.
+  PROCESS_INFORMATION proc_info = {};
+  HANDLE event = ::CreateEventW(NULL, FALSE, FALSE, g_winproc_event);
+  EXPECT_TRUE(event != NULL && event != INVALID_HANDLE_VALUE);
+  SpawnWinProc(&proc_info, is_success_test, &event);
+
+  // 2. Load the hook DLL.
+  base::FilePath hook_dll_path(g_hook_dll_file);
+  base::ScopedNativeLibrary dll(hook_dll_path);
+  EXPECT_TRUE(dll.is_valid());
+
+  HOOKPROC hook_proc =
+      reinterpret_cast<HOOKPROC>(dll.GetFunctionPointer(g_hook_handler_func));
+  WasHookCalledFunction WasHookCalled = reinterpret_cast<WasHookCalledFunction>(
+      dll.GetFunctionPointer(g_was_hook_called_func));
+  SetHookFunction SetHook = reinterpret_cast<SetHookFunction>(
+      dll.GetFunctionPointer(g_set_hook_func));
+  EXPECT_TRUE(hook_proc && WasHookCalled && SetHook);
+
+  // 3. Try installing the hook (either on a remote target thread,
+  //    or globally).
+  DWORD target = 0;
+  if (!global_hook)
+    target = proc_info.dwThreadId;
+  HHOOK hook = ::SetWindowsHookExW(WH_KEYBOARD, hook_proc, dll.get(), target);
+  EXPECT_TRUE(hook);
+  SetHook(hook);
+
+  // 4. Inject a keyboard event.
+
+  // Note: that PostThreadMessage and SendMessage APIs will not deliver
+  // a keystroke in such a way that triggers a "legitimate" hook.
+  // Have to use targetless SendInput or keybd_event.  The latter is
+  // less code and easier to work with.
+  keybd_event(VkKeyScan(L'A'), 0, 0, 0);
+  base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(500));
+
+  keybd_event(VkKeyScan(L'A'), 0, KEYEVENTF_KEYUP, 0);
+  // Give it a chance to hit the hook handler...
+  base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(1));
+
+  // 5. Did the hook get hit?  Was it expected to?
+  if (global_hook)
+    EXPECT_EQ((is_success_test ? true : false), WasHookCalled());
+  else
+    // ***IMPORTANT: when targeting a specific thread id, the
+    // PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE
+    // mitigation does NOT disable the hook API.  It ONLY
+    // stops global hooks from running in your process.  Hence,
+    // we expect the hook to have hit (TRUE) even in the "failure"
+    // case for a non-global/targetted hook.
+    EXPECT_EQ((is_success_test ? true : true), WasHookCalled());
+
+  // 6. Disable hook.
+  if (hook)
+    EXPECT_TRUE(::UnhookWindowsHookEx(hook));
+
+  // 7. Trigger shutdown of WinProc.
+  if (::PostThreadMessageW(proc_info.dwThreadId, WM_QUIT, 0, 0)) {
+    // Note: The combination/perfect-storm of a Global Hook, in a
+    // WinProc that has the EXTENSION_POINT_DISABLE mitigation ON, and the
+    // use of the SendInput or keybd_event API to inject a keystroke,
+    // results in the target becoming unresponsive.  If any one of these states
+    // are changed, the problem does not occur.
+    // This means the WM_QUIT message is not handled and the call to
+    // WaitForSingleObject times out.  Therefore not checking the return val.
+    ::WaitForSingleObject(event, g_winproc_event_max_wait_ms);
+    EXPECT_TRUE(::CloseHandle(event));
+  } else {
+    // Make sure we don't leave a stray.
+    ::TerminateProcess(proc_info.hProcess, 0);
+    EXPECT_TRUE(false);
+  }
+  EXPECT_TRUE(::CloseHandle(proc_info.hThread));
+  EXPECT_TRUE(::CloseHandle(proc_info.hProcess));
+}
+
+//------------------------------------------------------------------------------
+// 1. Set up our AppInit Dll in registry settings. (Enable)
+// 2. Spawn our Windows process (with or without mitigation enabled).
+// 3. Check if our AppInit Dll is loaded in our Windows process or not.
+// 4. Signal our Windows process to shutdown.
+// 5. Restore original reg settings.
+//
+// Do NOT use any ASSERTs in this function.  Cleanup required.
+//------------------------------------------------------------------------------
+void TestWin8ExtensionPointAppInitWrapper(bool is_success_test) {
+  // 0.5 Get path of current module.  The appropriate build of the
+  //     AppInit DLL will be in the same directory (and we need to put the
+  //     full path in reg).
+  wchar_t path[MAX_PATH];
+  EXPECT_TRUE(::GetModuleFileNameW(NULL, path, MAX_PATH));
+  // We just want the directory.
+  wchar_t* last_separator = ::wcsrchr(path, L'\\');
+  EXPECT_TRUE(last_separator);
+  last_separator++;
+  *last_separator = L'\0';
+  ::wcsncat(path, g_hook_dll_file, (MAX_PATH - ::wcslen(path)));
+  // Now make sure the path is in "short-name" form for registry.
+  DWORD length = ::GetShortPathNameW(path, NULL, 0);
+  std::vector<wchar_t> short_name(length);
+  EXPECT_TRUE(::GetShortPathNameW(path, &short_name[0], length));
+
+  // 1. Reg setup.
+  wchar_t* app_init_reg_path =
+      L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
+  wchar_t* dlls_value_name = L"AppInit_DLLs";
+  wchar_t* enabled_value_name = L"LoadAppInit_DLLs";
+  wchar_t* signing_value_name = L"RequireSignedAppInit_DLLs";
+  std::wstring orig_dlls;
+  std::wstring new_dlls;
+  DWORD orig_enabled_value = 0;
+  DWORD orig_signing_value = 0;
+  base::win::RegKey app_init_key(HKEY_LOCAL_MACHINE, app_init_reg_path,
+                                 KEY_QUERY_VALUE | KEY_SET_VALUE);
+  // Backup the existing settings.
+  EXPECT_TRUE(app_init_key.Valid());
+  EXPECT_TRUE(app_init_key.HasValue(dlls_value_name) &&
+              app_init_key.HasValue(enabled_value_name));
+  EXPECT_EQ(ERROR_SUCCESS, app_init_key.ReadValue(dlls_value_name, &orig_dlls));
+  EXPECT_EQ(ERROR_SUCCESS,
+            app_init_key.ReadValueDW(enabled_value_name, &orig_enabled_value));
+  if (app_init_key.HasValue(signing_value_name))
+    EXPECT_EQ(ERROR_SUCCESS, app_init_key.ReadValueDW(signing_value_name,
+                                                      &orig_signing_value));
+
+  // Set the new settings we want (obviously requires local admin privileges).
+  new_dlls = orig_dlls;
+  if (0 != orig_dlls.compare(L""))
+    new_dlls.append(L",");
+  new_dlls.append(short_name.data());
+
+  EXPECT_EQ(ERROR_SUCCESS,
+            app_init_key.WriteValue(dlls_value_name, new_dlls.c_str()));
+  if (app_init_key.HasValue(signing_value_name))
+    EXPECT_EQ(ERROR_SUCCESS, app_init_key.WriteValue(signing_value_name,
+                                                     static_cast<DWORD>(0)));
+  EXPECT_EQ(ERROR_SUCCESS,
+            app_init_key.WriteValue(enabled_value_name, static_cast<DWORD>(1)));
+
+  // 2. Spawn WinProc.
+  HANDLE event = ::CreateEventW(NULL, FALSE, FALSE, g_winproc_event);
+  EXPECT_TRUE(event != NULL && event != INVALID_HANDLE_VALUE);
+  base::win::ScopedHandle scoped_event(event);
+  PROCESS_INFORMATION proc_info = {};
+  SpawnWinProc(&proc_info, is_success_test, &event);
+
+  // 3. Check loaded modules in WinProc to see if AppInit dll is loaded.
+  std::vector<HMODULE>(modules);
+  EXPECT_TRUE(
+      base::win::GetLoadedModulesSnapshot(proc_info.hProcess, &modules));
+  bool dll_loaded = false;
+
+  for (auto module : modules) {
+    wchar_t name[MAX_PATH];
+    EXPECT_TRUE(
+        ::GetModuleFileNameExW(proc_info.hProcess, module, name, MAX_PATH));
+
+    // Compare to our dll name!
+    if (::wcsstr(name, g_hook_dll_file)) {
+      // Found it.
+      dll_loaded = true;
+      break;
+    }
+  }
+
+  // Did we pass the test as expected?
+  EXPECT_EQ((is_success_test ? true : false), dll_loaded);
+
+  // 4. Trigger shutdown of WinProc.
+  if (::PostThreadMessageW(proc_info.dwThreadId, WM_QUIT, 0, 0)) {
+    ::WaitForSingleObject(event, g_winproc_event_max_wait_ms);
+  } else {
+    // Make sure we don't leave a stray.
+    ::TerminateProcess(proc_info.hProcess, 0);
+    EXPECT_TRUE(false);
+  }
+  EXPECT_TRUE(::CloseHandle(proc_info.hThread));
+  EXPECT_TRUE(::CloseHandle(proc_info.hProcess));
+
+  // 5. Reg Restore
+  EXPECT_EQ(ERROR_SUCCESS,
+            app_init_key.WriteValue(enabled_value_name, orig_enabled_value));
+  if (app_init_key.HasValue(signing_value_name))
+    EXPECT_EQ(ERROR_SUCCESS,
+              app_init_key.WriteValue(signing_value_name, orig_signing_value));
+  EXPECT_EQ(ERROR_SUCCESS,
+            app_init_key.WriteValue(dlls_value_name, orig_dlls.c_str()));
+  app_init_key.Close();
+}
+
 void TestWin10ImageLoadRemote(bool is_success_test) {
   // ***Insert your manual testing share UNC path here!
   // E.g.: \\\\hostname\\sharename\\calc.exe
   std::wstring unc = L"\"\\\\hostname\\sharename\\calc.exe\"";
 
   sandbox::TestRunner runner;
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
   // Set a policy that would normally allow for process creation.
   policy->SetJobLevel(sandbox::JOB_NONE, 0);
@@ skipping 112 matching lines @@
     setup_proc.Terminate(desired_exit_code, false);
     return SBOX_TEST_SUCCEEDED;
   }
   // Note: GetLastError from CreateProcess returns 5, "ERROR_ACCESS_DENIED".
   return SBOX_TEST_FAILED;
 }
 
 //------------------------------------------------------------------------------
 // Win8 Checks:
 // MITIGATION_DEP(_NO_ATL_THUNK)
-// MITIGATION_EXTENSION_DLL_DISABLE
 // MITIGATION_RELOCATE_IMAGE(_REQUIRED) - ASLR, release only
 // MITIGATION_STRICT_HANDLE_CHECKS
 // >= Win8
 //------------------------------------------------------------------------------
 
-SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
+SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t** argv) {
   get_process_mitigation_policy =
-      reinterpret_cast<GetProcessMitigationPolicyFunction>(
-          ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
-                           "GetProcessMitigationPolicy"));
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
 
 #if !defined(_WIN64)  // DEP is always enabled on 64-bit.
   if (!CheckWin8DepPolicy())
     return SBOX_TEST_FIRST_ERROR;
 #endif
 
 #if defined(NDEBUG)  // ASLR cannot be forced in debug builds.
   if (!CheckWin8AslrPolicy())
     return SBOX_TEST_SECOND_ERROR;
 #endif
 
   if (!CheckWin8StrictHandlePolicy())
     return SBOX_TEST_THIRD_ERROR;
 
-  if (!CheckWin8DllExtensionPolicy())
-    return SBOX_TEST_FIFTH_ERROR;
-
   return SBOX_TEST_SUCCEEDED;
 }
 
 TEST(ProcessMitigationsTest, CheckWin8) {
   if (base::win::GetVersion() < base::win::VERSION_WIN8)
     return;
 
   TestRunner runner;
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
-  sandbox::MitigationFlags mitigations = MITIGATION_DEP |
-                                         MITIGATION_DEP_NO_ATL_THUNK |
-                                         MITIGATION_EXTENSION_DLL_DISABLE;
+  sandbox::MitigationFlags mitigations =
+      MITIGATION_DEP | MITIGATION_DEP_NO_ATL_THUNK;
 #if defined(NDEBUG)  // ASLR cannot be forced in debug builds.
-  mitigations |= MITIGATION_RELOCATE_IMAGE |
-                 MITIGATION_RELOCATE_IMAGE_REQUIRED;
+  mitigations |= MITIGATION_RELOCATE_IMAGE | MITIGATION_RELOCATE_IMAGE_REQUIRED;
 #endif
 
   EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
 
   mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
 
   EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);
 
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
 }
 
 //------------------------------------------------------------------------------
 // DEP (MITIGATION_DEP)
 // < Win8 x86
 //------------------------------------------------------------------------------
 
-SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
+SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t** argv) {
   GetProcessDEPPolicyFunction get_process_dep_policy =
-      reinterpret_cast<GetProcessDEPPolicyFunction>(
-          ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
-                           "GetProcessDEPPolicy"));
+      reinterpret_cast<GetProcessDEPPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessDEPPolicy"));
   if (get_process_dep_policy) {
     BOOL is_permanent = FALSE;
     DWORD dep_flags = 0;
 
     if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
-        &is_permanent)) {
+                                &is_permanent)) {
       return SBOX_TEST_FIRST_ERROR;
     }
 
     if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
       return SBOX_TEST_SECOND_ERROR;
 
   } else {
     NtQueryInformationProcessFunction query_information_process = NULL;
     ResolveNTFunctionPtr("NtQueryInformationProcess",
-                          &query_information_process);
+                         &query_information_process);
     if (!query_information_process)
       return SBOX_TEST_NOT_FOUND;
 
     ULONG size = 0;
     ULONG dep_flags = 0;
     if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
                                              ProcessExecuteFlags, &dep_flags,
                                              sizeof(dep_flags), &size))) {
       return SBOX_TEST_THIRD_ERROR;
     }
 
     static const int MEM_EXECUTE_OPTION_DISABLE = 2;
     static const int MEM_EXECUTE_OPTION_PERMANENT = 8;
     dep_flags &= 0xff;
 
-    if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE |
-                      MEM_EXECUTE_OPTION_PERMANENT)) {
+    if (dep_flags !=
+        (MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT)) {
       return SBOX_TEST_FOURTH_ERROR;
     }
   }
 
   return SBOX_TEST_SUCCEEDED;
 }
 
 #if !defined(_WIN64)  // DEP is always enabled on 64-bit.
 TEST(ProcessMitigationsTest, CheckDep) {
   if (base::win::GetVersion() > base::win::VERSION_WIN7)
     return;
 
   TestRunner runner;
   sandbox::TargetPolicy* policy = runner.GetPolicy();
 
-  EXPECT_EQ(policy->SetProcessMitigations(
-                MITIGATION_DEP |
-                MITIGATION_DEP_NO_ATL_THUNK |
-                MITIGATION_SEHOP),
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_DEP |
+                                          MITIGATION_DEP_NO_ATL_THUNK |
+                                          MITIGATION_SEHOP),
             SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
 }
 #endif
 
 //------------------------------------------------------------------------------
 // Win32k Lockdown (MITIGATION_WIN32K_DISABLE)
 // >= Win8
 //------------------------------------------------------------------------------
 
-SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {
+SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t** argv) {
   get_process_mitigation_policy =
-      reinterpret_cast<GetProcessMitigationPolicyFunction>(
-          ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
-                           "GetProcessMitigationPolicy"));
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
 
   if (!CheckWin8Win32CallPolicy())
     return SBOX_TEST_FIRST_ERROR;
   return SBOX_TEST_SUCCEEDED;
 }
 
 // This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on
 // the target process causes the launch to fail in process initialization.
@@ skipping 23 matching lines @@
 
   EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
             SBOX_ALL_OK);
   EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
                             sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL),
             sandbox::SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
 }
 
 //------------------------------------------------------------------------------
+// Disable extension points (MITIGATION_EXTENSION_POINT_DISABLE).
+// >= Win8
+//------------------------------------------------------------------------------
+SBOX_TESTS_COMMAND int CheckWin8ExtensionPointSetting(int argc,
+                                                      wchar_t** argv) {
+  get_process_mitigation_policy =
+      reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
+          ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
+  if (!get_process_mitigation_policy)
+    return SBOX_TEST_NOT_FOUND;
+
+  if (!CheckWin8ExtensionPointPolicy())
+    return SBOX_TEST_FIRST_ERROR;
+  return SBOX_TEST_SUCCEEDED;
+}
+
+// This test validates that setting the MITIGATION_EXTENSION_POINT_DISABLE
+// mitigation enables the setting on a process.
+TEST(ProcessMitigationsTest, CheckWin8ExtensionPointPolicySuccess) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  TestRunner runner;
+  sandbox::TargetPolicy* policy = runner.GetPolicy();
+
+  EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_EXTENSION_POINT_DISABLE),
+            SBOX_ALL_OK);
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED,
+            runner.RunTest(L"CheckWin8ExtensionPointSetting"));
+}
+
+// This test validates that we CAN add a "legitimate" global hook on the
+// sandboxed
+// proc/thread if the MITIGATION_EXTENSION_POINT_DISABLE mitigation is not set.
+//
+// MANUAL testing only.
+TEST(ProcessMitigationsTest,
+     DISABLED_CheckWin8ExtensionPoint_GlobalHook_Success) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  // (is_success_test, global_hook)
+  TestWin8ExtensionPointHookWrapper(true, true);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+// This test validates that setting the MITIGATION_EXTENSION_POINT_DISABLE
+// mitigation prevents a global hook in our WinProc.
+//
+// MANUAL testing only.
+TEST(ProcessMitigationsTest,
+     DISABLED_CheckWin8ExtensionPoint_GlobalHook_Failure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  // (is_success_test, global_hook)
+  TestWin8ExtensionPointHookWrapper(false, true);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+// This test validates that we CAN add a "legitimate" hook on the sandboxed
+// proc/thread if the MITIGATION_EXTENSION_POINT_DISABLE mitigation is not set.
+//
+// MANUAL testing only.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin8ExtensionPoint_Hook_Success) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  // (is_success_test, global_hook)
+  TestWin8ExtensionPointHookWrapper(true, false);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+// *** Important: MITIGATION_EXTENSION_POINT_DISABLE does NOT prevent
+// hooks targetted at a specific thread id.  It only prevents
+// global hooks.  So this test does NOT actually expect the hook
+// to fail (see TestWin8ExtensionPointHookWrapper function) even
+// with the mitigation on.
+//
+// MANUAL testing only.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin8ExtensionPoint_Hook_Failure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  // (is_success_test, global_hook)
+  TestWin8ExtensionPointHookWrapper(false, false);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+// This test validates that we CAN add an AppInit Dll to a target
+// WinProc if the MITIGATION_EXTENSION_POINT_DISABLE mitigation is not set.
+//
+// MANUAL testing only.
+// Must run this test as admin/elevated.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin8ExtensionPoint_AppInit_Success) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  TestWin8ExtensionPointAppInitWrapper(true);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+// This test validates that setting the MITIGATION_EXTENSION_POINT_DISABLE
+// mitigation prevents the loading of any AppInit Dll into our WinProc.
+//
+// MANUAL testing only.
+// Must run this test as admin/elevated.
+TEST(ProcessMitigationsTest, DISABLED_CheckWin8ExtensionPoint_AppInit_Failure) {
+  if (base::win::GetVersion() < base::win::VERSION_WIN8)
+    return;
+
+  HANDLE mutex = ::CreateMutexW(NULL, FALSE, g_extension_point_test_mutex);
+  EXPECT_TRUE(mutex != NULL && mutex != INVALID_HANDLE_VALUE);
+  EXPECT_EQ(WAIT_OBJECT_0,
+            ::WaitForSingleObject(mutex, g_test_mutex_max_wait_ms));
+
+  TestWin8ExtensionPointAppInitWrapper(false);
+
+  EXPECT_TRUE(::ReleaseMutex(mutex));
+  EXPECT_TRUE(::CloseHandle(mutex));
+}
+
+//------------------------------------------------------------------------------
 // Disable non-system font loads (MITIGATION_NONSYSTEM_FONT_DISABLE)
 // >= Win10
 //------------------------------------------------------------------------------
 
 SBOX_TESTS_COMMAND int CheckWin10FontLockDown(int argc, wchar_t** argv) {
   get_process_mitigation_policy =
       reinterpret_cast<GetProcessMitigationPolicyFunction>(::GetProcAddress(
           ::GetModuleHandleW(L"kernel32.dll"), "GetProcessMitigationPolicy"));
   if (!get_process_mitigation_policy)
     return SBOX_TEST_NOT_FOUND;
@@ skipping 144 matching lines @@
       policy->SetDelayedProcessMitigations(MITIGATION_IMAGE_LOAD_NO_REMOTE),
       SBOX_ALL_OK);
   EXPECT_EQ(SBOX_TEST_SUCCEEDED,
             runner.RunTest(L"CheckWin10ImageLoadNoRemote"));
 }
 
 // This test validates that we CAN create a new process from
 // a remote UNC device, if the MITIGATION_IMAGE_LOAD_NO_REMOTE
 // mitigation is NOT set.
 //
-// DISABLED for automated testing bots.  Enable for manual testing.
+// MANUAL testing only.
 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteSuccess) {
   if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
     return;
 
   TestWin10ImageLoadRemote(true);
 }
 
 // This test validates that setting the MITIGATION_IMAGE_LOAD_NO_REMOTE
 // mitigation prevents creating a new process from a remote
 // UNC device.
 //
-// DISABLED for automated testing bots.  Enable for manual testing.
+// MANUAL testing only.
 TEST(ProcessMitigationsTest, DISABLED_CheckWin10ImageLoadNoRemoteFailure) {
   if (base::win::GetVersion() < base::win::VERSION_WIN10_TH2)
     return;
 
   TestWin10ImageLoadRemote(false);
 }
 
 //------------------------------------------------------------------------------
 // Disable image load when "mandatory low label" (integrity level).
 // (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL)
@@ skipping 121 matching lines @@
   cmd = cmd.Append(L"calc.exe");
 
   std::wstring test_command(base::StringPrintf(L"TestChildProcess %ls 0x%08X",
                                                cmd.value().c_str(),
                                                STATUS_ACCESS_VIOLATION));
 
   EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(test_command.c_str()));
 }
 
 }  // namespace sandbox