1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/chrome_elf/chrome_elf_security.h"
// clang-format off
#include <windows.h> // Must be included before versionhelpers.h
#include <versionhelpers.h>
// clang-format on
#include <assert.h>
#include <ntstatus.h>
#include <optional>
#include "base/check.h"
#include "base/file_version_info.h"
#include "base/logging.h"
#include "base/threading/thread_checker.h"
#include "base/win/current_module.h"
#include "chrome/chrome_elf/chrome_elf_constants.h"
#include "chrome/chrome_elf/nt_registry/nt_registry.h"
#include "chrome/install_static/install_util.h"
namespace elf_security {
namespace {
// Used to turn off validation in tests
static bool g_validate_not_exe_for_testing = true;
// Used to ensure we are calling a method defined in the correct module.
// In particular, there are often issues where the exe version is called
// instead of the dll version.
void MaybeValidateNotCallingFromExe() {
HMODULE module;
// NULL returns the exe we're running in
DCHECK(::GetModuleHandleExW(0, NULL, &module));
DCHECK(CURRENT_MODULE() != module);
}
class ExtensionPointDisableSet {
public:
~ExtensionPointDisableSet() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
}
ExtensionPointDisableSet(const ExtensionPointDisableSet&) = delete;
ExtensionPointDisableSet& operator=(const ExtensionPointDisableSet&) = delete;
static ExtensionPointDisableSet* GetInstance() {
static ExtensionPointDisableSet* instance = nullptr;
if (!instance) {
instance = new ExtensionPointDisableSet();
}
return instance;
}
void SetExtensionPointDisabled(bool set) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
CHECK(!extension_point_disable_set_.has_value());
extension_point_disable_set_ = set;
}
bool GetExtensionPointDisabled() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
if (extension_point_disable_set_.has_value())
return extension_point_disable_set_.value();
return false;
}
private:
ExtensionPointDisableSet() { DETACH_FROM_THREAD(thread_checker_); }
THREAD_CHECKER(thread_checker_);
std::optional<bool> extension_point_disable_set_
GUARDED_BY_CONTEXT(thread_checker_);
};
} // namespace
void EarlyBrowserSecurity() {
// This function is called from within DllMain.
// Don't do anything naughty while we have the loader lock.
NTSTATUS ret_val = STATUS_SUCCESS;
HANDLE handle = INVALID_HANDLE_VALUE;
// Check for kRegBrowserExtensionPointKeyName. We only disable extension
// points when this exists, for devices that have been vetted by our
// heuristic.
if (!nt::OpenRegKey(nt::HKCU,
install_static::GetRegistryPath()
.append(elf_sec::kRegBrowserExtensionPointKeyName)
.c_str(),
KEY_QUERY_VALUE, &handle, &ret_val)) {
#ifdef _DEBUG
// The only failure expected is for the path not existing.
if (ret_val != STATUS_OBJECT_NAME_NOT_FOUND)
assert(false);
#endif
return;
}
nt::CloseRegKey(handle);
// Disable extension points (legacy hooking) in this process.
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
policy.DisableExtensionPoints = true;
SetProcessMitigationPolicy(ProcessExtensionPointDisablePolicy, &policy,
sizeof(policy));
ExtensionPointDisableSet::GetInstance()->SetExtensionPointDisabled(true);
return;
}
void ValidateExeForTesting(bool on) {
g_validate_not_exe_for_testing = on;
}
bool IsExtensionPointDisableSet() {
if (g_validate_not_exe_for_testing)
MaybeValidateNotCallingFromExe();
return ExtensionPointDisableSet::GetInstance()->GetExtensionPointDisabled();
}
} // namespace elf_security
|
