[Windows Sandbox] New process mitigations (and tests).

- Dynamic Code Disable >= Win8.1.
  - Thread opt-out >= Win10 RS1.
  - Prevents the process from generating dynamic code or modifying executable code. Second option to allow thread-specific opt-out.
    - VirtualAlloc with PAGE_EXECUTE_*
    - VirtualProtect with PAGE_EXECUTE_*
    - MapViewOfFile with FILE_MAP_EXECUTE | FILE_MAP_WRITE
    - SetProcessValidCallTargets for CFG

- MS Code Signing enforcement >= Win10 TH2.
  - Prevents the process from loading binaries NOT signed by MS.

- Image load prefer system32 >= Win10 RS1.
  - Forces image load preference to prioritize the Windows install System32 folder before dll load dir, application dir and any user dirs set.
  - Affects IAT resolution standard search path only, NOT direct LoadLibrary or executable search path.

TEST= sbox_integration_tests.exe, ProcessMitigationsTest.*
BUG=733739
R=forshaw@chromium.org
TBR=grt@chromium.org

Change-Id: I4347a9002368961e17f3f83ba39d50c469065bdc
Reviewed-on: https://chromium-review.googlesource.com/566286
Commit-Queue: Penny MacNeil <pennymac@chromium.org>
Reviewed-by: James Forshaw <forshaw@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486464}
16 files changed