Add mitigation policy of disabling child process creation for command…

… line version of NanaZip. (#360)
M2Team · Jan 17, 2024 · 0090ebf · 0090ebf
1 parent 1a868c8
commit 0090ebf
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 0 deletions.
diff --git a/NanaZip.Shared/Mitigations.cpp b/NanaZip.Shared/Mitigations.cpp
@@ -100,6 +100,12 @@ namespace
         static bool CachedResult = ::MileIsWindowsVersionAtLeast(10, 0, 0);
         return CachedResult;
     }
+
+    static bool IsWindows10_1709OrLater()
+    {
+        static bool CachedResult = ::MileIsWindowsVersionAtLeast(10, 0, 16299);
+        return CachedResult;
+    }
 }
 
 EXTERN_C BOOL WINAPI NanaZipEnableMitigations()
@@ -169,3 +175,23 @@ EXTERN_C BOOL WINAPI NanaZipThreadDynamicCodeAllow()
         &ThreadPolicy,
         sizeof(DWORD));
 }
+
+EXTERN_C BOOL WINAPI NanaZipDisableChildProcesses()
+{
+    if (!::IsWindows10_1709OrLater())
+    {
+        return TRUE;
+    }
+
+    PROCESS_MITIGATION_CHILD_PROCESS_POLICY Policy = { 0 };
+    Policy.NoChildProcessCreation = 1;
+    if (!::SetProcessMitigationPolicyWrapper(
+        ProcessChildProcessPolicy,
+        &Policy,
+        sizeof(PROCESS_MITIGATION_CHILD_PROCESS_POLICY)))
+    {
+        return FALSE;
+    }
+
+    return TRUE;
+}
diff --git a/NanaZip.Shared/Mitigations.h b/NanaZip.Shared/Mitigations.h
@@ -16,5 +16,6 @@
 
 EXTERN_C BOOL WINAPI NanaZipEnableMitigations();
 EXTERN_C BOOL WINAPI NanaZipThreadDynamicCodeAllow();
+EXTERN_C BOOL WINAPI NanaZipDisableChildProcesses();
 
 #endif // !NANAZIP_SHARED_MITIGATIONS
diff --git a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp
@@ -77,6 +77,14 @@ int MY_CDECL main
       << NError::MyFormatMessage(GetLastError())
       << endl;
   }
+  if (!::NanaZipDisableChildProcesses())
+  {
+    FlushStreams();
+    *g_ErrStream
+      << "Cannot disable child processes: "
+      << NError::MyFormatMessage(GetLastError())
+      << endl;
+  }
 
   NConsoleClose::CCtrlHandlerSetter ctrlHandlerSetter;
   int res = 0;

diff --git a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp
@@ -400,6 +400,10 @@ int APIENTRY WinMain(HINSTANCE  hInstance, HINSTANCE /* hPrevInstance */,
   {
     ErrorMessage("Cannot enable security mitigations");
   }
+  if (!::NanaZipDisableChildProcesses())
+  {
+    ErrorMessage("Cannot disable child processes");
+  }
 
   InitCommonControls();
 

diff --git a/NanaZip.UI.Modern/SevenZip/CPP/7zip/UI/Console/MainAr.cpp b/NanaZip.UI.Modern/SevenZip/CPP/7zip/UI/Console/MainAr.cpp
@@ -77,6 +77,14 @@ int MY_CDECL main
       << NError::MyFormatMessage(GetLastError())
       << endl;
   }
+  if (!::NanaZipDisableChildProcesses())
+  {
+    FlushStreams();
+    *g_ErrStream
+      << "Cannot disable child processes: "
+      << NError::MyFormatMessage(GetLastError())
+      << endl;
+  }
 
   NConsoleClose::CCtrlHandlerSetter ctrlHandlerSetter;
   int res = 0;

diff --git a/NanaZip.UI.Modern/SevenZip/CPP/7zip/UI/GUI/GUI.cpp b/NanaZip.UI.Modern/SevenZip/CPP/7zip/UI/GUI/GUI.cpp
@@ -400,6 +400,10 @@ int APIENTRY WinMain(HINSTANCE  hInstance, HINSTANCE /* hPrevInstance */,
   {
     ErrorMessage("Cannot enable security mitigations");
   }
+  if (!::NanaZipDisableChildProcesses())
+  {
+    ErrorMessage("Cannot disable child processes");
+  }
 
   InitCommonControls();