From 7a61a0ca898260e012322f72c88644f74c43c992 Mon Sep 17 00:00:00 2001
From: Tu Dinh <1257909+dinhngtu@users.noreply.github.com>
Date: Sun, 31 Dec 2023 00:01:31 +0100
Subject: [PATCH] Disable child processes in NanaZipC and NanaZipG.
---
 NanaZip.Shared/Mitigations.cpp | 26 +++++++++++++++++++
 NanaZip.Shared/Mitigations.h | 1 +
 .../SevenZip/CPP/7zip/UI/Console/MainAr.cpp | 8 ++++++
 .../SevenZip/CPP/7zip/UI/GUI/GUI.cpp | 4 +++
 4 files changed, 39 insertions(+)
diff --git a/NanaZip.Shared/Mitigations.cpp b/NanaZip.Shared/Mitigations.cpp
index b7c6efeb3..065d5a0e8 100644
--- a/NanaZip.Shared/Mitigations.cpp
+++ b/NanaZip.Shared/Mitigations.cpp
@@ -100,6 +100,12 @@ namespace
 static bool CachedResult = ::MileIsWindowsVersionAtLeast(10, 0, 0);
 return CachedResult;
 }
+
+ static bool IsWindows10_1709OrLater()
+ {
+ static bool CachedResult = ::MileIsWindowsVersionAtLeast(10, 0, 16299);
+ return CachedResult;
+ }
 }
 EXTERN_C BOOL WINAPI NanaZipEnableMitigations()
@@ -169,3 +175,23 @@ EXTERN_C BOOL WINAPI NanaZipThreadDynamicCodeAllow()
 &ThreadPolicy,
 sizeof(DWORD));
 }
+
+EXTERN_C BOOL WINAPI NanaZipDisableChildProcesses()
+{
+ if (!::IsWindows10_1709OrLater())
+ {
+ return TRUE;
+ }
+
+ PROCESS_MITIGATION_CHILD_PROCESS_POLICY Policy = { 0 };
+ Policy.NoChildProcessCreation = 1;
+ if (!::SetProcessMitigationPolicyWrapper(
+ ProcessChildProcessPolicy,
+ &Policy,
+ sizeof(PROCESS_MITIGATION_CHILD_PROCESS_POLICY)))
+ {
+ return FALSE;
+ }
+
+ return TRUE;
+}
diff --git a/NanaZip.Shared/Mitigations.h b/NanaZip.Shared/Mitigations.h
index 0d750683b..00fbdd9c7 100644
--- a/NanaZip.Shared/Mitigations.h
+++ b/NanaZip.Shared/Mitigations.h
@@ -16,5 +16,6 @@ EXTERN_C BOOL WINAPI NanaZipEnableMitigations();
 EXTERN_C BOOL WINAPI NanaZipThreadDynamicCodeAllow();
+EXTERN_C BOOL WINAPI NanaZipDisableChildProcesses();
 #endif // !NANAZIP_SHARED_MITIGATIONS
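Review bot: In NanaZip.Shared/Mitigations.cpp, NanaZipDisableChildProcesses() returns TRUE on builds older than 10.0.16299 without applying anything, so a TRUE result does not tell the caller that the policy is in force. Say so in a comment above the function, for example `// Returns TRUE without applying the policy when the OS is older than Windows 10 build 16299.`, otherwise the call sites in MainAr.cpp and GUI.cpp read as if the restriction always holds. The same comment should record that NoChildProcessCreation is expected to stay set for the life of the process and that it limits process creation by this process only; launches performed on its behalf by another process are, as far as I know, not covered, so this is hardening rather than a containment boundary. As a smaller style point, the tail could be `return ::SetProcessMitigationPolicyWrapper(...);`, which is what the end of NanaZipThreadDynamicCodeAllow() in the context lines appears to do.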
diff --git a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp
index a1fbe30c9..04dcf5aad 100644
--- a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp
+++ b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/Console/MainAr.cpp
@@ -77,6 +77,14 @@ int MY_CDECL main
 << NError::MyFormatMessage(GetLastError())
 << endl;
 }
+ if (!::NanaZipDisableChildProcesses())
+ {
+ FlushStreams();
+ *g_ErrStream
+ << "Cannot disable child processes: "
+ << NError::MyFormatMessage(GetLastError())
+ << endl;
+ }
 NConsoleClose::CCtrlHandlerSetter ctrlHandlerSetter;
 int res = 0;
diff --git a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp
index 230ba5fb4..36203ce8f 100644
--- a/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp
+++ b/NanaZip.UI.Classic/SevenZip/CPP/7zip/UI/GUI/GUI.cpp
@@ -400,6 +400,10 @@ int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE /* hPrevInstance */,
 {
 ErrorMessage("Cannot enable security mitigations");
 }
+ if (!::NanaZipDisableChildProcesses())
+ {
+ ErrorMessage("Cannot disable child processes");
+ }
 InitCommonControls();
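Review bot: In the MainAr.cpp hunk, FlushStreams() runs before GetLastError() is read, so any Win32 call made while flushing can overwrite the error code left by the failed policy call and the message may report the wrong reason. Capture it first with `const DWORD lastError = ::GetLastError();` as the first statement of the branch, and pass `lastError` to `NError::MyFormatMessage`. Whether SetProcessMitigationPolicyWrapper preserves the last error on its own failure paths is not visible here and is worth confirming. The block above may have the same ordering, but only its tail is in the hunk; main starts and ends outside it.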
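Review bot: In the GUI.cpp hunk, `ErrorMessage("Cannot disable child processes")` drops the error code, while the console entry point in MainAr.cpp formats GetLastError() for the same failure; including the code here would make a failed start diagnosable from the dialog alone. Execution then continues into InitCommonControls(), so NanaZipG runs without the policy when the call fails; if that is the intent, a comment such as `// Best effort: keep running without the child-process policy.` would record it. Once the policy is set, any later attempt by this process to start another program will presumably be denied, so it is worth confirming that no NanaZipG code path depends on that. WinMain starts and ends outside the hunk.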