Only pass executable sections to OnDllLoaded for patching

On recent Windows insider builds GetModuleHandleExW loads sections for
inspection as non-executable images, rather than as files. This leads
to our hooks detecting the SEC_IMAGE attribute and potentially patching
functions (e.g. for user32.dll).

This caused content_browsertests to fail as it pinned user32.dll in some
processes. With this change, the tests run again.

See crbug.com/1143397 for a full discussion.

Bug: 1143397
Change-Id: I3b75464d0442160a417e4cb7084306841aaf76f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2511531Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#823354}

sandbox/win/src/sandbox_nt_util.cc

@@ -404,6 +404,20 @@ bool IsValidImageSection(HANDLE section,
   if (!(basic_info.Attributes & SEC_IMAGE))
     return false;
 
+  // Windows 10 2009+ may open PEs as SEC_IMAGE_NO_EXECUTE in non-dll-loading
+  // paths which looks identical to dll-loading unless we check if the section
+  // handle has execute rights.
+  OBJECT_BASIC_INFORMATION obj_info;
+  ULONG obj_size_returned;
+  ret = g_nt.QueryObject(section, ObjectBasicInformation, &obj_info,
+                         sizeof(obj_info), &obj_size_returned);
+
+  if (!NT_SUCCESS(ret) || sizeof(obj_info) != obj_size_returned)
+    return false;
+
+  if (!(obj_info.GrantedAccess & SECTION_MAP_EXECUTE))
+    return false;
+
   return true;
 }