Harry
Reputation: 179
How to tell if /GS compiler is enabled for a PE Win32
I am able to parse ASLR, DEP, SEH, etc. from the DOS headers but not sure how to tell if the file was compiled with /GS stack canaries.
I am writing a program, so pointing me to a program like PEStudio won't help me unless its open source.
Is this part of the dos headers? Or do I have to scan the .data section for __security_cookie?
Upvotes: 1
Views: 618
Answers (1)
Neitsa
Reputation: 8166
- Go to IMAGE_NT_HEADERS
- Then IMAGE_OPTIONAL_HEADER (IMAGE_NT_HEADERS.OptionalHeader )
- Then IMAGE_DATA_DIRECTORY (IMAGE_NT_HEADERS.OptionalHeader.DataDirectory)
- The 10th entry VirtualAddress member is an RVA to the "Load Configuration Directory".
- IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress
The Load Configuration Directory is an IMAGE_LOAD_CONFIG_DIRECTORY structure.
Check the SecurityCookie member: if it's not 0 then /GS is in use for this PE.
Upvotes: 3
Related Questions
- How to identify if an executable file was compiled from C or C++?
- How to tell whether an executable was compiled for the present machine?
- Is there a cross platform way to detect debug mode compilation?
- Determining whether compiling on Windows or other system
- Detect compiler with #ifdef
- C++ Read PE Optional Headers to determine DEP and ASLR
- Checking if given process is running
- How do I find out if a .exe is running in c++?
- How to tell if a windows PE file is a console subsystem or a windows subsystem programmatically?
- Find out where PE file ends through PE header?