GS edge case #13

woodruffw · 2018-08-30T15:25:24Z

Split out from #5: If the user defines a custom entrypoint via /ENTRY, we should verify that they call call __security_init_cookie(). If they fail to, we should mark GS as not enabled, as the stack cookie will be whatever the compile time value was.

The text was updated successfully, but these errors were encountered:

woodruffw · 2018-09-27T13:29:29Z

https://github.com/olliencc/WinBinaryAudit contains more advanced GS checks that we should probably build off of.

woodruffw · 2020-04-25T03:19:55Z

To elaborate: the current /GS detection is probably over-sensitive, since every recent build of the Windows CRT has stack cookies enabled and uses the default cookie to protect _start at the very minimum.

Instead, we should be checking for /GS instrumentation in non-_start functions, which will look something like this in pseudo-assembly:

mov rax, [__security_cookie]
xor rax, rsp
# ...

where __security_cookie is pointed to by the RVA in the load config's SecurityCookie field.

woodruffw added the enhancement New feature or request label Aug 30, 2018

woodruffw added the good first issue Good for newcomers label Sep 12, 2018

woodruffw added the hacktoberfest label Oct 1, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GS edge case #13

GS edge case #13

woodruffw commented Aug 30, 2018

woodruffw commented Sep 27, 2018

woodruffw commented Apr 25, 2020

GS edge case #13

GS edge case #13

Comments

woodruffw commented Aug 30, 2018

woodruffw commented Sep 27, 2018

woodruffw commented Apr 25, 2020