Since the C language has no native string type, the compiler defines a string buffer as an array of 1- or 2-byte elements with a total size of at least 5 bytes. The GS protection is applied to all functions with arrays that match this description.
......
Visual Studio 2005 SP1 introduced a new compiler directive that enables more aggressive GS heuristics. If #pragma strict_gs_check is turned on, the compiler adds a GS cookie to all functions that use arrays, dereference data through pointer arithmetic, or pass the address of any local variable to another function. This results in much more complete protection at the expense of runtime performance.
And SafeSEH has one detail worth noting:
By default, in processes with DEP enabled there are only two types of exception handlers that are considered valid by the exception dispatcher:
1. handler found in the SafeSEH table of an image without the NO_SEH flag
2. handler on an executable page in an image without the NO_SEH flag, without a SafeSEH table and without the .NET ILonly flag
In processes with DEP disabled there are three valid cases:
1. handler found in the SafeSEH table of an image without the NO_SEH flag
2. handler in an image without the NO_SEH flag, without a SafeSEH table and without the .NET ILonly flag
3. handler on a non-image page, but not on the stack of the current thread
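The handler-validity rules quoted above, modelled as an added example (my own code, not the exception dispatcher's and not from the paper). It assumes a constructed image layout and absolute handler addresses in the SafeSEH table; the `Image` class and `is_valid_handler` are hypothetical names for illustration.

```python
# Added example: a simplified model of the handler-validity rules quoted above.
# Image, is_valid_handler and the sample layout are constructed for illustration;
# this is not the dispatcher's real implementation.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Image:
    name: str
    base: int
    size: int
    no_seh: bool = False                       # NO_SEH flag set on the image
    il_only: bool = False                      # .NET ILonly flag set
    safeseh_table: Optional[List[int]] = None  # absolute handler addresses; None = no table
    exec_ranges: List[Tuple[int, int]] = field(default_factory=list)  # executable [lo, hi)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    def is_executable(self, addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in self.exec_ranges)

def is_valid_handler(handler: int, dep_enabled: bool, images: List[Image],
                     thread_stack: Tuple[int, int]) -> bool:
    """Apply the two (DEP on) or three (DEP off) accepted cases to a handler address."""
    for img in images:
        if not img.contains(handler):
            continue
        if img.no_seh:
            return False                       # NO_SEH images never supply handlers
        if img.safeseh_table is not None:
            return handler in img.safeseh_table  # case 1: must be registered in the table
        if img.il_only:
            return False
        # case 2: no table; with DEP the page must additionally be executable
        return img.is_executable(handler) if dep_enabled else True
    if dep_enabled:
        return False                           # no non-image case under DEP
    lo, hi = thread_stack                      # case 3: non-image page, not the thread's stack
    return not (lo <= handler < hi)

# Constructed sample layout: one image with a SafeSEH table, one legacy image without.
SAFE = Image("a.dll", 0x10000000, 0x1000, safeseh_table=[0x10000400],
             exec_ranges=[(0x10000000, 0x10001000)])
LEGACY = Image("b.dll", 0x20000000, 0x2000, exec_ranges=[(0x20000000, 0x20001000)])
IMAGES = [SAFE, LEGACY]
STACK = (0x00100000, 0x00200000)

if __name__ == "__main__":
    for dep in (True, False):
        for addr in (0x10000400, 0x10000404, 0x20001800, 0x00150000, 0x00300000):
            print(f"DEP={dep} handler=0x{addr:08x} valid={is_valid_handler(addr, dep, IMAGES, STACK)}")
```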
And as for ASLR, it turns out there is a registry key that controls the switch:
This behaviour is controlled using the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages, which by default does not exist. The following behaviour is defined for this key:
1. If the value is set to 0, never randomize image bases in memory; always honour the base address.
2. If set to -1, randomize any image regardless of whether it has elected to take part in ASLR or not (providing it is relocatable).
3. If set to any other value, randomize only images that have elected to take part in randomization. This is the default behaviour.