├── .gitignore
├── LICENSE
├── README.md
├── TinyReturnFlowGuard.sln
├── TinyReturnFlowGuard.vcxproj
├── TinyReturnFlowGuard.vcxproj.filters
├── main.cpp
└── security_check_cookie_ex.asm
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 | *.VC.VC.opendb
85 |
86 | # Visual Studio profiler
87 | *.psess
88 | *.vsp
89 | *.vspx
90 | *.sap
91 |
92 | # TFS 2012 Local Workspace
93 | $tf/
94 |
95 | # Guidance Automation Toolkit
96 | *.gpState
97 |
98 | # ReSharper is a .NET coding add-in
99 | _ReSharper*/
100 | *.[Rr]e[Ss]harper
101 | *.DotSettings.user
102 |
103 | # JustCode is a .NET coding add-in
104 | .JustCode
105 |
106 | # TeamCity is a build add-in
107 | _TeamCity*
108 |
109 | # DotCover is a Code Coverage Tool
110 | *.dotCover
111 |
112 | # NCrunch
113 | _NCrunch_*
114 | .*crunch*.local.xml
115 | nCrunchTemp_*
116 |
117 | # MightyMoose
118 | *.mm.*
119 | AutoTest.Net/
120 |
121 | # Web workbench (sass)
122 | .sass-cache/
123 |
124 | # Installshield output folder
125 | [Ee]xpress/
126 |
127 | # DocProject is a documentation generator add-in
128 | DocProject/buildhelp/
129 | DocProject/Help/*.HxT
130 | DocProject/Help/*.HxC
131 | DocProject/Help/*.hhc
132 | DocProject/Help/*.hhk
133 | DocProject/Help/*.hhp
134 | DocProject/Help/Html2
135 | DocProject/Help/html
136 |
137 | # Click-Once directory
138 | publish/
139 |
140 | # Publish Web Output
141 | *.[Pp]ublish.xml
142 | *.azurePubxml
143 | # TODO: Comment the next line if you want to checkin your web deploy settings
144 | # but database connection strings (with potential passwords) will be unencrypted
145 | *.pubxml
146 | *.publishproj
147 |
148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
149 | # checkin your Azure Web App publish settings, but sensitive information contained
150 | # in these scripts will be unencrypted
151 | PublishScripts/
152 |
153 | # NuGet Packages
154 | *.nupkg
155 | # The packages folder can be ignored because of Package Restore
156 | **/packages/*
157 | # except build/, which is used as an MSBuild target.
158 | !**/packages/build/
159 | # Uncomment if necessary however generally it will be regenerated when needed
160 | #!**/packages/repositories.config
161 | # NuGet v3's project.json files produces more ignoreable files
162 | *.nuget.props
163 | *.nuget.targets
164 |
165 | # Microsoft Azure Build Output
166 | csx/
167 | *.build.csdef
168 |
169 | # Microsoft Azure Emulator
170 | ecf/
171 | rcf/
172 |
173 | # Windows Store app package directories and files
174 | AppPackages/
175 | BundleArtifacts/
176 | Package.StoreAssociation.xml
177 | _pkginfo.txt
178 |
179 | # Visual Studio cache files
180 | # files ending in .cache can be ignored
181 | *.[Cc]ache
182 | # but keep track of directories ending in .cache
183 | !*.[Cc]ache/
184 |
185 | # Others
186 | ClientBin/
187 | ~$*
188 | *~
189 | *.dbmdl
190 | *.dbproj.schemaview
191 | *.pfx
192 | *.publishsettings
193 | node_modules/
194 | orleans.codegen.cs
195 |
196 | # Since there are multiple workflows, uncomment next line to ignore bower_components
197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
198 | #bower_components/
199 |
200 | # RIA/Silverlight projects
201 | Generated_Code/
202 |
203 | # Backup & report files from converting an old project file
204 | # to a newer Visual Studio version. Backup files are not needed,
205 | # because we have git ;-)
206 | _UpgradeReport_Files/
207 | Backup*/
208 | UpgradeLog*.XML
209 | UpgradeLog*.htm
210 |
211 | # SQL Server files
212 | *.mdf
213 | *.ldf
214 |
215 | # Business Intelligence projects
216 | *.rdl.data
217 | *.bim.layout
218 | *.bim_*.settings
219 |
220 | # Microsoft Fakes
221 | FakesAssemblies/
222 |
223 | # GhostDoc plugin setting file
224 | *.GhostDoc.xml
225 |
226 | # Node.js Tools for Visual Studio
227 | .ntvs_analysis.dat
228 |
229 | # Visual Studio 6 build log
230 | *.plg
231 |
232 | # Visual Studio 6 workspace options file
233 | *.opt
234 |
235 | # Visual Studio LightSwitch build output
236 | **/*.HTMLClient/GeneratedArtifacts
237 | **/*.DesktopClient/GeneratedArtifacts
238 | **/*.DesktopClient/ModelManifest.xml
239 | **/*.Server/GeneratedArtifacts
240 | **/*.Server/ModelManifest.xml
241 | _Pvt_Extensions
242 |
243 | # Paket dependency manager
244 | .paket/paket.exe
245 | paket-files/
246 |
247 | # FAKE - F# Make
248 | .fake/
249 |
250 | # JetBrains Rider
251 | .idea/
252 | *.sln.iml
253 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2017 TheEragon
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # TinyReturnFlowGuard
2 | TinyReturnFlowGuard is a minimal MSVC project that demonstrates how to enable Return Flow Guard in current builds of Microsoft Visual Studio 2017
3 |
4 | ### Requirements
5 | - [Visual Studio 2017 RC3 (or newer)](https://www.visualstudio.com/vs/visual-studio-2017-rc/)
6 | - [Microsoft Windows 10 15021 (or newer) SDK](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewSDK)
7 |
8 | ### Instructions
9 | Open in Visual Studio, select ReleaseRfEnabled or ReleaseRfInstrumented, compile and enjoy RFG
10 |
11 | ### TODO
12 | - Implement a test that would demonstrate RFG in action
13 | - Support ReleaseRfStrict
14 | - Exception handling in __security_check_cookie_ex and __security_check_cookie_ex_sp
15 |
16 | License
17 | ----
18 | MIT
19 |
20 | Links
21 | ----
22 | http://xlab.tencent.com/en/2016/11/02/return-flow-guard/
23 |
--------------------------------------------------------------------------------
/TinyReturnFlowGuard.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.26127.3
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TinyReturnFlowGuard", "TinyReturnFlowGuard.vcxproj", "{940A78EB-65DD-4897-B959-EE3F0876AE8B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | ReleaseRfEnabled|x64 = ReleaseRfEnabled|x64
15 | ReleaseRfEnabled|x86 = ReleaseRfEnabled|x86
16 | ReleaseRfInstrumented|x64 = ReleaseRfInstrumented|x64
17 | ReleaseRfInstrumented|x86 = ReleaseRfInstrumented|x86
18 | ReleaseRfStrict|x64 = ReleaseRfStrict|x64
19 | ReleaseRfStrict|x86 = ReleaseRfStrict|x86
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Debug|x64.ActiveCfg = Debug|x64
23 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Debug|x64.Build.0 = Debug|x64
24 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Debug|x86.ActiveCfg = Debug|Win32
25 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Debug|x86.Build.0 = Debug|Win32
26 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Release|x64.ActiveCfg = Release|x64
27 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Release|x64.Build.0 = Release|x64
28 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Release|x86.ActiveCfg = Release|Win32
29 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.Release|x86.Build.0 = Release|Win32
30 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfEnabled|x64.ActiveCfg = ReleaseRfEnabled|x64
31 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfEnabled|x64.Build.0 = ReleaseRfEnabled|x64
32 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfEnabled|x86.ActiveCfg = ReleaseRfEnabled|Win32
33 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfEnabled|x86.Build.0 = ReleaseRfEnabled|Win32
34 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfInstrumented|x64.ActiveCfg = ReleaseRfInstrumented|x64
35 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfInstrumented|x64.Build.0 = ReleaseRfInstrumented|x64
36 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfInstrumented|x86.ActiveCfg = ReleaseRfInstrumented|Win32
37 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfInstrumented|x86.Build.0 = ReleaseRfInstrumented|Win32
38 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfStrict|x64.ActiveCfg = ReleaseRfStrict|x64
39 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfStrict|x64.Build.0 = ReleaseRfStrict|x64
40 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfStrict|x86.ActiveCfg = ReleaseRfStrict|Win32
41 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}.ReleaseRfStrict|x86.Build.0 = ReleaseRfStrict|Win32
42 | EndGlobalSection
43 | GlobalSection(SolutionProperties) = preSolution
44 | HideSolutionNode = FALSE
45 | EndGlobalSection
46 | EndGlobal
47 |
--------------------------------------------------------------------------------
/TinyReturnFlowGuard.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | ReleaseRfEnabled
10 | Win32
11 |
12 |
13 | ReleaseRfEnabled
14 | x64
15 |
16 |
17 | ReleaseRfInstrumented
18 | Win32
19 |
20 |
21 | ReleaseRfInstrumented
22 | x64
23 |
24 |
25 | ReleaseRfStrict
26 | Win32
27 |
28 |
29 | ReleaseRfStrict
30 | x64
31 |
32 |
33 | Release
34 | Win32
35 |
36 |
37 | Debug
38 | x64
39 |
40 |
41 | Release
42 | x64
43 |
44 |
45 |
46 | 15.0
47 | {940A78EB-65DD-4897-B959-EE3F0876AE8B}
48 | Win32Proj
49 | TinyReturnFlowGuard
50 | 10.0.15021.0
51 |
52 |
53 |
54 | Application
55 | true
56 | v141
57 | Unicode
58 |
59 |
60 | Application
61 | false
62 | v141
63 | true
64 | Unicode
65 |
66 |
67 | Application
68 | false
69 | v141
70 | true
71 | Unicode
72 |
73 |
74 | Application
75 | false
76 | v141
77 | true
78 | Unicode
79 |
80 |
81 | Application
82 | false
83 | v141
84 | true
85 | Unicode
86 |
87 |
88 | Application
89 | true
90 | v141
91 | Unicode
92 |
93 |
94 | Application
95 | false
96 | v141
97 | true
98 | Unicode
99 |
100 |
101 | Application
102 | false
103 | v141
104 | true
105 | Unicode
106 |
107 |
108 | Application
109 | false
110 | v141
111 | true
112 | Unicode
113 |
114 |
115 | Application
116 | false
117 | v141
118 | true
119 | Unicode
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 | true
160 |
161 |
162 | true
163 |
164 |
165 | false
166 |
167 |
168 | false
169 |
170 |
171 | false
172 |
173 |
174 | false
175 |
176 |
177 | false
178 |
179 |
180 | false
181 |
182 |
183 | false
184 |
185 |
186 | false
187 |
188 |
189 |
190 |
191 |
192 | Level3
193 | Disabled
194 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
195 |
196 |
197 | Console
198 |
199 |
200 |
201 |
202 |
203 |
204 | Level3
205 | Disabled
206 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
207 |
208 |
209 | Console
210 |
211 |
212 |
213 |
214 | Level3
215 |
216 |
217 | MaxSpeed
218 | true
219 | true
220 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
221 |
222 |
223 | Console
224 | true
225 | true
226 |
227 |
228 |
229 |
230 | Level3
231 |
232 |
233 | MaxSpeed
234 | true
235 | true
236 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
237 |
238 |
239 | Console
240 | true
241 | true
242 |
243 |
244 |
245 |
246 | Level3
247 |
248 |
249 | MaxSpeed
250 | true
251 | true
252 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
253 |
254 |
255 | Console
256 | true
257 | true
258 |
259 |
260 |
261 |
262 | Level3
263 |
264 |
265 | MaxSpeed
266 | true
267 | true
268 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
269 |
270 |
271 | Console
272 | true
273 | true
274 |
275 |
276 |
277 |
278 | Level3
279 |
280 |
281 | MaxSpeed
282 | true
283 | true
284 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
285 | Guard
286 |
287 |
288 | Console
289 | true
290 | true
291 |
292 |
293 |
294 |
295 | Level3
296 |
297 |
298 | MaxSpeed
299 | true
300 | true
301 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
302 | Guard
303 |
304 |
305 | Console
306 | true
307 | true
308 | /guard:rfinstr %(AdditionalOptions)
309 |
310 |
311 |
312 |
313 | Level3
314 |
315 |
316 | MaxSpeed
317 | true
318 | true
319 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
320 | Guard
321 |
322 |
323 | Console
324 | true
325 | true
326 | /guard:rf %(AdditionalOptions)
327 |
328 |
329 |
330 |
331 | Level3
332 |
333 |
334 | MaxSpeed
335 | true
336 | true
337 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
338 | Guard
339 | /guard:rf %(AdditionalOptions)
340 |
341 |
342 | Console
343 | true
344 | true
345 | /guard:rfstrict %(AdditionalOptions)
346 |
347 |
348 |
349 |
350 |
351 |
352 |
353 | true
354 | true
355 | true
356 | true
357 | true
358 |
359 |
360 |
361 |
362 |
363 |
364 |
--------------------------------------------------------------------------------
/TinyReturnFlowGuard.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // Minimal application that shows how to enable RFG (Return Flow Guard) in
5 | // current builds of Visual Studio 2017
6 | //
7 | // Richard Baranyi
8 | //
9 | // https://github.com/TheEragon/TinyReturnFlowGuard
10 | //
11 |
12 | // declare variables that we will need later
13 | #if defined(_M_IX86) || defined(_X86_)
14 | extern "C" PVOID __safe_se_handler_table[];
15 | extern "C" BYTE __safe_se_handler_count;
16 | #endif
17 |
18 | extern "C" PVOID __guard_fids_table[];
19 | extern "C" ULONG __guard_fids_count;
20 | extern "C" ULONG __guard_flags;
21 |
22 | extern "C" PVOID __guard_iat_table[];
23 | extern "C" ULONG __guard_iat_count;
24 |
25 | extern "C" PVOID __guard_longjmp_table[];
26 | extern "C" ULONG __guard_longjmp_count;
27 |
28 | extern "C" PVOID __dynamic_value_reloc_table[];
29 |
30 | extern "C" PVOID __guard_dispatch_icall_fptr;
31 | extern "C" PVOID __guard_check_icall_fptr;
32 |
33 | #if defined(_AMD64_)
34 | extern "C" PVOID __guard_ss_verify_failure;
35 | extern "C" PVOID __guard_ss_verify_failure_fptr;
36 | extern "C" PVOID __guard_ss_verify_sp_fptr;
37 | #endif
38 |
39 | // define custom load configuration that supports RFG
40 | #pragma warning(push)
41 | #pragma warning(disable:4838;disable:4244)
42 | extern "C" const __declspec(selectany)
43 | IMAGE_LOAD_CONFIG_DIRECTORY _load_config_used =
44 | {
45 | sizeof(_load_config_used),
46 | 0,
47 | 0,
48 | 0,
49 | 0,
50 | 0,
51 | 0,
52 | 0,
53 | 0,
54 | 0,
55 | 0,
56 | 0,
57 | 0,
58 | 0,
59 | 0,
60 | 0,
61 | 0,
62 | (SIZE_T)&__security_cookie,
63 | #if defined(_M_IX86) || defined(_X86_)
64 | (SIZE_T)__safe_se_handler_table,
65 | (SIZE_T)&__safe_se_handler_count,
66 | #else
67 | 0,
68 | 0,
69 | #endif
70 | (SIZE_T)&__guard_check_icall_fptr,
71 | #if defined(_AMD64_)
72 | (SIZE_T)&__guard_dispatch_icall_fptr,
73 | #else
74 | 0,
75 | #endif
76 | (SIZE_T)&__guard_fids_table,
77 | (SIZE_T)&__guard_fids_count,
78 | (SIZE_T)&__guard_flags,
79 | { 0, 0, 0, 0 },
80 | (SIZE_T)&__guard_iat_table,
81 | (SIZE_T)&__guard_iat_count,
82 | (SIZE_T)&__guard_longjmp_table,
83 | (SIZE_T)&__guard_longjmp_count,
84 | (SIZE_T)&__dynamic_value_reloc_table,
85 | 0,
86 | #if defined(_AMD64_)
87 | (SIZE_T)&__guard_ss_verify_failure,
88 | (SIZE_T)&__guard_ss_verify_failure_fptr,
89 | #else
90 | 0,
91 | 0,
92 | #endif
93 | 0,
94 | 0,
95 | 0,
96 | #if defined(_AMD64_)
97 | (SIZE_T)&__guard_ss_verify_sp_fptr,
98 | #else
99 | 0,
100 | #endif
101 | 0,
102 | };
103 | #pragma warning(pop)
104 |
105 | int _tmain(int argc, TCHAR *argv[])
106 | {
107 | #if defined(_M_IX86) || defined(_X86_)
108 | _tprintf(_T("RFG is not supported in x86 builds\n"));
109 | #else
110 | // very simple implementation that checks if RFG is present and enabled
111 |
112 | _tprintf(_T("First 9 bytes of main function:\n"));
113 | const BYTE *fnc = (const BYTE *)_tmain;
114 | for (unsigned int i = 0; i < 9; i++)
115 | _tprintf(_T("%02x "), fnc[i]);
116 | _tprintf(_T("\n"));
117 |
118 | // standard prolog of instrumented function after OS patches it
119 | // mov rax, [rsp]
120 | // mov fs : [rsp], rax
121 | static constexpr BYTE MiRfgInstrumentedPrologueBytes[] = { 0x48, 0x8b, 0x04, 0x24, 0x64, 0x48, 0x89, 0x04, 0x24 };
122 |
123 | // standard prolog of instrumented function
124 | // xchg ax, ax
125 | // nop dword ptr [rax+00000000h]
126 | static constexpr BYTE MiRfgNopPrologueBytes[] = { 0x66, 0x90, 0x0f, 0x1f, 0x80, 0x00, 0x00, 0x00, 0x00 };
127 |
128 | if (memcmp(fnc, MiRfgInstrumentedPrologueBytes, sizeof(MiRfgInstrumentedPrologueBytes)) == 0)
129 | _tprintf(_T("RFG is enabled for this image\n"));
130 | else if (memcmp(fnc, MiRfgNopPrologueBytes, sizeof(MiRfgNopPrologueBytes)) == 0)
131 | _tprintf(_T("RFG is present in this image\n"));
132 | else
133 | _tprintf(_T("RFG is not present in this image\n"));
134 |
135 | PROCESS_MITIGATION_RETURN_FLOW_GUARD_POLICY policy;
136 | if (GetProcessMitigationPolicy(GetCurrentProcess(), ProcessReturnFlowGuardPolicy, &policy, sizeof(policy)))
137 | _tprintf(_T("\nGetProcessMitigationPolicy\nEnableReturnFlowGuard: %u\nStrictMode: %u\n"), policy.EnableReturnFlowGuard, policy.StrictMode);
138 | else
139 | _tprintf(_T("Calling GetProcessMitigationPolicy failed\n"));
140 |
141 | // let's test if RFG works
142 | if (argc > 1)
143 | {
144 | // TODO: implement an example
145 | }
146 | #endif
147 |
148 | return 0;
149 | }
150 |
--------------------------------------------------------------------------------
/security_check_cookie_ex.asm:
--------------------------------------------------------------------------------
1 | ; Functions taken from ntdll.dll bundled in Windows 10 15025, so they are copyright of Microsoft
2 | ;
3 | ; Functions are needed once you allocate something on stack
4 | ; TODO: exception handling
5 |
6 | .code
7 |
8 | public __security_check_cookie_ex
9 | public __security_check_cookie_ex_sp
10 |
11 | extern __security_cookie:qword
12 | extern __report_gsfailure:proc
13 | extern __guard_ss_verify_sp:proc
14 |
15 | __security_check_cookie_ex proc
16 | mov r8, [rsp+0]
17 | cmp rcx, __security_cookie
18 | jnz report_gsfailure
19 | rol rcx, 10h
20 | test cx, 0FFFFh
21 | jnz restore_cookie
22 | nop
23 | cmp r8, [rsp+0]
24 | jnz report_fast_fail
25 | ret
26 | restore_cookie:
27 | ror rcx, 10h
28 | report_gsfailure:
29 | jmp __report_gsfailure
30 | report_fast_fail:
31 | mov rdx, [rsp+0]
32 | mov ecx, 2Ch
33 | int 29h
34 | __security_check_cookie_ex endp
35 |
36 | __security_check_cookie_ex_sp proc
37 | mov r8, [rsp+0]
38 | cmp rcx, __security_cookie
39 | jnz report_gsfailure
40 | rol rcx, 10h
41 | test cx, 0FFFFh
42 | jnz restore_cookie
43 | nop
44 | mov rcx, rdx
45 | cmp r8, [rsp+0]
46 | jnz report_fast_fail
47 | jmp __guard_ss_verify_sp
48 | restore_cookie:
49 | ror rcx, 10h
50 | report_gsfailure:
51 | jmp __report_gsfailure
52 | report_fast_fail:
53 | mov rdx, [rsp+0]
54 | mov ecx, 2Ch
55 | int 29h
56 | __security_check_cookie_ex_sp endp
57 |
58 | end
59 |
--------------------------------------------------------------------------------