[SOLVED] How to tell if /GS compiler is enabled for a PE Win32

How to tell if /GS compiler is enabled for a PE Win32

I am able to parse ASLR, DEP, SEH, etc. from the DOS headers but not sure how to tell if the file was compiled with /GS stack canaries.

I am writing a program, so pointing me to a program like PEStudio won't help me unless its open source.

Is this part of the dos headers? Or do I have to scan the .data section for __security_cookie?

Solution

Go to IMAGE_NT_HEADERS
Then IMAGE_OPTIONAL_HEADER (IMAGE_NT_HEADERS.OptionalHeader )
Then IMAGE_DATA_DIRECTORY (IMAGE_NT_HEADERS.OptionalHeader.DataDirectory)
The 10th entry VirtualAddress member is an RVA to the "Load Configuration Directory".
- IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress

The Load Configuration Directory is an IMAGE_LOAD_CONFIG_DIRECTORY structure.

Check the SecurityCookie member: if it's not 0 then /GS is in use for this PE.