Uninformed: Informative Information for the Uninformed

Vol 7 » 2007.May

Epilogue Modifications

When a function returns, it must check that the cookie stored on the stack has not been tampered with. To accomplish this, the compiler inserts the following instructions into the function's epilogue:

.text:00402223     mov ecx, [ebp+2A8h+var_4]
.text:00402229     xor ecx, ebp
.text:0040222B     pop esi
.text:0040222C     call __security_check_cookie

The value of the cookie that was stored on the stack is moved into ecx and then XOR'd with the current frame pointer to get it back to the expected value. Following that, a call is made to __security_check_cookie, with the stack frame's cookie value passed in the ecx register. The __security_check_cookie routine is very short and sweet. The passed-in cookie value is compared with the image file's global cookie. If they don't match, __report_gsfailure is called and the process eventually terminates, which is what one would expect in a buffer overflow scenario. If they do match, the routine simply returns, allowing the calling function to proceed with execution and cleanup.

.text:0040634B     cmp ecx, __security_cookie
.text:00406351     jnz short loc_406355
.text:00406353     rep retn
.text:00406355 loc_406355:
.text:00406355     jmp __report_gsfailure
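To make the epilogue check concrete, the following is an added C model of a /GS-protected 32-bit frame; it is not code from the article or from the compiler's runtime. The cookie slot holds the global cookie XOR'd with ebp, and the check reverses the XOR and compares, exactly as the two listings above do; the struct layout, the cookie value, the frame pointer and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed frame layout mirroring the listing: the local buffer sits
 * below the cookie, and the cookie ([ebp+var_4]) sits just below the saved
 * frame pointer and return address. 16 is 4-byte aligned, so no padding. */
struct gs_frame {
    char     buf[16];      /* local buffer that an unchecked copy can overrun */
    uint32_t cookie;       /* __security_cookie XOR ebp, written by the prologue */
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* Stand-in for the image's global __security_cookie (constructed value). */
static const uint32_t g_security_cookie = 0x3A2F1B9Cu;

/* Prologue side: store the frame-specific cookie (global cookie XOR ebp). */
void gs_store_cookie(struct gs_frame *f, uint32_t ebp)
{
    f->cookie = g_security_cookie ^ ebp;
}

/* Epilogue side, modelled on "xor ecx, ebp" followed by
 * "cmp ecx, __security_cookie". Returns 1 when the cookie is intact,
 * 0 where the real code would jump to __report_gsfailure. */
int gs_check_cookie(const struct gs_frame *f, uint32_t ebp)
{
    uint32_t ecx = f->cookie ^ ebp;   /* mov ecx, [ebp+var_4]; xor ecx, ebp */
    return ecx == g_security_cookie;  /* cmp ecx, __security_cookie */
}

/* Simulates a function that copies `len` bytes into its 16-byte local buffer
 * without a bounds check and then runs the epilogue check. Copies are made
 * into the frame object as raw bytes so that len > 16 spills into the cookie
 * slot the same way a stack overrun would; len is capped at the frame size
 * to keep the simulation well-defined. Returns the result of gs_check_cookie. */
int run_frame(const char *src, size_t len)
{
    struct gs_frame f;
    uint32_t ebp = 0x0012FF80u;       /* constructed frame pointer */
    if (len > sizeof f)
        len = sizeof f;
    f.saved_ebp = 0x0012FFC0u;        /* constructed */
    f.ret_addr  = 0x00401000u;        /* constructed */
    gs_store_cookie(&f, ebp);
    memcpy(&f, src, len);             /* bytes 0..15 land in buf, 16..19 in cookie */
    return gs_check_cookie(&f, ebp);
}
```

A 16-byte copy leaves the cookie untouched and the check passes; a 20-byte copy overwrites the cookie slot, the XOR no longer recovers the global value, and the check fails, which is the point at which __report_gsfailure would terminate the process.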