
__stack_chk_fail in PE files #120

@Artoria2e5

Description


Some of the "ELF" safety mechanisms are actually quite generic and found in other formats. Like PE, if you use GCC to compile an exe:

# This is MSYS2, "MSYS" environment.
# gets() has no bounds check, so the 64-byte buffer is overflowable;
# -fstack-protector-all puts a canary in every function, not just the "risky" ones.
printf '%s\n%s' '#include <stdio.h>' 'int main(){char e[64]; gets(e); puts(e);}' > 1.c
gcc -O2 -fstack-protector-all 1.c
# list the symbols of the resulting PE and look for the canary ones
nm a.exe | grep stack

You get:

0000000100403010 r .rdata$.refptr.__stack_chk_guard
0000000100403010 R .refptr.__stack_chk_guard
0000000100403010 R __fu0___stack_chk_guard
00000001004080e4 I __imp___stack_chk_fail
00000001004080ec I __imp___stack_chk_guard
00000001004080ec I __imp___stack_chk_guard
000000010040819c I __nm___stack_chk_guard
0000000000001000 A __size_of_stack_commit__
0000000000200000 A __size_of_stack_reserve__
00000001004010a0 T __stack_chk_fail

(Well, it's exactly one of the ELF mechanisms for now. But there are some not-yet-implemented things like SafeStack and selfrando that will also use simple symbol or section existence. Maybe clang CFI too...)
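The check the issue describes (canary detection by symbol presence rather than by ELF-specific machinery) as an added worked example; this is not code from the issue or from the project, only an illustration of the heuristic. It parses an nm listing, strips the PE decorations nm shows on MinGW imports (`__imp_`, `__nm_`, `__fuN_`, `.refptr.`), and matches exact canonical names, so the linker's `__size_of_stack_commit__` symbol that also matches `grep stack` is not mistaken for a canary. The GCC listing is copied from the issue; the unprotected and MSVC listings are constructed samples, and the MSVC symbol family (`__security_cookie`/`__security_check_cookie`, the /GS equivalent) goes beyond what the issue itself covers.

```python
import re
import sys

# nm symbol-type letters. Uppercase is global, lowercase local. 'I' is the
# type nm prints for PE/COFF indirect (import-table) symbols such as
# __imp___stack_chk_fail; 'T'/'t' is a defined code symbol; 'U' is undefined.
BINDING_OF = {"T": "defined", "t": "defined", "I": "imported", "U": "undefined"}

# Canary symbol families by toolchain. GCC/MinGW (libssp) emits
# __stack_chk_fail/__stack_chk_guard; MSVC /GS emits __security_cookie and
# __security_check_cookie. The first entry of each tuple is the failure
# handler whose binding is reported.
CANARY_FAMILIES = {
    "gcc": ("__stack_chk_fail", "__stack_chk_guard"),
    "msvc": ("__security_check_cookie", "__security_cookie", "__security_init_cookie"),
}

# Decorations nm shows on PE images that wrap the real symbol name:
# __imp_ (import thunk), __nm_ (MinGW auto-import), __fuN_ (ld fixup),
# .refptr. / .rdata$.refptr. (GCC reference-pointer stub for imported data).
DECORATION = re.compile(r"^(?:__imp_|__nm_|__fu\d+_|\.rdata\$\.refptr\.|\.refptr\.)")

NM_LINE = re.compile(r"^(?:([0-9A-Fa-f]+)\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(text):
    """Yield (address or None, type letter, name) for every parsable nm line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = NM_LINE.match(line) if line else None
        if m:
            addr, typ, name = m.groups()
            yield (int(addr, 16) if addr else None, typ, name)


def canonical(name):
    """Strip import/refptr decorations repeatedly, so that __imp___stack_chk_guard,
    .refptr.__stack_chk_guard and __fu0___stack_chk_guard all map to __stack_chk_guard."""
    while True:
        stripped = DECORATION.sub("", name, count=1)
        if stripped == name:
            return name
        name = stripped


def detect_stack_protector(nm_output):
    """Classify an nm listing of a PE image.

    Returns 'protected' (bool), 'family' ('gcc', 'msvc' or None), 'symbols'
    (canonical canary symbols present) and 'fail_bindings' (how the failure
    handler is bound: 'defined' = code inside this image, 'imported' = resolved
    from a DLL at load time). Matching is on exact canonical names, so linker
    symbols such as __size_of_stack_commit__ never count as a canary.
    """
    seen = {}
    for _addr, typ, name in parse_nm(nm_output):
        seen.setdefault(canonical(name), set()).add(typ)
    family = next((f for f, syms in CANARY_FAMILIES.items() if any(s in seen for s in syms)), None)
    if family is None:
        return {"protected": False, "family": None, "symbols": [], "fail_bindings": []}
    syms = CANARY_FAMILIES[family]
    present = sorted(s for s in syms if s in seen)
    bindings = sorted({BINDING_OF.get(t, "other") for t in seen.get(syms[0], ())})
    return {"protected": True, "family": family, "symbols": present, "fail_bindings": bindings}


# Sample input copied from the issue: MSYS2 gcc -O2 -fstack-protector-all, nm a.exe | grep stack
GCC_LISTING = """\
0000000100403010 r .rdata$.refptr.__stack_chk_guard
0000000100403010 R .refptr.__stack_chk_guard
0000000100403010 R __fu0___stack_chk_guard
00000001004080e4 I __imp___stack_chk_fail
00000001004080ec I __imp___stack_chk_guard
000000010040819c I __nm___stack_chk_guard
0000000000001000 A __size_of_stack_commit__
0000000000200000 A __size_of_stack_reserve__
00000001004010a0 T __stack_chk_fail
"""

# Constructed sample: the same program built without -fstack-protector. Only the
# linker's stack-size symbols survive `grep stack`, and they are not a canary.
UNPROTECTED_LISTING = """\
0000000000001000 A __size_of_stack_commit__
0000000000200000 A __size_of_stack_reserve__
0000000100401080 T main
"""

# Constructed sample: the symbol names an MSVC /GS build carries.
MSVC_LISTING = """\
0000000140003000 D __security_cookie
0000000140001130 T __security_check_cookie
0000000140001100 T __security_init_cookie
"""

if __name__ == "__main__":
    # Usage: nm a.exe | python detect_canary.py
    print(detect_stack_protector(sys.stdin.read()))
```

For the issue's own listing this reports family `gcc` with `__stack_chk_fail` both `defined` (the `T` symbol at 0x4010a0) and `imported` (the `__imp_` thunk), which is the presence-only signal the issue proposes; it says nothing about whether the canary is actually checked in a given function, which would need disassembly rather than symbol inspection.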
