- C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX64\x64\dumpbin.exe
- C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX64\x86\dumpbin.exe
- C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX86\x64\dumpbin.exe
- C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX86\x86\dumpbin.exe
You can just set up a Visual Studio command prompt environment and run it:
- cmd /k "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\tools\VsDevCmd.bat"
You can then call dumpbin on something like MsMpEng for a relevant example and filter for CFG-related items:
- dumpbin /headers /loadconfig "c:\program files\windows defender\msmpeng.exe" | findstr /i /c:"dll characteristics" /c:"control flow guard" /c:"guard cf" /c:"guard flags" /c:"cf instrumented" /c:"fid table present"
The function count should be non-zero, the Control Flow Guard DLL characteristics flag should be set, and the CF Instrumented and FID Table Present guard flags should be set. Be aware that this filter drops a lot of other details and misrepresents the full list of flags.
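The same three checks can be made on the numeric values in the unfiltered `dumpbin /headers /loadconfig` output instead of on the flag names that survive `findstr`. The script below is an added example, not part of the original page: `check_cfg` is a hypothetical helper, the two sample outputs are constructed and assume dumpbin's `<hex value> <field name>` line layout, and the bit values are the ones defined in winnt.h.

```python
import re

# Bit values from winnt.h.
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_GUARD_CF_INSTRUMENTED = 0x0100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x0400

# Assumed dumpbin layout: "<hex value> <field name>"; only three fields matter here.
FIELD_RE = re.compile(
    r"^[ \t]*([0-9A-Fa-f]+)[ \t]+"
    r"(DLL characteristics|Guard CF function count|Guard Flags)[ \t\r]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed samples (not captured from a real binary).
SAMPLE_CFG = """\
            4140 DLL characteristics
                   Dynamic base
                   NX compatible
                   Control Flow Guard
                  2A Guard CF function count
            00000500 Guard Flags
                       CF instrumented
                       FID table present
"""
SAMPLE_NO_CFG = """\
             140 DLL characteristics
                   Dynamic base
                   NX compatible
                   0 Guard CF function count
            00000000 Guard Flags
"""

def check_cfg(dumpbin_text):
    """Evaluate the three CFG checks from dumpbin text; missing fields count as 0."""
    fields = {name.lower(): int(value, 16)
              for value, name in FIELD_RE.findall(dumpbin_text)}
    guard_flags = fields.get("guard flags", 0)
    result = {
        "guard_cf_dll_characteristic": bool(
            fields.get("dll characteristics", 0) & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "function_count_nonzero": fields.get("guard cf function count", 0) > 0,
        "cf_instrumented": bool(guard_flags & IMAGE_GUARD_CF_INSTRUMENTED),
        "fid_table_present": bool(guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT),
    }
    result["cfg_enabled"] = all(result.values())
    return result

if __name__ == "__main__":
    print(check_cfg(SAMPLE_CFG), check_cfg(SAMPLE_NO_CFG), sep="\n")
```

Because it reads the hex values, the verdict does not depend on which flag-name lines the filter happened to keep.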