PE (Windows) Security Rules
Rules for analyzing Windows PE (Portable Executable) binaries including executables (.exe) and dynamic libraries (.dll).
Memory Protection
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2001 | LoadImagesAboveFourGigabyteAddress | Warning | Enable /LARGEADDRESSAWARE for 64-bit ASLR |
| AD2009 | EnableAddressSpaceLayoutRandomization | Error | Enable ASLR (/DYNAMICBASE) |
| AD2015 | EnableHighEntropyVirtualAddresses | Warning | Enable high-entropy ASLR |
| AD2016 | MarkImageAsNXCompatible | Error | Enable DEP/NX (/NXCOMPAT) |
Stack Protection
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2011 | EnableStackProtection | Error | Enable stack canaries (/GS) |
| AD2012 | DoNotModifyStackProtectionCookie | Error | Don't modify security cookie |
| AD2013 | InitializeStackProtection | Error | Initialize stack protection |
| AD2014 | DoNotDisableStackProtectionForFunctions | Warning | Don't disable /GS for functions |
| AD2018 | EnableSafeSEH | Error | Enable SafeSEH (32-bit) |
| AD2031 | EnableControlStackChecking | Warning | Enable /RTC stack checking |
Control Flow
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2008 | EnableControlFlowGuard | Error | Enable CFG (/guard:cf) |
| AD2025 | EnableShadowStack | Warning | Enable CET Shadow Stack |
| AD2030 | EnableCastGuard | Warning | Enable CastGuard (/guard:cast) |
| AD2054 | EnableReturnFlowGuard | Note | Enable RFG (deprecated) |
Compiler Settings
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2006 | BuildWithSecureTools | Error | Use up-to-date compiler |
| AD2007 | EnableCriticalCompilerWarnings | Warning | Enable critical warnings |
| AD2024 | EnableSpectreMitigations | Warning | Enable Spectre mitigations |
| AD2026 | EnableMicrosoftCompilerSdlSwitch | Warning | Enable /sdl |
| AD2026 |
EnableMicrosoftCompilerSdlSwitch |
Warning |
Enable /sdl |
Code Signing
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2022 | SignSecurely | Error | Use SHA-256 for signing |
| AD2052 | RequireAuthenticode | Warning | Require Authenticode signature |
| AD2029 | EnableIntegrityCheck | Warning | Enable /INTEGRITYCHECK |
Section Properties
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2010 | DoNotMarkImportsSectionAsExecutable | Error | Imports should not be executable |
| AD2019 | DoNotMarkWritableSectionsAsShared | Error | Writable sections shouldn't be shared |
| AD2021 | DoNotMarkWritableSectionsAsExecutable | Error | No W+X sections |
GCC/Clang on Windows (DWARF)
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2033 | PeEnableStackProtectorDwarf | Warning | GCC/MinGW stack protector |
| AD2036 | PeEnableControlFlowIntegrity | Warning | Clang CFI |
| AD2037 | PeEnableStackClashProtection | Warning | Stack clash protection |
| AD2038 | PeEnableClangSafeStack | Warning | Clang SafeStack |
| AD2038 |
PeEnableClangSafeStack |
Warning |
Clang SafeStack |
ARM64 Windows
| Rule | Name | Severity | Description |
| --- | --- | --- | --- |
| AD2039 | PeEnableArmPAC | Warning | ARM Pointer Authentication |
| AD2040 | PeEnableArmBTI | Warning | ARM Branch Target Identification |
| AD2047 | PeEnableShadowCallStack | Warning | Shadow Call Stack |