In-Reply-To: <254c01c1eb18$7af4f1a0$2e58a8c0@ffornicario>
The MS /GS switch has an equally fatal flaw in its stack layout that makes it unnecessary to deal with the random canary: the Structured Exception Handler frame (which has a function pointer) comes after the canary (or cookie in MS parlance). All it takes is to induce an exception by overflowing some local variable (there are fair chances for this since functions manipulating buffers normally have pointer variables as well). Of course moving the canary after the SEH frame would/will put things back where you state they are now.