Delay load IAT is protected by CF guard, but is not in the separate section

ID: PE061, Level: INFO, Category: Security

Description

The Control Flow Guard (CFG) security mitigation is enabled, and the executable uses delay loaded libraries. The delay load import address table (IAT) is protected by CFG, but is not placed in a separate read-write section. Placing the delay load IAT in a separate read-write section is recommended to keep compatibility with older operating system versions that are not CFG-aware.

Read more information in the official Microsoft resources.

Mitigation

When using Visual C++:

  • Make sure you do not merge the delay load IAT section (usually .didat) with other sections.
  • Make sure you do not change the default attributes of the delay load IAT section. It should be read+write only.
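
To verify the result after linking, the following added example (not part of this rule's documentation and not the scanner's own logic) checks the GuardFlags bits from the load configuration directory together with the section that holds the delay load IAT. The flag and characteristic values are the ones defined in winnt.h; the helper names, the sample section table and the delay load IAT RVAs are constructed for illustration.

```python
import struct

# GuardFlags bits of IMAGE_LOAD_CONFIG_DIRECTORY (winnt.h)
CF_INSTRUMENTED = 0x00000100            # IMAGE_GUARD_CF_INSTRUMENTED
PROTECT_DELAYLOAD_IAT = 0x00001000      # IMAGE_GUARD_PROTECT_DELAYLOAD_IAT
DELAYLOAD_IAT_OWN_SECTION = 0x00002000  # IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION
# Section characteristics (winnt.h)
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
MEM_MASK = MEM_EXECUTE | MEM_READ | MEM_WRITE
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(table):
    """Yield (name, rva, virtual_size, characteristics) for each header."""
    for off in range(0, len(table), SECTION_HEADER.size):
        f = SECTION_HEADER.unpack_from(table, off)
        yield f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[9]

def delay_iat_finding(guard_flags, section_table, delay_iat_rva):
    """Return None if the layout follows the advice above, else a reason."""
    need = CF_INSTRUMENTED | PROTECT_DELAYLOAD_IAT
    if (guard_flags & need) != need:
        return None  # delay load IAT is not CFG-protected: outside this check
    for name, rva, vsize, chars in parse_sections(section_table):
        if rva <= delay_iat_rva < rva + vsize:
            if (chars & MEM_MASK) != (MEM_READ | MEM_WRITE):
                return f"{name}: delay load IAT section is not read+write only"
            if not guard_flags & DELAYLOAD_IAT_OWN_SECTION:
                return f"{name}: delay load IAT is not in its own section"
            return None
    return "delay load IAT RVA is outside every section"

def make_header(name, rva, vsize, chars):
    """Pack one constructed section header for the sample table."""
    return SECTION_HEADER.pack(name, vsize, rva, 0, 0, 0, 0, 0, 0, chars)

# Constructed sample: a typical layout with a separate .didat section.
SAMPLE_TABLE = (
    make_header(b".text", 0x1000, 0x2000, 0x60000020)
    + make_header(b".data", 0x3000, 0x1000, 0xC0000040)
    + make_header(b".didat", 0x4000, 0x0100, 0xC0000040)
)

if __name__ == "__main__":
    # Delay load IAT in .didat with the own-section flag set: no finding.
    print(delay_iat_finding(0x3100, SAMPLE_TABLE, 0x4010))
    # Delay load IAT merged into .data, own-section flag missing: finding.
    print(delay_iat_finding(0x1100, SAMPLE_TABLE, 0x3800))
```

In a real image, the delay load IAT RVA comes from the ImportAddressTableRVA field of the delay import descriptor, and GuardFlags from the load configuration directory.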

Arguments

This rule has the following output arguments:

  • library_name - Affected import address table imported library name