What is GuardMemcpyFunctionPointer?

source link: https://codeinsecurity.wordpress.com/2023/01/30/what-is-guardmemcpyfunctionpointer/

Microsoft added a new field, GuardMemcpyFunctionPointer, to the PE load config structure in Windows 22H2. I couldn’t find any documentation on this at all, either from Microsoft or from reverse engineers, so I thought I’d post my initial findings here.

The field holds a virtual address (VA), i.e. an absolute address rather than an RVA, which typically points into the .rdata section. At that address sits a second VA which (in every binary I have checked so far) points to the memcpy implementation in the .text section, so the field is really a pointer to a pointer to memcpy. As is tradition, both VAs are 32 or 64 bits wide depending on whether the binary is PE32 (x86_32) or PE32+ (x86_64).

This arrangement, where the load config field holds the VA of a pointer slot rather than the VA of the function itself, matches other load config fields such as GuardCFDispatchFunctionPointer and GuardRFFailureRoutineFunctionPointer.
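To make the double indirection concrete, here is an added example (not code from the original post) that parses a PE image with only the standard library, finds the load config directory, reads a pointer-to-pointer field such as GuardMemcpyFunctionPointer, and follows both hops, reporting which section each address lands in. The field offsets inside IMAGE_LOAD_CONFIG_DIRECTORY32/64 (0xBC/0x138 for GuardMemcpyFunctionPointer, 0xB8/0x130 for CastGuardOsDeterminedFailureMode) are my reading of the Windows SDK winnt.h layout and are an assumption of this example; the sample PE32+ image built by build_sample_pe64() is constructed for the demonstration and is not a real binary.

```python
import struct

# (PE32 offset, PE32+ offset) of each field inside IMAGE_LOAD_CONFIG_DIRECTORY.
# Assumed from the winnt.h layout; not taken from the post.
FIELD_OFFSETS = {
    "CastGuardOsDeterminedFailureMode": (0xB8, 0x130),
    "GuardMemcpyFunctionPointer": (0xBC, 0x138),
}
LOADCFG_DIR_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _sections(data, nt):
    """Yield (name, rva, size, raw_offset) for each section header."""
    count = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    base = nt + 24 + opt_size
    for i in range(count):
        off = base + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode()
        vsize, rva, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        yield name, rva, max(vsize, rsize), raw


def _rva_to_offset(sections, rva):
    for name, start, size, raw in sections:
        if start <= rva < start + size:
            return rva - start + raw, name
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def read_load_config_pointer(data, field="GuardMemcpyFunctionPointer"):
    """Return (slot_va, slot_section, target_va, target_section), or None when
    the image has no load config or its Size field does not reach `field`."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: 64-bit ImageBase at +24, directories at +112
        ptr_fmt, base_off, ndir_off, dir_off, idx = "<Q", 24, 108, 112, 1
    elif magic == 0x10B:  # PE32: 32-bit ImageBase at +28, directories at +96
        ptr_fmt, base_off, ndir_off, dir_off, idx = "<I", 28, 92, 96, 0
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    image_base = struct.unpack_from(ptr_fmt, data, opt + base_off)[0]
    if struct.unpack_from("<I", data, opt + ndir_off)[0] <= LOADCFG_DIR_INDEX:
        return None
    cfg_rva = struct.unpack_from("<I", data, opt + dir_off + 8 * LOADCFG_DIR_INDEX)[0]
    if cfg_rva == 0:
        return None
    sections = list(_sections(data, nt))
    cfg_off, _ = _rva_to_offset(sections, cfg_rva)
    # The structure's own Size field says which fields are present; images built
    # with older toolchains stop well before the newer Guard* fields.
    field_off = FIELD_OFFSETS[field][idx]
    if struct.unpack_from("<I", data, cfg_off)[0] < field_off + struct.calcsize(ptr_fmt):
        return None
    slot_va = struct.unpack_from(ptr_fmt, data, cfg_off + field_off)[0]
    if slot_va == 0:
        return None
    slot_off, slot_sec = _rva_to_offset(sections, slot_va - image_base)  # hop 1
    target_va = struct.unpack_from(ptr_fmt, data, slot_off)[0]           # hop 2
    target_sec = None
    if target_va:  # a slot holding zeroes (as seen for CastGuard) has no target
        _, target_sec = _rva_to_offset(sections, target_va - image_base)
    return slot_va, slot_sec, target_va, target_sec


def build_sample_pe64():
    """Constructed minimal PE32+ image (not a real binary): .text at RVA 0x1000,
    .rdata at RVA 0x2000 holding a 0x140-byte load config and the pointer slots."""
    base = 0x140000000
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 2)              # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 240)                     # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                    # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, base)                # ImageBase
    struct.pack_into("<I", img, opt + 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * LOADCFG_DIR_INDEX, 0x2000, 0x140)
    for i, (name, rva, raw) in enumerate([(b".text", 0x1000, 0x200), (b".rdata", 0x2000, 0x400)]):
        hdr = opt + 240 + 40 * i
        img[hdr:hdr + len(name)] = name
        struct.pack_into("<IIII", img, hdr + 8, 0x200, rva, 0x200, raw)
    struct.pack_into("<I", img, 0x400, 0x140)                  # load config Size
    struct.pack_into("<Q", img, 0x400 + 0x130, base + 0x2178)  # CastGuard slot (left as zeroes)
    struct.pack_into("<Q", img, 0x400 + 0x138, base + 0x2180)  # GuardMemcpyFunctionPointer slot
    struct.pack_into("<Q", img, 0x580, base + 0x1040)          # slot -> "memcpy" in .text
    return bytes(img)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe64()
    for name in FIELD_OFFSETS:
        print(name, read_load_config_pointer(image, name))
```

Run it with a path to a recent Windows binary to see the real values; with no argument it walks the constructed image, where the memcpy slot in .rdata resolves to an address in .text and the CastGuard slot resolves to zeroes, mirroring what the post describes for both fields. The Size check matters in practice: an image linked with an older toolchain has a shorter load config, and reading past its declared Size would return whatever bytes happen to follow it.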

We can infer that the field is related to control flow guard (CFG) and/or extended flow guard (XFG). Unfortunately, I have not yet been able to discern the exact purpose of this new field. It is possible that this is related to memory tagging extensions (MTE) on ARM64 binaries, although that wouldn’t necessarily explain why the field is filled out for x86_32 and x86_64 executables, unless MTE is also being used during x86 emulation on ARM64.

If you know what it does, let me know.


Side note: If anyone knows what CastGuardOsDeterminedFailureMode is for, I’d also appreciate info on that. I couldn’t find any information on this field, or any feature called “cast guard”. I found a bunch of executables that have a valid VA in this field, but it always points to 8 bytes of zeroes. It is possible that the OS writes something into this memory location at runtime, but that seems unlikely given that the VA points into .rdata in every case I could find, which is mapped as read-only.

Update: CastGuard was spoken about by Joe Bialek at BH2022. [Slides] – it still isn’t fully clear to me what the load config field is for, but I sent him a message to ask.
