The defenses behind these compiler and linker options are described in detail in Chapter 3, “Buffer Overrun Defenses.” In summary, /GS is a compiler switch that adds stack-based buffer overrun detection to the code. /SafeSEH is a linker option that protects exception handlers, /DynamicBase randomizes the image’s base address and /NXCompat is also a linker flag that means the application will be protected by the CPU’s Data Execution Prevention (DEP) capability. DEP is also referred to as No Execute (NX) on AMD CPUs and Execution Disable (XD) on Intel chips. These options are explained in more detail in Chapter 4.