Sources that are compiled with
/GS
(which is enabled by default) can detect the alteration of the return address. The compiler causes the function to insert a »cookie« (a value) on the stack right after (before?) the
frame pointer and before (after?) the
exception handler frame or return address when the function is entered. When the function is left, the value of the cookie is compareed to the value it had when the function is entered. If those values are different, this is a sign that indeed a buffer overflow has happened and an error reporting function (defined in
gs_report.c
is called.