Control Flow Guard

Control Flow Guard, CFG for short, is a relatively recent exploit mitigation technique that targets invalid indirect function calls. CFG is both a compiler and an OS feature. Put simply, the compiler inserts a call to a check function just before the real indirect call, and the OS handles the rest.

Without the CFG flag, an indirect function call may be as simple as:

call esi

With the CFG flag enabled:

mov ecx, esi                                ; save the real function address as the parameter
call ___guard_check_icall_function_pointer  ; this is the control flow checking function
call esi                                    ; if everything goes well, call the real function

On Windows 10 and Windows 8.1 Update 3, the guard check function jumps to "ntdll!LdrpValidateUserCallTarget". The target address is checked against a bitmap that the OS keeps up to date; if the result is 1, everything is fine, otherwise the process is terminated with an int 29 (ntdll!RtlpHandleInvalidUserCallTarget takes care of it).

CFG works well, especially against heap overflow exploits.

Of course, it is not a panacea. Not every function in a process benefits from CFG, and some modules of the process may have been compiled without CFG support. As Francisco Falcón of Core Security has shown, software such as Flash that contains a JIT or a similar dynamic code generation feature is also likely to be missing the CFG checks. So, try your jumping and ROP there.

Also, always remember that redirecting execution to a valid, already existing function whose call is reasonable in the application's logic may simply work in the attacker's favor; such cases are the weak side of exploit mitigation features.
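To make the mechanism concrete, here is an added C model of the guard check. It is not code from the original post and not Windows's own implementation: a loader-side routine builds a one-bit-per-16-bytes bitmap from a toy guard function table at constructed addresses, a stand-in for LdrpValidateUserCallTarget looks the target up, and a wrapper mimics the compiler-inserted check-then-call sequence. The names guard_build_bitmap, guard_check_icall, guarded_icall, IMAGE_BASE and the on_click / on_close handlers are assumptions made for this model. The model also illustrates the point of the previous paragraph: a pointer corrupted to point into the middle of a function or into data is rejected, while one swapped for another registered function passes the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy image layout (constructed): functions live at synthetic 16-byte aligned
   addresses inside a 1 MiB "image" that starts at IMAGE_BASE. */
#define IMAGE_BASE  0x00400000u
#define IMAGE_SIZE  0x00100000u
#define SLOT_SHIFT  4                       /* one bitmap bit per 16 bytes, like CFG */
#define BITMAP_BITS (IMAGE_SIZE >> SLOT_SHIFT)

static uint32_t cfg_bitmap[BITMAP_BITS / 32];

/* Functions the image exposes as legitimate indirect-call targets (assumed names). */
static int on_click(int x) { return x + 1; }
static int on_close(int x) { return x * 2; }

/* The image's "guard function table": every address the compiler marked as a
   legitimate indirect-call target. The loader turns this list into bitmap bits. */
struct fn_entry { uintptr_t addr; int (*fn)(int); };
static const struct fn_entry guard_fids[] = {
    { IMAGE_BASE + 0x1000, on_click },
    { IMAGE_BASE + 0x2040, on_close },
};
#define N_FIDS (sizeof guard_fids / sizeof guard_fids[0])

/* Loader side: set one bit per registered target. */
static void guard_build_bitmap(void) {
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    for (size_t i = 0; i < N_FIDS; i++) {
        uint32_t bit = (uint32_t)((guard_fids[i].addr - IMAGE_BASE) >> SLOT_SHIFT);
        cfg_bitmap[bit / 32] |= 1u << (bit % 32);
    }
}

/* Stand-in for LdrpValidateUserCallTarget: 1 = target allowed, 0 = invalid.
   Simplification: the real bitmap keeps two bits per slot so that it can also
   accept unaligned targets; this model accepts only exact 16-byte aligned ones. */
static int guard_check_icall(uintptr_t target) {
    if (target < IMAGE_BASE || target >= IMAGE_BASE + IMAGE_SIZE) return 0;
    if (target & ((1u << SLOT_SHIFT) - 1)) return 0;      /* mid-slot address */
    uint32_t bit = (uint32_t)((target - IMAGE_BASE) >> SLOT_SHIFT);
    return (int)((cfg_bitmap[bit / 32] >> (bit % 32)) & 1u);
}

/* The compiler-inserted sequence: check first, then make the real call.
   Returns 0 and stores the callee's result, or -1 where a real process would
   fast-fail (int 29 / RtlpHandleInvalidUserCallTarget). */
static int guarded_icall(uintptr_t target, int arg, int *result) {
    if (!guard_check_icall(target)) return -1;
    for (size_t i = 0; i < N_FIDS; i++)
        if (guard_fids[i].addr == target) { *result = guard_fids[i].fn(arg); return 0; }
    return -1;  /* not reachable: every set bit comes from guard_fids */
}

static const char *outcome(int rc) { return rc == 0 ? "called" : "fast-fail"; }

int main(void) {
    int r = 0;
    guard_build_bitmap();

    /* The object's handler pointer as the program intended it: on_click. */
    printf("legit target   -> %s\n", outcome(guarded_icall(IMAGE_BASE + 0x1000, 5, &r)));

    /* A pointer corrupted to the middle of a function or into data: caught. */
    printf("mid-function   -> %s\n", outcome(guarded_icall(IMAGE_BASE + 0x1008, 5, &r)));
    printf("data address   -> %s\n", outcome(guarded_icall(IMAGE_BASE + 0x9000, 5, &r)));

    /* The weak side described in the text: a pointer swapped for another
       registered function passes, because that address is in the bitmap too. */
    printf("other valid fn -> %s\n", outcome(guarded_icall(IMAGE_BASE + 0x2040, 5, &r)));
    return 0;
}
```

The bitmap lookup is the whole check: it costs one shift, one mask and one load per indirect call, which is why the sequence is cheap enough to insert everywhere, and it also explains why CFG says nothing about which registered function is the right one at a given call site.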

Anyway, Control Flow Guard is a strong and very good security feature, and it will certainly make the exploit writer's work harder.