GS edge case

[woodruffw]

Split out from #5: If the user defines a custom entrypoint via /ENTRY, we should verify that they call call __security_init_cookie(). If they fail to, we should mark GS as not enabled, as the stack cookie will be whatever the compile time value was.

[woodruffw]

https://github.com/olliencc/WinBinaryAudit contains more advanced GS checks that we should probably build off of.

[woodruffw]

To elaborate: the current /GS detection is probably over-sensitive, since every recent build of the Windows CRT has stack cookies enabled and uses the default cookie to protect _start at the very minimum.

Instead, we should be checking for /GS instrumentation in non-_start functions, which will look something like this in pseudo-assembly:

mov rax, [__security_cookie]
xor rax, rsp
# ...

where __security_cookie is pointed to by the RVA in the load config's SecurityCookie field.