Current state of affairs: on Windows, DEP, ASLR and CFG are not used.
> Get-PESecurity -File 'C:\ProgramData\chocolatey\bin\duplicacy.exe'
FileName : C:\ProgramData\chocolatey\bin\duplicacy.exe
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False
Authenticode : False
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False
Reading through the Go documentation, the necessary flag seems to be available:
-buildmode=pie
Build the listed main packages and everything they import into
position independent executables (PIE). Packages not named
main are ignored.
Interestingly, WireGuard manages to score points for DEP and /HIGHENTROPYVA:
> Get-PESecurity -File 'C:\Program Files\WireGuard\wireguard.exe'
FileName : C:\Program Files\WireGuard\wireguard.exe
ARCH : AMD64
DotNET : False
ASLR : True
DEP : True
Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : True
Here is how they do it: wireguard-windows/build.bat at 3ca5d24273d0a8bf943332c3fe0b2b5040ac49fb · WireGuard/wireguard-windows · GitHub
Can it be enabled for future Duplicacy builds?
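Added example, not part of the original post and not code from Duplicacy, WireGuard or Get-PESecurity: the ASLR, DEP, HighentropyVA and ControlFlowGuard rows above correspond to bits in the `DllCharacteristics` field of the PE optional header, so a build pipeline can check them directly after linking. The function names and the header-only sample image are assumptions constructed for illustration; the sample carries the same flag combination as the WireGuard output.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
)

// DllCharacteristics bits from the PE/COFF specification.
const (
	HighEntropyVA = 0x0020 // /HIGHENTROPYVA
	DynamicBase   = 0x0040 // ASLR (/DYNAMICBASE)
	NXCompat      = 0x0100 // DEP (/NXCOMPAT)
	GuardCF       = 0x4000 // Control Flow Guard
)

// Mitigations reads DllCharacteristics and maps it to Get-PESecurity's row names.
func Mitigations(img []byte) (map[string]bool, error) {
	if len(img) < 0x40 || string(img[:2]) != "MZ" {
		return nil, fmt.Errorf("not an MZ image")
	}
	opt := int(binary.LittleEndian.Uint32(img[0x3c:])) + 24 // e_lfanew + signature + COFF header
	if opt < 24 || opt+72 > len(img) || string(img[opt-24:opt-20]) != "PE\x00\x00" {
		return nil, fmt.Errorf("missing or truncated PE header")
	}
	if m := binary.LittleEndian.Uint16(img[opt:]); m != 0x10b && m != 0x20b {
		return nil, fmt.Errorf("unexpected optional header magic %#x", m)
	}
	dc := binary.LittleEndian.Uint16(img[opt+70:]) // offset 70 in both PE32 and PE32+
	return map[string]bool{"ASLR": dc&DynamicBase != 0, "DEP": dc&NXCompat != 0,
		"HighentropyVA": dc&HighEntropyVA != 0, "ControlFlowGuard": dc&GuardCF != 0}, nil
}

// SamplePE builds a constructed, header-only PE32+ image carrying the given flags.
func SamplePE(dc uint16) []byte {
	img := make([]byte, 0x40+24+72)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40) // e_lfanew
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x40+24:], 0x20b) // PE32+ magic
	binary.LittleEndian.PutUint16(img[0x40+24+70:], dc)
	return img
}

func main() {
	img := SamplePE(DynamicBase | NXCompat | HighEntropyVA) // constructed sample
	if len(os.Args) > 1 {
		img, _ = os.ReadFile(os.Args[1]) // a read failure surfaces as "not an MZ image"
	}
	fmt.Println(Mitigations(img))
}
```

Run with a path to an `.exe` as the first argument to inspect a real build; with no argument it reports on the constructed sample.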