Consider this: edi is what we want to call, e.g. vtable->AddRef for some COM object. Suppose we were able to corrupt the vtable of an object, so edi now holds something else, such as our shellcode or ROP payload. Before the call, the check happens:

    6E6A07E8   8BCF            MOV ECX,EDI
    6E6A07EA   FF15 ACF16A6E   CALL DWORD PTR DS:[___guard_check_icall_>
    6E6A07F0   FFD7            CALL EDI

If our exploit chain is not part of the registered functions, the check fails and we never reach call edi. So compare these two snippets. Without Control Flow Guard:

    mov eax, [edx]
    call [eax]                     <--- vtable->AddRef

And with Control Flow Guard applied:

    mov eax, [edx]
    mov eax, [eax]                 <--- vtable->AddRef
    call [__guard_check_icall]     <--- check if known list of functions (Bitmap check);
    call eax                       <--- if so execute this function

If CFG is enabled, __guard_check_icall is replaced with ntdll!LdrpValidateUserCallTarget:

    .text:6A29839F   mov   ebx, [esp+30h+var_14]
    .text:6A2983A3   test  ebx, ebx
    .text:6A2983A5   jz    __no_flow_guard_enabled
    .text:6A2983AB   cmp   [ebx+IMAGE_LOAD_CONFIG_DIRECTORY32.Size], 5Ch ; IMAGE_LOAD_CONFIG_DIRECTORY32
    .text:6A2983AE   jb    __no_flow_guard_enabled
    .text:6A2983B4   test  [ebx+IMAGE_LOAD_CONFIG_DIRECTORY32.GuardFlags], 100h ; pLoadConfig->GuardFlags
    .text:6A2983BB   jz    __no_flow_guard_enabled
    .text:6A2983C1   mov   ebx, [ebx+IMAGE_LOAD_CONFIG_DIRECTORY32.GuardCFCheckFunctionPointer]
    .text:6A2983C4   test  ebx, ebx

It will use the system-provided interface. However, if flag 0x100 is not set, it looks like it's up to the user to instrument it. It's also possible to define functions which will not be protected by Control Flow Guard by using __declspec(guard(ignore)), according to the MS header...

Also, it seems there is an option to instrument writes to memory as well, but I haven't seen it yet, so I have no idea how it's implemented, but for sure it's planned to be supported.
    #define IMAGE_GUARD_CF_INSTRUMENTED           0x00000100 // Module performs control flow integrity checks using system-supplied support
    #define IMAGE_GUARD_CFW_INSTRUMENTED          0x00000200 // Module performs control flow and write integrity checks
    #define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400 // Module contains valid control flow target metadata

What's good for reversers is that we can use pLoadConfig->GuardCFCheckFunctionPointer to hook all indirect calls.
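The load-config test from the disassembly above, written out as a check you could run over a module's load configuration directory when auditing whether it opts into CFG. This is an added example, not code from the original post or from ntdll; the function names, the state names and the sample values are assumptions, and the field offsets follow the IMAGE_LOAD_CONFIG_DIRECTORY32 layout in winnt.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field offsets in IMAGE_LOAD_CONFIG_DIRECTORY32 (winnt.h layout). */
#define LC_SIZE               0x00
#define LC_GUARD_CHECK_PTR    0x48   /* GuardCFCheckFunctionPointer */
#define LC_GUARD_FLAGS        0x58   /* GuardFlags */
#define LC_MIN_SIZE           0x5Cu  /* smallest Size that includes GuardFlags */
#define GUARD_CF_INSTRUMENTED 0x00000100u

enum cfg_state { CFG_NO_LOAD_CONFIG, CFG_NO_GUARD_FIELDS, CFG_NOT_INSTRUMENTED,
                 CFG_NO_CHECK_POINTER, CFG_ENABLED };

static uint32_t rd32(const uint8_t *p) {           /* little-endian read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {         /* little-endian write */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Same order of tests as the disassembly, plus a bound on the bytes actually held. */
enum cfg_state cfg_state_from_load_config(const uint8_t *lc, size_t len) {
    if (lc == NULL || len < 4) return CFG_NO_LOAD_CONFIG;         /* test ebx, ebx */
    if (rd32(lc + LC_SIZE) < LC_MIN_SIZE || len < LC_MIN_SIZE)    /* cmp Size, 5Ch */
        return CFG_NO_GUARD_FIELDS;
    if (!(rd32(lc + LC_GUARD_FLAGS) & GUARD_CF_INSTRUMENTED))     /* test GuardFlags, 100h */
        return CFG_NOT_INSTRUMENTED;
    /* The page shows the null test on the pointer but not the branch taken;
       reporting it as "not enabled" is this example's assumption. */
    if (rd32(lc + LC_GUARD_CHECK_PTR) == 0) return CFG_NO_CHECK_POINTER;
    return CFG_ENABLED;
}

/* Builds a constructed, otherwise zeroed directory and classifies it. */
enum cfg_state sample_state(uint32_t size, uint32_t guard_flags, uint32_t check_ptr) {
    uint8_t lc[LC_MIN_SIZE] = {0};
    wr32(lc + LC_SIZE, size);
    wr32(lc + LC_GUARD_FLAGS, guard_flags);
    wr32(lc + LC_GUARD_CHECK_PTR, check_ptr);
    return cfg_state_from_load_config(lc, sizeof lc);
}

int main(void) {
    /* Constructed values: 0x10001000 stands in for a check-function pointer slot. */
    printf("instrumented module : %d\n", sample_state(0x5C, 0x500, 0x10001000));
    printf("flag 0x100 not set  : %d\n", sample_state(0x5C, 0x400, 0x10001000));
    printf("pre-CFG load config : %d\n", sample_state(0x48, 0, 0));
    return 0;
}
```

A module that carries only IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT (0x400) is reported as not instrumented, which matches the `test ..., 100h` branch in the listing.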