At process startup, if the PE header of the main executable does not have
the "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" bit flag set, then the
"LdrpIsImageSEHValidationCompatible" function is called to determine if
the current executable should be exempted/Opted-Out of the "SEH overwrite
protection" a.k.a SEHOP.
One typical example of executables that are not compatible with SEHOP is
The function takes the "MajorLinkerVersion" and "MinorLinkerVersion" fields
as sign of these executables, where they have the values of 0x53 and 0x52
If 0x53 and 0x52 are found, then the function returns false and a global ntdll
variable called "_RtlpProcessECVDisabled" is set to 1. The function is of no
use unless the SEHOP is enabled system-wide.
Later on, this "_RtlpProcessECVDisabled" variable is checked for the value "1" and
if found, the "ZwSetInformationProcess" function is called with the
"ProcessInformationClass" parameter set to 0x22 (ProcessExecuteFlags). This ZwSet-
InformationProcess call ends up setting the "DisableExceptionChainValidation" bit flag
of the "_KEXECUTE_OPTIONS" structure in corresponding "_KPROCESS" structure.