1

CFF Explorer is able to detect the VC compiler version from a PE file. It shows "Microsoft Visual C++ 8" for my exe file, which is statically linked to libCMT (no DLL dependency).

How is that done? It must rely on some structure in the PE file which is unknown to me.

UPDATE:

  1. CFF Explorer can get the correct VC compiler version for a statically linked PE file (no DLL dependency on msvcmXX.dll, msvcpXX.dll or msvcrXX.dll).
  2. Even after I cleared the LinkerVersion / ImageVersion / SubsystemVersion / OperatingSystemVersion fields in the PE optional header to ZERO, CFF Explorer can still determine the correct VC compiler version.

It seems CFF Explorer is using a much more reliable way to detect the VC compiler version.

Cœur
Mr.Wang from Next Door

1 Answer

2

The PE header has some info about the linker (or compiler). Check out:

http://wiki.osdev.org/PE

and also:

http://mirror.sweon.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm

The magic word in the PE header may be the key to your answer.

Edit:

It seems CFF Explorer relies on the code signature. I've found some interesting posts here:

Determining Which Compiler Built a Win32 PE

In RBerteig's reply, the internal symbols can be used to determine the compiler.

http://www.codeproject.com/Articles/24417/Portable-Executable-P-E-Code-Injection-Injecting-a

From this post, the _main address is one of the signatures used to determine it.

And this post: http://ntcore.com/files/richsign.htm

gives more clues about the Microsoft compiler signature.

Community
spin6lock
  • CFF Explorer does not rely on MajorLinkerVersion / MinorLinkerVersion. I tried clearing these fields to ZERO and then opened the PE file again with CFF Explorer; it can still get the correct compiler, shown in "File Info". – Mr.Wang from Next Door Dec 21 '12 at 04:32
  • @user325320 Search with compiler signature and you'll get some interesting results :) – spin6lock Dec 21 '12 at 06:42
  • Thanks, I reset the rich signature part to zero and it can still get the correct version number. Quite amazing. I will send an email to the author about this; I hope he can get back to me. – Mr.Wang from Next Door Dec 22 '12 at 03:20
  • For me CFF Explorer and PE Detective don't work; they always report that the compiler was Microsoft Visual C++ 8.0 even if Intel, Mingw64 or any other was used instead. Is there any better tool? Regards. – skan Oct 31 '14 at 18:27
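
Added example, not part of the original thread and not CFF Explorer's own method: it reads the two header-level hints named in the answer above, the optional header's linker version and the Rich signature, and shows that zeroing the linker fields leaves the Rich build numbers intact. The function names, the sample image, its XOR key and its product IDs are constructed for the illustration.

```python
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian dword

def linker_version(data):
    """(MajorLinkerVersion, MinorLinkerVersion) from the optional header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF header
    return data[opt + 2], data[opt + 3]

def rich_entries(data):
    """Decode the Rich header into [(prod_id, build, count)]; [] if absent."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.find(b"Rich", 0x40, e_lfanew)
    if end < 0 or end + 8 > e_lfanew:
        return []
    key = struct.unpack_from("<I", data, end + 4)[0]  # XOR key follows "Rich"
    start = end - 4
    while start >= 0x40:  # walk back one dword at a time to the masked "DanS"
        if struct.unpack_from("<I", data, start)[0] ^ key == DANS:
            break
        start -= 4
    else:
        return []
    entries = []
    for off in range(start + 16, end - 7, 8):  # skip "DanS" + 3 padding dwords
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", data, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return entries

def build_sample(linker=(8, 0)):
    """Constructed test image (not a real binary): DOS header, Rich, PE start."""
    key = 0x5A17C0DE  # constructed XOR key
    ids = [(0x6D, 50727, 12), (0x78, 50727, 1)]  # constructed (prod, build, count)
    rich = struct.pack("<4I", DANS ^ key, key, key, key)
    for prod, build, count in ids:
        rich += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(rich))
    pe = b"PE\0\0" + bytes(20) + struct.pack("<HBB", 0x10B, *linker)
    return bytes(dos) + rich + pe

if __name__ == "__main__":
    for img in (build_sample(), build_sample(linker=(0, 0))):
        print(linker_version(img), rich_entries(img))
```

When both the linker fields and the Rich header are zeroed, as one comment above reports doing, these functions return `(0, 0)` and `[]`, so any tool that still names the compiler must be relying on something else, such as code signatures.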