19

Given an executable that is compiled from C to run on Solaris, is it possible to determine which compiler was used to compile the associated incomplete executable?

I can't see anything when using either the strings or the file command, and magic doesn't seem to contain anything specific.

Do compilers generally put a fingerprint in their executable output files?

cheers,

Rob Wells
  • 36,220
  • 13
  • 81
  • 146
  • Nice question. I assume there are differences (even between versions and compiler settings) but detection of the compiler won't be a trivial task. – Toon Krijthe Mar 06 '09 at 11:20
  • Interesting question. What OS are you thinking of? – John Sibly Mar 06 '09 at 11:24
  • It also depends on how much you have to work with. For instance gcc creates different o files than cc. If you have a static program or a dynamically loadable program you can also see which libraries is used. IN other words, your fingerprint is in logic not strings. – Thorbjørn Ravn Andersen Oct 25 '09 at 16:07

7 Answers7

6

Yes IDA is great for this. It uses a technology called FLIRT.

Tim Matthews
  • 5,031
  • 8
  • 38
  • 45
4

PEID will do the trick. It generally works just great. Obviously PEID is a windows tool but it shouldn't matter and should show you to compiler (sometimes even specific version information)

dr. evil
  • 26,944
  • 33
  • 131
  • 201
3

If the executable isn't stripped, try /usr/ccs/bin mcs-p This will usually show the compiler, linker and all the header files used

DaveS
  • 46
  • 1
2

Build small test apps with each compiler you're trying to identify. Then look at the results in a hex editor, and try to find patterns. It might turn out to be really obvious -- for example the "Rich" signatures from Microsoft's linker.

zildjohn01
  • 11,339
  • 6
  • 52
  • 58
1

Not stripped:

$ cc -O hello.c

$ file a.out

a.out: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, dynamically linked, not stripped

$ strings -a a.out | grep cc

/opt/solarisstudio12.3/prod/bin/cc -O hello.c

$ dwarfdump -i a.out | grep compile_o

DW_AT_SUN_compile_options Xa;O;R=Sun C 5.12 SunOS_sparc Patch 148917-07 2013/10/18;backend;raw;cd;

Stripped:

$ strip a.out

$ file a.out

a.out: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, dynamically linked, stripped

$ strings -a a.out | grep cc

(none)

Jeff Taylor
  • 471
  • 2
  • 4
  • 11
0

Visual Studio and GCC typically follow different startup routines (which call main). That maybe a hint. I don't know about others though. For dlls, can't think of something similar off the top of my head.

dirkgently
  • 108,024
  • 16
  • 131
  • 187
0

Compilers usually add their own personal "signature" as plaintext in the compiled files. You can use a tool such as strings to suss the plaintext out.

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358