Given an executable that is compiled from C to run on Solaris, is it possible to determine which compiler was used to compile the associated incomplete executable?
I can't see anything when using either the strings or the file command, and magic doesn't seem to contain anything specific.
Do compilers generally put a fingerprint in their executable output files?
cheers,
-
Yes, IDA is great for this. It uses a technology called FLIRT.
-
Visual Studio and GCC typically follow different startup routines (which call main). That may be a hint. I don't know about others though. For DLLs, I can't think of something similar off the top of my head.
-
PEID will do the trick. It generally works just great. Obviously PEID is a Windows tool, but it shouldn't matter and should show you the compiler (sometimes even specific version information).
MSalters : Works for PE files only. Solaris is ELF or possibly a.out
Tim Matthews : IDA works for Solaris ELFs. See my post.
dr. evil : Oops, missed that, good point.
-
Build small test apps with each compiler you're trying to identify. Then look at the results in a hex editor, and try to find patterns. It might turn out to be really obvious -- for example the "Rich" signatures from Microsoft's linker.
-
Compilers usually add their own personal "signature" as plaintext in the compiled files. You can use a tool such as strings to suss the plaintext out.
Rob Wells : @Ignacio, I tried that but nothing really jumped out at me.
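The plaintext-signature idea from the answer above, made concrete for ELF: toolchains that emit ident strings conventionally place them in the `.comment` section, so reading that section directly is more targeted than scanning all of `strings`. This is an added example, not code from any poster; `elf_comment_strings` and `build_sample` are hypothetical names, and the sample image and its ident strings are constructed.

```python
import struct

def elf_comment_strings(data: bytes) -> list:
    """Return the NUL-separated strings in an ELF image's .comment section."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    if is64:
        shoff, = struct.unpack_from(e + "Q", data, 0x28)
        entsize, shnum, shstrndx = struct.unpack_from(e + "3H", data, 0x3A)
    else:
        shoff, = struct.unpack_from(e + "I", data, 0x20)
        entsize, shnum, shstrndx = struct.unpack_from(e + "3H", data, 0x2E)
    if shoff == 0 or shnum == 0:
        return []                             # section header table stripped

    def section(i):
        """(sh_name, sh_offset, sh_size) of section header i."""
        base = shoff + i * entsize
        name, = struct.unpack_from(e + "I", data, base)
        off, size = struct.unpack_from(e + ("2Q" if is64 else "2I"), data,
                                       base + (0x18 if is64 else 0x10))
        return name, off, size

    _, str_off, str_size = section(shstrndx)
    names = data[str_off:str_off + str_size]  # section name string table
    for i in range(shnum):
        name, off, size = section(i)
        if names[name:names.find(b"\0", name)] == b".comment":
            raw = data[off:off + size]
            return [s.decode("ascii", "replace") for s in raw.split(b"\0") if s]
    return []                                 # no .comment section present

def build_sample(comment: bytes) -> bytes:
    """Constructed big-endian ELF32 image: null section, .comment, .shstrtab."""
    strtab = b"\0.comment\0.shstrtab\0"
    shoff = 52 + len(comment) + len(strtab)
    ehdr = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(
        ">HHIIIIIHHHHHH", 2, 2, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 2)
    def shdr(name, typ, off, size):
        return struct.pack(">10I", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + comment + strtab + bytes(40)
            + shdr(1, 1, 52, len(comment))
            + shdr(10, 3, 52 + len(comment), len(strtab)))

if __name__ == "__main__":
    # Constructed ident strings, not taken from any real binary.
    sample = build_sample(b"GCC: (GNU) 0.0.0-constructed\0example-cc 1.0\0")
    print(elf_comment_strings(sample))
```

An empty result means the section or the section header table is absent, which is when the startup-routine and signature-matching approaches from the other answers become the fallback. On Solaris, `mcs -p <file>` prints the same section.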