Given an executable that is compiled from C to run on Solaris, is it possible to determine which compiler was used to compile the associated incomplete executable?
I can't see anything when using either the strings or the file command, and magic doesn't seem to contain anything specific.
Do compilers generally put a fingerprint in their executable output files?
cheers,
If the executable isn't stripped, try /usr/ccs/bin/mcs -p
This will usually show the compiler, linker and all the header files used
Yes IDA is great for this. It uses a technology called FLIRT.
PEID will do the trick. It generally works just great. Obviously PEID is a Windows tool but it shouldn't matter and should show you the compiler (sometimes even specific version information).
Build small test apps with each compiler you're trying to identify. Then look at the results in a hex editor, and try to find patterns. It might turn out to be really obvious -- for example the "Rich" signatures from Microsoft's linker.
Not stripped:
$ cc -O hello.c
$ file a.out
a.out: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, dynamically linked, not stripped
$ strings -a a.out | grep cc
/opt/solarisstudio12.3/prod/bin/cc -O hello.c
$ dwarfdump -i a.out | grep compile_o
DW_AT_SUN_compile_options Xa;O;R=Sun C 5.12 SunOS_sparc Patch 148917-07 2013/10/18;backend;raw;cd;
Stripped:
$ strip a.out
$ file a.out
a.out: ELF 32-bit MSB executable SPARC32PLUS Version 1, V8+ Required, dynamically linked, stripped
$ strings -a a.out | grep cc
(none)
Visual Studio and GCC typically follow different startup routines (which call main). That may be a hint. I don't know about others though. For DLLs, I can't think of something similar off the top of my head.
Compilers usually add their own personal "signature" as plaintext in the compiled files. You can use a tool such as strings to suss the plaintext out.