Identifying compiler version from Windows executable

Question

Is there a reliable way to detect which compiler was used to compile and build a given Windows executable?

Alone this would be too broad of a topic so I narrow it down:

• I'm only interested in the languages of the C family (C, C++, C#)
• Let's assume the executable was not tampered with on the purpose of hiding this information.
• Visual Studio and the most notable gnu compilers are enough, so no need to handle very old, or not widely used compilers.

In case of C# it's obvious that it the compiler shipped with Visual Studio was used, so in this case is it possible to get the version (year) and type (express, etc.) of the Studio?

Edit:

From the answers it seems that it's difficult and not always reliable to determine, because heuristics must be used. So, is there any compiler which deliberately inserts some kind of "watermark" in the executable? I was guessing if there is any, Visual Studio could be such a compiler (if for nothing else, I can imagine them doing it just for the sake of knowing if someone used the free express edition, or just another version than what they officially bought). However, I could not find any definitive answer on Google.

Answer 1

IDA disassembler capable to identify compiler's standard libraries compiled statically:

http://www.hex-rays.com/products/ida/index.shtml

http://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml

If to talk only about MSVC, it passes this pointer in ECX register, so if you see this, the code is probably C++ (not C) and use objects. More here: http://en.wikipedia.org/wiki/X86_calling_conventions

C# code is so different that you don't even need disassembler to identify it.

Answer 2

You could try out the dumpbin tool (call it as dumpbin /HEADERS). It will list the linker version in the OPTIONAL HEADERS and from that you could find out what version of the compiler that was likely used. See dumpbin help page

Answer 3

This is actually two questions, since C/C++ and C# are entirely different. I will attempt to answer the C# question.

A C# assembly is always built for a specific .NET Framework version. By examining which version an assembly is, you can determine which version of the compiler was used. Each version of the Framework has its own compiler.

There is no way to find out details about Visual Studio from the compiled assembly, because the compiler is not part of VS. You can assume that a .NET 4 assembly was built with VS 2010, but that's about it. It could have been written in Notepad, for all we know.

There is also a possibility that a compiler besides csc was used, but that doesn't happen often, except with Mono, so I would ignore that.

As for the native languages:

There is no reliable way to know which compiler was used. There isn't even a way to determine which language was used. All you have to work with is machine code and binary data, so you have to make educated guesses based on known patterns of compilers.

Answer 4

There is no official or standard method to identify the tools used to make a binary or executable object. The Windows executable format does not require information about the tools; nor the language used.

One may be able to distinguish tools by identifying code patterns, but this is very difficult. It is so difficult and time consuming the people rewrite software using different tools.

BTW, there are other tools out there besides Visual Studio and GNU.

Answer 5

For native code, you use "Library Fingerprinting". See ftp://ftp.cs.wisc.edu/paradyn/papers/Jacobson11Unstrip.pdf

Many signatures available here: http://code.google.com/p/flairdatabase/

And see http://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml