Reputation: 29
How to identify if an executable file was compiled from C or C++?
My college professor asked me how to identify if a .exe file was created using C or C++?
Does anyone know how to identify that?
Upvotes: 1
Views: 1499
Answers (1)
Reputation: 41281
The easy approach: If your binary has not been stripped of symbols, its C++ components will include mangled names, e.g. ?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@, .?AVbad_typeid@@, or _ZNSt8ios_base4InitC1Ev. A C binary should not have mangled symbols. On the other hand, symbols starting with _R strongly suggest Rust name mangling.
If you don't have any symbols, you can use imports or strings to get hints, but you're starting to get into the realm of guesswork:
If the binary is a C++ binary from MSVC, it will be linked against either the MSVC++ runtime or another C++ runtime (e.g. libstdc++). As a result, you'll either see the literal string "Microsoft Visual C++ Runtime Library" embedded in the binary, or you'll see a file named similar to msvcp###.dll (note the P in the name) in the imports table.
If you're using something like msys/mingw/cygwin, you'll still see strings related to the C++ runtime library, but the exact wording will be different. I observed GLIBCXX_3.4 as well as some mangled names even in a stripped binary from clang++, but your outcomes may vary. Other hints are the names of C++ exceptions or classes, e.g. basic_string or bad_typeid.
Failing that, you can look for strings that look like mangled names (see first paragraph); I looked at a few C++ binaries on my system and even though their symbol tables were stripped, they still had tons of mangled names showing up as strings.
Other giveaways are tables of pointers that point into the code section, which might form virtual dispatch tables, or Windows RTTI. On windows x86, expect a large number of these functions to take a pointer input from ECX/RCX (which is this).
Note that this is not foolproof; if so inclined I could create a C++ binary and then carefully obfuscate all of these hints. A true reverse engineering tool, such as Ghidra, can help you make these determinations as well as many more insights, once you know how to use it responsibly and effectively.
Upvotes: 5
Related Questions
- How to know if a project is C or C++ in Visual Studio?
- Identifying compiler version from Windows executable
- How to determine which compiler has been used to compile an executable?
- How to detect that a C/C++ file is using windows specific stuff
- Write a program that will print "C" if compiled as an (ANSI) C program, and "C++" if compiled as a C++ program
- How to tell if you're compiling on Windows?
- How to find out if a exe file is a .Net exe or regular exe?
- How do I find out if a .exe is running in c++?
- how visual studio tell c++ and c?
- How to judge whether a project is a c or c++ project?