Can we get compiler information from an elf binary?

Solution 1

There isn't a universal way, but you can make an educated guess by looking for things only done by one compiler.

GCC is the easiest; it writes a .comment section that contains the GCC version string (the same string you get if you run gcc --version). I don't know if there's a way to display it with readelf, but with objdump it's:

objdump -s --section .comment /path/binary

I just realized I ignored the rest of your question. Flags aren't generally saved anywhere; they would be in a comment section most likely, but I've never seen that done. There's a spot in the COFF header for a timestamp, but there's no equivalent in ELF, so I don't think the compile time is available either.

Solution 2

How about:

readelf -p .comment a.out

Solution 3

You can try using the strings command. It will create a lot of text output; by checking it you might guess the compiler.

pubuntu@pubuntu:~$ strings -a a.out |grep -i gcc
GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3

Here I know it's compiled with gcc but you can always redirect strings output to a file and examine it.

There is one very good utility called PEiD for Windows, but I can't find any alternative for it on Linux.

Solution 4

There are two methods. Both will give the same result.

objdump -s --section .comment path/to/binary

Using the readelf command, readelf -S binary will display the 40 section headers in the binary. Note the serial number of the .comment section header. On my system, it showed as 27 (it may be different in your case).

readelf -x 30 path/to/binary -> which will display the hex dump of section '.comment'. In that dump, you can see the compiler used for building the binary.

Solution 5

Either readelf or objdump can do this.

An ELF file compiled by gcc will have two added sections, .note.ABI-tag and .note.gnu.build-id. Both can be displayed by

objdump -sj .note.ABI-tag ELFFILE
objdump -sj .note.gnu.build-id ELFFILE

Option "s" means display full contents, and "j" indicates the section name. This style gets the hex contents of those sections.

readelf -n

will show the human-readable content of ELFFILE at once. Option "n" means NOTES.

Choose whichever you like.

By the way, using objcopy, you can add your own section to an ELF file.
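
An added example (not part of any answer above, and not binutils code): a Python sketch of what `readelf -p .comment` and `readelf -n` read, walking the section header table directly. It assumes ELF64 little-endian input; the function names and the `make_sample()` image are constructed for illustration. Because `.comment` is not loaded at run time and can be stripped or rewritten with objcopy, treat the result as a hint rather than proof of the toolchain.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header

def sections(data):
    """Map section name -> raw bytes for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(data)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    heads = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    strtab = data[heads[shstrndx][4]:heads[shstrndx][4] + heads[shstrndx][5]]
    out = {}
    for name_off, sh_type, _, _, off, size, *_ in heads:
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        out[name] = b"" if sh_type == 8 else data[off:off + size]  # 8 = SHT_NOBITS
    return out

def compiler_idents(data):
    """Producer strings from .comment, as `readelf -p .comment` lists them."""
    raw = sections(data).get(".comment", b"")
    return [s.decode("ascii", "replace") for s in raw.split(b"\0") if s]

def build_id(data):
    """Hex build ID from .note.gnu.build-id, or None if the note is absent."""
    note = sections(data).get(".note.gnu.build-id", b"")
    if len(note) < 12:
        return None
    namesz, descsz, ntype = struct.unpack_from("<III", note)
    start = 12 + ((namesz + 3) & ~3)       # note name is padded to 4 bytes
    return note[start:start + descsz].hex() if ntype == 3 else None  # 3 = NT_GNU_BUILD_ID

def make_sample():
    """Constructed minimal ELF64 image (sample data, not a real program)."""
    comment = b"GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3\0"
    note = struct.pack("<III", 4, 4, 3) + b"GNU\0" + bytes.fromhex("0badc0de")
    names = b"\0.comment\0.note.gnu.build-id\0.shstrtab\0"
    shoff = 64 + len(comment) + len(note) + len(names)
    image = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 1, 62, 1, 0, 0,
                      shoff, 0, 64, 0, 0, 64, 4, 3)
    table, off = SHDR.pack(*[0] * 10), 64  # index 0 is the null section
    for sec, typ, blob in ((b".comment", 1, comment), (b".note", 7, note),
                           (b".shstrtab", 3, names)):
        table += SHDR.pack(names.index(sec), typ, 0, 0, off, len(blob), 0, 0, 1, 0)
        image, off = image + blob, off + len(blob)
    return image + table

if __name__ == "__main__":
    print(compiler_idents(make_sample()), build_id(make_sample()))
```

To try it on a real file, pass `open(path, "rb").read()` to `compiler_idents()` and `build_id()`.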

Author: elmarco

Red Hat developer, working on virtualization, and sometime on GNOME related stuff.

Updated on September 17, 2022

Comments

  • elmarco over 1 year

    Is there some chance to know how a binary was built, under Linux? (and or other Unix)

    Compiler, version, time, flags etc...

    I looked at readelf and couldn't find much, but there might be other ways at analyzing the binary code/section etc...

    Anything you know how to extract?

  • tcoolspy over 12 years
    How is this different than Michael's objdump? Does it give more information? Available on different platforms? Cleaner output format?
  • Marcin Krasowski about 11 years
    Cleaner output format.
  • Ivan Black over 9 years
    +1, allows you to see the compilation flags (if gcc)
  • Victor Sergienko almost 5 years
    Worth noting that it's x86 only.
  • Den-Jason over 4 years
    readelf -n worked for me - example output:
    Displaying notes found in: .note.gnu.build-id
      Owner    Data size    Description
      GNU      0x00000014   NT_GNU_BUILD_ID (unique build ID bitstring)
        Build ID: b88bae04e9043b71b329bac0ce2a2e5314183272
  • Irfan Latif over 3 years
    It's .note.gnu.build-id, not .note.gnu-build-id.
  • KFL over 2 years
    readelf -p .comment <binary> see stackoverflow.com/a/42820439/695964