And executable file contains machine instructions, encoded in a format understandable by a processor or interpreter, and can be executed directly by the operating system.
There are several executable file formats: their Format It depends on the operating system on which they are used. Some common examples include PE (Portable Executable)used mainly in Windows environments for executables (for example EXEs) and DLL libraries (Dynamic Link Libraries). However, we also mention, for example, the ELF format (Executable and Linkable Format), common in Unix operating systems and Unix-likecome Linux; Mach-O (Mach Object), used on macOS; the format Java Archive (JAR), which hosts Java applications that can be executed via the Java Virtual Machine (JVM).
What is an executable file
In another article we saw the differences between compilation and interpretation: during the compilation, the source code is translated into machine language or an intermediate language by a program called a compiler. In this case the operating system can directly manage the executable or intermediate code without the need to recompile the source code every time. Being already translated and available in machine languagecompiled code tends to run faster than interpreted code.
During the’interpretation, the source code is executed by an interpreter, which reads and executes instruction by instruction without the need to generate a separate executable. Interpreted code is usually slower than compiled code because each statement must be interpreted at each execution. However, the same source code works the same on any device and platform, as long as you use a suitable interpreter.
Java, for example, uses a hybrid approach. The source code is compiled into a bytecode which can be run from a virtual machine (such as the JVM). The JVM interprets the bytecode, but can also perform runtime optimizations, with an intermediate approach between compilation and interpretation. In general, bytecode describes the operations that make up a program by reducing dependency on hardware platform.
How to recognize the compiler used to create an executable file
Executable files can be generated by compilers of different programming languages such as C, C++, Java, Python and many others. The specific form and contents of the executable file depend on the compiler and the programming language used.
Each executable file may contain compiled machine language source code, function libraries, data, resources, and other information necessary forprogram execution. When you launch an executable file, the operating system or virtual machine processes the instructions contained in the file and executes them by managing the flow of the corresponding program.
Inside an executable file there is a “fingerprint” that allows you to trace the compiler used to generate the software object. An application like Dependency Walker, is able to examine the contents of the ed executable extract functions used by it. A clear tree structure returns the list of addictions identified following inspection of the executable file.
A useful tool for obtaining an identikit of an executable file is the TrID utility: download it and then save the most updated definitions file in the same folder (TrIDDefs.TRD package), you can issue the command
trid followed by the full path of the file to check to get an indication of the compiler used.
As you can see, in the example in the figure, TrID indicates that the executable file was previously compiled with Microsoft Visual C++.
Another valid alternative is Exeinfo PE: to use it, just extract the entire contents of its compressed archive into a folder of your choice and then double-click on its executable. To obtain information on an executable file, simply drag the element to be checked (from the File Explorer) in the window Exeinfo PE.
The compiler used to generate the executable file is clearly shown in the penultimate field in the main application window.
Another excellent tool to use for the same purposes is Detect It Easy, the most recent version of which can also be downloaded from the GitHub repository for all the various operating systems.
Difference between disassembler e decompiler
Both the disassembler and the decompiler are tools used in software analysis and computing activities reverse engineering. And disassembler converts the binary code (machine language) of a program into Assembly language, a representation that is certainly more understandable for human beings although still quite close to machine language.
Disassemblers allow you to examine the structure of executable files, including the components on which their functioning depends (for example, libraries).
And decompiler instead, it performs a more advanced task than the disassembler: it converts machine code into source code at a higher level, trying to recreate the source code original or something that can in some way come close to it.
These are tools often used to understand more closely the functioning of the source code of a certain program, with the possibility of examining its behavior and applying any changes. Especially in situations where the original source code is not available. In general, therefore, the decompiler provides ahigher abstraction compared to the disassembler.
Which decompilers to use
The Dogbolt (Decompiler Explorer) project provides the ability to send an executable file no larger than 2MB in size to your web application. In this way you can examine the behavior of the various decompilers supported by the project and look for relevant information about the behavior of each executable.
DotPeek for .NET executables
Not included in Dogbolt, one of the best decompilers for i of the .NET program it is undoubtedly dotPeek. Developed by JetBrains, the same company that created popular integrated development environments (IDEs) such as I understand the idea, ReSharper, PyCharm and other, dotPeek is designed to help .NET developers examine application source code from compiled assemblies, without the availability of any useful information.
dotPeek can generate a representation in C# of the original source code, making the operation of any .NET application (.NET Framework, .NET Core and .NET 5/6/7) more understandable. The JetBrains program interface allows users to view classes, methods, properties, and other code elements. Additionally, it supports advanced navigation features, such as those for search for referencesnavigation between definitions and quick access to declarations.
dotPeek is available as a tool free e autonomous, which can be downloaded and used independently of other JetBrains tools. To use dotPeek, simply download it from the official website, install it then open the EXE or DLL file you want to examine.
Snowman for executable files in C/C++ language
Snowman is an open source disassembler and decompiler (it is also “portable” as it does not require installation) designed to convert the codice assembly in C. Its main goal is to provide a more readable representation of the source code starting from the assembly.