TransWikia.com

Find out version of statically linked MFC from an exe

Reverse Engineering Asked by H Bellamy on June 24, 2021

I have an exe with symbols stripped that I am trying to reverse engineer. I know the library is linked with MFC but I don’t know which version. (Therefore, I can’t use something like FLIRT signatures etc. to import known symbols and help reverse engineering).

Is there a way to deduce the version of MFC statically linked into an exe from the exe itself?

I have tried some trial-and-error approaches, but really it caused a lot of trouble as some symbols matched and others didn’t. I’m looking for a tried and tested way – is something embedded in the metadata of an exe?

One Answer

All statically linked MFC binaries I've seen always include strings for some internal classes. The naming convention can be found in afximpl.h:

#define AFX_WNDCLASS(s) \
    _T("Afx") _T(s) _T(_MFC_FILENAME_VER) _STATIC_SUFFIX _UNICODE_SUFFIX _DEBUG_SUFFIX

#define AFX_WND             AFX_WNDCLASS("Wnd")
#define AFX_WNDCONTROLBAR   AFX_WNDCLASS("ControlBar")
#define AFX_WNDMDIFRAME     AFX_WNDCLASS("MDIFrame")
#define AFX_WNDFRAMEORVIEW  AFX_WNDCLASS("FrameOrView")
#define AFX_WNDOLECONTROL   AFX_WNDCLASS("OleControl")

So, for example, AfxWnd100s means that the program has been compiled with the static release MFC 10.0 library while AfxWnd140sd will be present in the static debug build of MFC 14.0 (VS2015). The string will be in Unicode (UTF-16) and with the u suffix for Unicode builds (e.g. AfxWnd140sud).

Answered by Igor Skochinsky on June 24, 2021
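
An added example, not part of the original answer: a Python scan for the window-class strings the answer describes, in both ANSI and UTF-16LE form, decoding the version and the s/u/d suffixes. The function name and the sample bytes are made up for illustration, and the version formatting (a dot before the last digit) follows the answer's two examples and is an assumption for other values.

```python
import re
import sys

# Base names taken from the AFX_WNDCLASS definitions quoted in the answer.
CLASSES = "Wnd|ControlBar|MDIFrame|FrameOrView|OleControl"
# Afx + class + _MFC_FILENAME_VER + static/unicode/debug suffixes, in macro order.
NAME = re.compile(r"Afx(%s)(\d{2,3})(s?)(u?)(d?)$" % CLASSES)
ANSI_RUN = re.compile(rb"[A-Za-z0-9]{6,}")            # ANSI builds
WIDE_RUN = re.compile(rb"(?:[A-Za-z0-9]\x00){6,}")    # Unicode (UTF-16LE) builds


def find_mfc_classes(data):
    """Return dicts describing MFC window-class strings found in raw bytes."""
    found = {}
    for regex, codec in ((ANSI_RUN, "ascii"), (WIDE_RUN, "utf-16-le")):
        for run in regex.finditer(data):
            text = run.group().decode(codec)
            m = NAME.search(text)  # anchored at the end of the alphanumeric run
            if not m:
                continue
            cls, ver, static, uni, debug = m.groups()
            found[(m.group(), codec)] = {
                "string": m.group(),
                "encoding": codec,
                "class": cls,
                # "100" -> "10.0", "140" -> "14.0", as in the answer's examples
                "mfc_version": ver[:-1] + "." + ver[-1],
                "static": static == "s",
                "unicode": uni == "u",
                "debug": debug == "d",
            }
    return [found[key] for key in sorted(found)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # Constructed sample bytes, not taken from a real binary.
        blob = (
            b"\x00\x01AfxWnd100s\x00\xff"
            + "AfxFrameOrView140sud".encode("utf-16-le")
            + b"\x00\x00"
        )
    for hit in find_mfc_classes(blob):
        print(hit)
```

Run it with the path to the exe as the only argument. Several hits that agree on version and suffixes are a stronger signal than a single match.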
