Comparing the Checksums of Two executables built from the same exact source

Question

I have a question regarding the verification of executable files, compiled with visual studio, using a checksum: If I build a project from src, I end up with an executable, call it exec1.exe, that has some metadata in it. If I later rebuild the same exact src, I get another executable, say exec2.exe, it also has its own metadata section.

If I create a checksum for each of the two files, they differ since the metadata information between the two files is different. Does anyone know of a way to bypass the metadata when I do a checksum of the files, so that regardless of the metadata, doing a checksum of the two files will result in the same checksum value? Or how to compile the binaries, such that as long as the src is identical, I end up with the same executables?

Thanks in advance for your input, Regards

Answer 1

There is no guarantee that Visual C++ will generate the same binary image when building the same source files on successive builds. The checksum is not intended to be used in this manner, and after a bit of research it seems that this is difficult to achieve. Rather, resources such as this kb article can help in comparing files.

Checksums are usually used to find errors resulting from sending/storing data, not to compare versions/builds of an executable.

Answer 2

If you have the pdb file as well you can use the DIA sdk to query all the source files that were used to build the executable. Basically enumerate all the IDiaSourceFile and each IDiaSourceFile has a get_checksum method. You can generate a master checksum that is combination of all the checksums of source files that were used to make the executable. If any of the checksum of any source file has changed you can kind of assume that the executable has changed as well.

This is the same mechanism that Visual Studio uses to determine if a source file is in sync with the pdb so that it can be stepped into for debugging purposes.