Monday, May 8, 2017

Software made with Delphi. How do you know?

How many times have we heard someone talking about how Delphi was used to make one piece of software or another, or that it's being used by some well-known company?

It happens all the time.

Of course, the obvious first question is "How do you know?"

I suppose the best way would be to hear it directly from the companies themselves. Or at least from the people doing the development. Here are some that I found interesting:


Embarcadero has published some case studies with more examples.

However, this is kind of the exception. Companies don't necessarily go out of their way to talk about what development tools they use. At least not the companies I've dealt with. You usually have to do a little bit of digging.

And take anecdotal stories with a grain of salt. Unless someone has direct knowledge about the tools a company is using, their information could be outdated or just flat out wrong. If you want to be sure, then you need to check for yourself.


How do you check?


If you have access to the software, the easiest and most reliable way is to look at the executables. If an executable has a DVCLAL and/or PACKAGEINFO resource, then you can be pretty sure it was created with Delphi or C++ Builder.

That's all there is to it. Simple, right?

If you dig a little deeper, GetPackageInfo returns some interesting flags that can identify, among other things, whether the Delphi or C++ Builder compiler was used. The constants are defined in SysUtils.

{ Package Info flags }
const
  [...]
  pfV3Produced = $00000000; // Delphi or C++ Builder 3
  pfProducerUndefined = $04000000; // Unknown
  pfBCB4Produced = $08000000; // C++ Builder
  pfDelphi4Produced = $0C000000; // Delphi


The contents of the DVCLAL resource can identify which edition was used; Personal, Professional or Enterprise. The Starter edition shows as Personal and editions above Enterprise (Ultimate and Architect) show as Enterprise. Interestingly, the Turbo editions show as Professional.

Personal [23 78 5D 23 B6 A5 F3 19 43 F3 40 02 26 D1 11 C7]
Professional [A2 8C DF 98 7B 3C 3A 79 26 71 3F 09 0F 2A 25 17]
Enterprise [26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83]


IsDelphi


I thought it would be interesting to search my entire hard drive and see what kind of applications were built with Delphi (or C++ Builder).

IsDelphi was written in Delphi (naturally) and the source code can be found on Code Central. I have tested it against Delphi 10.1 Berlin and 10.2 Tokyo, including the Starter Edition. It may compile with older versions of Delphi, but I have not tried it yet.

Drag one or more files and/or folders from Windows Explorer to IsDelphi's main form and it will examine any executable files that it finds. It searches subfolders, so if you drag C:\ to the main form, expect it to take a while.

The results can be copied to the clipboard as a comma separated list or a file in the results list can be opened in Windows Explorer to see it in context.




What is an executable file?

For the purposes of this discussion IsDelphi considers an executable to be a portable executable file with one of the following file extensions:

.EXE - Application
.DLL - Application extension
.OCX - ActiveX control
.CPL - Control panel item
.SCR - Screen saver
.BPL - Borland package library


Potential Complications

Not every version of Delphi or C++ Builder included DVCLAL or PACKAGEINFO resources, and if an executable has been compressed or encrypted using an EXE compression tool like UPX, the contents of resources might be altered or they might not be readable at all through normal means. Sometimes you need to make an educated guess.

If these resources can be enumerated but can't be read or if they can be read but contain unexpected values, then Delphi or C++ Builder is assumed.

If the resources aren't found in an executable, IsDelphi looks for forms. Form resources begin with "TPF0" [54 50 46 30]. It doesn't matter if a form is from the VCL (.DFM), FireMonkey (.FMX), CLX (.XFM) or Lazarus (.LFM). The resources are all encoded the same way.

If an executable has one or more form resources, then Delphi or C++ Builder was probably used, unless one of the forms includes a reference to "LCLVersion", which means it was likely made with Lazarus.


Inno Setup and False Positives

Inno Setup is a popular installer written in Delphi. The installation executable that gets generated shows as Delphi and the install includes a file named something like "unins000.exe" which also shows as being written in Delphi, even if the application itself isn't. This is the case with Microsoft's Visual Studio Code, for example.
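
The checks described above (DVCLAL and PACKAGEINFO resources, the edition signatures, the "TPF0" form fallback, the LCLVersion test and the Inno Setup uninstaller caveat), written out as one triage function. This is an added Python example, not IsDelphi's source, and the names classify and SAMPLES are hypothetical. It assumes the RCDATA resources have already been extracted from the executable, that the PACKAGEINFO flags are the first little-endian DWORD of that resource, and that uninstallers are named "unins" followed by three digits.

```python
import re
import struct

# DVCLAL signatures exactly as listed in the post.
DVCLAL_EDITIONS = {
    bytes.fromhex("23785D23B6A5F31943F3400226D111C7"): "Personal",
    bytes.fromhex("A28CDF987B3C3A7926713F090F2A2517"): "Professional",
    bytes.fromhex("263D4F38C28237B8F3244203179B3A83"): "Enterprise",
}
# Producer values from the SysUtils excerpt; the mask is the two bits they occupy.
PRODUCER_MASK = 0x0C000000
PRODUCERS = {0x00000000: "Delphi or C++ Builder 3", 0x04000000: "Unknown",
             0x08000000: "C++ Builder", 0x0C000000: "Delphi"}
# Assumption: Inno Setup uninstallers are named unins000.exe, unins001.exe, ...
INNO_UNINSTALLER = re.compile(r"unins\d{3}\.exe", re.IGNORECASE)

def classify(filename, rcdata):
    """rcdata maps RCDATA resource names to bytes, or None if unreadable."""
    res = {name.upper(): data for name, data in rcdata.items()}
    out = {"verdict": "no markers found", "edition": None, "producer": None,
           "inno_uninstaller": bool(INNO_UNINSTALLER.fullmatch(filename))}
    if "DVCLAL" in res or "PACKAGEINFO" in res:
        # Present but unreadable or unexpected still counts, as in the post.
        out["verdict"] = "Delphi or C++ Builder"
        out["edition"] = DVCLAL_EDITIONS.get(res.get("DVCLAL"))
        pkg = res.get("PACKAGEINFO")
        if pkg and len(pkg) >= 4:
            # Assumption: the flags are the first little-endian DWORD.
            flags = struct.unpack_from("<I", pkg)[0]
            out["producer"] = PRODUCERS[flags & PRODUCER_MASK]
        return out
    # Fallback: any form resource (DFM/FMX/XFM/LFM) starts with "TPF0".
    forms = [d for d in res.values() if d and d.startswith(b"TPF0")]
    if forms:
        lazarus = any(b"LCLVersion" in d for d in forms)
        out["verdict"] = ("probably Lazarus" if lazarus
                          else "probably Delphi or C++ Builder")
    return out

# Constructed sample inputs (not taken from real files).
SAMPLES = {
    "app.exe": {"DVCLAL": bytes.fromhex("A28CDF987B3C3A7926713F090F2A2517"),
                "PACKAGEINFO": struct.pack("<I", 0x0C000001) + b"\x00" * 4},
    "packed.exe": {"DVCLAL": None},
    "laz.exe": {"TFORM1": b"TPF0 TForm1 LCLVersion 2.2.6.0"},
    "unins000.exe": {"TMAINFORM": b"TPF0 TMainForm"},
}
```

A hit with inno_uninstaller set says something about the installer only, not about the application it removes.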


Additional Information

More information, tools and techniques to help identify Delphi applications can be found on the Determine Delphi Application wiki page.

If someone wanted to take a closer look at the inner workings of executable files, I recommend Anders Melander's Resource Editor, the XN Resource Editor and Detect It Easy.


Some Interesting Finds


As you can imagine, when I looked through my own hard drives, I found more than a few Delphi applications, including some from notable companies that I don't think I've seen mentioned before as using Delphi.

Hewlett-Packard - HPePrint was installed with my HP printer driver and was written in Delphi.

ASUS - Several Delphi and C++ Builder executables are installed on computers with ASUS motherboards and on ASUS laptops for things like their installer, registration and TurboV (overclocking).

DELL - Someone kindly pointed out in the comments that the Dell Display Manager was written in Delphi. And so is their Dell Monitor Driver Installer.

If anyone tries IsDelphi, let me know if you find anything interesting.

13 comments:

Unknown said...

A couple that showed up on my system:

Reolink Client - http://www.reolink.com
VisiPics - http://www.visipics.info

Bruce McGee said...

Are you sure about the Reolink Client? The latest version isn't, but it does use Inno Setup, so the install includes a file named unins000.exe that reads as being written in Delphi.

Matthias said...

Skype (Windows desktop version, both old and new) is written in Delphi; I have it from a developer source. Yes, Skype by Microsoft.

Unknown said...

Bruce:

My mistake, the ReoLink detection is for the Inno unins000.exe file. However, I found hits for the following on a different machine:

- Dell Display Manager
- HeidiSQL

Bruce McGee said...

No worries. I still get caught myself.

I have seen HeidiSQL before, but Dell Display Manager is really cool. I'll add it to the list of "Interesting Finds".

Thanks

Leus said...

Well,

Those darn antivirus sure can check if an application is written in Delphi. My customers are always complaining that their antivirus (Avast and eSet) mark my software as a virus.

Bah.

Esteban Pacheco said...

Another good find.

It seems that the Git Windows client version 2.10.2-64 bit (latest) is built with Delphi.

https://git-scm.com/

Bruce McGee said...

Do you mean Git GUI? The most recent version (2.12.2) wasn't written with Delphi, but it does use Inno. Is it possible that you have a false positive?

On a related note, does anyone NOT use Inno Setup? It's popping up everywhere.

John Terwiske said...

On my home computer your program revealed: MediaMonkey.

Milan Vydareny said...

Found a few things--
DBF Manager http://dbfmanager.com/ Manages and manipulates DBF files.
helpndoc https://www.ibe-software.com/ Help authoring environment that produces CHM, responsive Web, PDF, Word, ePub, Kindle and QtHelp files from a common code base.
IcoFX Icon and Cursor Editor http://www.icofx.ro Graphic editing tool for icons and cursors
IDrive Backup and File Sync Utility (May be a false positive because of install/uninstall) https://www.idrive.com/ Scheduled cloud backups along with file synchronization (similar to Google Drive or Dropbox)
ImgBurn http://www.imgburn.com/ Lightweight CD/DVD/HD DVD/Blu-ray burning application
Junior Icon Editor http://www.sibcode.com/junior-icon-editor/ Free utility for editing Windows icons
Diagram Designer et al http://meesoft.logicnet.dk/ Diagram designer plus a number of other utilities that I don't have so I don't know if they're all Delphi
PingPlotter https://www.pingplotter.com/ Graphical display of network routers and router responses
QDAMiner Lite https://provalisresearch.com/ Qualitative Data Analysis
URL Gather http://www.zqware.com/ Internet bookmark manager

Bruce McGee said...

@Milan: Very nice list, and you're right about MeeSoft and Zquare having multiple utilities written in Delphi.

IDrive is kind of a false positive. It has the Inno uninstaller and the application uses one Delphi DLL, but the application itself isn't written in Delphi. And PingPlotter appears to be a .Net application, so it may have been rewritten.

Gerry Coll said...

For running apps, SPYXX (from Visual Studio) and similar apps allow you to see the window class names.

TPanel, TToolBar, etc. are a bit of a giveaway.

Esteban Pacheco said...

Hi Bruce,

You are completely right. It is a false positive. Inno Setup. My fault. Thank you for the correction.