compiling from source

[rick2718]

Compiling from source is not an absolute guarantee of safety... unless you read and understand all the code, but how many people can/will do that?  It is not too difficult to obfuscate at the source code level (look at the obfuscated C contest each year).

Bad binary behavior starts to get noticed quickly when people start losing something. Until then, it is unlikely the time would be spent to uncover 'issues'.

[1badbullitt]

There are a couple obfuscated C Code testing apps out there, that will check for possible malicious code. A simple Google search should get you on your way.

[rick2718]

It's not really possible to detect in any systematic way.  Suppose I have:
unsigned char obf[BUFSIZ];

then memcpy(obf, pointer-to-some-known-place, sizeof(obf));, where the 'known place'
has the ascii values I need. then a bit of pointer arithmetic can construct the file name/process name/whatever
I am looking for in a manner which would not show up via grep or strings() on the binary.

So, if I wanted to open a wallet.dat file in source it would be pretty easy to hide it from all but other
knowledgeable and interested developers.

A google search for 'obfuscated C Code testing apps' isn't going to help out.