Advertisement
waliedassar

TimeDateStamps In PE Files

Sep 13th, 2012
658
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.31 KB | None | 0 0
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3. //This shows several places where you can find TimeDateStamp occurrences in PE files.
  4.  
  5. 1) The "TimeDateStamp" field of the "IMAGE_FILE_HEADER" structure.
  6. //This is the most notorious place, always a target for both malware designers and forensic guys.
  7. //N.B. Certain versions of Delphi linkers always emit a fixed TimeDateStamp of 0x2A425E19, in this case you should not rely on this TDS field.
  8.  
  9. 2) The "TimeDateStamp" field of the "IMAGE_EXPORT_DIRECTORY" structure.
  10. //Usually the same as or very close to the "TimeDateStamp" field of the "the "IMAGE_FILE_HEADER" structure".
  11. //N.B. Not all linkers fill this field, but Microsoft Visual Studio linkers do fill it for both DLL's and EXE's.
  12.  
  13. 3) The "TimeDateStamp" field of the "IMAGE_IMPORT_DESCRIPTOR" structure.
  14. //Unlike what the name implies, this field is abit useless if you are trying to determine when the executable was built. It is -1 if the executable/dll is bound (see #8) and zero if not bound.
  15.  
  16. 4) The "TimeDateStamp" field of the "IMAGE_RESOURCE_DIRECTORY" structure.
  17. //Usually Microsoft Visual Studio linkers don't set it (I have tested with linker versions of 6.0, 8.0, 9.0, // and 10.0).
  18. //Borland C and Delphi set this field for the main IMAGE_RESOURCE_DIRECTORY and its subdirectories.
  19. //Sometimes spoofers may forget to forge this field for subdirectories, beware of that.
  20.  
  21. 5) The "TimeDateStamp" of the "IMAGE_DEBUG_DIRECTORY" structures.
  22. //Microsoft Visual Studio linkers emitting debug info. in the final PE always set this field.
  23. //Spoofers may forge the field in the first "IMAGE_DEBUG_DIRECTORY" structure and forget the following ones.
  24.  
  25. 6) If the IMAGE_DEBUG_DIRECTORY has the "Type" field set to 0x2 (IMAGE_DEBUG_TYPE_CODEVIEW), then by following the "PointerToRawData" field we can find another TimeDateStamp.
  26. http://uploadpic.org/v.php?img=beQsqVavvW
  27.  
  28. 7) The "TimeDateStamp" field of the "IMAGE_LOAD_CONFIG_DIRECTORY" structure.
  29. //I have not seen it being used before.
  30.  
  31. 8) The "TimeDateStamp" field of the "IMAGE_BOUND_IMPORT_DESCRIPTOR" structures.
  32. //The TimeDateStamp of the DLL that the executable is bound to.
  33. //We can't use this field to know when the executable was build, but we can use it to determine on which Windows version/Service pack the file was built/bound.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement