waliedassar

TimeDateStamps In PE Files

Sep 13th, 2012
//http://waleedassar.blogspot.com/
//http://www.twitter.com/waleedassar
//This shows several places where you can find TimeDateStamp occurrences in PE files.

1) The "TimeDateStamp" field of the "IMAGE_FILE_HEADER" structure.
//This is the most notorious place, always a target for both malware designers and forensic guys.
//N.B. Certain versions of Delphi linkers always emit a fixed TimeDateStamp of 0x2A425E19; in this case you should not rely on this TDS field.

2) The "TimeDateStamp" field of the "IMAGE_EXPORT_DIRECTORY" structure.
//Usually the same as, or very close to, the "TimeDateStamp" field of the "IMAGE_FILE_HEADER" structure.
//N.B. Not all linkers fill this field, but Microsoft Visual Studio linkers do fill it for both DLLs and EXEs.

3) The "TimeDateStamp" field of the "IMAGE_IMPORT_DESCRIPTOR" structure.
//Unlike what the name implies, this field is a bit useless if you are trying to determine when the executable was built. It is -1 if the executable/DLL is bound (see #8) and zero if not bound.

4) The "TimeDateStamp" field of the "IMAGE_RESOURCE_DIRECTORY" structure.
//Usually Microsoft Visual Studio linkers don't set it (I have tested with linker versions 6.0, 8.0, 9.0, and 10.0).
//Borland C and Delphi set this field for the main IMAGE_RESOURCE_DIRECTORY and its subdirectories.
//Sometimes spoofers may forget to forge this field for subdirectories; beware of that.

5) The "TimeDateStamp" field of the "IMAGE_DEBUG_DIRECTORY" structures.
//Microsoft Visual Studio linkers emitting debug info in the final PE always set this field.
//Spoofers may forge the field in the first "IMAGE_DEBUG_DIRECTORY" structure and forget the following ones.

6) If the IMAGE_DEBUG_DIRECTORY has the "Type" field set to 0x2 (IMAGE_DEBUG_TYPE_CODEVIEW), then by following the "PointerToRawData" field we can find another TimeDateStamp.
http://uploadpic.org/v.php?img=beQsqVavvW

7) The "TimeDateStamp" field of the "IMAGE_LOAD_CONFIG_DIRECTORY" structure.
//I have not seen it being used before.

8) The "TimeDateStamp" field of the "IMAGE_BOUND_IMPORT_DESCRIPTOR" structures.
//The TimeDateStamp of the DLL that the executable is bound to.
//We can't use this field to know when the executable was built, but we can use it to determine on which Windows version/Service Pack the file was built/bound.
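The following Python script is an added example and is not part of the original paste or the author's own tooling. It walks the eight locations listed above in a PE32/PE32+ image (file header, export, import, resource, debug and CodeView NB10 record, load config, bound import) and then cross-checks them the way a forensic reader would: the fixed Delphi stamp is called out, and any build-related stamp that disagrees with the file header by more than an hour is reported, which is exactly the inconsistency left behind when a spoofer forges the first stamp and forgets the rest. The PE image it parses is constructed in memory by `build_sample()` (a hypothetical minimal image, not a real binary), and the NB10 CodeView layout (signature, offset, stamp, age) is assumed to be the record item 6 refers to; RSDS records carry a GUID instead of a stamp and are ignored here.

```python
import struct
from datetime import datetime, timezone

# Fixed stamp that certain Delphi linkers emit (value quoted in the list above).
DELPHI_FIXED_STAMP = 0x2A425E19
# Locations that should agree with the build time whenever the linker fills them.
BUILD_STAMPS = ("IMAGE_EXPORT_DIRECTORY", "IMAGE_RESOURCE_DIRECTORY",
                "IMAGE_DEBUG_DIRECTORY", "CODEVIEW_NB10", "IMAGE_LOAD_CONFIG_DIRECTORY")

def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]

def rva_to_offset(sections, rva):
    # Map an RVA through the section table; RVAs below the first section are header bytes (offset == RVA).
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    if sections and rva < min(s[0] for s in sections):
        return rva
    raise ValueError("RVA 0x%x is outside every section" % rva)

def collect_timestamps(data):
    """Return {structure name: [TimeDateStamp, ...]} for the eight places listed above."""
    pe = u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, file_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 DataDirectory offset
    raw = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in raw]  # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    def directory(idx):
        rva, size = struct.unpack_from("<II", data, datadir + 8 * idx)
        return (rva_to_offset(sections, rva), size) if rva else (None, 0)
    found = {"IMAGE_FILE_HEADER": [file_ts]}                 # 1)
    # 2), 4), 7): a single structure each, TimeDateStamp at offset 4
    for idx, name in ((0, "IMAGE_EXPORT_DIRECTORY"), (2, "IMAGE_RESOURCE_DIRECTORY"),
                      (10, "IMAGE_LOAD_CONFIG_DIRECTORY")):
        off, _ = directory(idx)
        if off is not None:
            found[name] = [u32(data, off + 4)]
    # 3): zero-terminated array of 20-byte descriptors (-1 = bound, 0 = not bound)
    off, _ = directory(1)
    if off is not None:
        found["IMAGE_IMPORT_DESCRIPTOR"] = []
        while any(data[off:off + 20]):
            found["IMAGE_IMPORT_DESCRIPTOR"].append(u32(data, off + 4))
            off += 20
    # 5) and 6): 28-byte entries; a CodeView (Type 2) NB10 record carries one more stamp
    off, size = directory(6)
    if off is not None:
        found["IMAGE_DEBUG_DIRECTORY"] = []
        for ent in range(off, off + size, 28):
            found["IMAGE_DEBUG_DIRECTORY"].append(u32(data, ent + 4))
            dbg_type, ptr = u32(data, ent + 12), u32(data, ent + 24)
            if dbg_type == 2 and data[ptr:ptr + 4] == b"NB10":
                found.setdefault("CODEVIEW_NB10", []).append(u32(data, ptr + 8))
    # 8): zero-terminated array of 8-byte descriptors; the stamp is the bound DLL's, not ours
    off, _ = directory(11)
    if off is not None:
        found["IMAGE_BOUND_IMPORT_DESCRIPTOR"] = []
        while u32(data, off):
            found["IMAGE_BOUND_IMPORT_DESCRIPTOR"].append(u32(data, off))
            off += 8
    return found

def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def suspicious(found, tolerance=3600):
    """Flag the fixed Delphi stamp and every build-related stamp that disagrees with the header."""
    ref = found["IMAGE_FILE_HEADER"][0]
    notes = ["file header stamp is the fixed Delphi value; do not rely on it"] if ref == DELPHI_FIXED_STAMP else []
    for name in BUILD_STAMPS:
        for ts in found.get(name, []):
            if 0 < ts < 0xFFFFFFFF and abs(ts - ref) > tolerance:
                notes.append("%s stamp %s differs from header stamp %s" % (name, fmt(ts), fmt(ref)))
    return notes

def build_sample(file_header_ts, build_ts=0x5051E000):
    """Constructed minimal PE32 image (hypothetical, not a real binary): one section plus the directories above."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, file_header_ts, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", img, 0x58, 0x10B)                               # PE32 magic
    for idx, rva, size in ((0, 0x1000, 40), (1, 0x1040, 40), (2, 0x1080, 16),
                           (6, 0x10A0, 56), (10, 0x1140, 64), (11, 0x160, 16)):
        struct.pack_into("<II", img, 0x58 + 96 + 8 * idx, rva, size)      # DataDirectory[idx]
    struct.pack_into("<8sIIII", img, 0x138, b".rdata", 0x1000, 0x1000, 0x200, 0x200)
    struct.pack_into("<IHH", img, 0x160, 0x4A5BC9F0, 0x10, 0)              # bound import: the DLL's stamp
    struct.pack_into("<I", img, 0x204, build_ts)                           # export directory
    struct.pack_into("<IIIII", img, 0x240, 0x1060, 0xFFFFFFFF, 0xFFFFFFFF, 0x1070, 0x1060)  # bound descriptor
    struct.pack_into("<I", img, 0x284, build_ts)                           # resource directory
    struct.pack_into("<IIHHIIII", img, 0x2A0, 0, build_ts, 0, 0, 2, 32, 0, 0x300)      # CodeView entry
    struct.pack_into("<IIHHIIII", img, 0x2BC, 0, build_ts + 5, 0, 0, 0, 0, 0, 0)       # second debug entry
    struct.pack_into("<4sIII", img, 0x300, b"NB10", 0, build_ts, 1)        # NB10: sig, offset, stamp, age
    struct.pack_into("<II", img, 0x340, 0x40, build_ts)                    # load config: Size, stamp
    return bytes(img)

if __name__ == "__main__":
    found = collect_timestamps(build_sample(0x5051E000 - 30 * 86400))    # header backdated by a month
    print({k: [hex(t) for t in v] for k, v in found.items()})
    print("\n".join(suspicious(found)))
```

Run stand-alone, the script parses an image whose file header was backdated by thirty days while the other stamps were left alone, and `suspicious()` reports the six stamps (export, resource, both debug entries, the NB10 record and load config) that still carry the real build time. The import descriptor's -1 and the bound import's stamp are deliberately excluded from the comparison, since neither describes this file's build time.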