TimeDate stamp in Property Edit

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Post by gdv » 04 Nov 2010 01:51

Hello Maël!

I hope you won't mind my posting a non-HxD question here.

I'm not a programmer, but just a self-taught computer hardware/software hobbyist, and I've enjoyed trying out your HxD Hex Editor and your Property Edit program. I've even started a small list of questions and suggestions re HxD (and maybe re Property Edit) that I hope to post at some point, but that file is on another computer which is down right now with a failed motherboard. :(

I've been trying to learn a bit about various programming and computer forensic issues, and in particular have been looking at various date formats/encodings. I noticed that Property Edit will reveal a PE Header TimeDate stamp which, if I understand correctly, usually represents when the executable was compiled. I've also been playing around with Digital Detective's DCode v4.02a (Nov 2, 2009) to check various TimeDate stamps. Recently, for example, I used both Property Edit and DCode to clarify the version, or at least the compilation TimeDate, of another developer's updated executable that still showed the same internal versioning information as the previous version.

However, as I was looking at this, I happened to use Property Edit to look at the Property Edit v2.5.0.0 executable itself (PropEdit.exe, md5=c53c32d441799600d516bca9e2e95ea6, sha1=1fa0e81c8237e9095f83f595d1772a440a10f8f4) and found a TimeDate stamp of 708992537, which as near as I can figure doesn't correspond to any TimeDate stamp format included with DCode, or any other I can discover.

More specifically, the PropEdit.exe Modified TimeDate stamp inside the ZIP file downloaded from your site is Thu, Jul 12 2007 01.57.42pm PDT (local time) on my system or Thu, Jul 12 2007 20.57.42pm UTC (not, BTW, Jan 26, 2005 as indicated on your webpage :)). The PropEdit.exe PE Header TimeDate stamp as revealed in Property Edit (708992537) probably most resembles a Unix Epoch format, but that format converts to Fri, 19 Jun 1992 22.22.17 UTC, which makes no sense, nor do any of the other conversions I've attempted.

Here's a summary of the results for all the TimeDate formats included in DCode (presented as code so I could get the columns to line up, and including my own local time in addition to UTC, which I hope doesn't confuse things):


                                                                     PropEdit.exe (708992537)
                                                            Modified Thu, Jul 12 2007 01.57.42pm Local PDT
Format                       DCodeExample                   Modified Thu, Jul 12 2007 20.57.42pm UTC
======                       ============                   ==============================================
Win 64bit Hex LE             FF03D2315FE1C701                                  Invalid
Win 64bit Hex BE             01C7E15F31D202FF                                  Invalid
Win Cookie (Lo,Hi)           1713586176,30212469                               Invalid
Win Filetime                 CD4E55C3:01C7DD3E                                 Invalid
Win OLR (64bit Double)       FBE8DF975D3FE340                                  Invalid
Win 128bit SYSTEM Structure  D9070B00010002000600090013000000                  Invalid
Unix 32bit Hex LE            A2C3B446                                Sat, 07 Jun 2014 03.39.28 UTC
                                                             ...or:  Fri, 06 Jun 2014 20.39.28 -0700
Unix 32bit Hex BE            46C3B400                                Tue, 30 Oct 2029 14.14.43 UTC
                                                             ...or:  Tue, 30 Oct 2029 07.14.43 -0700
Unix Numeric                 1170245478                              Fri, 19 Jun 1992 22.22.17 UTC
                                                             ...or:  Fri, 19 Jun 1992 15.22.17 -0700
Unix Millisecond             1176469232719                                     Invalid
Google Chrome                12883423549317375                                 Invalid
MAC Absolute                 219216022                               Tue, 20 Jun 2023 22.22.17 UTC
                                                             ...or:  Tue, 20 Jun 2023 15.22.17 -0700
DOS 32bit Hex                3561A436                                Sat, 18 Dec 2021 17.11.32 Local
DOS wFatDate wFatTime        A4363561                                Mon, 16 Nov 2048 10.28.36 Local
HFS 32bit Hex LE             CD4E55C3                                Sun, 06 Jun 1948 03.39.28 Local
HFS 32bit Hex BE             C3554ECD                                Wed, 30 Oct 1963 14.14.43 Local
HFS+ 32bit Hex LE            CD4E55C3                                Sun, 06 Jun 1948 03.39.28 UTC
                                                             ...or:  Sat, 05 Jun 1948 20.39.28 -0700
HFS+ 32bit Hex BE            C3554ECD                                Wed, 30 Oct 1963 14.14.43 UTC
                                                             ...or:  Wed, 30 Oct 1963 07.14.43 -0700

As you can see, none of the format conversions are remotely close to the PropEdit.exe July 12, 2007 Modified date. I'm sure there's a simple answer to this puzzle (e.g., Delphi uses yet another TimeDate stamp I haven't been able to discover, or PropEdit.exe was compiled on a machine with an inaccurate system date, or...???), but I've run into a dead-end trying to figure it out myself... ...So I thought I'd ask you if you might be able to clarify it for me.

While I'm at it, I might also ask if you know of any good resources for getting a good overview of all the PEInfo Property Edit reveals.

I will very much appreciate any help or guidance you're able to offer!

Thanks! :D

Maël
Site Admin
Posts: 936
Joined: 12 Mar 2005 14:15

Re: TimeDate stamp in Property Edit

Post by Maël » 06 Nov 2010 05:13

Hello gdv!

You can get the official PE-file format specification from MS.
For TimeDateStamp it says:
The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created.
gdv wrote:The PropEdit.exe PE Header TimeDate stamp as revealed in Property Edit (708992537) probably most resembles a Unix Epoch format, but that format converts to Fri, 19 Jun 1992 22.22.17 UTC, which makes no sense, nor do any of the other conversions I've attempted.
The date you mention above is correct. It is supposed to be the link time, but older Delphi versions don't properly set the timestamp. See this thread if you want to know more: https://forums.embarcadero.com/thread.j ... eID=292748

You can also have different link times even if the executable's code hasn't changed (see http://support.microsoft.com/kb/164151 for a solution).

And you are right about the ZIP-file, I updated some text-files in it, but the German executable is from 2005. I don't remember the details but probably the only change was the translation, which explains why the English version is more recent than the German.
gdv wrote:While I'm at it, I might also ask if you know of any good resources for getting a good overview of all the PEInfo Property Edit reveals.
I think the PE specification is a good link. In case you use Delphi, JclPeImage.pas contains lots of useful functions/classes.

I hope that answers your questions :)

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Re: TimeDate stamp in Property Edit

Post by gdv » 07 Nov 2010 00:58

Hello Maël! Thank you so much for your helpful reply!!! :D
Maël wrote:You can get the official PE-file format specification from MS.
For TimeDateStamp it says:
The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C run-time time_t value), that indicates when the file was created.
gdv wrote:The PropEdit.exe PE Header TimeDate stamp as revealed in Property Edit (708992537) probably most resembles a Unix Epoch format, but that format converts to Fri, 19 Jun 1992 22.22.17 UTC, which makes no sense, nor do any of the other conversions I've attempted.
Yes, and 00:00 January 1, 1970 UTC is the same zero-time anchor used for Unix Epoch time (...but I'm sure you already knew that ;)).
Maël wrote:The date you mention above is correct.
I assume you mean that Fri, 19 Jun 1992 22.22.17 UTC is the correct conversion (i.e., from WinPE/Unix Epoch time), not the correct time of the PropEdit.exe build.
Maël wrote:It is supposed to be the link time, but older Delphi versions don't properly set the timestamp. See this thread if you want to know more: https://forums.embarcadero.com/thread.j ... eID=292748
Yes, that was very helpful... ...especially two links mentioned in the thread which both appear to be reports of the same Delphi linker 1992 PE header date issue.
Maël wrote:You can also have different link times even if the executable's code hasn't changed...
And if I correctly understand this link from the same thread, the reason would be that although the linker is not inserting the build time into the PE header, it IS inserting the build time elsewhere in the executable.
gdv wrote:While I'm at it, I might also ask if you know of any good resources for getting a good overview of all the PEInfo Property Edit reveals.
Maël wrote:I think the PE specification is a good link...
Thank you! Looks like a great place to start!
(...Now, see, if I was a programmer, I'm sure I would have already known that! :D)

Please let me know if I've misunderstood or misstated anything above...

...If not, thanks again for your help! :D

Maël
Site Admin
Posts: 936
Joined: 12 Mar 2005 14:15

Re: TimeDate stamp in Property Edit

Post by Maël » 07 Nov 2010 04:44

All I can say is "yes", haha, to all your questions. And you are welcome.

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Re: TimeDate stamp in Property Edit

Post by gdv » 07 Nov 2010 10:05

Thank you once again! :)

Perhaps one final question (although I'm afraid I might be getting in over my head here): Since older Delphi versions don't provide the correct compilation TimeDate stamp in the PE header, but it appears the correct TimeDate stamp data is actually included elsewhere in the executable, do you know of an easy way to extract the correct compilation TimeDate stamp data from elsewhere in a Delphi executable (e.g., the actual 2005 or 2007 PropEdit.exe compilation TimeStamp)?

Thanks! :)

Maël
Site Admin
Posts: 936
Joined: 12 Mar 2005 14:15

Re: TimeDate stamp in Property Edit

Post by Maël » 07 Nov 2010 21:39

gdv wrote:Since older Delphi versions don't provide the correct compilation TimeDate stamp in the PE header, but it appears the correct TimeDate stamp data is actually included elsewhere in the executable, do you know of an easy way to extract the correct compilation TimeDate stamp data from elsewhere in a Delphi executable (e.g., the actual 2005 or 2007 PropEdit.exe compilation TimeStamp)?
Actually it's the link-time not compilation-time. That's usually almost the same but since we are getting precise here, I thought I should mention it: You compile parts of a program that result in binary files. These files are then linked together to an executable in a second step. So in theory you could just link something again and though the compiled parts didn't change, the linked result (=executable) has a new time/date. Uncommon but possible.
It may also be that no internal date/time is updated. For example when translating my programs I use my Babelfish tool, which just adapts the resources but leaves the rest of the program untouched. You will see that the link time/compile time of the German and English version are the same, though the English version came out later.

The solution is mentioned here: https://forums.embarcadero.com/message. ... 669#291669
Getting at this information would mean being able to browse PE files, for example with a hex editor that supports structured views of files. HxD is currently not capable of doing that. I did a quick and dirty program that implements what's mentioned in the linked thread above: http://mh-nexus.de/downloads/GetLinkCompileDateTime.exe

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Re: TimeDate stamp in Property Edit

Post by gdv » 08 Nov 2010 02:01

Maël wrote:Actually it's the link-time not compilation-time. That's usually almost the same but since we are getting precise here, I thought I should mention it: You compile parts of a program that result in binary files. These files are then linked together to an executable in a second step. So in theory you could just link something again and though the compiled parts didn't change, the linked result (=executable) has a new time/date. Uncommon but possible.
I appreciate both the clarification and the precision. I'm always a little hesitant to even ask such questions because I figure that in my ignorance I'm likely to say something embarrassingly nonsensical :oops: just trying to phrase my question. :wink: And although I have a vague idea of what is going on when code is compiled, the first time I even heard about "linkers" was in your reply to my OP. :lol:
Maël wrote:The solution is mentioned here: https://forums.embarcadero.com/message. ... 669#291669
I figured that might be a solution when I read through that thread earlier, although as a non-programmer, I can't begin to comprehend it much. And even though the post was very recent (Oct 13, 2010), the link embedded in the author's (Clovis Valadares) code is either dead or incorrect, so I didn't much know what to make of it or where to go with it.
Maël wrote:Getting at this information would mean being able to browse PE files, for example with a hex editor that supports structured views of files. HxD is currently not capable of doing that.
Yes I thought it might require either a hex editor or some kind of reverse engineering. And although it looks like I won't need it now (since you wrote GetLinkCompileDateTime.exe), do you happen to know of a good shareware or freeware example of the kind of hex editor you mean (i.e., one that supports structured views of files)?
Maël wrote:I did a quick and dirty program that implements what's mentioned in the linked thread above: http://mh-nexus.de/downloads/GetLinkCompileDateTime.exe
Pardon me for "shouting," but WOW, THAT'S FANTASTIC!!! :D
Maël wrote:It may also be that no internal date/time is updated. For example when translating my programs I use my Babelfish tool, which just adapts the resources but leaves the rest of the program untouched. You will see that the link time/compile time of the German and English version are the same, though the English version came out later.
So with GetLinkCompileDateTime.exe, for example, I'm getting linker TimeDate stamps of:
  • 2010.11.07 09.34.22 pm for GetLinkCompileDateTime.exe [Just whipped that together today, did ya? !!! 8) ]
  • 2005.01.26 07.15.42 pm for PropEdit.exe (German and English, with different Modified TimeDates)
  • 2009.04.01 09.36.24 pm for HxD.exe (German, English, Spanish, and Chinese, all with different Modified TimeDates)
...even though all have the same incorrect PE header TimeDate stamp of (708992537 =) Fri, 19 June 1992 22.22.17 UTC.

Again, I say, FANTASTIC!!! :D

Now I presume GetLinkCompileDateTime.exe is only applicable to Delphi executables? If so, is it applicable to all Delphi versions, or just the version you are using, or...? :?:

If applicable to all Delphi versions, I'm guessing it might already be of value in its existing "quick and dirty" form to other Delphi programmers and possibly to forensic investigators. If you agree, I hope you will (and am guessing you will) write up a description and make it available to others! :)

I notice the GetLinkCompileDateTime.exe output is in the default format (yyyy.mm.dd hh.mm.ss am/pm) I have set up on my system, which I like. I'm assuming you adapted Clovis Valadares' code, but it appears that had you used the other method suggested later in the thread by Ulrich Gerhardt, the output would be hard-coded as "yyyy-mm-dd hh:nn:ss" (...almost the same as mine, but your approach has the advantage of being whatever the user is already most familiar with).

However, I'm not sure whether the GetLinkCompileDateTime.exe is in UTC, or my local time, or your local time...??? :?:

Ironically, the executable for which I was trying to check the TimeDate stamp is on my computer with the dead motherboard (along with the notes I had made about questions/suggestions re PropEdit and HxD), and I honestly can't even remember right now what program it was... ...but when I get that computer resurrected, GetLinkCompileDateTime.exe will do what I was wanting to do!!! :D

I don't know if you plan any more development of PropEdit, but I think I'm recalling one of my suggestions/requests was going to be to either have a way to copy/paste specific lines from the PropEdit PEInfo (e.g., the PE header TimeDate stamp) or to output all the PropEdit PEInfo results to a text file. One other thing I think I had noted to mention is that PropEdit seems to lock files that are viewed in it so they can't be deleted, even after another file has been loaded into PropEdit [edit: actually, it may be only after another file has been loaded into PropEdit, as I just now tried and was able to delete a couple of files while :!: :?: they were loaded in PropEdit]. However, Cedric Collomb's Unlocker reports that no locking handles are found, and it seems the files can be moved :!: :?: even though they cannot be deleted. I'm not sure this locking is 100% repeatable (i.e., it seems like maybe a very few times it did not happen), but when I've encountered it, I've had to close PropEdit before I could delete the file in question. These are minor problems, and easy enough to work around, if you don't plan to develop PropEdit any further, but I thought I'd mention them in case you do.

Thanks again! :D

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Re: TimeDate stamp in Property Edit

Post by gdv » 08 Nov 2010 05:03

:idea: BTW, if (as far as you know) most other compilers correctly insert the compilation date into the PE header, how easy or difficult would it be to incorporate extraction of the PE header TimeDate stamp for non-Delphi EXEs into the code for your GetLinkCompileDateTime.exe, so it could be more universally applicable to most/all EXEs?

If it is easy, I would be VERY interested in that modification!!! :!: :D

I don't know if it would matter to others, but if you are able to make it work for most/all EXEs, then for my own obsessive need for certainty, it would also be nice to have it specify the source of the TimeDate stamp (PE header or linker) or the nature of the EXE (e.g, Delphi, VB, or whatever), so I wouldn't also have to load it into PropEdit to figure that out. Maybe this would be even more important if other compilers also have the same potential for compiler and linker times to be different, or if any other compilers also fail to correctly insert the compile date into the PE header (...but I'm way beyond my own personal "knowledge base" here and really have no idea how complicated what I'm suggesting might be).

If it is easily doable, maybe one way would be to label and display both the PE header and the linker TimeDate stamps ??? ...or if all compilers insert info that specifies the compiler, maybe that could just be displayed along with the TimeDate stamp ??? ...But I'm sure you would have a much better idea than I would about what info and presentation format might make it more universally useful across the widest range of EXEs.

Thanks! :)

Maël
Site Admin
Posts: 936
Joined: 12 Mar 2005 14:15

Re: TimeDate stamp in Property Edit

Post by Maël » 08 Nov 2010 19:57

gdv wrote:Yes I thought it might require either a hex editor or some kind of reverse engineering. And although it looks like I won't need it now (since you wrote GetLinkCompileDateTime.exe), do you happen to know of a good shareware or freeware example of the kind of hex editor you mean (i.e., one that supports structured views of files)?
The ones I tested didn't have PE-file-structures that showed the date of the resource directory (which is where Delphi stores the link time/date).
gdv wrote:Now I presume GetLinkCompileDateTime.exe is only applicable to Delphi executables? If so, is it applicable to all Delphi versions, or just the version you are using, or...? :?:
It should work with all Delphi versions. I just compiled the source code mentioned in the forum post and added a graphical interface to it. But I haven't tested if it works with recent Delphi versions. What it does is check if the linker time stamp is equal to "(708992537 =) Fri, 19 June 1992 22.22.17 UTC.", if it is then it's assumed this date/time is wrong and the date/time in the resource directory of the PE file (directory refers to the internal structure of the file) is returned instead of the linker timestamp. That means it should work for executables generated by other compilers (because it will return the linker time/stamp in this case), but there was a bug in the forum post which is fixed now.
gdv wrote:I notice the GetLinkCompileDateTime.exe output is in the default format (yyyy.mm.dd hh.mm.ss am/pm) I have set up on my system, which I like.
Yes it uses the user settings for the time/date format, which is what "Clovis Valadares'" code does, too. (there is just a little mistake, it should be DateTimeToStr not DateTimeToString and UnixDateTime for the linker time stamp).
gdv wrote:However, I'm not sure whether the GetLinkCompileDateTime.exe
It should be your local time if the date/time was stored in UTC in the PE file (as it should be usually, of course I cannot guarantee that the compiler/linker set it properly).
gdv wrote: I don't know if you plan any more development of PropEdit, but I think I'm recalling one of my suggestions/requests was going to be to either have a way to copy/paste specific lines from the PropEdit PEInfo (e.g., the PE header TimeDate stamp) or to output all the PropEdit PEInfo results to a text file.
You can right-click on the list and click copy to achieve that.

About the locking, that's probably because the files are loaded into memory like executables so they can be analyzed. Windows automatically locks files loaded that way. I could work around that using temporary files or something like that, but don't really plan to work on PropertyEdit that much. Sorry.

I updated the program, it had a small mistake. Old Delphi versions (i.e. <=2006) used DosDateTime instead of UnixDateTime, but linker datetimestamp should always be interpreted as UnixDateTime. Fixed this, now it should also work with non-Delphi programs see here: (it includes the source code) http://mh-nexus.de/downloads/GetLinkCompileDateTime.zip
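
The fallback logic described in the post above, as an added Python example (not the GetLinkCompileDateTime source and not code from the thread): read the PE header TimeDateStamp as Unix time, and only when it equals 708992537 return the resource directory's stamp decoded as a DOS date/time. The function names, the high-word-date/low-word-time layout of the DOS value, and the constructed sample image are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

DELPHI_BOGUS_STAMP = 708992537  # header value quoted in the thread (19 Jun 1992 UTC)

def dos_datetime(value):
    """Decode a 32-bit DOS date/time (assumed layout: high word date, low word time).
    The format carries no time zone, so the result is naive; impossible fields
    such as month 0 raise ValueError."""
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA is not inside any section")

def link_time(pe):
    """Return (source, datetime) for a PE image passed as bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    if stamp != DELPHI_BOGUS_STAMP:
        # Normal case: seconds since 1970-01-01 00:00 UTC
        return "pe-header", datetime.fromtimestamp(stamp, timezone.utc)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)              # PE32+ vs PE32
    rsrc_rva, _ = struct.unpack_from("<II", pe, dirs + 2 * 8) # data directory 2
    if rsrc_rva == 0:
        raise ValueError("bogus header stamp and no resource directory")
    sec = opt + opt_size
    sections = []
    for i in range(nsec):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    # IMAGE_RESOURCE_DIRECTORY: Characteristics, then TimeDateStamp
    _, rsrc_stamp = struct.unpack_from("<II", pe, rva_to_offset(sections, rsrc_rva))
    return "resource-directory", dos_datetime(rsrc_stamp)

def build_sample(stamp, rsrc_stamp):
    """Constructed minimal PE32 layout for the demo (not a real executable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, 0x1000, 16)      # resource data directory
    sect = b".rsrc\0\0\0" + struct.pack("<IIII", 16, 0x1000, 0x200, 0x200) + bytes(16)
    head = dos + b"PE\0\0" + coff + bytes(opt) + sect
    rsrc = struct.pack("<IIHHHH", 0, rsrc_stamp, 0, 0, 0, 0)
    return head.ljust(0x200, b"\0") + rsrc.ljust(0x200, b"\0")

if __name__ == "__main__":
    # 0x323A99F5 is a constructed DOS encoding of 2005-01-26 19:15:42
    print(link_time(build_sample(DELPHI_BOGUS_STAMP, 0x323A99F5)))
    print(link_time(build_sample(1000000000, 0)))
```

On a real file, pass `open(path, "rb").read()` to `link_time`; the returned source label says whether the date came from the PE header or from the resource directory.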

gdv
Posts: 6
Joined: 27 Mar 2010 00:15

Re: TimeDate stamp in Property Edit

Post by gdv » 09 Nov 2010 03:21

Thank you again!!! :D

After some quick testing, the revised GetLinkCompileDateTime.exe seems to be working properly on all the EXEs I had previously tried, including the non-Delphi EXEs which previously yielded either an incorrect TimeDate stamp (2018.01.17 12.14.22 am instead of 2010.07.04 09.48.59 pm) or invalid time or date arguments ("Ungültiges Argument zum Codieren der Uhrzeit" or "Ungültiges Argument zum Codieren des Datums"). Very cool!!! 8)

I'll do a little more testing when I get a chance and let you know if I find any EXEs for which it doesn't seem to work. And I may have another question or two, but I've already been able to answer most of them myself through exploring and testing. (Your explanation of the logic of the code was particularly helpful, and I can see it myself in the code now that you clarified it!)

I hope putting GetLinkCompileDateTime.exe together was at least enjoyable, and hopefully beneficial to you in some way, because the time you spent, the education I got, and the GetLinkCompileDateTime.exe program are certainly beneficial to me. I wish I was in a position to make a donation, but I've been out of work for several years, have depleted my savings, and currently can't meet my own living expenses. So I really appreciate your time and thoughtfulness in replying to my questions and providing the GetLinkCompileDateTime.exe file!!!

And I hope to eventually get back to you re the HxD questions/suggestions I mentioned earlier, since I've understood from some other forum post that's where you're wanting to invest your development time and energy.

Finally, I figured you might not be planning to do much more with PropertyEdit, and like I said, the problems I mentioned are minor and easy enough to work around. I appreciate the program as it is, and I certainly don't need an update. ...
Maël wrote:You can right-click on the list and click copy to achieve that.
... But I thought I would let you know that I have no right-click functionality (except highlighting) in PropertyEdit on my existing WinXP Pro SP3 system (nor did I on my WinXP Home SP3 machine that is currently down). In other words, when viewing any of the PEInfo in PropertyEdit, the only thing that happens with a right-click (or left-click for that matter) is that a single line is highlighted (not able to highlight multiple lines). No context menu appears, nor anything else. Is the right-click functionality working on your system? If so, any thoughts/ideas about why it wouldn't on mine?

Thanks again! :D

Maël
Site Admin
Posts: 936
Joined: 12 Mar 2005 14:15

Re: TimeDate stamp in Property Edit

Post by Maël » 10 Nov 2010 18:56

I wish you get a new and good job soon :) (and no worries about a donation)

You are right, that right-click feature is only available on my developer version. There are more changes and it would need some polishing and translating before publishing, and as there isn't a huge interest in Property Edit I probably won't do so.

Thanks for your interest.
