For instance, regedit.exe comprises a TimeDateStamp value 0xBB9B6911 as can be seen in the following screenshot (using the tool pestudio). Let’s have a look at a Windows 10 binary to verify this behavior. Therefore, timestamps are set to the hash of the resulting binary, which preserves reproducibility. Obviously, timestamps are one obstacle in the way to reproducible builds. ![]() In a nutshell, a reproducible build means starting a build from the exact same source code yields the exact same binary code. Windows 10 timestamps are nonsensical since Microsoft moved towards reproducible builds. Windows 10 reproducible builds timestamps If there are resources, then you may get at least a compilation estimate from the timestamp found in _IMAGE_RESOURCE_DIRECTORY. But be aware that the value is not an epoch timestamp but a MS DOS timestamp.īottom line: if you see a binary with a timestamp value of 22:22:17, then you are likely dealing with a Delphi binary that was compiled with a Delphi version before Delphi 2007. If the sample comprises a resources directory ( _IMAGE_RESOURCE_DIRECTORY), we can read its TimeDateStamp field instead. However, there is a way to determine the real compilation timestamp of these binaries. Maybe they used a PE stub that they filled out accordingly. It seems that they just used a preconfigured value for this field. Delphi versions before Delphi 2007 (likely Delphi 4 – Delphi 2006) did not set the field TimeDateStamp at all. What sounds like a very productive programmer evening is actually a bug in many Delphi compiler versions. Something different happened, at least, if you believe the PE timestamps of likely thousands or even millions of Delphi binaries. But that’s only relevant for Batman fans and not really related to timestamps. Delphi timestampsĭo you know what happened on ? I googled it and found out that this was the day Batman Returns was released in the USA. The following sections will look into three of these cases and show possible ways to circumvent this limitation. There are several noteworthy special cases where the timestamps are either not reliable or other timestamps should be preferred. Note that the field dwAge is not a timestamp in epoch but rather an ever-increasing value that indicates an update to the PDB information. If it is not in PDB format, then dwSignature may comprises an unique identifier for each build. In this case, the dwSignature contains an epoch value describing when the debug information was created. If the _CV_HEADER‘s signature in dwSignature equals CV_SIGNATURE_NB10, then the PDB format is 2.0. ` typedef struct _IMAGE_FILE_HEADER CV_INFO_PDB20, * PCV_INFO_PDB20 It is a DWORD (32 bit / 4 bytes) member of the struct _IMAGE_FILE_HEADER / COFF File Header. The probably most cited field of the PE format that holds a compilation timestamp is the field TimeDateStamp of the COFF File Header. I am standing on the shoulders of giants! I refer to these posts and papers in the following whenever possible. This work wouldn’t have been possible without many great blog posts and papers published by the infosec community. As a follow-up, Ange Albertini wrote a much more detailed technical article on the PE format. Good beginner write-ups are “ An In-Depth Look into the Win32 Portable Executable File Format” and “ Portable Executable File Format“. This article assumes a basic understanding of the PE format. Finally, I’ll give you some ideas how you can utilize PE timestamps to reveal certain behaviors or characteristics of threat actors. Of course, there are several real-world applications for malware / cyber threat intelligence analysts of what we’ll learn in this blog post. Afterward, we’ll learn how to read PE timestamps with a wide range of tools and how to automate this work in order to deal with larger datasets. We’ll look into these cases and see how we can still get some information about the compilation date. While the COFF header field TimeDateStamp is the most-known place to look for a compilation timestamp, there are more places where we can find timestamps in a PE file.īut there are also special cases where PE timestamps are not correct due to new build features, linker bugs, or simply forging. But be aware: even though PE timestamps can be a valuable forensic artifact, they can be forged with ease. ![]() For instance, it is possible to deduce a threat actor’s working hours and use this information – hopefully together with other artifacts – for attribution purposes. These PE timestamps may even reveal details about a threat actor. More exactly, timestamps found in Portable Executable (PE) files that describe a (possible) compilation date.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |