Hi Guys,

I'm trying to convert the value found on the TimeDateStamp member of the header....but it's not working.

Anyone knows a way to convert the timedatestamp to string ?

The format should contain the year, month, day, hour, minutes and seconds...

I'm pointing the file to the FileHeader.TimeDateStamp and when the data is found, I have this result (0989868, for example), the problem is I can't convert it to string.

The data is being output to an edit box.

This is part of the code;





[My_Fmt: B$ "%08lX" 0]
[My_Buffer: B$ 0 #256]


[Sz_Year: B$ "yyyy/MM/dd ddd ",0] ; This format should be joined together with the one below
[Sz_Hour: B$ "HH:mm:ss UTC",0] ; So, both will be displayed in the edit box.


; Time Date Stamp
C_call 'USER32.wsprintfA' My_Buffer My_Fmt D$edi+FileHeader.TimeDateStampDis ; This is the same as the assume instruction in masm.
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMP &WM_SETTEXT 0 My_Buffer

; Time date stamp signature string
;mov edx D$edi+FileHeader.TimeDateStampDis

call GetTime D$My_Buffer ; This is the function that needs to be implemented.

call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMPSTRING &WM_SETTEXT 0 datebuff;My_Buffer



; Symbol Table Pointer
C_call 'USER32.wsprintfA' My_Buffer My_Fmt D$edi+FileHeader.PointerToSymbolTableDis
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_SYMTBLPTR &WM_SETTEXT 0 My_Buffer



The converted string needs to take into account all the possible things on a regular calendar, I mean, like the months containing 31 days, or 28 (or 29 in leap years - February)

I tried several different ways and nothing is working...can someone write a functioning function that can translate the timedata to string ?

Best Regards,

Guga
Posted on 2004-05-28 12:47:17 by Beyond2000!
You would generally convert a filetime to systemtime then use the GetDateFormat and GetTimeFormat functions to convert that to readable text...

ftCreate FILETIME <>

ftAccess FILETIME <>
ftWrite FILETIME <>
stUTC SYSTEMTIME <>
stLocal SYSTEMTIME <>

szDateString db 64 DUP (?)
szTimeString db 64 DUP (?)

.code

invoke GetFileTime,[hFile], offset ftCreate, offset ftAccess, offset ftWrite
invoke FileTimeToSystemTime, offset ftCreate, offset stUTC
; convert UTC file time to local timezone ...
invoke SystemTimeToTzSpecificLocalTime, NULL, offset stUTC, offset stLocal

invoke GetDateFormat,LOCALE_SYSTEM_DEFAULT,NULL,\
OFFSET stLocal,"dd MMM yyyy",OFFSET szDateString,64

invoke GetTimeFormat,LOCALE_SYSTEM_DEFAULT,NULL,\
OFFSET stLocal,"hh:mm tt",OFFSET szTimeString,64
Posted on 2004-05-28 13:11:39 by donkey
Tks Edgar :)

But it is not working...I tried the way you told, but the result is zero.

Not sure what I'm doing wrong yet.

You told to insert the hFile data, and then I modified it to hold the data grabbed from the header. I mean, like in peView (From Wayne Bradbury)....loading 3dframes, results in 03836401D as the data for Time Stamp.

I used this value as the handle (hFile), since I found nowhere else to insert it on your code...But the result was zero.

In my code, "My_Buffer" holds this value....So, I have to use the "hFile" as the "hWnd" (in my code) ? I mean, using the handle found in the parameters in the beginning of the function ?

If yes, why ? How will the gettime function know how and what is the data to be translated ? (I mean, how will it get the value of 03836401D ?)


Best Regards,

Guga
Posted on 2004-05-29 23:41:57 by Beyond2000!
Hi Guga,

Where exactly is the date stamp coming from ? Is it from inside the PE file ? If so what is the FileHeader structure you are talking about, all PE structures begin with IMAGE_xxx. If you could explain where it comes from I could look up the reference material and do something for you. The code I posted is to get the file time from the Windows Shell, you open the file with CreateFile and pass the resulting handle (hFile) to the function.
Posted on 2004-05-30 00:26:36 by donkey
ftCreate FILETIME <>

ftAccess FILETIME <>
ftWrite FILETIME <>
stUTC SYSTEMTIME <>
stLocal SYSTEMTIME <>

szDateString db 64 DUP (?)
szTimeString db 64 DUP (?)

hFile DD ?

.code

invoke CreateFile, offset FileName, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
mov [hFile],eax

invoke GetFileTime,[hFile], offset ftCreate, offset ftAccess, offset ftWrite

invoke CloseHandle, [hFile]

invoke FileTimeToSystemTime, offset ftCreate, offset stUTC
; convert UTC file time to local timezone ...
invoke SystemTimeToTzSpecificLocalTime, NULL, offset stUTC, offset stLocal

invoke GetDateFormat,LOCALE_SYSTEM_DEFAULT,NULL,\
OFFSET stLocal,"dd MMM yyyy",OFFSET szDateString,64

invoke GetTimeFormat,LOCALE_SYSTEM_DEFAULT,NULL,\
OFFSET stLocal,"hh:mm tt",OFFSET szTimeString,64
Posted on 2004-05-30 00:29:16 by donkey
Hi Edgar,

It comes from inside the PE...It belongs to IMAGE_FILE_HEADER.

The structure is like this:



Basically the part of the code that get the value is from here:




Proc DlgProc:
Arguments @hWin, @uMsg, @wParam, @lParam


...If D@uMsg = &WM_COMMAND

..If D@wParam = IDB_OPEN

call 'comdlg32.GetOpenFileNameA' ofn

.If eax = &TRUE

call 'USER32.SendDlgItemMessageA' D@hWin IDC_OPENPEFILE &WM_SETTEXT 0 filename

call 'USER32.SendDlgItemMessageA' D@hWin IDC_OPENPEFILE &WM_GETTEXT 256 filename ; GET THE FILENAME
call OpenPEFile D@hWin filename ; ----> Opens the file

.End_If

..End_If

(..................)

Proc OpenPEFile:
Arguments @hWnd, @szTargetPEFile

pushad
call 'KERNEL32.CreateFileA' D@szTargetPEFile &GENERIC_READ+&GENERIC_WRITE &NULL 0 &OPEN_EXISTING &FILE_ATTRIBUTE_NORMAL &NULL
mov D$hFile eax

If eax = &INVALID_HANDLE_VALUE

call Error D$Err_hWnd FileOpenError
call CleanMem
Exit

End_If

call 'KERNEL32.CreateFileMappingA' D$hFile 0 &PAGE_READWRITE 0 0 0
mov D$hMem eax

If eax = &NULL

call Error D$Err_hWnd FileMapError
call CleanMem
Exit

End_If

call 'KERNEL32.MapViewOfFile' D$hMem &FILE_MAP_WRITE 0 0 0
mov D$pMem eax

If eax = &NULL

call Error D$Err_hWnd FileMapError
call CleanMem
Exit

End_If

mov edi D$pMem

If W$edi <> 'MZ' ; CHECK FOR DOS SIGNATURE 'MZ'

call Error D$Err_hWnd PEError
call CleanMem
Exit

End_If

call ShowMZInfo D$hTabDlg1 D$pMem ; SHOW ALL MZ INFO in the 1st Tab dialog...

add edi D$edi+e_lfanewDis ; 3Ch IS WHERE THE ADDRESS OF THE PE HEADER IS SAVED

If W$edi <> 'PE' ; CHECK FOR WIN32 SIGNATURE 'PE'

call Error D$Err_hWnd PEError
call CleanMem
Exit

End_If

call ShowPEInfo D$hTabDlg2 D$pMem ; SHOW ALL PE INFO in the 2nd Tab dialog...
popad

EndP


(....)


Proc ShowPEInfo:
Arguments @hWnd, @PEFileMem

mov edi D@PEFileMem
add edi D$edi+e_lfanewDis ; GET THE PE HEADER

; PE Signature
C_call 'USER32.wsprintfA' zoen_buf zoen_fmt D$edi+SignatureDis
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_PESIG &WM_SETTEXT 0 zoen_buf

; CPU TYPE
movzx esi W$edi+FileHeader.MachineDis
C_call 'USER32.wsprintfA' zoen_buf zoen_fmt esi
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_CPUTYPE &WM_SETTEXT 0 zoen_buf

; NUMBER OF SECTIONS
movzx esi W$edi+FileHeader.NumberOfSectionsDis
C_call 'USER32.wsprintfA' zoen_buf zoen_fmt esi
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_SECTION &WM_SETTEXT 0 zoen_buf

; Time Date Stamp
C_call 'USER32.wsprintfA' zoen_buf zoen_fmt D$edi+FileHeader.TimeDateStampDis
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMP &WM_SETTEXT 0 zoen_buf

; Time date stamp signature string
; mov edx D$edi+FileHeader.TimeDateStampDis ?????????
lea eax D$zoen_buf ???????
call GetTime ???????????? How ?

call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMPSTRING &WM_SETTEXT 0 datebuff;zoen_buf



This file was originally coded by avl!s...The file below is where I got so far.
There are several things to be implemented. So, on the 3rd tab the directory entries names are not yet valid ...I'll parse them as soon as I finish understanding and fixing the time stamp thing.


Best Regards,

Guga
Posted on 2004-05-30 01:45:31 by Beyond2000!
Ah, OK that is completely different,

TimeDateStamp (DWORD)

Time stamp of the image. This represents the date and time the image was created by the linker. The value is represented in the number of seconds elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated Time, according to the system clock.


There is no time function that I know of to make the conversion but I will look for something. You will have to get it into a SYSTEMTIME structure eventually but how to do that is something I am not familiar with. I will have a look through MSDN.
Posted on 2004-05-30 09:53:52 by donkey
Hi Guga,

This will do it.

BaseTimeLow equ 0D53E8000h

BaseTimeHigh equ 19DB1DEh

.data
ftTimeStamp FILETIME <>

stUTC SYSTEMTIME <>
stLocal SYSTEMTIME <>

szDateString db 64 DUP (?)
szTimeString db 64 DUP (?)

.code

mov eax,[TimeStamp]
mov edx,10000000
mul edx
add eax,BaseTimeLow
adc edx,BaseTimeHigh

mov [ftTimeStamp],eax
mov [ftTimeStamp+4],edx

invoke FileTimeToSystemTime, offset ftTimeStamp, offset stUTC
; convert UTC file time to local timezone (NT only) ...
invoke SystemTimeToTzSpecificLocalTime, NULL, offset stUTC, offset stLocal

invoke GetDateFormat, LOCALE_SYSTEM_DEFAULT, NULL,\
OFFSET stLocal, "dd MMM yyyy", OFFSET szDateString, 64

invoke GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL,\
OFFSET stLocal, "hh:mm tt", OFFSET szTimeString, 64


Edit: forgot the data declarations...
Posted on 2004-05-30 11:46:10 by donkey
BTW Guga,

If you want to go from FileTime to DateStamp for any reason this will do it...

FileTime2DateStamp FRAME pFileTime


mov ecx,[pFileTime]
mov eax,[ecx]
mov edx,[ecx+4]
sub eax, BaseTimeLow
sbb edx, BaseTimeHigh

mov ecx,10000000
div ecx

RET
ENDF
Posted on 2004-05-30 19:20:22 by donkey
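Added example, not part of the thread: the same conversion in portable C with 64-bit arithmetic, in both directions, with a range guard on the reverse path. The function names are made up for illustration; the constant is the BaseTimeHigh:BaseTimeLow pair from the posts above, and the sample value 03836401D is the one quoted earlier in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* 100 ns FILETIME ticks from 1601-01-01 to 1970-01-01 UTC:
   11644473600 s * 10^7 = 0x019DB1DE:D53E8000 (BaseTimeHigh:BaseTimeLow). */
#define EPOCH_DELTA_TICKS 0x019DB1DED53E8000ULL
#define TICKS_PER_SECOND  10000000ULL

/* TimeDateStamp (seconds since 1970 UTC) -> 64-bit FILETIME value. */
uint64_t stamp_to_filetime(uint32_t stamp) {
    return (uint64_t)stamp * TICKS_PER_SECOND + EPOCH_DELTA_TICKS;
}

/* FILETIME -> TimeDateStamp, or -1 when the result does not fit the 32-bit
   field. The assembly form needs the same guard: a FILETIME before 1970
   borrows in SUB/SBB, and DIV faults when the quotient exceeds 32 bits. */
int64_t filetime_to_stamp(uint64_t ft) {
    if (ft < EPOCH_DELTA_TICKS) return -1;
    uint64_t secs = (ft - EPOCH_DELTA_TICKS) / TICKS_PER_SECOND;
    return secs > UINT32_MAX ? -1 : (int64_t)secs;
}

/* Format as "yyyy/MM/dd HH:mm:ss UTC"; returns "" on failure. Not reentrant. */
const char *stamp_utc(uint32_t stamp) {
    static char buf[32];
    time_t t = (time_t)stamp;
    struct tm *utc = gmtime(&t);
    if (!utc || !strftime(buf, sizeof buf, "%Y/%m/%d %H:%M:%S UTC", utc))
        return "";
    return buf;
}

int main(void) {
    uint32_t stamp = 0x3836401DU;   /* value quoted in the thread */
    printf("%08X -> %016llX -> %s\n", (unsigned)stamp,
           (unsigned long long)stamp_to_filetime(stamp), stamp_utc(stamp));
    return 0;
}
```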
Hi Edgar,

tks again :) But this function only works on windows NT or windows2000....and not to win95 or 98 etc...


I did some adaptations and now the file is fully working. I was pointing incorrectly to the data stamp.

The changes are here:



; Time Date Stamp

C_call 'USER32.wsprintfA' zoen_buf zoen_fmt D$edi+FileHeader.TimeDateStampDis
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMP &WM_SETTEXT 0 zoen_buf

mov eax D$edi+FileHeader.TimeDateStampDis ; Wahooooo !!! BINGO!! 03836401D
xor edx edx
mov ecx 10000000
mul ecx

add eax 0D53E8000
adc edx 019DB1DE

mov D$ftTimeStamp.dwLowDateTime eax
mov D$ftTimeStamp.dwHighDateTime edx

call 'kernel32.FileTimeToSystemTime' ftTimeStamp stLocal
call 'KERNEL32.GetDateFormatA' &LOCALE_SYSTEM_DEFAULT &NULL stLocal Sz_Year2 szDateString 64
call 'KERNEL32.GetTimeFormatA' &LOCALE_SYSTEM_DEFAULT &NULL stLocal Sz_Hour2 szTimeString 64

C_call 'USER32.wsprintfA' zoen_buf zoen_fmt3 szDateString szTimeString
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_TIMESTAMPSTRING &WM_SETTEXT 0 zoen_buf

; Symbol Table Pointer
C_call 'USER32.wsprintfA' zoen_buf zoen_fmt D$edi+FileHeader.PointerToSymbolTableDis
call 'USER32.SendDlgItemMessageA' D@hWnd IDC_SYMTBLPTR &WM_SETTEXT 0 zoen_buf



This version should work on windows95, 98, ME, NT, 2000.

I'll clean the code and build a function for it (instead of an inner routine), and then I'll try to test the files which have the date stamp older than 1970....Like those weird ones from 1690 or something.

Tks a LOT for the help Edgar.

When I finish the 1st cleanings and tests I'll post the results here....I guess it won't be hard to find some errors on older timedate stamps (I hope so :) )

Best Regards,

Guga
Posted on 2004-05-30 21:39:08 by Beyond2000!
Hi Guga,

As I said you have only to remove the conversion to local time...

BaseTimeLow equ 0D53E8000h

BaseTimeHigh equ 19DB1DEh

.data
ftTimeStamp FILETIME <>

stUTC SYSTEMTIME <>
stLocal SYSTEMTIME <>

szDateString db 64 DUP (?)
szTimeString db 64 DUP (?)

.code

mov eax,[TimeStamp]
mov edx,10000000
mul edx
add eax,BaseTimeLow
adc edx,BaseTimeHigh

mov [ftTimeStamp],eax
mov [ftTimeStamp+4],edx

invoke FileTimeToSystemTime, offset ftTimeStamp, offset stUTC

invoke GetDateFormat, LOCALE_SYSTEM_DEFAULT, NULL,\
OFFSET stUTC, "dd MMM yyyy", OFFSET szDateString, 64

invoke GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL,\
OFFSET stUTC, "hh:mm tt", OFFSET szTimeString, 64


I'll clean the code and build a function for it (instead of an inner routine), and then I'll try to test the files which have the date stamp older than 1970....Like those weird ones from 1690 or something.


It is not possible to have a datestamp prior to January 1, 1970, so there is no need to worry about them.
Posted on 2004-05-30 22:21:32 by donkey
Better to make a check for invalid entries. Who knows what some people save into it. ;)
Posted on 2004-05-31 19:32:22 by JimmyClif
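Added example, not code from any poster: one way to do the check for invalid entries when reading TimeDateStamp from a mapped file, validating e_lfanew against the file size and the full four-byte PE signature before the read. The function names, the status enum and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum stamp_status { STAMP_OK, STAMP_ZERO, STAMP_FUTURE, STAMP_BAD_IMAGE };

/* Little-endian 32-bit read that does not depend on host alignment. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read IMAGE_FILE_HEADER.TimeDateStamp from a file image of len bytes.
   now = current time in seconds since 1970-01-01 UTC, supplied by the caller. */
enum stamp_status read_pe_stamp(const uint8_t *img, size_t len,
                                uint32_t now, uint32_t *stamp) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return STAMP_BAD_IMAGE;
    uint32_t pe = rd32(img + 0x3C);          /* e_lfanew comes from the file */
    /* Need Signature (4) + Machine (2) + NumberOfSections (2) + TimeDateStamp (4). */
    if (pe > len || len - pe < 12) return STAMP_BAD_IMAGE;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return STAMP_BAD_IMAGE;
    *stamp = rd32(img + pe + 8);
    if (*stamp == 0) return STAMP_ZERO;      /* field left empty */
    if (*stamp > now) return STAMP_FUTURE;   /* later than the analysis clock */
    return STAMP_OK;
}

/* Constructed sample: 0x100 bytes of header fields only, not a loadable file. */
enum stamp_status check_sample(uint32_t e_lfanew, uint32_t value,
                               uint32_t now, uint32_t *stamp) {
    uint8_t buf[0x100] = {0};
    buf[0] = 'M'; buf[1] = 'Z';
    for (int i = 0; i < 4; i++) buf[0x3C + i] = (uint8_t)(e_lfanew >> (8 * i));
    if (e_lfanew <= sizeof buf - 12) {
        memcpy(buf + e_lfanew, "PE\0\0", 4);
        for (int i = 0; i < 4; i++)
            buf[e_lfanew + 8 + i] = (uint8_t)(value >> (8 * i));
    }
    return read_pe_stamp(buf, sizeof buf, now, stamp);
}

int main(void) {
    uint32_t s = 0;
    int st = check_sample(0x80, 0x3836401DU, 0x40000000U, &s);
    printf("status=%d stamp=%08X\n", st, (unsigned)s);
    return 0;
}
```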