-1

Where would I need to look to change the time and date stamp of a PE32 file? I apologize if this is too open-ended; perhaps someone here can point me in the right direction or to the correct resource. I've been looking around to no avail.

I have access to a wide array of reverse engineering tools such as IDA Pro, PE-bear, etc.

Thanks again.

Midge_Mong

1 Answer

1

The procedure to change the TimeDateStamp of a PE32 executable (.exe or .dll) is simple and can be derived from this Microsoft article.

  • Find the "real" header by looking up its starting offset, which is stored in the MS-DOS stub header.
  • Calculate its address:

    /* e_lfanew is a byte offset, so do the addition on a byte pointer */
    pNTHeader = (PIMAGE_NT_HEADERS)((BYTE *)dosHeader + dosHeader->e_lfanew);
    
  • Now you have the IMAGE_NT_HEADER which is defined as follows in WinNT.h

    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER OptionalHeader;
    
  • Parse the IMAGE_FILE_HEADER

  • Change the DWORD TimeDateStamp field as you like
zx485
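The steps in the answer above, as an added C example that is not part of the original post: it works on a file already read into memory, uses fixed offsets instead of the WinNT.h structs so it compiles on any platform, and bounds-checks e_lfanew before touching the header. The function names and the 0x98-byte sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors: no dependence on host byte order or alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* File offset of IMAGE_FILE_HEADER.TimeDateStamp, or -1 if buf is not a PE image. */
int64_t pe_timestamp_offset(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1; /* 64-byte DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3C);                        /* offset of NT headers */
    if (e_lfanew > len || len - e_lfanew < 24) return -1;        /* Signature + 20-byte file header */
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0) return -1;
    return (int64_t)e_lfanew + 4 + 2 + 2; /* skip Signature, Machine, NumberOfSections */
}

int pe_get_timestamp(const uint8_t *buf, size_t len, uint32_t *out) {
    int64_t off = pe_timestamp_offset(buf, len);
    if (off >= 0) *out = rd32(buf + off);
    return off < 0 ? -1 : 0;
}
int pe_set_timestamp(uint8_t *buf, size_t len, uint32_t stamp) {
    int64_t off = pe_timestamp_offset(buf, len);
    if (off >= 0) wr32(buf + off, stamp);
    return off < 0 ? -1 : 0;
}

/* Constructed sample (not a real binary): MZ, e_lfanew = 0x80, "PE\0\0", stamp 0x5F000000. */
static void make_sample(uint8_t img[0x98]) {
    memset(img, 0, 0x98);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
    wr32(img + 0x88, 0x5F000000u);
}
/* Parse only the first len bytes of the sample (len <= 0x98) to exercise the bounds checks. */
int64_t sample_offset(size_t len) { uint8_t img[0x98]; make_sample(img); return pe_timestamp_offset(img, len); }
uint32_t sample_roundtrip(uint32_t stamp) {
    uint8_t img[0x98]; uint32_t got = 0;
    make_sample(img);
    if (pe_set_timestamp(img, sizeof img, stamp) == 0) pe_get_timestamp(img, sizeof img, &got);
    return got;
}
int main(void) {
    return printf("new stamp: 0x%08x\n", (unsigned)sample_roundtrip(0x60000000u)) < 0;
}
```

Because the field is a plain DWORD that any tool can rewrite, a TimeDateStamp read during triage is a hint to corroborate against other evidence, not proof of build time.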