2

Does anybody know of a way to prevent the timestamp of an executable from changing? I'm trying to generate a consistent hash code for the .exe but I think the timestamp may be preventing that from happening. Each time I recompile the code (VS C++), FastSum generates a different checksum.

Thanks!

  • Why are you trying to do that? What is the actual problem that you need to solve? – johnsyweb Apr 26 '11 at 19:27
  • Well, I'm not entirely sure to be honest, and I'm beginning to think I've been sent on a rabbit trail. This was a request by my manager... – Ramon Johannessen Apr 26 '11 at 20:40
  • @johnsywebsupportsourmods: As absurd as it seems, many companies decide to rely on the failed strategy of 'detecting' which binaries have changed from one software release to another, instead of having a decent change tracking system, or a delta deployment/installation system. Such decisions usually come from ignorance of how deep the rabbit hole of a software linker can be, and how unpredictably a microchange in C++ spaghetti code can affect a compiler's/linker's output. Incredibly, I've just heard the same from some managers in 2023. In any case, this question is still valid. – sɐunıɔןɐqɐp Jul 06 '23 at 07:44

3 Answers

3

The PE file format (as in your EXE) has a timestamp field. Check out "Table 2. IMAGE_FILE_HEADER Fields" at this link: http://msdn.microsoft.com/en-us/library/ms809762.aspx

It seems like if you really wanted to, you could edit TimeDateStamp in a hex editor, or write a small program to do it for you. If I read the above document correctly, it looks like it's 4 bytes at offset 10.

I'm not sure what the consequences are of changing this. My guess is it may make you unable to find symbols when you debug the program. Maybe instead of changing this field in your binary you should hash regions outside the PE header. (The link I provide may help you determine where that would make sense.)

asveikau
  • I did a binary difference, and there are two sections that are different. One is right at the beginning. There's a line "This program cannot be run in DOS mode." newline, then "$00000000000000", and the next chunk is where the first difference is. The second is about halfway through the data and must have something to do with the compiler moving stuff around just because it feels like it... – Ramon Johannessen Apr 26 '11 at 19:55
  • sorry, the previous reply was mistakenly placed. Thanks for the link. I'll look into that. But the more I think about this, the more it seems pointless, I mean, basically they want me to generate an exe based on the hash code, not the other way around, which is the point of a hash code. – Ramon Johannessen Apr 26 '11 at 20:46
2

Depending on what you have to checksum, you can either strip off the COFF header (where the timestamp resides) or the Optional Header. In the latter case, you only save the section table and section data (the binary content of the executable). If you make sure your source code is not changed and the compile and link flags are not changed, the section data should remain the same. If you want to include version numbers or the size of code in the checksum, you must include the Optional Header.

To find the start of Optional Header, follow the procedure:

  1. Read 4-byte signature base address from 0x3c.
  2. Goto the signature offset.
  3. Offset 20 bytes. This is the start of the Optional Header.
  4. You should expect 0x10b here if it is a 32-bit exe file or 0x20b if 64-bit.

To find the start of section table, follow the procedure:

  1. Read 4-byte signature base address from 0x3c.
  2. Goto the signature offset.
  3. Offset 16 bytes.
  4. Read 2-byte Optional Header size here.
  5. Goto the Optional Header.
  6. Offset Optional Header size bytes. This is the start of the section table.
  7. You should expect a section name here (like ".text", ".data", etc).

For complete specification of PE & COFF format, download this: Microsoft PE and COFF Specification.

Reci
  • Awesome :D, thanks for that info. That should do the trick, I wasn't aware you could remove that part of the header... learn something new today. – Ramon Johannessen May 06 '11 at 03:05
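As an added example (not code from either answer above, and not part of the asker's project), the script below walks the headers exactly as the two procedures in this answer describe, reports where TimeDateStamp sits (offset 4 of the COFF header, i.e. 8 bytes past the "PE\0\0" signature), and then offers both approaches discussed on this page: hashing only the section table and section data, or zeroing the stamp in place before hashing, which is what the hex-editor suggestion in the first answer amounts to. The sample image it hashes is constructed inline so the script runs offline; `build_sample_pe`, `hash_sections_only`, `zero_timestamp` and `file_hash` are names chosen here, not functions of any real tool.

```python
import hashlib
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
COFF_HEADER_SIZE = 20            # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40         # IMAGE_SECTION_HEADER
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe(data: bytes) -> dict:
    """Follow the header chain: e_lfanew at 0x3c -> PE signature -> COFF header
    -> Optional Header -> section table. Returns the offsets the answer describes."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, pe_off)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = pe_off + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    opt_off = coff_off + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in OPTIONAL_MAGICS:
        raise ValueError("unexpected Optional Header magic 0x%x" % magic)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_off + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return {
        "timestamp": timestamp,
        "timestamp_offset": coff_off + 4,  # after Machine (2 bytes) and NumberOfSections (2 bytes)
        "optional_header_offset": opt_off,
        "format": OPTIONAL_MAGICS[magic],
        "section_table_offset": sect_off,
        "sections": sections,
    }


def file_hash(data: bytes) -> str:
    """Plain SHA-256 of the whole file, the kind of checksum a tool like FastSum reports."""
    return hashlib.sha256(data).hexdigest()


def hash_sections_only(data: bytes) -> str:
    """Hash only the section table and section raw data, skipping the DOS stub,
    the COFF header (where TimeDateStamp lives) and the Optional Header."""
    info = parse_pe(data)
    h = hashlib.sha256()
    table_len = len(info["sections"]) * SECTION_HEADER_SIZE
    h.update(data[info["section_table_offset"]:info["section_table_offset"] + table_len])
    for _name, raw_ptr, raw_size in info["sections"]:
        h.update(data[raw_ptr:raw_ptr + raw_size])
    return h.hexdigest()


def zero_timestamp(data: bytes) -> bytes:
    """Return a copy with TimeDateStamp overwritten with zero: the in-place patch
    that editing the field in a hex editor amounts to."""
    off = parse_pe(data)["timestamp_offset"]
    return data[:off] + b"\0\0\0\0" + data[off + 4:]


def build_sample_pe(timestamp: int, text: bytes = b"\xC3" * 16) -> bytes:
    """Constructed minimal PE32 image (not real compiler output): DOS header,
    PE signature, COFF header, 96-byte Optional Header, one .text section."""
    raw_ptr = 0x200
    img = bytearray(raw_ptr + len(text))
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, timestamp, 0, 0, 96, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)               # PE32 magic; rest left zero
    struct.pack_into("<8sIIIIIIHHI", img, 0x58 + 96, b".text", len(text), 0x1000,
                     len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img[raw_ptr:raw_ptr + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    build_a = build_sample_pe(0x4DB72D5C)  # same code, two different link times
    build_b = build_sample_pe(0x4DB72D5D)
    print("TimeDateStamp at file offset 0x%x" % parse_pe(build_a)["timestamp_offset"])
    print("whole-file hashes equal:  ", file_hash(build_a) == file_hash(build_b))
    print("section-only hashes equal:", hash_sections_only(build_a) == hash_sections_only(build_b))
    print("zeroed-stamp hashes equal:",
          file_hash(zero_timestamp(build_a)) == file_hash(zero_timestamp(build_b)))
```

On two images that differ only in TimeDateStamp, the whole-file SHA-256 digests differ while the section-only digests (and the digests of the zeroed copies) match. As the answer says, that only holds while the section data itself is stable: the second difference the asker found halfway through the file lies in section data, and no header trick will hide a change there. The script refuses images whose Optional Header magic is neither 0x10b nor 0x20b, which is the sanity check step 4 above asks for before trusting the computed offsets.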
-3

File timestamps are something controlled and maintained by the OS - they're not internal to the file (including executables) itself.

Matt Kline