Tuesday, August 13, 2019

Windows DLLs' PE timestamps aren't timestamps

One user wondered why the "create time" entries for many DLLs in the output of listdlls -v were incorrect and "all over the place." I investigated and found that ListDLLs takes that time from the PE/COFF headers, confirming matches with dumpbin /headers. I'm guessing that the timestamp field is intentionally filled in with not a time, but a hash of source code or the rest of the binary to allow reproducible builds. That way, recompiling the module produces another binary that can be trivially checked for identity with the first, showing that the binary hasn't been tampered with.
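Added example, not part of the original post: a Python sketch that reads the same COFF header field (TimeDateStamp) that ListDLLs and dumpbin /headers report, and checks whether it can be read as a link time at all. The 1993 floor, the function names and the sample header are this example's assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed floor for a believable link time (this example's choice).
EARLIEST = datetime(1993, 1, 1, tzinfo=timezone.utc)

def read_pe_timestamp(data: bytes) -> int:
    """Return the raw 32-bit TimeDateStamp from the COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def classify(stamp: int, now: datetime) -> str:
    """Say whether the field can be read as a link time relative to `now`."""
    when = EPOCH + timedelta(seconds=stamp)
    if when < EARLIEST:
        return "implausible: before %s" % EARLIEST.date()
    if when > now:
        return "implausible: in the future"
    # A non-time value can still land in this window by chance.
    return "plausible"

def make_sample(stamp: int) -> bytes:
    """Constructed minimal DOS + PE/COFF header carrying the given stamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. paths to DLLs on disk
        with open(path, "rb") as f:
            stamp = read_pe_timestamp(f.read())
        print(path, hex(stamp), classify(stamp, datetime.now(timezone.utc)))
```

A "plausible" result only means the value falls inside the window; it does not show the field was written as a time.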
