PE Compilation Timestamps vs. forensics

If you use PE Viewers, Editors, Dumpers for forensic purposes, you are most likely using them to extract a compilation timestamp from a binary – to determine when a specific file was compiled.

There is a little ‘gotcha’ here.

Some of these tools show the timestamps as UTC, some localize them to your timezone. This is far from ideal. Without being sure, you may be writing down incorrect information in your report.

We can fix it.

If you don’t know the algorithm your tool of choice is using to display the time you can quickly test it.

How?

As per the PE documentation, the Compilation timestamp is:

‘Date and time stamp value. The value is represented in the number of seconds that have elapsed since midnight (00:00:00), January 1, 1970, Universal Coordinated Time, according to the system clock. The time stamp can be printed by using the C runtime (CRT) time function.’

So, there is no better way to test your favourite programs than using a test executable with a timestamp set to 0, and observing the results (make sure you change your timezone to one different from UTC!).

If the result is 1970-01-01 00:00:00 then your tool is using UTC. If it is different, then it’s local time, and in some cases it may be wrong (better test with two different tools). With a timezone west of UTC, you may even see the compilation year 1969!

Quick test shows that:

  • Die, IDA, Efd, PE Studio – use local time

and

  • PE Bear, PPEE, VirusTotal – use UTC
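The test described above, as an added example that is not part of the original post: it constructs a minimal PE-like image with TimeDateStamp set to 0, reads the field back from the COFF file header, and formats it both as UTC and as a local time with a fixed offset (the -5 hour offset is an assumed sample timezone), which reproduces the ‘1969’ result.

```python
import struct
from datetime import datetime, timezone, timedelta


def build_test_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-runnable PE-like image (constructed sample data):
    DOS header with e_lfanew, the 'PE\\0\\0' signature, and an IMAGE_FILE_HEADER
    whose TimeDateStamp field is set to `timestamp`."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> offset of 'PE\0\0'
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp & 0xFFFFFFFF, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def read_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp (seconds since 1970-01-01 00:00:00 UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows the 4-byte signature and the Machine/NumberOfSections WORDs
    return struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]


def format_utc(ts: int) -> str:
    """What a UTC-aware tool should print for the raw timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def format_local(ts: int, utc_offset_hours: int) -> str:
    """What a tool localizing to a zone with the given fixed UTC offset prints."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz=tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    ts = read_timestamp(build_test_pe(0))
    print("raw   :", ts)
    print("UTC   :", format_utc(ts))          # 1970-01-01 00:00:00
    print("UTC-5 :", format_local(ts, -5))    # 1969-12-31 19:00:00
```

Write the bytes from build_test_pe(0) to a file and open it in your viewer of choice to see which of the two strings it reports.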

After I published this post, Brian provided an additional comment (thx!):

I would also take note of daylight saving time. The offset of your local time zone from UTC changes.


And here is the test .exe I used, in case you need it.

the art of staying ghidrated

The last few days have been very exciting. The NSA folks released ghidra – a killer reversing app they use internally.

The software is great; I played with it for a bit, and like many other reversers I shared some screenshots and comments on Twitter. Over the last few days I have looked through many Twitter and blog posts referencing the tool, and it’s pretty obvious this is going to be a game changer.

It’s free, it’s feature-rich, it’s expandable, and it warms our hearts every time it shows us cute ‘dragonian’ animations. And speaking of ‘draconian’, there is a lot of negative sentiment about the eligibility rules and the price tag that prevent non-corporate users from purchasing an IDA license.

Having to choose free vs. unreachable, the choice is pretty obvious.

There is one thing though that I don’t see covered in posts that are focused on this exciting new toy. It is the mission.

(For the record, I am going to wear my tinfoil hat now.)

When it comes to a mission, organizations like the NSA always have one. It is somehow bizarre that government orgs known for their secrecy release tools that give them an edge. GCHQ releases CyberChef, the NSA releases Ghidra. Should we expect more tools, released by DGSE, BND, and others?

The reason I am saying these tools give the respective orgs an edge is that these orgs rely on reversing a lot. They can obviously purchase exploits from brokers, intel from vendors, or access source code by any means necessary, but ultimately they do have a special task group that is responsible for cracking stuff en masse. And ghidra’s architecture supporting collaboration provides circumstantial evidence for my hypothesis here.

I am curious what the mission is when it comes to ghidra. Only a fool would believe that a release like this is just for ‘the good of the <input your preferred good reason here>’.

I believe both CyberChef and Ghidra support missions that are pretty obvious:

  • PR – we are not that bad; we share with community; we advance the science of security/reversing/etc.
  • Recruitment – kinda PR-related, but if the goal is to find geek recruits who want to work at the respective agencies then this works pretty well; these are excellent, mature tools, youngsters can use them, learn from them (for free!), and eventually become experts in using them; at that stage they can enter the respective agency and immediately jump on solving problems, saving lots of training time (in a similar manner, large companies that sponsor labs at schools train students to use the ‘sponsored’ tools, which the students will surely prefer to stick to, and purchase, when they become decision makers in the future)

The other motives are not clear.

One that comes to my mind is easy access to the work products of reversers who will surely jump at the occasion to add plugins, support for new file formats, firmware modules, possibly in areas that are less mainstream.

Will such input create a snowball effect and give the agency access to resources that will improve the efficiency and reach of the tool, especially its internal version not shared with public?

I don’t think this is a very good mission per se, but I can easily imagine the release being a product of someone’s annual objective to ‘enhance ghidra capability to e.g. triple the number of supported firmware modules’. Open sourcing the software could be one attempt to achieve this objective with minimal input; maybe a bit of social media manipulation could steer people towards cracking problems that are interesting from the agency’s perspective?

Hard to say. Again, I don’t buy this idea of a mission too much, because managing and quality-checking such crowd-sourced code would probably require more work than actually writing your own modules, or gaining access to the source code.

I do describe the above mission for a reason tho. Because even if it is not a true mission, it may end up being one. And it leads to a question, one that non-US reversers need to ask themselves. Will your work become a building block in enhancing the capabilities of a US foreign agency? Could it be that one day your parser, dumper, or plug-in will allow that foreign agency to crack the software of the router at your country’s ISP, or of your IoT toys, faster? One may argue that all our public research can serve such a role, and it’s a fair point, but the important distinction is that by contributing to ghidra there is that direct link to the agency that makes the action a conscious decision, and it may be seen as a direct contribution.

This is an open question. This is also a non-judgmental question. It is potentially a legal question tho. And perhaps a moral one too.