Search code examples
vb.netvb6updatesdecompiling

How to determine VB app compile/created date

My company uses a software that, in the footer of it's about section lists the year 2001-2002. Is this sufficient grounds to believe that the last major overhaul or update that this program received would have been in 2001-02?

If not, is there a way through decompiling the software, it's written in VB6?

Solution

  • I forgot the linker sticks a timestamp into the PE Header. Here is a short VB.NET applet to read the PE Header and convert the timestamp:

    Private Function GetPEDate(filename As String) As DateTime

    Dim dtUINT As UInt32
    Using fs As Stream = New FileStream(filename, 
                        FileMode.Open, FileAccess.Read),
        rdr As New BinaryReader(fs)

        ' move to PE location (60; 70 for 64 bit but
        ' there is no such thing as a 64bit VB6 app)
        fs.Position = &H3C
        Dim peHDR As UInt32 = rdr.ReadUInt32()       ' offset of start location
        fs.Position = peHDR

        Dim tmpUINT = rdr.ReadUInt32()            ' PE sig
        Dim tmpShrt = rdr.ReadUInt16              ' machine
        tmpShrt = rdr.ReadUInt16                  ' sections

        dtUINT = rdr.ReadUInt32()                 ' linker timestamp

    End Using
    ' SEE NOTE
    Dim dtCompiled As New DateTime(1970, 1, 1, 0, 0, 0)

    dtCompiled = dtCompiled.AddSeconds(dtUINT)
    dtCompiled = dtCompiled.AddHours( _ 
            TimeZone.CurrentTimeZone.GetUtcOffset(dtCompiled).Hours)

    Return dtCompiled
End Function

    To use it:

    Dim dt = GetPEDate(FullFilePath)
Console.WriteLine("App was compiled approx: {0}", dt.ToString)

    Output:

    App was compiled approx: 4/6/2004 11:54:07 AM

    I tested this with some actual old VB6 apps as well as some x86 VB.NET apps and the DateTime returned is spot on compared to that of CreatedDate and/or Modified Date reported by Explorer.

    Initially the time was off by 3 hours. The MSDN docs clearly state:

    This field holds the number of seconds since December 31st, 1969, at 4:00 P.M.

    But it was off by exactly 3 hrs and my TZ is not 3 away from East Coast US, Seattle or GMT. A quick Google yielded this article by Jeff Atwood (which includes another PE reader). Changing the base date to 1/1/1970 00:00:00 and adding the UTC adjustment returns times matching Explorer.

    Apparently MSDN is wrong or out of date as to the base date. 1/1/1970 also seems more likely since corresponds to POSIX/Unix timestamps.