Image Header vs. File Timestamps.
人们可以使用术语“模块时间戳”来表示文件时间戳和Image头时间戳。虽然他们通常非常接近,但他们是不同的,不会是相同的。下面是一个比较/对比:
| File timestamp | Image header timestamp | |
| What is it? | This is tracked by the file system, and includes several metrics such as when the file was created, when it was last modified, and when it was last accessed. | Emitted by the compiler and stored in the image header. Thus, it's in the contents of the file and separate from the meta-information tracked by the filesystem. |
| Who normally sets it? | The file system. | The compiler (which then generally creates a file to persists the results to, thus the file and image timestamps are usually very close) |
| Underlying storage | 64-bit FileTime structure | 32-bit time_t structure. |
| Win32 exposure | kernel32!GetFileTime | IMAGE_FILE_HEADER, exposed via the ImageHelp library.Matt Pietrek has an excellent article about cracking the PE file to get information like this. (The PE file format is publicly specced). |
| .NET exposure | In .NET, these are accessible as System.DateTime objects via File.GetCreationTime, File.GetLastAccessTime, File.GetLastWriteTime. | I don't think there are any .Net APIs to get these. (does anybody want them?). The Pdb2Xml writer in MDbg sample alludes to this a little.BradA tells how to convert time_t to a System.DateTime. |
映像时间戳是您在调试器下看到的。例如,windbg的“lmv”命令将时间戳显示为原始32位值,并将其转换为有用的值:
Image name: notepad.exe
Timestamp: Tue Aug 03 23:05:55 2004 (41107CC3)
CheckSum: 00014F7F可以从资源管理器查看文件时间戳。右键单击该文件并显示属性。为了进行比较,来自同一文件的时间戳通过文件系统:
创建时间:2004年8月9日星期一上午11:11:33
修改日期:2004年8月4日星期三上午4:00:00
访问时间:今天,2007年1月18日,晚上7:22:56
映像时间戳(和其他相关数据)也是转储文件中捕获的内容(请参阅MINIDUMP_MODULE)。因此,当调试器希望将小型转储中的模块与磁盘上的实际模块关联时,它可以使用映像头中的时间戳和校验和。这与PDB匹配的工作原理类似。