这两天在编写一个读取系统事件日志的程序,其中结构变量EVENTLOGRECORD中成员TimeGenerated和TimeWritten的值为:
The time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
即自协调世界时(UTC)1970年1月1日 00:00:00 起经过的秒数。
Windows系统好像没有直接提供将其转换为对应的年月日、时分秒的API函数。
Google了一下,在
http://www.asmcommunity.net/board/index.php?topic=18369.0找到了donkey网友提供的方法,整理如下:
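; 1970-01-01 00:00:00 UTC expressed as a FILETIME (100-ns intervals since
; 1601-01-01): 116444736000000000 = 019DB1DE_D53E8000h, split into two dwords.
BaseTimeLow     equ 0D53E8000h
BaseTimeHigh    equ 19DB1DEh

; StampToLocalDateTime - convert a 32-bit Unix timestamp (seconds since the
; epoch, UTC; the format of EVENTLOGRECORD.TimeGenerated / TimeWritten) into a
; SYSTEMTIME in the local time zone.
;   dwStamp       : seconds since 1970-01-01 00:00:00 UTC.  The multiply below
;                   is unsigned, so values past 2038 are still handled.
;   lpstLocalTime : pointer to the SYSTEMTIME that receives the local time.
; Returns: eax = 0 if either conversion failed, nonzero otherwise.
StampToLocalDateTime proc dwStamp: dword, lpstLocalTime: dword
    local stUtcFileTime: FILETIME
    local stUtcTime: SYSTEMTIME

    ; edx:eax = dwStamp * 10,000,000  (seconds -> 100-ns units, 64-bit result)
    mov     eax, dwStamp
    mov     edx, 10000000
    mul     edx
    ; add the 1601->1970 epoch offset, carrying into the high dword
    add     eax, BaseTimeLow
    adc     edx, BaseTimeHigh
    mov     stUtcFileTime.dwLowDateTime, eax
    mov     stUtcFileTime.dwHighDateTime, edx

    ; Convert to UTC calendar fields first, then apply the time zone rules for
    ; *that* date.  FileTimeToLocalFileTime applies the DST bias in effect at
    ; the moment of the call, so a record written under the other DST state
    ; comes out shifted by an hour - which skews an event-log timeline.
    invoke  FileTimeToSystemTime, addr stUtcFileTime, addr stUtcTime
    test    eax, eax
    jz      @F                  ; propagate failure (eax = 0) to the caller
    invoke  SystemTimeToTzSpecificLocalTime, NULL, addr stUtcTime, lpstLocalTime
@@:
    ret
StampToLocalDateTime endp

; LOCALE_SYSTEM_DEFAULT is MAKELCID(LANG_SYSTEM_DEFAULT, SORT_DEFAULT) = 0800h;
; the original defined it as 0, which is LOCALE_NEUTRAL, not the system default.
LOCALE_SYSTEM_DEFAULT equ 800h
g_szFmtDate     db "yyyy-M-d", 0

; printDate - format the date part of a SYSTEMTIME and hand it to m_InsTxt.
;   lpstDate : pointer to a SYSTEMTIME
; buf covers the longest possible output, "yyyy-MM-dd" (10 chars) plus the
; terminator; GetDateFormat is given the buffer size, so it cannot overrun it.
printDate proc lpstDate: dword
    local buf[12]: byte
    invoke  GetDateFormat, LOCALE_SYSTEM_DEFAULT, NULL, lpstDate, offset g_szFmtDate, addr buf, sizeof buf
    test    eax, eax
    jz      @F                  ; on failure buf is uninitialised - do not print it
    m_InsTxt addr buf
@@:
    ret
printDate endp

; (LOCALE_SYSTEM_DEFAULT is defined once, above.)
; Note: "m" prints the minute without a leading zero while "ss" pads the
; second, so 09:05:07 is rendered as "9:5:07".
g_szFmtTime     db "H:m:ss", 0

; printTime - format the time part of a SYSTEMTIME and hand it to m_InsTxt.
;   lpstTime : pointer to a SYSTEMTIME
; buf covers the longest possible output, "HH:mm:ss" (8 chars) plus the
; terminator; GetTimeFormat is given the buffer size, so it cannot overrun it.
printTime proc lpstTime: dword
    local buf[9]: byte
    invoke  GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL, lpstTime, offset g_szFmtTime, addr buf, sizeof buf
    test    eax, eax
    jz      @F                  ; on failure buf is uninitialised - do not print it
    m_InsTxt addr buf
@@:
    ret
printTime endp

g_szFmtDateTime db "%d-%d-%d %d:%d:%d", 0

; printDateTime - render a whole SYSTEMTIME as "Y-M-D h:m:s" (no zero padding)
; and hand it to m_InsTxt.  All general registers are preserved with
; pusha/popa, so the caller's register state is untouched.
;   lpstDateTime : pointer to a SYSTEMTIME
printDateTime proc lpstDateTime: DWORD
    ; six 16-bit fields printed with %d: at most 6*5 digits + 5 separators + NUL.
    ; wsprintf has no length argument, so the buffer must hold the worst case.
    local buf[36]: byte

    pusha
    mov     edi, lpstDateTime
    ; widen each WORD field to 32 bits for wsprintf's %d.  wSecond is read
    ; last because it reuses edi, which until then is the struct pointer.
    movzx   eax, (SYSTEMTIME ptr [edi]).wYear
    movzx   ebx, (SYSTEMTIME ptr [edi]).wMonth
    movzx   ecx, (SYSTEMTIME ptr [edi]).wDay
    movzx   edx, (SYSTEMTIME ptr [edi]).wHour
    movzx   esi, (SYSTEMTIME ptr [edi]).wMinute
    movzx   edi, (SYSTEMTIME ptr [edi]).wSecond
    ; invoke pushes arguments right to left, so the register arguments are
    ; already on the stack before 'addr buf' is materialised through eax.
    invoke  wsprintf, addr buf, addr g_szFmtDateTime, eax, ebx, ecx, edx, esi, edi
    ; The original built the string and then discarded it (buf is a local and
    ; nothing read it before popa/ret); output it the way the sibling
    ; procedures do.
    m_InsTxt addr buf
    popa
    ret
printDateTime endp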