这两天在编写一个读取系统事件日志的程序,其中结构变量EVENTLOGRECORD中成员TimeGenerated和TimeWritten的值为:
The time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
即从协调世界时(UTC)1970年1月1日00:00:00起经过的秒数。
Windows系统好像没有直接提供将其转换为对应的年月日、时分秒的API函数。
Google了一下,在
http://www.asmcommunity.net/board/index.php?topic=18369.0
找到了donkey网友提供的方法,整理如下:
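; FILETIME value of the Unix epoch (1970-01-01 00:00:00 UTC), i.e. the number
; of 100 ns ticks between 1601-01-01 and 1970-01-01: 019DB1DED53E8000h,
; split into its low and high dwords.
BaseTimeLow     equ 0D53E8000h
BaseTimeHigh    equ 19DB1DEh

;-----------------------------------------------------------------------
; StampToLocalDateTime
; Converts a "seconds since 1970-01-01 00:00:00 UTC" stamp (the unit the
; page quotes for EVENTLOGRECORD.TimeGenerated / TimeWritten) into a
; local-time SYSTEMTIME.
;
; In:   dwStamp       = seconds since the Unix epoch; multiplied with an
;                       unsigned MUL, so it is treated as unsigned 32-bit
;       lpstLocalTime = pointer to the SYSTEMTIME that receives the result
; Out:  eax = nonzero on success, 0 if either conversion call failed
;             (on failure the caller's SYSTEMTIME must not be used)
;
; NOTE(review): FileTimeToLocalFileTime applies the time-zone bias and
; daylight-saving state that are in effect *now*, not those in effect at
; the time of the stamp, so records written under the other DST state come
; out one hour off. When building an event timeline, keep the UTC value or
; convert with FileTimeToSystemTime + SystemTimeToTzSpecificLocalTime.
;-----------------------------------------------------------------------
StampToLocalDateTime proc dwStamp: dword, lpstLocalTime: dword
    local stUtcFileTime: FILETIME
    local stLocalFileTime: FILETIME

    mov     eax, dwStamp
    mov     edx, 10000000               ; 100 ns ticks per second
    mul     edx                         ; edx:eax = dwStamp * 10^7 (64-bit product)
    add     eax, BaseTimeLow            ; 64-bit add of the 1970 base:
    adc     edx, BaseTimeHigh           ;   carry from the low dword goes into the high one
    mov     stUtcFileTime.dwLowDateTime, eax
    mov     stUtcFileTime.dwHighDateTime, edx

    invoke  FileTimeToLocalFileTime, addr stUtcFileTime, addr stLocalFileTime
    .if eax != 0
        ; Only convert when the first call succeeded; otherwise
        ; stLocalFileTime is uninitialised stack and eax stays 0.
        invoke  FileTimeToSystemTime, addr stLocalFileTime, lpstLocalTime
    .endif
    ret
StampToLocalDateTime endp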
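; LCID passed to GetDateFormat / GetTimeFormat below.
; NOTE(review): in the Windows headers the value 0 is LOCALE_NEUTRAL, while
; LOCALE_SYSTEM_DEFAULT is 0800h. The value is kept as the author wrote it;
; confirm which locale is actually intended.
LOCALE_SYSTEM_DEFAULT equ 0
g_szFmtDate db "yyyy-M-d", 0            ; GetDateFormat picture string

;-----------------------------------------------------------------------
; printDate
; Formats the date part of a SYSTEMTIME with the picture "yyyy-M-d" and
; hands the text to the m_InsTxt macro (defined elsewhere in the project).
;
; In:   lpstDate = pointer to a SYSTEMTIME
; Out:  nothing is output when GetDateFormat fails
;-----------------------------------------------------------------------
printDate proc lpstDate: dword
    local buf[12]: byte                 ; room for "yyyy-MM-dd" plus the NUL

    invoke  GetDateFormat, LOCALE_SYSTEM_DEFAULT, NULL, lpstDate, offset g_szFmtDate, addr buf, sizeof buf
    .if eax != 0
        ; GetDateFormat returns 0 on failure (invalid date, text does not
        ; fit in buf) and then leaves buf unwritten; emitting it would read
        ; uninitialised stack bytes with no guaranteed terminator.
        m_InsTxt addr buf
    .endif
    ret
printDate endp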
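;LOCALE_SYSTEM_DEFAULT equ 0            ; already defined above, next to g_szFmtDate
g_szFmtTime db "H:m:ss", 0              ; GetTimeFormat picture string (24-hour clock)

;-----------------------------------------------------------------------
; printTime
; Formats the time part of a SYSTEMTIME with the picture "H:m:ss" and
; hands the text to the m_InsTxt macro (defined elsewhere in the project).
;
; In:   lpstTime = pointer to a SYSTEMTIME
; Out:  nothing is output when GetTimeFormat fails
;-----------------------------------------------------------------------
printTime proc lpstTime: dword
    local buf[9]: byte                  ; room for "HH:mm:ss" plus the NUL, no slack

    invoke  GetTimeFormat, LOCALE_SYSTEM_DEFAULT, NULL, lpstTime, offset g_szFmtTime, addr buf, sizeof buf
    .if eax != 0
        ; A return of 0 means nothing valid was written to buf (invalid
        ; time or buffer too small); skip the output instead of reading
        ; uninitialised stack bytes.
        m_InsTxt addr buf
    .endif
    ret
printTime endp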
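g_szFmtDateTime db "%d-%d-%d %d:%d:%d", 0   ; wsprintf format: Y-M-D h:m:s

;-----------------------------------------------------------------------
; printDateTime
; Formats the year, month, day, hour, minute and second fields of a
; SYSTEMTIME as "Y-M-D h:m:s" with wsprintf and outputs the text.
;
; In:   lpstDateTime = pointer to a SYSTEMTIME (NULL is ignored)
; Out:  all general-purpose registers are preserved (pushad / popad)
;-----------------------------------------------------------------------
printDateTime proc lpstDateTime: DWORD
    ; wsprintf has no destination-size argument. Each field is a 16-bit
    ; value printed with %d, so a SYSTEMTIME that was never filled in can
    ; produce 6 * 5 digits + 5 separators + NUL = 36 bytes; the original
    ; 30-byte buffer could be overrun on the stack.
    local buf[36]: byte

    ; pushad/popad are the explicit 32-bit forms. NOTE(review): the
    ; original used pusha/popa, which some assemblers encode as the 16-bit
    ; variant; ebx/esi/edi are fully overwritten below and must be
    ; restored in full.
    pushad
    mov     edi, lpstDateTime
    .if edi != 0
        movzx   eax, (SYSTEMTIME ptr [edi]).wYear
        movzx   ebx, (SYSTEMTIME ptr [edi]).wMonth
        movzx   ecx, (SYSTEMTIME ptr [edi]).wDay
        movzx   edx, (SYSTEMTIME ptr [edi]).wHour
        movzx   esi, (SYSTEMTIME ptr [edi]).wMinute
        movzx   edi, (SYSTEMTIME ptr [edi]).wSecond ; last load: edi stops being the pointer
        invoke  wsprintf, addr buf, addr g_szFmtDateTime, eax, ebx, ecx, edx, esi, edi
        ; The original formatted into buf and then returned without using
        ; it. NOTE(review): output through m_InsTxt as printDate and
        ; printTime do - confirm this is the intended sink.
        m_InsTxt addr buf
    .endif
    popad
    ret
printDateTime endp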