MarkBaggett / srum-dump

A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
GNU General Public License v3.0

UnboundLocalError: local variable 'sid_str' referenced before assignment #7

Closed giomke closed 6 years ago

giomke commented 6 years ago

```
Traceback (most recent call last):
  File "<string>", line 274, in <module>
  File "<string>", line 130, in load_lookups
  File "<string>", line 64, in BinarySIDtoStringSID
UnboundLocalError: local variable 'sid_str' referenced before assignment
```
MarkBaggett commented 6 years ago

Thanks for reporting that. I need a little more information to fix it / reproduce the problem. That particular block of code is actually from Google's Rapid Response framework.

https://github.com/google/grr/blob/master/grr/parsers/wmi_parser.py

So I'm guessing the error is occurring because I'm not validating that you pulled valid user SIDs from SRUM. This could be because your copy of the SRUM database was corrupt or a few other possibilities. I assume you are passing a -o SOFTWARE registry key. Does it work when you don't?

grayfold3d commented 6 years ago

I get the same error. I did pass it the SOFTWARE hive but get the same error without it. I am able to open the SRUM DB in ESEDatabaseview. I extracted it off a live system using robocopy /B. I was attempting to use FGET.exe originally but was seeing some weird issues where it wasn't successfully grabbing the entire file.

MarkBaggett commented 6 years ago

What if you try it without the software option?

Mark


grayfold3d commented 6 years ago

Yep I get the same error without the software option.


MarkBaggett commented 6 years ago

Any chance that you can share a copy of your srum file with me?

Mark


grayfold3d commented 6 years ago

Sure where should I send it?

MarkBaggett commented 6 years ago

Lo127001 at gmail dot com please

Mark


MarkBaggett commented 6 years ago

Thanks. That is extremely helpful. The issue is that sometimes SRUM records a SID of all 0s:

```
(Pdb) p rec_entry
OrderedDict([('IdType', 3), ('IdIndex', 38127), ('IdBlob', '0000000000000000')])
```

When I pass that data off to the Google Rapid Response function it raises that error. I'm putting the call to the GRR function in a try: except: block. That will prevent the error, although I am not sure why SRUM is recording SIDs of all 0s.

Here is the new code to fix it, beginning on line 130. I'll post an update shortly.

```python
elif rec_entry['IdType'] == 3:
    # Wrap the GRR SID conversion so a malformed (e.g. all-zero) IdBlob
    # yields 'None' instead of aborting the whole dump.
    try:
        user_blob = BinarySIDtoStringSID(rec_entry['IdBlob'].decode("hex"))
    except:
        user_blob = 'None'
    # Previous line, which still called the converter on an all-zero blob:
    # user_blob = 'None' if not rec_entry['IdBlob'] else BinarySIDtoStringSID(rec_entry['IdBlob'].decode("hex"))
    id_lookup[rec_entry['IdIndex']] = user_blob
```
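For readers who want to see why an all-zero IdBlob is not a SID at all, rather than just catching the exception, here is an added Python 3 example (not srum-dump's or GRR's code) of a SID decoder that validates the blob layout and returns None on malformed input, together with a lookup-builder that mirrors the fixed branch above. The function names, the `SAMPLE_RECORDS` rows and the index 38128 are constructed for this illustration; the all-zero row copies the record shown in this issue, and `S-1-5-32-544` is the well-known BUILTIN\Administrators SID.

```python
import struct
from collections import OrderedDict

# Hypothetical Python 3 reimplementation for illustration; not srum-dump's or GRR's code.
SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15


def binary_sid_to_string_sid(sid):
    """Convert a binary SID (bytes) to its 'S-R-I-S-S...' text form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities. Returns None instead of raising when
    the blob is not a well-formed SID, e.g. the all-zero IdBlob seen in
    this issue, so the caller does not need a bare except.
    """
    if len(sid) < 8:
        return None
    revision, sub_count = sid[0], sid[1]
    if revision != SID_REVISION or sub_count > SID_MAX_SUB_AUTHORITIES:
        return None  # an all-zero blob fails here: revision 0 is not a SID
    if len(sid) != 8 + 4 * sub_count:
        return None  # truncated or over-long blob
    authority = int.from_bytes(sid[2:8], "big")
    subs = [struct.unpack("<I", sid[8 + 4 * i:12 + 4 * i])[0] for i in range(sub_count)]
    return "S-" + "-".join(str(x) for x in [revision, authority] + subs)


def build_id_lookup(records):
    """Mirror of the fixed load_lookups branch: IdType 3 rows carry a user SID.

    Unparseable blobs map to the string 'None', as in the fix posted above,
    rather than aborting the whole export.
    """
    id_lookup = {}
    for rec in records:
        if rec["IdType"] == 3:
            sid = binary_sid_to_string_sid(bytes.fromhex(rec["IdBlob"]))
            id_lookup[rec["IdIndex"]] = sid if sid is not None else "None"
    return id_lookup


# Constructed sample rows: the all-zero blob from this issue (IdIndex 38127)
# and BUILTIN\Administrators (S-1-5-32-544) under a made-up index.
SAMPLE_RECORDS = [
    OrderedDict([("IdType", 3), ("IdIndex", 38127), ("IdBlob", "0000000000000000")]),
    OrderedDict([("IdType", 3), ("IdIndex", 38128), ("IdBlob", "01020000000000052000000020020000")]),
]

if __name__ == "__main__":
    for idx, sid in sorted(build_id_lookup(SAMPLE_RECORDS).items()):
        print(idx, sid)
```

Validating revision, sub-authority count and total length up front means a corrupt SruDbIdMapTable row is reported as an unknown user instead of surfacing as an UnboundLocalError deep inside the converter, and it avoids the bare `except:` that would also hide unrelated bugs.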
grayfold3d commented 6 years ago

Great news. Thanks Mark!

MarkBaggett commented 6 years ago

I think the update I just pushed this morning will resolve this issue. Thank you for reporting it and sending me the files needed to troubleshoot it.

Mark Baggett

pricklypete-dfir commented 5 years ago

Posting here just to say thank you - this was extremely helpful and good timing to prompt an update of the srum-dump on the Windows SIFT workstation being used in the Sans.org class I'm taking right now online.

Was attempting to validate some of these steps against some of our known good enterprise system images and was getting this error.

After update:

"User SID not found : OrderedDict([(b'IdType', 3), (b'IdIndex', 670), (b'IdBlob', b'0000000000000000')]) local variable 'sid_str' referenced before assignment"

Informational message, did not stop the program from completing successfully - Thanks again!