omerbenamram / evtx

A Fast (and safe) parser for the Windows XML Event Log (EVTX) format
Apache License 2.0
687 stars 64 forks

is_a_non_negative_number error #36

Closed forensicmatt closed 5 years ago

forensicmatt commented 5 years ago

Getting an error on this file.

Here is the link: https://www.dropbox.com/s/1tugvc0gy0icv59/VSS1_Windows_system32_winevt_logs_HardwareEvents.evtx?dl=0

D:\Tools\evtx_dump>evtx_dump.exe D:\Images\CTF_DEFCON_2018\Image3-Desktop\Extracts\EVTX\VSS1_Windows_system32_winevt_logs_HardwareEvents.evtx
thread 'main' panicked at 'Failed to load evtx file located at D:\Images\CTF_DEFCON_2018\Image3-Desktop\Extracts\EVTX\VSS1_Windows_system32_winevt_logs_HardwareEvents.evtx', src\bin\evtx_dump.rs:201:29
stack backtrace:
   0: std::sys::windows::backtrace::set_frames
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\sys\windows\backtrace\mod.rs:94
   1: std::sys::windows::backtrace::unwind_backtrace
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\sys\windows\backtrace\mod.rs:81
   2: std::sys_common::backtrace::_print
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\sys_common\backtrace.rs:70
   3: std::sys_common::backtrace::print
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\sys_common\backtrace.rs:58
   4: std::panicking::default_hook::{{closure}}
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:200
   5: std::panicking::default_hook
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:215
   6: std::panicking::rust_panic_with_hook
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:478
   7: std::panicking::continue_panic_fmt
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:385
   8: std::panicking::begin_panic_fmt
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:340
   9: evtx_dump::is_a_non_negative_number
  10: <evtx::xml_output::XmlOutput<W> as evtx::xml_output::BinXmlOutput<W>>::visit_open_start_element
  11: std::rt::lang_start_internal::{{closure}}
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\rt.rs:49
  12: std::panicking::try::do_call<closure,i32>
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:297
  13: panic_unwind::__rust_maybe_catch_panic
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libpanic_unwind\lib.rs:87
  14: std::panicking::try
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panicking.rs:276
  15: std::panic::catch_unwind
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\panic.rs:388
  16: std::rt::lang_start_internal
             at /rustc/fc50f328b0353b285421b8ff5d4100966387a997\/src\libstd\rt.rs:48
  17: main
  18: invoke_main
             at d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
  19: __scrt_common_main_seh
             at d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
  20: BaseThreadInitThunk
  21: RtlUserThreadStart
omerbenamram commented 5 years ago

It seems this file is just zeroes. Am I missing something?


It's a little strange that is_a_non_negative_number shows up in the stacktrace, since it only validates parameters. I think it's a quirk with stack unwinding.

omerbenamram commented 5 years ago

btw I should make sure to throw a nicer error on files like this.
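The file in this issue turned out to be entirely zero bytes, and the maintainer's follow-up is that such input should produce a descriptive error rather than a panic from deep inside the binary XML visitor. As an added illustration (not code from the evtx crate), the block below shows a pre-parse sanity check a tool can run on the first 4096-byte EVTX file header: it distinguishes a too-short file, an all-zero header (what a sparse or never-written VSS copy looks like), and a wrong magic (`ElfFile\0`). The sample buffers are constructed inline for the example; the `EvtxHeaderError` type and the `check_evtx_header` function are assumptions of this example, not the crate's API.

```rust
// Added example (not part of the evtx crate): a pre-parse sanity check that
// turns a zero-filled or otherwise non-EVTX input into a descriptive error
// instead of letting the parser panic deep inside the binary XML visitor.
use std::fmt;

/// Magic at offset 0 of every EVTX file header ("ElfFile\0").
pub const EVTX_FILE_MAGIC: &[u8; 8] = b"ElfFile\0";
/// Size of the EVTX file header block in bytes.
pub const EVTX_FILE_HEADER_SIZE: usize = 4096;

/// Reasons the header check can refuse an input (hypothetical type for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum EvtxHeaderError {
    /// Fewer bytes than one file header; nothing to parse.
    TooShort { len: usize },
    /// Every byte in the header is 0x00 (typical of a sparse or unallocated
    /// VSS copy, or a carved file that was never written).
    AllZeroes,
    /// First eight bytes are not "ElfFile\0".
    BadMagic { found: [u8; 8] },
}

impl fmt::Display for EvtxHeaderError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            EvtxHeaderError::TooShort { len } => write!(
                f,
                "file is {} bytes, shorter than the {}-byte EVTX header",
                len, EVTX_FILE_HEADER_SIZE
            ),
            EvtxHeaderError::AllZeroes => write!(
                f,
                "EVTX header is entirely zero bytes (empty or unallocated file)"
            ),
            EvtxHeaderError::BadMagic { found } => write!(
                f,
                "expected EVTX magic {:?}, found {:?}",
                EVTX_FILE_MAGIC, found
            ),
        }
    }
}

impl std::error::Error for EvtxHeaderError {}

/// Validate the first header block before handing `data` to a real parser.
/// Only length, the all-zero case and the magic are checked here; checksums
/// and chunk counts are left to the actual parser.
pub fn check_evtx_header(data: &[u8]) -> Result<(), EvtxHeaderError> {
    if data.len() < EVTX_FILE_HEADER_SIZE {
        return Err(EvtxHeaderError::TooShort { len: data.len() });
    }
    let header = &data[..EVTX_FILE_HEADER_SIZE];
    // Test the all-zero case before the magic so the user gets the most
    // specific message for the situation seen in this issue.
    if header.iter().all(|&b| b == 0) {
        return Err(EvtxHeaderError::AllZeroes);
    }
    let mut found = [0u8; 8];
    found.copy_from_slice(&header[..8]);
    if &found != EVTX_FILE_MAGIC {
        return Err(EvtxHeaderError::BadMagic { found });
    }
    Ok(())
}

/// Constructed sample: a header-sized buffer that is all zeroes, like the file in this issue.
pub fn zero_filled_sample() -> Vec<u8> {
    vec![0u8; EVTX_FILE_HEADER_SIZE]
}

/// Constructed sample: a header-sized buffer carrying only a valid magic
/// (the rest is left zero because this example checks nothing beyond the magic).
pub fn magic_only_sample() -> Vec<u8> {
    let mut v = vec![0u8; EVTX_FILE_HEADER_SIZE];
    v[..8].copy_from_slice(EVTX_FILE_MAGIC);
    v
}

fn main() {
    let samples = vec![
        ("zeroes", zero_filled_sample()),
        ("magic", magic_only_sample()),
        ("short", vec![0u8; 16]),
    ];
    for (name, data) in samples {
        match check_evtx_header(&data) {
            Ok(()) => println!("{}: header looks like EVTX", name),
            Err(e) => println!("{}: refusing to parse: {}", name, e),
        }
    }
}
```

Running the check before the parser is cheap (one 4 KiB read) and lets a command-line tool report "this file is all zeroes" for the VSS copy above, while still rejecting truncated or non-EVTX inputs with their own message.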

forensicmatt commented 5 years ago

Ah, sorry about that. I was trying to do the directory thing and it was throwing the error, so I just threw the file in here prematurely without checking it. My bad.

omerbenamram commented 5 years ago

@forensicmatt I think the error message was bad anyways, it's nicer now! :)