tomchop / volatility-autoruns

Autoruns plugin for the Volatility framework
GNU General Public License v2.0

Autoruns problems with Volatility 2.5 #9

Closed jared703 closed 8 years ago

jared703 commented 8 years ago

Hi Tom,

I'm having a problem with autoruns (your latest build) and a Win7SP1x86 memory image. The error I'm getting is:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "vol1.py", line 192, in <module>
    main()
  File "vol1.py", line 183, in main
    command.execute()
  File "/home//Desktop/vol-2.5_clean/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 527, in calculate
    self.tasks = self.get_tasks()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 446, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 462, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data

tomchop commented 8 years ago

Damn Unicode! I haven't tried the plugin with volatility 2.5 yet. Can you check what the content of the xml variable is?

File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 462, in parse_task_xml
xml = xml.decode('utf-16')
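For anyone hitting the same traceback: the two lines quoted above tell you where the bad input must be coming from. The plugin collapses runs of two or more NULs (the terminator and page padding after the last character), re-appends one NUL for the high byte it just removed from the last UTF-16 code unit, then decodes strictly. If the carved blob is empty or consists only of NULs, that leaves exactly b'\x00', and the strict codec reports "can't decode byte 0x00 in position 0: truncated data". The block below is an added example, not code from the plugin or from this thread, and it is written for Python 3 (where the error text names 'utf-16-le' rather than 'utf16'). naive_decode transliterates the two plugin lines so the failure can be reproduced; decode_task_xml is a hardened version that returns None instead of raising on empty, all-NUL, misaligned, BOM-prefixed or odd-length (truncated) carves; exec_actions pulls the Command and Arguments out of a decoded definition, which is what an autoruns listing ultimately wants. The sample task definition and every function name here are constructed for the example; the Task Scheduler namespace URI is the real one carried by task XML.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler 2.0 XML namespace (the xmlns on every <Task> definition).
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample task definition for this example; not taken from any image.
SAMPLE_TASK = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="' + TASK_NS + '">'
    '<RegistrationInfo><Author>CORP\\jdoe</Author></RegistrationInfo>'
    '<Actions Context="Author"><Exec>'
    '<Command>C:\\Windows\\System32\\cmd.exe</Command>'
    '<Arguments>/c powershell -enc SQBFAFgA</Arguments>'
    '</Exec></Actions></Task>'
)


def naive_decode(blob):
    """Python 3 transliteration of the two plugin lines quoted in the thread.

    Collapse runs of two or more NULs, put back the high byte the collapse
    took from the last code unit, then decode strictly. On an empty or
    all-NUL blob this leaves exactly b'\\x00', which is what produces the
    reported "can't decode byte 0x00 in position 0: truncated data".
    """
    blob = re.sub(b"\x00\x00+", b"", blob) + b"\x00"
    return blob.decode("utf-16")


def reproduces_issue(blob):
    """True when the original decode step raises on this blob."""
    try:
        naive_decode(blob)
    except UnicodeDecodeError:
        return True
    return False


def decode_task_xml(blob):
    """Decode a UTF-16 task definition carved from memory; None if unusable.

    Handles what the original step does not: empty or all-NUL input, a
    byte-order mark, a carve that starts one byte before the 16-bit boundary,
    and an odd-length (truncated) blob. The alignment check is a heuristic
    that assumes little-endian text beginning with an ASCII character.
    """
    if blob.startswith(b"\xff\xfe"):
        blob, enc = blob[2:], "utf-16-le"
    elif blob.startswith(b"\xfe\xff"):
        blob, enc = blob[2:], "utf-16-be"
    else:
        enc = "utf-16-le"  # Windows in-memory strings are little-endian
        # A leading NUL followed by a non-NUL byte is the high byte of the
        # code unit preceding the real start of the string; drop it to realign.
        if len(blob) >= 2 and blob[0] == 0 and blob[1] != 0:
            blob = blob[1:]
    blob = blob.rstrip(b"\x00")  # terminator and page padding
    if not blob:
        return None  # nothing was carved: report it, do not crash the plugin
    if len(blob) % 2:
        if enc == "utf-16-le":
            blob += b"\x00"  # restore the high byte rstrip removed
        else:
            blob = blob[:-1]  # lone high byte of a truncated big-endian unit
    try:
        text = blob.decode(enc)
    except UnicodeDecodeError:
        return None
    start = text.find("<?xml")
    if start == -1:
        start = text.find("<Task")
    end = text.rfind("</Task>")
    if start == -1 or end < start:
        return None  # not a complete definition (truncated page, wrong carve)
    return text[start:end + len("</Task>")]


def exec_actions(task_xml):
    """Return (Command, Arguments) for each <Exec> action in a decoded task."""
    # The text is already decoded, so the encoding="UTF-16" hint in the
    # declaration is stale; drop it before handing the str to expat.
    body = re.sub(r"^<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(body)
    ns = {"t": TASK_NS}
    return [
        (ex.findtext("t:Command", default="", namespaces=ns),
         ex.findtext("t:Arguments", default="", namespaces=ns))
        for ex in root.findall(".//t:Actions/t:Exec", ns)
    ]


if __name__ == "__main__":
    carved = SAMPLE_TASK.encode("utf-16-le") + b"\x00" * 8  # constructed carve
    cases = [("clean", carved), ("all-NUL", b"\x00" * 16),
             ("misaligned", b"\x00" + carved), ("cut short", carved[:100])]
    for label, blob in cases:
        print(label, "naive raises:", reproduces_issue(blob))
        text = decode_task_xml(blob)
        print(label, "->", exec_actions(text) if text else None)
```

The all-NUL case is the one that matches the traceback in this issue; printing repr() of the blob, as suggested above, is how you confirm it. The misaligned and cut-short cases are what you tend to get from images built out of hiberfil.sys or from partially paged-out memory, so returning None and letting get_tasks skip the entry keeps the rest of the autoruns output usable.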
jared703 commented 8 years ago

Tom-

I threw in a: print(task_xml) at line 445 and a: print(xml) at line 462, but that didn't seem to catch the variable. Any ideas on how to best catch it?

Traceback (most recent call last):
  File "vol1.py", line 192, in <module>
    main()
  File "vol1.py", line 183, in main
    command.execute()
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 528, in calculate
    self.tasks = self.get_tasks()
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 446, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 463, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data

tomchop commented 8 years ago

Try print "XML:", repr(xml), see if that displays at least the "XML: " part.

jared703 commented 8 years ago

Tom, I think my syntax might be off. Is the syntax print "XML:", repr(xml) correct? If so, what line are you thinking I should test it on?

Also, I threw print statements here:

def parse_task_xml(self, xml):
    print(type(xml))
    xml = re.sub('\x00\x00+', '', xml) + '\x00'
    print(type(xml))

and got: <type 'str'> <type 'str'>

Not sure if that helps any.

jared703 commented 8 years ago

I switched up my print statements:

print(type(xml))
xml = xml.decode('utf-16')
print(type(xml))

and got:

  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 529, in calculate
    self.tasks = self.get_tasks()
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 446, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/home/dfir-greenhill/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 463, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)

jared703 commented 8 years ago

Tom - please let me know if I can provide any other details that might help.

tomchop commented 8 years ago

Hi Jared, sorry for the delay. Can you try using repr() when printing? This will print empty strings with surrounding quotes:

>>> print repr('')
''
>>> print ''

>>>

Besides, which version of python are you using?

jared703 commented 8 years ago

Tom, I've done some more testing today and can't seem to replicate the issue. I am having the issue in a memory image I created from a hiberfil.sys file but feel that is a bit out of bounds. I can close this ticket.