williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0

OverflowError: Python int too large to convert to C long #26

Open MrChris001 opened 7 years ago

MrChris001 commented 7 years ago

Thanks for the hard work in this project. It's really helpful.

I just have one problem to report: when I try to parse the Windows EVTX file 'CAPI2' I get the error below. Is there a workaround please? I am actually using the library to parse every EVTX file in a certain directory and this EVTX is the only one that throws up a problem!

  File "g:\Python Code\Events\Evtx2Time.py", line 121, in <module>
    main()
  File "g:\Python Code\Events\Evtx2Time.py", line 71, in main
    for xml, record in evtx_file_xml_view(fh):
  File "C:\Python27\lib\Evtx\Views.py", line 221, in evtx_file_xml_view
    record_str = _build_record_xml(record, cache=cache)
  File "C:\Python27\lib\Evtx\Views.py", line 172, in _build_record_xml
    xml = rec(record.root())
  File "C:\Python27\lib\Evtx\Views.py", line 163, in rec
    subs_strs.append(rec(sub))
  File "C:\Python27\lib\Evtx\Views.py", line 154, in rec
    f = _make_template_xml_view(root_node, cache=cache)
  File "C:\Python27\lib\Evtx\Views.py", line 120, in _make_template_xml_view
    template_instance = root_node.fast_template_instance()
  File "C:\Python27\lib\Evtx\Nodes.py", line 909, in fast_template_instance
    return TemplateInstanceNode(self._buf, ofs, self._chunk, self)
  File "C:\Python27\lib\Evtx\Nodes.py", line 716, in __init__
    self._data_length += new_template.length()
  File "C:\Python27\lib\Evtx\Nodes.py", line 211, in length
    return self.tag_length() + self.data_length()
  File "C:\Python27\lib\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Python27\lib\Evtx\BinaryParser.py", line 356, in unpack_dword
    return struct.unpack_from("<I", self._buf, o)[0]
OverflowError: Python int too large to convert to C long

williballenthin commented 7 years ago

Huh, I'm not sure what's happening here. The stack trace is useful, but I can't see why the overflow error would be thrown on struct.unpack_from.

Is there any chance you can share the evtx file? I don't think I have a similar one on my system, and haven't been able to reproduce this error.

williballenthin commented 7 years ago

A workaround might be to use 64-bit Python, if that's feasible.

The reported issue is still a bug, however.

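The traceback above ends in struct.unpack_from being handed an offset o that does not fit in a C long, and the offset comes from length fields read out of the file itself. The example below is added here and is not python-evtx's own code: it uses a constructed toy layout (a dword count, a table of dword offsets, and a dword length at the start of each referenced entry, which is not the real evtx template format) to show why an unchecked file-derived offset fails differently on different platforms (OverflowError where the offset exceeds the C long, struct.error elsewhere) and how a bounds check in the reader turns both into one clear ParseError. The names checked_unpack_dword, unchecked_unpack_dword, total_template_length and build_sample are hypothetical.

```python
import struct


class ParseError(ValueError):
    """Raised when a value read from the file cannot be used as an offset."""


def unchecked_unpack_dword(buf, offset):
    # Same call shape as the last frame of the traceback: the offset goes
    # straight to struct.unpack_from without validation. A huge offset raises
    # OverflowError on a 32-bit build and struct.error on a 64-bit one.
    return struct.unpack_from("<I", buf, offset)[0]


def checked_unpack_dword(buf, offset):
    # Validate against the buffer first. Plain Python ints never overflow, so
    # this comparison is safe for any size of offset, and the caller gets a
    # single, descriptive exception type regardless of platform word size.
    if offset < 0 or offset + 4 > len(buf):
        raise ParseError(
            "dword read at offset %d lies outside the %d-byte buffer"
            % (offset, len(buf))
        )
    return struct.unpack_from("<I", buf, offset)[0]


def total_template_length(buf, unpack=checked_unpack_dword):
    # Constructed layout (hypothetical, not evtx):
    #   [dword count][dword offset] * count
    #   each offset points at [dword length][length bytes of payload]
    # Like the traceback's "_data_length += new_template.length()", every
    # offset used here was read from the data being parsed.
    count = unpack(buf, 0)
    total = 0
    for i in range(count):
        template_ofs = unpack(buf, 4 + 4 * i)
        total += unpack(buf, template_ofs)
    return total


def build_sample(template_lengths, corrupt_offset=None):
    # Build a constructed buffer in the toy layout. If corrupt_offset is given,
    # the last table entry is overwritten with it to simulate a damaged file.
    count = len(template_lengths)
    header_size = 4 + 4 * count
    offsets = []
    body = b""
    for length in template_lengths:
        offsets.append(header_size + len(body))
        body += struct.pack("<I", length) + b"\x00" * length
    if corrupt_offset is not None:
        offsets[-1] = corrupt_offset
    header = struct.pack("<I", count) + b"".join(
        struct.pack("<I", o) for o in offsets
    )
    return header + body


def failure_type(buf, unpack):
    # Report which exception a reader raises on the buffer (None if it parses).
    try:
        total_template_length(buf, unpack)
    except Exception as exc:  # deliberately broad: we are classifying failures
        return type(exc).__name__
    return None


if __name__ == "__main__":
    good = build_sample([8, 3, 5])
    print("good file total length:", total_template_length(good))
    bad = build_sample([8, 3, 5], corrupt_offset=0x80000000)
    print("unchecked reader:", failure_type(bad, unchecked_unpack_dword))
    print("checked reader:  ", failure_type(bad, checked_unpack_dword))
```

The corrupt offset 0x80000000 is one past the largest positive 32-bit C long, which is the boundary the traceback's message describes; moving to 64-bit Python changes the unchecked reader's exception to struct.error but does not make the file parse, whereas the checked reader reports the same ParseError on both.
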
williballenthin commented 7 years ago

Would you email this to me directly at willi.ballenthin@gmail.com? When you respond to a GitHub notification email, GitHub doesn't know what to do with attachments, so I didn't get it.

Thanks!