williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0

struct.error: bad char in struct format #39

Closed patatetom closed 7 years ago

patatetom commented 7 years ago

hi,

this error occurs when the script evtx_dump.py is used on the events file Microsoft-Windows-LiveId%Operational.evtx that comes from Windows 10. it is at your disposal if you need it...

thanks for really good job, regards, lacsaP.

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 532, in unpack_systemtime
    parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
struct.error: bad char in struct format

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
    return self.systemtime().isoformat(' ')
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 534, in unpack_systemtime
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x17440, buffer length: 0x101000)

williballenthin commented 7 years ago

whoa, i wonder how this ever worked. W is not a valid item specifier for unpack, and I have no idea where it came from. i suppose it was undocumented in python2, and python3 has removed it.

are you able to share the source evtx file that causes this issue? if it can be shared publicly then we'll make it into a regression/unit test (best case); otherwise, i'll look at it privately and try to reproduce.

thanks for the bug report!

williballenthin commented 7 years ago

correct specifier is H.

patatetom commented 7 years ago

I just changed specifier W for H:

--- /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py.bak   2017-07-10 07:40:39.510000000 +0000
+++ /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py   2017-07-10 07:27:50.790000000 +0000
@@ -529,7 +529,7 @@
         """
         o = self._offset + offset
         try:
-            parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
+            parts = struct.unpack_from("<HHHHHHHH", self._buf, o)
         except struct.error:
             raise OverrunBufferException(o, len(self._buf))
         return datetime.datetime(parts[0], parts[1],
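Review bot: the unchanged context line `return datetime.datetime(parts[0], parts[1],` still fails in this module once the format string is fixed: the AttributeError reported below ("type object 'datetime.datetime' has no attribute 'datetime'") shows that the name `datetime` in BinaryParser.py is bound to the class, so the call needs to be `datetime(parts[0], parts[1], ...)` or the module needs to import `datetime` as a module. On the same hunk, `except struct.error: raise OverrunBufferException(o, len(self._buf))` turns every struct.error, including the bad-format-character error this patch fixes, into a "Tried to parse beyond the end of the file" message, which is why the first traceback misreported a buffer overrun at 0x17440 in a 0x101000-byte buffer; checking `o + struct.calcsize("<HHHHHHHH") <= len(self._buf)` explicitly and letting genuine struct.error propagate would keep the two failures distinguishable. `H` (unsigned 16-bit) times eight does match the 16-byte SYSTEMTIME layout.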

and a different error occurs:

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
    return self.systemtime().isoformat(' ')
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 535, in unpack_systemtime
    return datetime.datetime(parts[0], parts[1],
AttributeError: type object 'datetime.datetime' has no attribute 'datetime'

I just mailed you the evtx file, regards, lacsaP.
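The two defects discussed above (the non-existent `W` specifier and the `datetime.datetime` name clash) in one self-contained SYSTEMTIME parser, added here as an illustration rather than taken from python-evtx; the explicit bounds check replaces the `except struct.error` wrapper so a bad format string can no longer be reported as a buffer overrun, and treating an all-zero SYSTEMTIME as "no timestamp" is an assumption of this example, not a rule from the project.

```python
import datetime
import struct

# Layout of a Windows SYSTEMTIME: eight little-endian unsigned 16-bit WORDs
# (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds).
# "H" is the struct specifier for an unsigned short; "W" does not exist.
SYSTEMTIME_FMT = "<HHHHHHHH"
SYSTEMTIME_SIZE = struct.calcsize(SYSTEMTIME_FMT)  # 16 bytes


class OverrunBufferException(Exception):
    """Raised when a read would extend past the end of the buffer."""

    def __init__(self, offset, length):
        super().__init__("Tried to parse beyond the end of the file "
                         "(read: 0x%x, buffer length: 0x%x)" % (offset, length))
        self.offset = offset
        self.length = length


def unpack_systemtime(buf, offset):
    """Parse the SYSTEMTIME at `offset` in `buf` into a datetime.

    Bounds are checked explicitly instead of catching struct.error, so a
    malformed format string surfaces as struct.error rather than being
    mislabelled as a buffer overrun (the confusion seen in this issue).
    """
    if offset < 0 or offset + SYSTEMTIME_SIZE > len(buf):
        raise OverrunBufferException(offset, len(buf))
    year, month, _dow, day, hour, minute, second, millis = struct.unpack_from(
        SYSTEMTIME_FMT, buf, offset)
    # Assumption for this example: an all-zero SYSTEMTIME means "no timestamp";
    # datetime(0, 0, 0) would raise ValueError, so return None instead.
    if year == 0 and month == 0 and day == 0:
        return None
    # `datetime` is imported as a module here, so datetime.datetime is the class.
    return datetime.datetime(year, month, day, hour, minute, second,
                             millis * 1000)


def pack_systemtime(dt):
    """Inverse helper used to build the constructed sample: datetime -> 16 bytes."""
    return struct.pack(SYSTEMTIME_FMT, dt.year, dt.month, dt.isoweekday() % 7,
                       dt.day, dt.hour, dt.minute, dt.second,
                       dt.microsecond // 1000)


# Constructed sample: 4 bytes of padding, then 2017-07-10 07:27:50.790 (a Monday).
SAMPLE = b"\x00" * 4 + pack_systemtime(
    datetime.datetime(2017, 7, 10, 7, 27, 50, 790000))
```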

williballenthin commented 7 years ago

thanks @patatetom!

I've added unit tests that exercise the issue, then triaged and fixed the underlying bug. the parser now correctly handles SYSTEMTIME timestamps.

closed in c9eaef0.