search

williballenthin / python-evtx

Pure Python parser for Windows Event Log files (.evtx)
Apache License 2.0
732 stars 166 forks source link

evtx_dump.py OSError: [Errno 22] Invalid argument #44

Closed d474b3r9 closed 6 years ago

d474b3r9 commented 6 years ago

Hello,

i am on windows 10 64 bits and i can't workaround this issue. This code works for another EVT file so i don't understand the problem and i am not enough skilled in python to debug it. If you want i can provide you the file involved to test by yourself.

python .\python-evtx-master\scripts\evtx_dump.py System.evtx > hoho.xml Traceback (most recent call last): File ".\python-evtx-master\scripts\evtx_dump.py", line 42, in main() File ".\python-evtx-master\scripts\evtx_dump.py", line 37, in main print(record.xml()) File "C:\Python35\lib\site-packages\Evtx\Evtx.py", line 481, in xml return e_views.evtx_record_xml_view(self) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view return render_root_node(record.root()) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node return render_root_node_with_subs(root_node, subs) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs rec(c, acc) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec rec(child, acc) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 166, in rec sub = render_root_node(sub.root()) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node return render_root_node_with_subs(root_node, subs) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs rec(c, acc) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec rec(child, acc) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec rec(child, acc) File "C:\Python35\lib\site-packages\Evtx\Views.py", line 159, in rec sub = escape_value(sub.string()) File "C:\Python35\lib\site-packages\Evtx\Nodes.py", line 1401, in string return self.filetime().isoformat(' ') File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler return f(offset) File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime return parse_filetime(self.unpack_qword(offset)) File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600) OSError: [Errno 22] Invalid argument

Regards, Jonathan.

john-corcoran commented 6 years ago

Hi, just to echo that I'm encountering the same issue with Python 3.5.2 on Windows 10 and Python 3.6.3 on Windows 7. Python 2.7 doesn't raise the issue and processing completes successfully.

Edit: just did some further testing and the issue doesn't occur on Ubuntu 16.04 with Python 3.5.2.

I can send a sample EVTX by email if it helps with diagnosis?

williballenthin commented 6 years ago

hey @john-corcoran thanks for the additional info. this will be very helpful.

can you confirm all your interpreters are 64-bit?

john-corcoran commented 6 years ago

Hi @williballenthin, just tested both 64-bit and 32-bit instances of Python 3.6.4 on Windows 7, and both gave the same exception at the same point as listed in the OP.

I'll email through a sample EVTX that is exhibiting the issue. Thanks for looking into it!

williballenthin commented 6 years ago

for the evtx file provided by @john-corcoran, the problematic record is number 21:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Diagnosis-DPS" Guid="{6bba3851-2c7e-4dea-8f54-31e5afd029e3}"></Provider>
<EventID Qualifiers="">115</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>15</Opcode>
<Keywords>0x4000000800000000</Keywords>
<TimeCreated SystemTime="2017-07-31 15:44:22.804375"></TimeCreated>
<EventRecordID>21</EventRecordID>
<Correlation ActivityID="{9a6fb385-875e-46dd-a5c0-4c81ae940516}" RelatedActivityID=""></Correlation>
<Execution ProcessID="1144" ThreadID="2424"></Execution>
<Channel>Microsoft-Windows-Diagnosis-DPS/Operational</Channel>
<Computer>exploited</Computer>
<Security UserID="S-1-5-19"></Security>
</System>
<EventData><Data Name="ScenarioId">{180b3a99-8c39-4f12-b631-2031998efe45}</Data>
<Data Name="InstanceId">{9a6fb385-875e-46dd-a5c0-4c81ae940516}</Data>
<Data Name="OriginalActivityId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="DiagnosticModuleImageName">%windir%\system32\radardt.dll</Data>
<Data Name="ResolutionId">{5ee64afb-398d-4edb-af71-3b830219abf7}</Data>
<Data Name="ResolutionSID">S-1-5-21-1478063154-1558866469-3193402370-1000</Data>
<Data Name="ResolutionSessionId">1</Data>
<Data Name="ResolutionExpirationDate">0001-01-01 00:00:00</Data>
<Data Name="DiagnosticModuleId">{45de1ea9-10bc-4f96-9b21-4b6b83dbf476}</Data>
</EventData>
</Event>

notably, the ResolutionExpirationDate is empty. according to the py3 documentation, dates less than 1970 will raise an OSError, which is what we see here. ref: https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

williballenthin commented 6 years ago

this behavior changed in python 3.3, where OSError is now raised instead of ValueError. there's a handler for ValueError here that needs to be updated.

williballenthin commented 6 years ago

issue addressed in 5fb7662506d2c39aee5a9a143a9cc47d3bdc461d

thanks to @SeekWellServer for reporting the issue, and @john-corcoran for providing a test binary!