struct.error: bad char in struct format #39
Comments
whoa, i wonder how this ever worked. are you able to share the source evtx file that causes this issue? if it can be shared publicly then we'll make it into a regression/unit test (best case); otherwise, i'll look at it privately and try to reproduce. thanks for the bug report!
correct specifier is
I just changed specifier W to H:
--- /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py.bak 2017-07-10 07:40:39.510000000 +0000
+++ /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py 2017-07-10 07:27:50.790000000 +0000
@@ -529,7 +529,7 @@
"""
o = self._offset + offset
try:
- parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
+ parts = struct.unpack_from("<HHHHHHHH", self._buf, o)
except struct.error:
raise OverrunBufferException(o, len(self._buf))
return datetime.datetime(parts[0], parts[1],
and a different error occurs:
Traceback (most recent call last):
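Review bot: the format-string fix is correct (`W` is not a struct code; `H` is an unsigned 16-bit value, and a SYSTEMTIME is eight WORDs), but the hunk's unchanged context line `return datetime.datetime(parts[0], parts[1],` is the next failure: the traceback posted with this patch reports `AttributeError: type object 'datetime.datetime' has no attribute 'datetime'` at exactly that line, so the name `datetime` in BinaryParser.py is bound to the class rather than the module, and either the call should become `datetime(...)` or the import should become `import datetime`. Two smaller points on the same hunk: `except struct.error` also catches format-string errors and rewraps them as `OverrunBufferException`, so a malformed format string is reported as a buffer overrun with the real cause only visible as the chained exception; and the literal `"<HHHHHHHH"` would be better as a named constant whose `struct.calcsize` drives the bounds check, so the read length and the overrun test cannot drift apart.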
File "/usr/bin/evtx_dump.py", line 42, in <module>
main()
File "/usr/bin/evtx_dump.py", line 37, in main
print(record.xml())
File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
return e_views.evtx_record_xml_view(self)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
rec(child, acc)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
sub = render_root_node(sub.root())
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
rec(child, acc)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
rec(child, acc)
File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
sub = escape_value(sub.string())
File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
return self.systemtime().isoformat(' ')
File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 535, in unpack_systemtime
return datetime.datetime(parts[0], parts[1],
AttributeError: type object 'datetime.datetime' has no attribute 'datetime'
I just mailed you the evtx file. Regards, lacsaP.
thanks @patatetom! I've added unit tests that exercise the issue, then triaged and fixed the underlying bug. the parser now correctly handles SYSTEMTIME timestamps. closed in c9eaef0.
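As an added illustration of the SYSTEMTIME handling discussed in this thread (this is example code written for this page, not python-evtx's own BinaryParser.py), the decoder below unpacks the eight little-endian WORDs with the corrected `<HHHHHHHH` format, skips the derived wDayOfWeek field, converts milliseconds to the microseconds that `datetime` expects, and keeps the bounds check tied to `struct.calcsize` so buffer overruns are reported separately from format-string mistakes. `OverrunBufferException` is reimplemented here with the `(offset, buffer_length)` signature visible in the patch; `SAMPLE_BUF` is constructed for the example and is not data from the reported evtx file.

```python
import datetime
import struct

# Windows SYSTEMTIME: eight little-endian unsigned 16-bit WORDs, in this order:
# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds.
# "H" is struct's uint16 code; "W" is not a struct code at all, which is what
# raised "struct.error: bad char in struct format" in the issue.
SYSTEMTIME_FORMAT = "<HHHHHHHH"
SYSTEMTIME_SIZE = struct.calcsize(SYSTEMTIME_FORMAT)  # 16 bytes


class OverrunBufferException(Exception):
    """Read would extend past the end of the buffer (reimplemented for this example)."""

    def __init__(self, offset, buffer_len):
        super().__init__("read at offset %d overruns buffer of %d bytes" % (offset, buffer_len))
        self.offset = offset
        self.buffer_len = buffer_len


def format_is_valid(fmt):
    """True if `fmt` is a struct format string that the struct module accepts."""
    try:
        struct.calcsize(fmt)
        return True
    except struct.error:
        return False


def is_in_bounds(buf, offset):
    """Bounds check derived from the same format string the read uses."""
    return 0 <= offset and offset + SYSTEMTIME_SIZE <= len(buf)


def unpack_systemtime(buf, offset):
    """Decode the SYSTEMTIME at buf[offset:offset + 16] into a datetime.datetime.

    Returns None for an all-zero SYSTEMTIME, which event records use as "no time";
    datetime would otherwise reject month=0 / day=0 with a ValueError.
    """
    if not is_in_bounds(buf, offset):
        # Bounds are checked explicitly, so struct.error from unpack_from could only
        # mean a bad format string, and that is left to propagate as a real bug.
        raise OverrunBufferException(offset, len(buf))
    year, month, _day_of_week, day, hour, minute, second, millis = struct.unpack_from(
        SYSTEMTIME_FORMAT, buf, offset
    )
    if year == 0 and month == 0 and day == 0:
        return None
    # `datetime` here is the module, so datetime.datetime is the class; the
    # AttributeError in the thread came from a module where the name was the class.
    return datetime.datetime(year, month, day, hour, minute, second, millis * 1000)


def pack_systemtime(dt):
    """Inverse of unpack_systemtime, used to build test fixtures.

    SYSTEMTIME counts Sunday as day-of-week 0; isoweekday() % 7 maps Monday..Sunday
    (1..7) onto that convention.
    """
    return struct.pack(
        SYSTEMTIME_FORMAT,
        dt.year, dt.month, dt.isoweekday() % 7, dt.day,
        dt.hour, dt.minute, dt.second, dt.microsecond // 1000,
    )


# Constructed sample: four bytes of unrelated leading data, then the SYSTEMTIME for
# 2017-07-10 07:40:39.510 (a Monday, so wDayOfWeek = 1).
SAMPLE_BUF = b"\x00\x00\x00\x00" + bytes.fromhex("e107 0700 0100 0a00 0700 2800 2700 fe01")


if __name__ == "__main__":
    print("old format valid:", format_is_valid("<WWWWWWWW"))  # False
    print("new format valid:", format_is_valid(SYSTEMTIME_FORMAT))  # True
    print("decoded:", unpack_systemtime(SAMPLE_BUF, 4).isoformat(" "))
    try:
        unpack_systemtime(SAMPLE_BUF, 8)
    except OverrunBufferException as e:
        print("overrun:", e)
```

The zero-SYSTEMTIME case matters for a forensic parser: a single unparseable timestamp in one record should not abort the whole dump, so it is reported as "no time" rather than raised as a ValueError.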
hi,
this error occurs when the script evtx_dump.py is used on the events file Microsoft-Windows-LiveId%Operational.evtx that comes from Windows 10. It is at your disposal if you need it...
Thanks for the really good job, regards, lacsaP.