
struct.error: bad char in struct format #39

Closed
patatetom opened this issue Jul 7, 2017 · 4 comments

Comments

@patatetom

Hi,

This error occurs when the script evtx_dump.py is used on the events file Microsoft-Windows-LiveId%Operational.evtx that comes from Windows 10. It is at your disposal if you need it...

Thanks for the really good job. Regards, lacsaP.

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 532, in unpack_systemtime
    parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
struct.error: bad char in struct format

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
    return self.systemtime().isoformat(' ')
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 534, in unpack_systemtime
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x17440, buffer length: 0x101000)
@williballenthin
Owner

Whoa, I wonder how this ever worked. W is not a valid item specifier for unpack, and I have no idea where it came from. I suppose it was undocumented in Python 2, and Python 3 has removed it.

Are you able to share the source evtx file that causes this issue? If it can be shared publicly then we'll make it into a regression/unit test (best case); otherwise, I'll look at it privately and try to reproduce.

Thanks for the bug report!

@williballenthin
Owner

The correct specifier is H.

@patatetom
Author

I just changed specifier W to H:

--- /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py.bak	2017-07-10 07:40:39.510000000 +0000
+++ /usr/lib/python3.6/site-packages/Evtx/BinaryParser.py	2017-07-10 07:27:50.790000000 +0000
@@ -529,7 +529,7 @@
         """
         o = self._offset + offset
         try:
-            parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
+            parts = struct.unpack_from("<HHHHHHHH", self._buf, o)
         except struct.error:
             raise OverrunBufferException(o, len(self._buf))
         return datetime.datetime(parts[0], parts[1],
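Review bot: the unchanged `except struct.error: raise OverrunBufferException(o, len(self._buf))` clause in this hunk converts every struct.error, including the bad-format-string error this issue is about, into a "parse beyond the end of the file" report, which is why the first traceback claimed an overrun at 0x17440 inside a 0x101000-byte buffer. Check the length explicitly before unpacking (for example `if o + 16 > len(self._buf): raise OverrunBufferException(o, len(self._buf))`) and let a genuine struct.error propagate, so a format bug cannot masquerade as a truncated file. The trailing context line `return datetime.datetime(parts[0], parts[1],` also only works if BinaryParser.py does `import datetime`; with `from datetime import datetime` it produces the AttributeError shown in the next traceback, so the module's import should be verified in the same change.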

and a different error occurs:

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
    return self.systemtime().isoformat(' ')
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 535, in unpack_systemtime
    return datetime.datetime(parts[0], parts[1],
AttributeError: type object 'datetime.datetime' has no attribute 'datetime'

I just mailed you the evtx file. Regards, lacsaP.

@williballenthin
Owner

Thanks @patatetom!

I've added unit tests that exercise the issue, then triaged and fixed the underlying bug. The parser now correctly handles SYSTEMTIME timestamps.

Closed in c9eaef0.
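As an added example (not code from the python-evtx project or from any participant in this thread), here is a SYSTEMTIME unpacker written the way the three problems discussed above are resolved: the struct format uses eight little-endian `H` fields, the buffer length is checked explicitly before `struct.unpack_from` so a truncated buffer is distinguishable from a bad format string, and the class is referenced as `datetime.datetime` with the module imported as `datetime`. The `OverrunBufferException` class, the `pack_systemtime` and `bad_format_message` helpers and the sample bytes are constructed for this example; treating an all-zero SYSTEMTIME as an absent timestamp (returning `None`) is a choice made here, not documented python-evtx behaviour.

```python
"""Parse a Win32 SYSTEMTIME (16 bytes: eight little-endian uint16 fields).

Added example for the python-evtx issue thread; not project code.
Field order follows the Win32 SYSTEMTIME layout:
  wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
"""
import datetime          # module import, so the class is datetime.datetime
import struct
from typing import Optional

SYSTEMTIME_FMT = "<HHHHHHHH"                        # 'H' = unsigned 16-bit
SYSTEMTIME_SIZE = struct.calcsize(SYSTEMTIME_FMT)   # 16 bytes


class OverrunBufferException(Exception):
    """Stand-in for the exception name used in the thread (hypothetical here)."""

    def __init__(self, offset: int, buflen: int) -> None:
        super().__init__(
            f"Tried to parse beyond the end of the file "
            f"(read: {offset:#x}, buffer length: {buflen:#x})"
        )
        self.offset = offset
        self.buflen = buflen


def unpack_systemtime(buf: bytes, offset: int = 0) -> Optional[datetime.datetime]:
    """Return the timestamp at buf[offset:offset+16], or None if it is all zeros.

    The bounds check comes first: struct.error is raised both for a short
    buffer and for a bad format string, so catching it wholesale (as the
    original code did) would report a programming error as a truncated file.
    """
    if offset < 0 or offset + SYSTEMTIME_SIZE > len(buf):
        raise OverrunBufferException(offset, len(buf))
    parts = struct.unpack_from(SYSTEMTIME_FMT, buf, offset)
    year, month, _day_of_week, day, hour, minute, second, millis = parts
    if not any(parts):
        # Design choice of this example: a zero-filled SYSTEMTIME is "no time".
        return None
    # wDayOfWeek is redundant with the date and is ignored; milliseconds are
    # widened to the microseconds datetime expects.
    return datetime.datetime(year, month, day, hour, minute, second, millis * 1000)


def pack_systemtime(dt: datetime.datetime) -> bytes:
    """Inverse of unpack_systemtime; wDayOfWeek uses Win32 numbering (0 = Sunday)."""
    return struct.pack(
        SYSTEMTIME_FMT,
        dt.year, dt.month, dt.isoweekday() % 7, dt.day,
        dt.hour, dt.minute, dt.second, dt.microsecond // 1000,
    )


def bad_format_message() -> str:
    """Show what the original '<WWWWWWWW' format actually raises under Python 3."""
    try:
        struct.unpack_from("<WWWWWWWW", b"\x00" * SYSTEMTIME_SIZE, 0)
    except struct.error as exc:
        return str(exc)
    return "no error"


# Constructed sample: 2017-07-07 12:34:56.789, a Friday (wDayOfWeek = 5),
# written out as the on-disk little-endian layout.
SAMPLE_DT = datetime.datetime(2017, 7, 7, 12, 34, 56, 789000)
SAMPLE_BUF = bytes.fromhex("e107 0700 0500 0700 0c00 2200 3800 1503")


if __name__ == "__main__":
    print(unpack_systemtime(SAMPLE_BUF).isoformat(" "))
    print("all-zero ->", unpack_systemtime(b"\x00" * 16))
    print("bad format ->", bad_format_message())
    try:
        unpack_systemtime(SAMPLE_BUF[:10])
    except OverrunBufferException as exc:
        print("short buffer ->", exc)
```

Running the block prints the sample timestamp in the same `isoformat(' ')` form the thread's `string()` method uses, then shows the three failure modes separately: an all-zero structure, the `bad char in struct format` error that the `W` specifier triggers, and a genuine overrun on a 10-byte buffer.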
