williballenthin/python-evtx

evtx_dump.py OSError: [Errno 22] Invalid argument

d474b3r9 opened this issue · 6 comments

Hello,

I am on Windows 10 64-bit and I can't work around this issue.
This code works for another EVT file, so I don't understand the problem, and I am not skilled enough in Python to debug it. If you want, I can provide the file involved so you can test it yourself.

python .\python-evtx-master\scripts\evtx_dump.py System.evtx > hoho.xml
Traceback (most recent call last):
File ".\python-evtx-master\scripts\evtx_dump.py", line 42, in
main()
File ".\python-evtx-master\scripts\evtx_dump.py", line 37, in main
print(record.xml())
File "C:\Python35\lib\site-packages\Evtx\Evtx.py", line 481, in xml
return e_views.evtx_record_xml_view(self)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 166, in rec
sub = render_root_node(sub.root())
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 159, in rec
sub = escape_value(sub.string())
File "C:\Python35\lib\site-packages\Evtx\Nodes.py", line 1401, in string
return self.filetime().isoformat(' ')
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
return parse_filetime(self.unpack_qword(offset))
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument

Regards,
Jonathan.

Hi, just to echo that I'm encountering the same issue with Python 3.5.2 on Windows 10 and Python 3.6.3 on Windows 7. Python 2.7 doesn't raise the issue and processing completes successfully.

Edit: just did some further testing and the issue doesn't occur on Ubuntu 16.04 with Python 3.5.2.

I can send a sample EVTX by email if it helps with diagnosis?

Hey @john-corcoran, thanks for the additional info. This will be very helpful.

Can you confirm all your interpreters are 64-bit?

Hi @williballenthin, just tested both 64-bit and 32-bit instances of Python 3.6.4 on Windows 7, and both gave the same exception at the same point as listed in the OP.

I'll email through a sample EVTX that is exhibiting the issue. Thanks for looking into it!

For the EVTX file provided by @john-corcoran, the problematic record is number 21:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Diagnosis-DPS" Guid="{6bba3851-2c7e-4dea-8f54-31e5afd029e3}"></Provider>
<EventID Qualifiers="">115</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>15</Opcode>
<Keywords>0x4000000800000000</Keywords>
<TimeCreated SystemTime="2017-07-31 15:44:22.804375"></TimeCreated>
<EventRecordID>21</EventRecordID>
<Correlation ActivityID="{9a6fb385-875e-46dd-a5c0-4c81ae940516}" RelatedActivityID=""></Correlation>
<Execution ProcessID="1144" ThreadID="2424"></Execution>
<Channel>Microsoft-Windows-Diagnosis-DPS/Operational</Channel>
<Computer>exploited</Computer>
<Security UserID="S-1-5-19"></Security>
</System>
<EventData><Data Name="ScenarioId">{180b3a99-8c39-4f12-b631-2031998efe45}</Data>
<Data Name="InstanceId">{9a6fb385-875e-46dd-a5c0-4c81ae940516}</Data>
<Data Name="OriginalActivityId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="DiagnosticModuleImageName">%windir%\system32\radardt.dll</Data>
<Data Name="ResolutionId">{5ee64afb-398d-4edb-af71-3b830219abf7}</Data>
<Data Name="ResolutionSID">S-1-5-21-1478063154-1558866469-3193402370-1000</Data>
<Data Name="ResolutionSessionId">1</Data>
<Data Name="ResolutionExpirationDate">0001-01-01 00:00:00</Data>
<Data Name="DiagnosticModuleId">{45de1ea9-10bc-4f96-9b21-4b6b83dbf476}</Data>
</EventData>
</Event>

Notably, the ResolutionExpirationDate is empty. According to the Python 3 documentation, dates before 1970 will raise an OSError, which is what we see here. Ref: https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

This behavior changed in Python 3.3, where OSError is now raised instead of ValueError. There's a handler for ValueError here that needs to be updated.
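An added example (not python-evtx's own code) showing the failure mode discussed above: the `utcfromtimestamp` formula from the traceback beside a handler that catches OSError as well as ValueError, plus an assumed portable conversion that never calls the platform's `gmtime()`. The helper names and the `datetime.min` sentinel are assumptions for illustration.

```python
from datetime import datetime, timedelta

# FILETIME is a 64-bit count of 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC; the Unix epoch lies 11644473600 s after it.
# Constructed constant: the Unix epoch expressed as a FILETIME.
EPOCH_AS_FILETIME = 116444736000000000
HUNDREDS_OF_NS_PER_SECOND = 10_000_000


def parse_filetime_naive(qword):
    """The formula from the traceback. Works on Linux, but on Windows
    utcfromtimestamp() raises OSError (errno 22) for pre-1970 values,
    so an all-zero FILETIME (Windows' "no date") crashes the dump."""
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)


def parse_filetime_guarded(qword):
    """Same formula, but the handler covers the exceptions Python 3.3+
    raises on each platform instead of ValueError alone, and returns
    datetime.min (rendered '0001-01-01 00:00:00', as in the record)."""
    try:
        return parse_filetime_naive(qword)
    except (ValueError, OSError, OverflowError):
        return datetime.min


def parse_filetime_portable(qword):
    """Assumed alternative (not the project's code): add a timedelta to
    the FILETIME epoch, which avoids the C library's gmtime() entirely
    and therefore behaves the same on Windows and Linux."""
    if qword == 0:
        return datetime.min  # zero is how Windows encodes "no date"
    try:
        return datetime(1601, 1, 1) + timedelta(microseconds=qword // 10)
    except OverflowError:  # corrupt value beyond year 9999
        return datetime.min


def to_filetime(dt):
    """Inverse conversion, used to build test inputs from known dates."""
    delta = dt - datetime(1601, 1, 1)
    seconds = delta.days * 86400 + delta.seconds
    return seconds * HUNDREDS_OF_NS_PER_SECOND + delta.microseconds * 10


def filetime_string(qword):
    """Mirrors the string() call in the traceback (isoformat with a space)."""
    return parse_filetime_portable(qword).isoformat(" ")
```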

Issue addressed in 5fb7662.

Thanks to @SeekWellServer for reporting the issue, and @john-corcoran for providing a test binary!