Getting a Unicode error on this image; stack trace below. Results in no output given.

It seems it's having a hard time reading the task XML. Can you do a <code class="notra

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

UnicodeDecodeError due to truncated data when running autoruns about volatility-autoruns HOT 7 CLOSED

tomchop commented on September 26, 2024

UnicodeDecodeError due to truncated data when running autoruns

from volatility-autoruns.

Comments (7)

tomchop commented on September 26, 2024

It seems it's having a hard time reading the task XML. Can you do a print repr(xml) just before xml = xml.decode('utf-16') (line 466) and tell me what the results are?

from volatility-autoruns.

JesseBowling commented on September 26, 2024

Comes back as empty...

Here's what I did (which does allow it to complete otherwise unaffected it would seem):

def parse_task_xml(self, xml):
    raw = xml
    xml = re.sub('\x00\x00+', '', xml) + '\x00'
    try:
        xml = xml.decode('utf-16')
        xml = re.sub(r"<Task(.*?)>", "<Task>", xml)
        xml = xml.encode('utf-16')

        root = ET.fromstring(xml)
        d = {}

        for e in root.findall("./RegistrationInfo/Date"):
            d['Date'] = e.text
        for e in root.findall("./RegistrationInfo/Description"):
            d['Description'] = e.text
        for e in root.findall("./Actions"):
            d['Actions'] = self.visit_all_children(e)
        for e in root.findall("./Settings/Enabled"):
            d['Enabled'] = e.text
        for e in root.findall("./Settings/Hidden"):
            d['Hidden'] = e.text
        for t in root.findall("./Triggers/*"):
            d['Triggers'] = self.visit_all_children(t)

        if not d.get("Actions", {}).get('Exec', {}).get("Command", False):
            return None

        return d
    except UnicodeDecodeError as e:
        sys.stderr.write('UnicodeDecodeError for: {}\n'.format(repr(raw)))

from volatility-autoruns.

jared703 commented on September 26, 2024

Tom,

The GrrCon2012 challenge is giving me what appears to be some unicode errors. I've put a copy of it up here if you want to download and try it on your end.

https://drive.google.com/file/d/0B_OPOV8sZBaYMjYwUTNRaGZYY1k/view?usp=sharing

from volatility-autoruns.

tomchop commented on September 26, 2024

@jared703: thanks for the heads-up, I'll look into it.

from volatility-autoruns.

tomchop commented on September 26, 2024

Hm, so I'm not getting unicode errors. Just seeing the service below which has two non-ASCII characters at the end of the name:

Services =========================================

Service: DcomLaunch (ntstobject.dll.123.Manifestp) - Share_Process, Auto Start
    Image path: Adobe\Reader\9.3\ARM\AdbeRdr950_en_US.exeȞఎ (Last modified: 2012-04-28 01:56:26 UTC+0000)
    PIDs: -

That said, there were some keys that were not properly parsed (missing values), so I fixed that. Care to give it another try and letting me know if you still get an error?

from volatility-autoruns.

jared703 commented on September 26, 2024

Sorry meant to write back - it has been working wonderfully across memory samples with this same issue. Thanks again for the awesome work.

from volatility-autoruns.

tomchop commented on September 26, 2024

Happy to help. Thanks for testing it so thoroughly ;)

from volatility-autoruns.

UnicodeDecodeError due to truncated data when running autoruns about volatility-autoruns HOT 7 CLOSED

Comments (7)

Related Issues (19)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent