
python-evtx's Introduction

python-evtx

Introduction

python-evtx is a pure Python parser for recent Windows Event Log files (those with the file extension ".evtx"). The module provides programmatic access to the File and Chunk headers, record templates, and event entries. For example, you can use python-evtx to review the event logs of Windows 7 systems from a Mac or Linux workstation. The structure definitions and parsing strategies were heavily inspired by the work of Andreas Schuster and his Perl implementation "Parse-Evtx".

Background

With the release of Windows Vista, Microsoft introduced an updated event log file format. The format used in Windows XP was a circular buffer of record structures that each contained a list of strings. A viewer resolved templates hosted in system library files and inserted the strings into appropriate positions. The newer event log format is proprietary binary XML. Unpacking chunks from an event log file from Windows 7 results in a complete XML document with a variable schema. The changes helped Microsoft tune the file format to real-world uses of event logs, such as long running logs with hundreds of megabytes of data, and system independent template resolution.

Related Work

Andreas Schuster released the first public description of the .evtx file format in 2007. He is the author of the thorough document "Introducing the Microsoft Vista event log file format" that describes the motivation and details of the format. Mr. Schuster also maintains the Perl implementation of a parser called "Parse-Evtx". I referred to the source code of this library extensively during the development of python-evtx.

Joachim Metz also released a cross-platform, LGPL licensed C++ based parser in 2011. His document "Windows XML Event Log (EVTX): Analysis of EVTX" provides a detailed description of the structures and context of newer event log files.

Dependencies

python-evtx works on both the 2.7 and 3.x versions of the Python programming language. As it is pure Python, the module works equally well across platforms. The code does not depend on any modules that require separate compilation; however, if you have lxml installed, it's even nicer.

python-evtx operates on event log files from Windows operating systems newer than Windows Vista. These files typically have the file extension .evtx. Version 5.09 of the file utility identifies such a file as "MS Vista Windows Event Log". To manually confirm the file type, look for the ASCII string "ElfFile" in the first seven bytes:

willi/evtx  » xxd -l 32 Security.evtx 
0000000: 456c 6646 696c 6500 0000 0000 0000 0000  ElfFile.........
0000010: d300 0000 0000 0000 375e 0000 0000 0000  ........7^......

Examples

Provided with the parsing module Evtx are four scripts that mimic the tools distributed with Parse-Evtx. evtx_info.py prints metadata about the event log and verifies the checksums of each chunk. evtx_templates.py builds and prints the templates used throughout the event log. evtx_dump.py parses the event log and transforms the binary XML into a human readable ASCII XML format. Finally, evtx_dump_json.py parses event logs like evtx_dump.py, but transforms the binary XML into JSON, with the added capability to write the JSON array to a file.

Note the length of the evtx_dump.py script: it's only 20 lines. Now, review the contents and notice the complete implementation of the logic:

import sys
import Evtx.Evtx as evtx
import Evtx.Views as e_views

with evtx.Evtx(sys.argv[1]) as log:  # path to the .evtx file
    print(e_views.XML_HEADER)
    print('<Events>')
    for record in log.records():  # records() is a method, not an attribute
        print(record.xml())
    print('</Events>')

Working with python-evtx is really easy!

Installation

Updates to python-evtx are pushed to PyPI, so you can install the module using either easy_install or pip. For example, you can use pip like so:

pip install python-evtx

The source code for python-evtx is hosted at GitHub, and you may download, fork, and review it from this repository (http://www.github.com/williballenthin/python-evtx). Please report issues or feature requests through GitHub's bug tracker associated with the project.

License

python-evtx is licensed under the Apache License, Version 2.0. This means it is freely available for use and modification in a personal and professional capacity.

python-evtx's People

Contributors

ajread4, chapinb, forensenellanebbia, maehw, rolinh, scherma, thomasrousseau, williballenthin, xambroz, zweger


python-evtx's Issues

json output

How would you go about getting json output? Just looking to dump the events to json for easy ingest into logstash

TypeError when running evtx_eid_record_numbers.py script

Hi Willi,

I'm getting the following error when running the evtx_eid_record_numbers.py script:
TypeError: 'method' object is not iterable

I've debugged the script and worked out that line 23 should be:
for record in log.records():
instead of:
for record in log.records:

Regards,
Peter

AttributeError: 'TemplateNode' object has no attribute 'fast_template_instance'

I was following the example on a test file and the evtxinfo.py and evtxdump.py worked.
An error in evtxtemplates.py was found. Here is the output from the three scripts:

~/Downloads/python-evtx/scripts(master) $python evtxinfo.py ~/Desktop/webpub/system_event_log.evtx
Information from file header:
Format version  : 3.1
Flags           : 0x00000000
File is         : clean
Log is full     : no
Current chunk   : 0 of 1
Oldest chunk    : 1
Next record#    : 106
Check sum       : pass

Information from chunks:
  Chunk file (first/last)     log (first/last)      Header Data
- ----- --------------------- --------------------- ------ ------
*     1          1       105           1       105   pass   pass

~/Downloads/python-evtx/scripts(master) $python evtxtemplates.py ~/Desktop/webpub/system_event_log.evtx
Template {002acd1a-3b0d-62e5-b04f-65ee3cecc038} at chunk 0, offset 0x2486
Traceback (most recent call last):
  File "evtxtemplates.py", line 42, in <module>
    main()
  File "evtxtemplates.py", line 39, in main
    print evtx_template_readable_view(template)
  File "/Library/Python/2.7/site-packages/Evtx/Views.py", line 266, in evtx_template_readable_view
    template_instance = root_node.fast_template_instance()
AttributeError: 'TemplateNode' object has no attribute 'fast_template_instance'

~/Downloads/python-evtx/scripts(master) $python evtxdump.py ~/Desktop/webpub/system_event_log.evtx
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="EventLog"></Provider>
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2014-03-09 09:05:11"></TimeCreated>
<EventRecordID>81252</EventRecordID>
<Channel>System</Channel> 

AttributeError: 'str' object has no attribute 'fomrat'

I am trying to parse some Windows logs in "evt" format.
It does a pretty good job of parsing until this point:

Traceback (most recent call last):
  File "evtxdump.py", line 49, in <module>
    main()
  File "evtxdump.py", line 44, in main
    for xml, record in evtx_file_xml_view(fh):
  File "build/bdist.macosx-10.11-intel/egg/Evtx/Views.py", line 204, in evtx_file_xml_view
  File "build/bdist.macosx-10.11-intel/egg/Evtx/Views.py", line 155, in _build_record_xml
  File "build/bdist.macosx-10.11-intel/egg/Evtx/Views.py", line 149, in rec
  File "build/bdist.macosx-10.11-intel/egg/Evtx/Views.py", line 145, in rec
  File "build/bdist.macosx-10.11-intel/egg/Evtx/BinaryParser.py", line 112, in __call__
  File "build/bdist.macosx-10.11-intel/egg/Evtx/Nodes.py", line 1016, in fast_substitutions
AttributeError: 'str' object has no attribute 'fomrat'
bash-3.2# python --version
Python 2.7.10
evt
v0.3.2

Parsing BinXML format

Hi,

I'm using Python to pull event logs from a remote machine using the MS-EVEN6 interface (https://msdn.microsoft.com/en-us/library/cc231282.aspx).
I used the EvtRpcRegisterLogQuery and EvtRpcQueryNext functions, which produce a byte array that contains the BinXml data of the event. While having some issues with the parsing, I came across your project. From my understanding, Evtx also contains the event in BinXml format; however, my code does not produce any chunk or record, only the actual BinXml data, and I can't seem to understand how exactly to use your code in order to parse it correctly.
So my questions are:

  1. Are these two BinXml structures identical? (my guess is yes)
  2. How can I use your code in order to parse a BinXml byte array into the actual XML?

Thanks!

Exception 'NoneType' object not callable, Nodes.py line 124

Got an issue with the Sysmon event log I'm trying to parse:

Traceback (most recent call last):
  File "/usr/local/bin/evtx_dump", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.5.3', 'evtx_dump')
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 738, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1506, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.5.3-py2.7.egg/EGG-INFO/scripts/evtx_dump", line 53, in <module>

  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.5.3-py2.7.egg/EGG-INFO/scripts/evtx_dump", line 48, in main

  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 218, in evtx_file_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 169, in _build_record_xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 160, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 154, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 129, in _make_template_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 139, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 124, in _children
TypeError: 'NoneType' object is not callable

I can try playing around with the source when I get home tonight to see if I can persuade it to give me the exact bytes it's failing on; I can also provide you with the event data - it works fine in EventViewer - but would prefer to send that privately rather than posting it here. Let me know!

Module errors, parts of app missing

SYSTEM:
I was seeing errors as below on Windows 10 embedded Ubuntu/Debian (ver: stretch/sid) also referenced as WLS.

PROBLEM DESCRIPTION
I thought that both possible installation methods, apt-get and pip, should be equal, which turned out to be a wrong assumption.
I first installed via apt-get, and the app was not able to do anything; it complained about missing modules and parts. Examples of the errors are below.

SOLUTION:
Remove app and reinstall via pip.
apt-get remove python-evtx
pip install python-evtx
... voila it will start to work as expected now .. evtx_dump.py winsec-log.evtx > winsec-log-decomposed.xml

ERROR SAMPLES

Traceback (most recent call last):
  File "./evtx_dump.py", line 20, in <module>
    import Evtx.Evtx as evtx
  File "./Evtx.py", line 29, in <module>
    import Evtx.Views as e_views
ImportError: No module named Views
Traceback (most recent call last):
  File "./evtx_dump.py", line 42, in <module>
    main()
  File "./evtx_dump.py", line 34, in main
    print(e_views.XML_HEADER)
AttributeError: 'module' object has no attribute 'XML_HEADER'

evtx_dump.py OSError: [Errno 22] Invalid argument

Hello,

I am on Windows 10 64 bits and I can't work around this issue.
This code works for another EVTX file, so I don't understand the problem, and I am not skilled enough in Python to debug it. If you want, I can provide you the file involved so you can test it yourself.

python .\python-evtx-master\scripts\evtx_dump.py System.evtx > hoho.xml
Traceback (most recent call last):
  File ".\python-evtx-master\scripts\evtx_dump.py", line 42, in <module>
    main()
  File ".\python-evtx-master\scripts\evtx_dump.py", line 37, in main
    print(record.xml())
  File "C:\Python35\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Python35\lib\site-packages\Evtx\Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "C:\Python35\lib\site-packages\Evtx\Nodes.py", line 1401, in string
    return self.filetime().isoformat(' ')
  File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
    return parse_filetime(self.unpack_qword(offset))
  File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument

Regards,
Jonathan.

UnicodeEncodeError when stdout is redirected

Hi Willi,

I'm using the latest python-evtx.
If I keep stdout in the console and redirect stderr to a file, all is OK with no error:

# evtxdump /sdb2/Windows/System32/winevt/Logs/System.evtx 2>/tmp/evtxdump.error
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
...
</Events>
# cat /tmp/evtxdump.error

But if I redirect stdout to a file, I get an encoding error:

# evtxdump /sdb2/Windows/System32/winevt/Logs/System.evtx >/tmp/evtxdump.dump
Traceback (most recent call last):
  File "/usr/local/bin/evtxdump", line 49, in <module>
    main()
  File "/usr/local/bin/evtxdump", line 45, in main
    print xml
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 1253: ordinal not in range(128)

regards

r.root() error

In evtx_record_template.py
Runtime error:

print(e_views.evtx_template_readable_view(r.root()))
AttributeError: 'NoneType' object has no attribute 'root'

How do I solve this?

TypeError: ord() expected string of length 1, but int found

Code:

evtx_filename = r"c:\tmp\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx"
for node, err in xml_records(evtx_filename):
    if err is not None:
        continue
    sys = get_child(node, "System")
    if args.eid == int(get_child(sys, "EventID").text):
        print(etree.tostring(node, pretty_print=True))

Error:

File "C:\Users\hanans\AppData\Local\Continuum\Anaconda3\lib\site-packages\Evtx\Views.py", line 205, in evtx_file_xml_view
    record_str = _build_record_xml(record, cache=cache)
  File "C:\Users\hanans\AppData\Local\Continuum\Anaconda3\lib\site-packages\Evtx\Views.py", line 155, in _build_record_xml
    xml = rec(record.root())
  File "C:\Users\hanans\AppData\Local\Continuum\Anaconda3\lib\site-packages\Evtx\Views.py", line 145, in rec
    for sub in root_node.fast_substitutions():
  File "C:\Users\hanans\AppData\Local\Continuum\Anaconda3\lib\site-packages\Evtx\BinaryParser.py", line 145, in __call__
    res = cache[key] = self.func(*args, **kw)
  File "C:\Users\hanans\AppData\Local\Continuum\Anaconda3\lib\site-packages\Evtx\Nodes.py", line 1015, in fast_substitutions
    value += "%02x" % ord(c)
TypeError: ord() expected string of length 1, but int found

Parsing is slow

Title says it all. This is just a slow library. On reasonable hardware, it may take 5 seconds per 1MB or worse. Considering we'd like people to actually use this library in the real-world, we'll have to do better.

The issues probably stem from the fact that the library is designed to be easy to read and experiment with, rather than blazing fast. In specific, everything descends from the BinaryParser.Block object. When you have hundreds of thousands of these things created, and each one dynamically creates functions and attaches them to instances (no really, go look it up), you're gonna have a bad time.

This issue can be used as the dumping ground of ideas and plans for improving the performance of the library.

Bug in BinaryParser.py?

In BinaryParser.py, function def align(offset, alignment), line 77: two return statements on same level, so the "if" has no effect.

Evtx.BinaryParser.OverrunBufferException in file from memory

Got this backtrace on a file pulled from memory during an investigation. Let me know if you need/want any more information. It parses a couple of XML records before backtracing.

Traceback (most recent call last):
  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 175, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 168, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 334, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 153, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 778, in __init__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 240, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 208, in no_length_handler
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 361, in unpack_dword
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x7653b114, buffer length: 0x140000)

Short event log files are not processed

An event log file short enough to have only one chunk will fail in the class FileHeader function chunks(). Changing the line:
while ofs + 0x10000 < len(self._buf):
to:
while ofs + 0x10000 <= len(self._buf):

will fix the issue
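As an added example (not code from python-evtx or its author), here is a stand-alone check of the file layout the README describes and the "Short event log files" issue above touches: it looks for the "ElfFile" signature in the first seven bytes, reads the file header fields and verifies the header checksum, and walks the 64 KiB chunks with both the original "<" bound and the corrected "<=" bound, on a constructed sample file. Field offsets (first/last chunk number, next record id, version, header block size, chunk count, flags) and the CRC32-over-the-first-120-bytes checksum are taken from the public format documentation the README cites, not from python-evtx's own code, and are an assumption of this example.

```python
import struct
import zlib

FILE_MAGIC = b"ElfFile\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
FILE_HEADER_SIZE = 0x1000   # the header block occupies the first 4 KiB
CHUNK_SIZE = 0x10000        # every chunk is 64 KiB


def is_evtx(buf):
    """The manual check from the README: the first seven bytes spell ElfFile."""
    return buf[:7] == b"ElfFile"


def parse_file_header(buf):
    """Return the header fields a practitioner checks first, or raise ValueError.

    Offsets follow the public EVTX format documentation (assumption of this example):
      8 first chunk number, 16 last chunk number, 24 next record id, 32 header size,
      36 minor version, 38 major version, 40 header block size, 42 chunk count,
      120 file flags, 124 CRC32 of bytes 0..119.
    """
    if len(buf) < 128:
        raise ValueError("buffer too short for an EVTX file header")
    if buf[:8] != FILE_MAGIC:
        raise ValueError("missing ElfFile signature: not an EVTX file")
    (first_chunk, last_chunk, next_record_id, header_size,
     minor, major, header_block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    computed = zlib.crc32(buf[:120]) & 0xFFFFFFFF
    return {
        "first_chunk": first_chunk,
        "last_chunk": last_chunk,
        "next_record_id": next_record_id,
        "header_size": header_size,
        "version": (major, minor),
        "header_block_size": header_block_size,
        "chunk_count": chunk_count,
        "flags": flags,
        "checksum_ok": computed == checksum,
    }


def chunk_offsets(buf, inclusive=True):
    """Offsets of chunks carrying the ElfChnk signature after the header block.

    inclusive=False reproduces the off-by-one from the issue above: with '<' a file
    holding exactly one chunk yields nothing; '<=' (inclusive=True) is the fix.
    """
    offsets = []
    ofs = FILE_HEADER_SIZE
    while True:
        end = ofs + CHUNK_SIZE
        in_bounds = end <= len(buf) if inclusive else end < len(buf)
        if not in_bounds:
            break
        if buf[ofs:ofs + 8] == CHUNK_MAGIC:
            offsets.append(ofs)
        ofs = end
    return offsets


def build_sample_evtx(chunks=1):
    """Constructed sample: a valid header block followed by `chunks` empty chunks."""
    body = bytearray(120)
    body[:8] = FILE_MAGIC
    # first chunk 0, last chunk chunks-1, next record id 1, header size 128,
    # minor 1, major 3 (the "3.1" evtx_info prints), block size 0x1000, chunk count
    struct.pack_into("<QQQIHHHH", body, 8, 0, chunks - 1, 1, 128, 1, 3, FILE_HEADER_SIZE, chunks)
    flags = 0
    checksum = zlib.crc32(bytes(body)) & 0xFFFFFFFF
    header = bytes(body) + struct.pack("<II", flags, checksum)
    header += b"\x00" * (FILE_HEADER_SIZE - len(header))
    chunk = CHUNK_MAGIC + b"\x00" * (CHUNK_SIZE - 8)
    return header + chunk * chunks


if __name__ == "__main__":
    sample = build_sample_evtx(1)
    print(parse_file_header(sample))
    print("with '<':  ", chunk_offsets(sample, inclusive=False))   # []
    print("with '<=': ", chunk_offsets(sample, inclusive=True))    # [4096]
```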

Reorganize directory structure and prepare for DEB packaging

Some pointers from Erik Kristensen:

Here is a PPA quick start guide — http://blog.launchpad.net/ppa/personal-package-archives-for-everyone

If you install the python-stdeb package, you’ll be able to do this very simply on a ubuntu system.

  1. python setup.py --command-packages=stdeb.command sdist_dsc
  2. cd deb_dist/package_name
  3. Edit the debian/control file, make sure section is set to something other than unknown.
  4. Edit the debian/changelog file, make sure your name and email address is in there, and that unstable is precise or any other ubuntu distro you want to support.
  5. debuild -S
  6. cd ..
  7. dput ppa:yourusername/yourppa your_package-version_source.changes

OverflowError: Python int too large to convert to C long

Thanks for the hard work in this project. It's really helpful.

I just have one problem to report, when I try and parse the Windows EVTX file 'CAPI2' I get the error below. Is there a workaround please? I am actually using the library to parse every EVTX file in a certain directory and this EVTX is the only one that throws up a problem!

  File "g:\Python Code\Events\Evtx2Time.py", line 121, in <module>
    main()
  File "g:\Python Code\Events\Evtx2Time.py", line 71, in main
    for xml, record in evtx_file_xml_view(fh):
  File "C:\Python27\lib\Evtx\Views.py", line 221, in evtx_file_xml_view
    record_str = _build_record_xml(record, cache=cache)
  File "C:\Python27\lib\Evtx\Views.py", line 172, in _build_record_xml
    xml = rec(record.root())
  File "C:\Python27\lib\Evtx\Views.py", line 163, in rec
    subs_strs.append(rec(sub))
  File "C:\Python27\lib\Evtx\Views.py", line 154, in rec
    f = _make_template_xml_view(root_node, cache=cache)
  File "C:\Python27\lib\Evtx\Views.py", line 120, in _make_template_xml_view
    template_instance = root_node.fast_template_instance()
  File "C:\Python27\lib\Evtx\Nodes.py", line 909, in fast_template_instance
    return TemplateInstanceNode(self._buf, ofs, self._chunk, self)
  File "C:\Python27\lib\Evtx\Nodes.py", line 716, in __init__
    self._data_length += new_template.length()
  File "C:\Python27\lib\Evtx\Nodes.py", line 211, in length
    return self.tag_length() + self.data_length()
  File "C:\Python27\lib\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Python27\lib\Evtx\BinaryParser.py", line 356, in unpack_dword
    return struct.unpack_from("<I", self._buf, o)[0]
OverflowError: Python int too large to convert to C long

UnicodeEncodeError in evtx_structure.py

UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 128: ordinal not in range(128)

Traceback (most recent call last):
  File "Downloads/evt/python-evtx/scripts/evtx_structure.py", line 197, in <module>
    main()
  File "Downloads/evt/python-evtx/scripts/evtx_structure.py", line 193, in main
    print(line)

Evtx.BinaryParser.ParseException raised unexpectedly

Hi,

I'm seeing exception Evtx.BinaryParser.ParseException raised unexpectedly when parsing event log "Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (extracted from a Windows Server 2012 testing instance) using evtx_dump.py.

Same behaviour seen when parsing on Windows with Python 2.7, and Ubuntu with Python 2.7 / 3.5.

Traceback from Windows with Python 2.7 as follows:

Traceback (most recent call last):
  File "evtx_dump.py", line 42, in <module>
    main()
  File "evtx_dump.py", line 37, in main
    print(record.xml())
  File "C:\Python27\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "C:\Python27\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "C:\Python27\lib\site-packages\Evtx\Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "C:\Python27\lib\site-packages\Evtx\BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "C:\Python27\lib\site-packages\Evtx\Nodes.py", line 1019, in substitutions
    raise ParseException("Invalid substitution value size")
Evtx.BinaryParser.ParseException: Parse Exception(Invalid substitution value size)

I can forward the EVTX file in question if that assists?

Evtx.py - Python 3: sys.maxint constant was removed, use sys.maxsize instead

https://github.com/williballenthin/python-evtx/blob/master/Evtx/Evtx.py#L232

https://docs.python.org/3.1/whatsnew/3.0.html#integers

The sys.maxint constant was removed, since there is no longer a limit to the value of integers. However, sys.maxsize can be used as an integer larger than any practical list or string index. It conforms to the implementation’s “natural” integer size and is typically the same as sys.maxint in previous releases on the same platform (assuming the same build options).

Thank you! Best regards!

Truncated SubStatus/Status for 4625 events

Hello Will,

In a clean virtualenv with master's python-evtx (b0bc270), some fields appear to be truncated. I have isolated the bug to a single EVTX file that I will send to your gmail address right away.

$ virtualenv/bin/python scripts/evtx_dump.py  min.evtx
<?xml version="1.1" encoding="utf-8" standalone="yes" ?>

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x80100000000000</Keywords>
<TimeCreated SystemTime="2017-03-03 07:43:34.287577"></TimeCreated>
<EventRecordID>12176434</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="1068" ThreadID="1140"></Execution>
<Channel>Security</Channel>
<Computer>xxx</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">xxxx</Data>
<Data Name="SubjectDomainName">xxxx</Data>
<Data Name="SubjectLogonId">0x00000000000003</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">xxx</Data>
<Data Name="TargetDomainName">xxx</Data>
<Data Name="Status">0xc00000</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc00000</Data>
<Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">xxxx</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000002a</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
<Data Name="IpAddress">1.2.3.4</Data>
<Data Name="IpPort">1100</Data>
</EventData>
</Event>
</Events>

If you compare that output to the following Event Viewer screenshot, you see that SubStatus and Status are truncated in the process.

(screenshot: eventviewer)

Am I missing something?

My minimal script to investigate is the following:

$ cat test_status.py
import Evtx.Evtx as evtx
import logging
from lxml import etree
import sys

logging.basicConfig(level=1, format="%(asctime)s %(name)8s %(levelname)5s: %(message)s")

ns = {'event': 'http://schemas.microsoft.com/win/2004/08/events/event'}
with evtx.Evtx('min.evtx') as log:
    for record in log.records():
        r = record.lxml()
        eid = int(r.xpath('/event:Event/event:System/event:EventID', namespaces=ns)[0].text)
        if eid != 4625:
            continue
        print(r.xpath("/event:Event/event:EventData/event:Data[@Name='SubStatus']", namespaces=ns)[0].text)
$ virtualenv/bin/python test_status.py
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: FILE HEADER at 0x0.
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: CHUNK HEADER at 0x1000.
2017-06-19 19:34:12,876 Evtx.Evtx DEBUG: Record at 0x1200.
2017-06-19 19:34:12,888 Evtx.Evtx DEBUG: Record at 0x1e50.
0xc00000

Windows 10 (1803) issue

Hi Willi,
I'm getting the following OSError when running a script on any Windows 10 PC. The script runs without any issues on macOS and Windows 8.1. The error occurs when trying to convert a System.evtx. I can provide the event log if needed. Thank you, Raf.

converting problem\Win10_System.evtx please wait...
Traceback (most recent call last):
  File "C:\Python\USB\Win10usb47.py", line 4347, in <module>
    main()
  File "C:\Python\USB\Win10usb47.py", line 398, in main
    evtx_counter, eventlogs_xml, pnp_eventlogs_xml, WinPart_eventlogs_xml = evtx2xml(eventlogs)
  File "C:\Python\USB\Win10usb47.py", line 3281, in evtx2xml
    print(record.xml(), file=dest_xml)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 126, in rec
    rec(child, acc)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\Nodes.py", line 1401, in string
    return self.filetime().isoformat(' ')
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
    return parse_filetime(self.unpack_qword(offset))
  File "C:\Users\UserXY\AppData\Local\Programs\Python\Python36\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument

unexpected keyword argument 'include_inactive'

I was receiving an error running evtx_info.py on every evtx file I tested.

Traceback (most recent call last):
  File "python-evtx/scripts/evtx_info.py", line 114, in <module>
    main()
  File "python-evtx/scripts/evtx_info.py", line 75, in main
    for (i, chunk) in enumerate(fh.chunks(include_inactive=True), 1):
TypeError: chunks() got an unexpected keyword argument 'include_inactive'
Upon further investigation and testing I updated line 75 from this:
for (i, chunk) in enumerate(fh.chunks(include_inactive=True), 1):
to this:
for (i, chunk) in enumerate(fh.chunks(), 1):

That seems to have resolved the issue, and it matches evtx_info.py from the fix/issue-37 branch. I'm not sure if this change has been inadvertently excluded from the Master branch, or if some other problem exists.

It is also possible I am misunderstanding the error entirely. Either way, removing 'include_inactive=True' from line 75 seems to have fixed the problem for me anyway.

AttributeError: 'NullTypeNode' object has no attribute 'find_end_of_stream'

Hi,

When attempting to parse an evtx file as gathered by a collector on a Win server 2012 R2 box ; I get the following errors:

 ./evtx_dump.py Archive-ForwardedEvents-2017-07-19-09-54-122.evtx

<?xml version="1.1" encoding="utf-8" standalone="yes" ?>

<Events>
Traceback (most recent call last):
  File "./evtx_dump.py", line 46, in <module>
    main()
  File "./evtx_dump.py", line 41, in main
    print(record.xml())
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 1001, in substitutions
    ofs = self.tag_and_children_length()
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 962, in tag_and_children_length
    for child in self.children():
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 952, in children
    return self._children(end_tokens=[SYSTEM_TOKENS.EndOfStreamToken])
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 159, in _children
    ofs += child.length()
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 177, in length
    for child in self.children():
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 334, in children
    SYSTEM_TOKENS.CloseEmptyElementToken])
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 162, in _children
    if child.find_end_of_stream():
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.0-py2.7.egg/Evtx/Nodes.py", line 186, in find_end_of_stream
    ret = child.find_end_of_stream()
AttributeError: 'NullTypeNode' object has no attribute 'find_end_of_stream'

Running Python 2.7.9 on Debian 8. I installed the current version of python-evtx using the setup.py utility from the github download. Please let me know if you need any more details.

code cleanup: remove Views

simply give record, chunk, file header .xml() methods that render to xml, since it's the only useful format.

KeyError: 138

hi Willy,

I've this issue with evtx_dump.py on Microsoft-Windows-Ntfs%4Operational.evtx file (from Windows 10) :

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1011, in substitutions
    self._chunk, self, type_, length=size)
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 468, in get_variant_value
    TypeClass = types[type_]
KeyError: 138

the evtx file Microsoft-Windows-Ntfs%4Operational.evtx seems to be ok because it is correctly exported from Windows : I send you the exported and the original evtx file...

regards, lacsaP.

evtxdump.py: error: too few arguments

Hi there, trying to run the program using:
python evtxdump.py
from /c/python27/python-evtx/scripts (master)
still getting the error message above and when i add the path to the security.evtx it is not working
python evtxdump.py c:*_.security.evtx is giving me
IOError: [Errno 2] No such file or directory: 'c:*_.security.evtx'

Can you assist me thanks

Exception

Invalid exception in "Nodes.py"(raise "string" -> raise BaseException("string")). For example:
987 raise "Unexpected size for SizeTypeNode: %s" % hex(size)
1040 raise "Unexpected type encountered: %s" % hex(type_)
...

Does not encode XML entities obtained from EVTX data

Hi!

It seems that this library does not encode XML entities that are obtained from EVTX data.

I've created a fix for this, but I wanted to create an issue id for it as well.

You can test this out by having an event generated where the custom event data includes XML special characters.

Thanks!

Unicode characters not handled correctly during XML generation

Version

Tag v0.2.2

Stack trace

C__WINDOWS_SYSTEM32_WINEVT_Logs_Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
1.1M    C__WINDOWS_SYSTEM32_WINEVT_Logs_Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
Traceback (most recent call last):
  File "/home/willi/vm-share/Git/python-evtx/scripts/evtxdump.py", line 42, in <module>
    main()
  File "/home/willi/vm-share/Git/python-evtx/scripts/evtxdump.py", line 38, in main
    print record.root().xml([]).encode("utf-8")
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 1112, in xml
    cxml += child.xml(substitutions or self.substitutions())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 922, in xml
    return template.xml(substitutions)
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 266, in xml
    ret += child.xml(substitutions)
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 401, in xml
    cxml = "".join(c.xml(substitutions) for c in self.children())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 401, in <genexpr>
    cxml = "".join(c.xml(substitutions) for c in self.children())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 1022, in xml
    return substitutions[self.index()].xml()
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 1818, in xml
    return self._root.xml([])
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 1112, in xml
    cxml += child.xml(substitutions or self.substitutions())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 922, in xml
    return template.xml(substitutions)
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 266, in xml
    ret += child.xml(substitutions)
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 401, in xml
    cxml = "".join(c.xml(substitutions) for c in self.children())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 401, in <genexpr>
    cxml = "".join(c.xml(substitutions) for c in self.children())
  File "/usr/local/lib/python2.7/dist-packages/Evtx/Nodes.py", line 401, in xml
    cxml = "".join(c.xml(substitutions) for c in self.children())
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 9: ordinal not in range(128)

Test case:

04877b2270ff35d0d6d1146fd1a09c12 C__WINDOWS_SYSTEM32_WINEVT_Logs_Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

KeyError in get_variant_value

Got this backtrace on a file pulled from memory during an investigation. Let me know if you need/want any more information:

Traceback (most recent call last):
  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 182, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 1001, in substitutions
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 962, in tag_and_children_length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 952, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 162, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 808, in find_end_of_stream
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 183, in find_end_of_stream
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 168, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 334, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 334, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 506, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 468, in get_variant_value
KeyError: 108

struct.error: bad char in struct format

hi,

this error occurs when the script evtx_dump.py is used on the events file Microsoft-Windows-LiveId%Operational.evtx that comes from Windows 10. it is at your disposal if you need it...

thanks for really good job, regards, lacsaP.

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 532, in unpack_systemtime
    parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
struct.error: bad char in struct format

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 159, in rec
    sub = escape_value(sub.string())
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1420, in string
    return self.systemtime().isoformat(' ')
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 205, in no_length_handler
    return f(offset)
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 534, in unpack_systemtime
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x17440, buffer length: 0x101000)
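The two timestamp failures on this page come from the same pair of value types. The FILETIME traceback earlier on the page ends in OSError: [Errno 22] Invalid argument from datetime.utcfromtimestamp, which is what CPython on Windows raises for a negative or very large Unix timestamp; any FILETIME before 1970, including an all-zero field in a zeroed or corrupt record, lands there. The SYSTEMTIME traceback just above fails because "W" is not a struct format character. The code below is an added example (editor's code, not the reporter's and not python-evtx's own implementation) that decodes both types from a constructed byte buffer with plain struct and datetime arithmetic, returning None for unrepresentable values so one bad record does not abort the whole dump. The function names, the sample buffer and the "<invalid timestamp>" marker are choices of this example only.

```python
import struct
from datetime import datetime, timedelta

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)
# Ticks between 1601-01-01 and 1970-01-01: the 11644473600 seconds seen in
# the traceback above, times 10**7.
FILETIME_UNIX_EPOCH = 11644473600 * 10**7


def filetime_to_datetime(qword):
    """Convert a 64-bit FILETIME to a naive UTC datetime, or None.

    timedelta arithmetic from the 1601 epoch has no platform-specific
    limits, unlike datetime.utcfromtimestamp, which on Windows raises
    OSError [Errno 22] for negative inputs (any FILETIME below the 1970
    epoch, including an all-zero field) and for very large ones.
    """
    if not 0 <= qword <= 0xFFFFFFFFFFFFFFFF:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=qword // 10)
    except OverflowError:        # past datetime.max (year 9999)
        return None


def unpack_filetime(buf, offset):
    """Read a little-endian FILETIME at offset and convert it."""
    if offset < 0 or offset + 8 > len(buf):
        raise ValueError("FILETIME at 0x%x overruns buffer of length 0x%x"
                         % (offset, len(buf)))
    (qword,) = struct.unpack_from("<Q", buf, offset)
    return filetime_to_datetime(qword)


def unpack_systemtime(buf, offset):
    """Read a 16-byte SYSTEMTIME: eight little-endian uint16 fields
    (year, month, day of week, day, hour, minute, second, milliseconds).

    The struct format is "<8H" ("<HHHHHHHH"); "W" is not a struct format
    character, which is the struct.error in the traceback above. Returns
    None when the fields do not form a valid date (an all-zero structure,
    month 13, milliseconds above 999, and so on).
    """
    if offset < 0 or offset + 16 > len(buf):
        raise ValueError("SYSTEMTIME at 0x%x overruns buffer of length 0x%x"
                         % (offset, len(buf)))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack_from(
        "<8H", buf, offset)
    try:
        return datetime(year, month, day, hour, minute, second, ms * 1000)
    except ValueError:
        return None


def render_timestamp(value):
    """Format like evtx_dump's isoformat(' '), with a marker for bad values."""
    if value is None:
        return "<invalid timestamp>"
    return value.isoformat(" ")


def sample_buffer():
    """Constructed test data (not from a real log): a FILETIME for
    2009-02-13 23:31:30 UTC (Unix time 1234567890), then a SYSTEMTIME for
    the same instant (day of week 5 = Friday), then an all-zero FILETIME."""
    return (struct.pack("<Q", FILETIME_UNIX_EPOCH + 1234567890 * 10**7)
            + struct.pack("<8H", 2009, 2, 5, 13, 23, 31, 30, 0)
            + struct.pack("<Q", 0))


if __name__ == "__main__":
    buf = sample_buffer()
    print(render_timestamp(unpack_filetime(buf, 0)))
    print(render_timestamp(unpack_systemtime(buf, 8)))
    print(render_timestamp(unpack_filetime(buf, 24)))
    print(render_timestamp(filetime_to_datetime(0xFFFFFFFFFFFFFFFF)))
```

The all-zero FILETIME decodes to 1601-01-01 00:00:00, which is a legitimate (if meaningless) value; only values past year 9999 or outside the 64-bit range come back as None. A dumper that wants to keep going on corrupt chunks should treat None, and the ValueError from an overrun, as per-record conditions rather than fatal ones.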

TypeError: 'str' object is not callable on print record.root().xml([])

When I try running the sample evtx_dump, I always get errors:

<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
Traceback (most recent call last):
  File "/Users/userabc/Python/Deposit/FullDebug/EventLogs/evtxdumper.py", line 20, in <module>
    main()
  File "/Users/userabc/Python/Deposit/FullDebug/EventLogs/evtxdumper.py", line 16, in main
    print record.root().xml([])
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1110, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 920, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 266, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in <genexpr>
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1020, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1816, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1110, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 920, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 266, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in <genexpr>
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 399, in <genexpr>
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1020, in xml
  File "build/bdist.macosx-10.8-intel/egg/Evtx/Nodes.py", line 1863, in xml
TypeError: 'str' object is not callable

I've removed the .encode from the end of this xml([]) statement to see where it breaks. It can run without the .xml and display the chunk offsets, but the xml portion breaks for me.

I'm on a pretty vanilla python 2.7.2 with OS 10.8.

Any ideas or something I'm missing?

Thanks!

Novice help

I don't understand how to use this package within python as an API.
I did:
from Evtx.Evtx import Evtx
Now I did:
with Evtx(filename) as evtx:
    e = evtx.records()
How do I read e's content?

evtx_dump UnicodeDecodeError with MS DNS log

Hi Will,

Have updated libraries using pip update and have cloned latest source.

This is the same issue I was having a while back with a MS DNS log file that was generated by my college network admins. This may be a problem with how MS is generating the log file. I have extracted an example of the offending entry (using MS event file viewer) and have attached it here so you can test against it. NOTE: this does not seem to be an isolated entry in a log file and I have a number of DNS logs that were generated and have the same issues with unicode decoding

The fix for this might be very simple so please excuse my ignorance, maybe there is a nice way to handle the UnicodeDecodeError and move on to the next log entry? I'm using evtx_dump in order to generate the plain text XML and extract the DNS query name entries in the log file so I'm not that concerned if I miss a few due to encoding issues.

Thanks for your time

Regards
Stephen
dns_log_malformed.evtx.zip

Getting a "mmap closed or invalid"

Target file : System.evtx (see the attached zip archive) on a free Win7 VM system (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/windows/)

Original code :

from Evtx.Evtx import Evtx

filename = ...
with Evtx(filename) as evtx_file:
    header = evtx_file.get_file_header()
header.check_magic()

Error traceback :

Traceback (most recent call last):
  File "test.py", line 7, in <module>
    header.check_magic()
  File "/home/panda/python-evtx/Evtx/Evtx.py", line 157, in check_magic
    return self.magic() == "ElfFile\x00"
  File "/home/panda/python-evtx/Evtx/BinaryParser.py", line 264, in explicit_length_handler
    return f(offset, length)
  File "/home/panda/python-evtx/Evtx/BinaryParser.py", line 528, in unpack_string
    return self.unpack_binary(offset, length)
  File "/home/panda/python-evtx/Evtx/BinaryParser.py", line 515, in unpack_binary
    return struct.unpack_from("<%ds" % (length), self._buf, o)[0]
ValueError: mmap closed or invalid

System.zip

What am I missing ?
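In the snippet above, header.check_magic() is dedented out of the with block, so it runs after the Evtx context manager has exited and closed the mmap that backs the header's buffer; "mmap closed or invalid" is CPython's ValueError for any access to a closed mapping. The code below is an added example (editor's code, not the poster's script and not python-evtx's own implementation) of reading the 128-byte EVTX file header with struct: it copies the header bytes out of the mapping while the mapping is still open, validates the ElfFile magic and the CRC-32 over the first 120 bytes, and reproduces the closed-mapping error on purpose so the message can be recognised. The field layout follows Joachim Metz's format documentation cited in the introduction; the sample file is constructed in code rather than taken from a real log, and the function names are this example's own.

```python
import mmap
import os
import struct
import tempfile
import zlib

EVTX_FILE_MAGIC = b"ElfFile\x00"
FILE_HEADER_SIZE = 128      # size of the header structure
HEADER_BLOCK_SIZE = 4096    # the first chunk starts at this offset
CHECKSUMMED_BYTES = 120     # the header CRC-32 covers bytes 0..119

# 128-byte file header, little-endian:
#   0 signature "ElfFile\0" | 8 first chunk number u64 | 16 last chunk number u64
#  24 next record identifier u64 | 32 header size u32 (128) | 36 minor version u16
#  38 major version u16 | 40 header block size u16 (4096) | 42 number of chunks u16
#  44 unused (76 bytes) | 120 file flags u32 | 124 checksum u32 (CRC-32 of 0..119)
FILE_HEADER_FMT = "<8sQQQIHHHH76xII"
FIELDS = ("signature", "first_chunk_number", "last_chunk_number",
          "next_record_identifier", "header_size", "minor_version",
          "major_version", "header_block_size", "number_of_chunks",
          "file_flags", "checksum")
assert struct.calcsize(FILE_HEADER_FMT) == FILE_HEADER_SIZE


def parse_file_header(buf):
    """Decode and validate the file header; raise ValueError with a reason."""
    if len(buf) < FILE_HEADER_SIZE:
        raise ValueError("only %d bytes, too short for an EVTX file header"
                         % len(buf))
    hdr = dict(zip(FIELDS, struct.unpack_from(FILE_HEADER_FMT, buf, 0)))
    if hdr["signature"] != EVTX_FILE_MAGIC:
        raise ValueError("bad magic %r" % hdr["signature"])
    expected = zlib.crc32(bytes(buf[:CHECKSUMMED_BYTES])) & 0xFFFFFFFF
    if hdr["checksum"] != expected:
        raise ValueError("header checksum 0x%08x does not match computed 0x%08x"
                         % (hdr["checksum"], expected))
    if (hdr["header_size"] != FILE_HEADER_SIZE
            or hdr["header_block_size"] != HEADER_BLOCK_SIZE):
        raise ValueError("unexpected header sizes %d/%d"
                         % (hdr["header_size"], hdr["header_block_size"]))
    return hdr


def header_problem(buf):
    """Return None if buf starts with a valid header, else the reason."""
    try:
        parse_file_header(buf)
    except ValueError as exc:
        return str(exc)
    return None


def read_file_header(path):
    """Map the file read-only and parse the header while the map is open.

    bytes(mm[...]) copies the header out of the mapping, so the result is
    usable after the with block; touching mm itself after the block exits
    raises ValueError("mmap closed or invalid").
    """
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            raw = bytes(mm[:FILE_HEADER_SIZE])
    return parse_file_header(raw)


def probe_after_close(path):
    """Reproduce the mistake on purpose; return the error text, not an exception."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            pass
    try:
        mm[:8]
    except ValueError as exc:
        return str(exc)
    return None


def build_file_header(number_of_chunks=1, next_record_id=1, file_flags=0):
    """Construct a well-formed header block (synthetic sample, not a real log).
    Version 3.1 is an assumed sample value."""
    body = struct.pack("<8sQQQIHHHH76x", EVTX_FILE_MAGIC,
                       0, max(number_of_chunks - 1, 0), next_record_id,
                       FILE_HEADER_SIZE, 1, 3,
                       HEADER_BLOCK_SIZE, number_of_chunks)
    checksum = zlib.crc32(body) & 0xFFFFFFFF
    header = body + struct.pack("<II", file_flags, checksum)
    return header + b"\x00" * (HEADER_BLOCK_SIZE - len(header))


def write_sample_file():
    """Write the synthetic header block to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".evtx")
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_file_header(number_of_chunks=2, next_record_id=4242))
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    try:
        print(read_file_header(sample))
        print("after close:", probe_after_close(sample))
    finally:
        os.remove(sample)
```

The same rule applies to the python-evtx objects: anything obtained from an Evtx(...) context manager, including FileHeader, ChunkHeader and Record instances, reads lazily from the mapping, so calls such as check_magic() or record.xml() belong inside the with block, and only already-decoded values (strings, integers, copied bytes) should be kept after it.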

Errors while running

The following errors occur for the program when I run it. Previously it was running perfectly fine but now it doesn't get corrected.
Does anyone have any ideas on how to correct these?

Traceback (most recent call last):
  File "C:\Users\Admin\Desktop\HTC\python-evtx\scripts\evtx_filter_records.py", line 65, in <module>
    main()
  File "C:\Users\Admin\Desktop\HTC\python-evtx\scripts\evtx_filter_records.py", line 56, in main
    for node, err in xml_records(args.evtx):
  File "C:\Users\Admin\Desktop\HTC\python-evtx\scripts\evtx_filter_records.py", line 30, in xml_records
    yield to_lxml(xml), None
  File "C:\Users\Admin\Desktop\HTC\python-evtx\scripts\evtx_filter_records.py", line 15, in to_lxml
    record_xml)
  File "src\lxml\etree.pyx", line 3211, in lxml.etree.fromstring
  File "src\lxml\parser.pxi", line 1872, in lxml.etree._parseMemoryDocument
ValueError: Unicode strings with encoding declaration are not supported. Please use bytes input or XML fragments without declaration.

add tests for #45 and #46

via @john-corcoran

Apologies for the delayed response - I've checked the original files I sent you and think they're all fine to publish.

just need to add private tests to git and push.

CRLF line terminators

hi Willi,
on my Linux system, the CRLF line terminators are problematic : when I try to run your evtx_dump script, I've this error : /usr/bin/env: 'python\r': Permission denied
regards, lacsaP.

Evtx.BinaryParser.OverrunBufferException raised unexpectedly

Hi,

I'm seeing exception Evtx.BinaryParser.OverrunBufferException raised unexpectedly when parsing event logs "Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", "Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", and "Microsoft-Windows-CAPI2%4Operational.evtx" (all extracted from a Windows 7 testing instance) using evtx_dump.py.

For Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx, the same behaviour is seen across Windows with Python 2.7 and Ubuntu with Python 2.7 / 3.5. Traceback from Ubuntu with Python 3.5 as follows:

Traceback (most recent call last):
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 273, in unpack_byte
    return struct.unpack_from("<B", self._buf, o)[0]
struct.error: unpack_from requires a buffer of at least 1 bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/home/user/.local/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 1001, in substitutions
    ofs = self.tag_and_children_length()
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 962, in tag_and_children_length
    for child in self.children():
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 952, in children
    return self._children(end_tokens=[SYSTEM_TOKENS.EndOfStreamToken])
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 153, in _children
    self._chunk, self)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 777, in __init__
    parent=self)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Evtx.py", line 398, in add_template
    self._load_templates()
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Evtx.py", line 380, in _load_templates
    token = self.unpack_byte(ofs - 10)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 275, in unpack_byte
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x240f0ff7, buffer length: 0x101000)

For Microsoft-Windows-WindowsUpdateClient%4Operational.evtx, Python 3.5 on Ubuntu gives Evtx.BinaryParser.OverrunBufferException, while Python 2.7 on Windows / Ubuntu gives a MemoryError. Python 3.5 traceback as follows:

Traceback (most recent call last):
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 273, in unpack_byte
    return struct.unpack_from("<B", self._buf, o)[0]
struct.error: unpack_from requires a buffer of at least 1 bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/home/user/.local/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 1006, in substitutions
    type_ = self.unpack_byte(ofs + 0x2)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 275, in unpack_byte
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x101000, buffer length: 0x101000)

Python 2.7 traceback (from Ubuntu) as follows:

Traceback (most recent call last):
  File "/home/user/.local/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/home/user/.local/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/home/user/.local/lib/python2.7/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/home/user/.local/lib/python2.7/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/home/user/.local/lib/python2.7/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/home/user/.local/lib/python2.7/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/home/user/.local/lib/python2.7/site-packages/Evtx/Nodes.py", line 1004, in substitutions
    for _ in range(sub_count):
MemoryError

And similarly for Microsoft-Windows-CAPI2%4Operational.evtx, Python 3.5 on Ubuntu gives Evtx.BinaryParser.OverrunBufferException, while Python 2.7 on Windows / Ubuntu BSODs / has process 'Killed'. Traceback for Python 3.5 on Ubuntu as follows:

Traceback (most recent call last):
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 302, in unpack_word
    return struct.unpack_from("<H", self._buf, o)[0]
struct.error: unpack_from requires a buffer of at least 2 bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/home/user/.local/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/Nodes.py", line 1005, in substitutions
    size = self.unpack_word(ofs)
  File "/home/user/.local/lib/python3.5/site-packages/Evtx/BinaryParser.py", line 304, in unpack_word
    raise OverrunBufferException(o, len(self._buf))
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x101000, buffer length: 0x101000)

I can forward the EVTX files in question if that assists?

IndexError in Views.py

Got this backtrace on a file pulled from memory during an investigation. Let me know if you need/want any more information:

  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 154, in rec
IndexError: list index out of range

KeyError in template function

  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 182, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 1001, in substitutions
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 962, in tag_and_children_length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 952, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 162, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 808, in find_end_of_stream
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 801, in template
KeyError: 0

AttributeError: 'module' object has no attribute 'XML_HEADER'

Hi Will,

Using the latest release and running evtxdump against an evtx file that parsed previously in version V0.3.2, I am getting the following error.

The evtx file has the ElfFile sig in the first 7 bytes and was generated by Microsoft DNS Server.

$ python ./evtx_dump.py ../data/ITBDNS04-AnalyticalLog-9Nov2016-1.evtx 
Traceback (most recent call last):
  File "./evtx_dump.py", line 42, in <module>
    main()
  File "./evtx_dump.py", line 34, in main
    print(e_views.XML_HEADER)
AttributeError: 'module' object has no attribute 'XML_HEADER'

SID does not convert correctly

Nodes.py

[19] = parse_sid_type_node, -- SIDTypeNode, 0x13

...
id_high = self.unpack_dword_be(ofs)
id_low = self.unpack_word_be(ofs)

            id_high = self.unpack_dword_be(ofs+2)
            id_low = self.unpack_word_be(ofs+6)
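
The corrected offsets match the on-disk layout of a binary SID: a revision byte, a sub-authority count byte, a 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities. The parser below is an added example written for this page, not python-evtx's own SIDTypeNode code; it assumes only that layout, and its sample SIDs (BUILTIN\Administrators and a made-up domain Administrator SID) are constructed here. misread_authority() shows what the uncorrected offsets return: the revision and count bytes land in the authority field, so even the well-known S-1-5 prefix comes out wrong for every SID.

```python
import struct

# Assumed layout of the SIDTypeNode (0x13) value, which is a plain binary SID:
#   ofs+0  revision               1 byte  (always 1)
#   ofs+1  sub-authority count    1 byte
#   ofs+2  identifier authority   6 bytes, big-endian
#   ofs+8  sub-authorities        count x 4 bytes, little-endian
SID_HEADER_LEN = 8
MAX_SUB_AUTHORITIES = 15  # Windows caps a SID at 15 sub-authorities


def sid_length(buf: bytes, ofs: int = 0) -> int:
    """Number of bytes the SID at buf[ofs:] occupies (header plus sub-authorities)."""
    count = buf[ofs + 1]
    return SID_HEADER_LEN + 4 * count


def parse_sid(buf: bytes, ofs: int = 0) -> str:
    """Decode the binary SID at buf[ofs:] into its textual S-R-A-S1-...-Sn form."""
    if len(buf) < ofs + SID_HEADER_LEN:
        raise ValueError("buffer too short for SID header")
    revision, count = struct.unpack_from("<BB", buf, ofs)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError("implausible sub-authority count %d" % count)
    if len(buf) < ofs + sid_length(buf, ofs):
        raise ValueError("buffer too short for %d sub-authorities" % count)
    # The 6-byte authority is read as a big-endian dword at ofs+2 and a
    # big-endian word at ofs+6 (the corrected offsets from the issue above).
    id_high, = struct.unpack_from(">I", buf, ofs + 2)
    id_low, = struct.unpack_from(">H", buf, ofs + 6)
    authority = (id_high << 16) | id_low
    subs = struct.unpack_from("<%dI" % count, buf, ofs + SID_HEADER_LEN)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def misread_authority(buf: bytes, ofs: int = 0):
    """What the uncorrected offsets (dword_be and word_be both at ofs) read:
    the revision and count bytes end up in the authority, mangling every SID."""
    id_high, = struct.unpack_from(">I", buf, ofs)
    id_low, = struct.unpack_from(">H", buf, ofs)
    return id_high, id_low


def encode_sid(text: str) -> bytes:
    """Inverse of parse_sid, used here to build sample bytes without hand-packing."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % text)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed samples: BUILTIN\Administrators hand-packed to check the layout, and a
# made-up domain Administrator SID embedded after two padding bytes, as in a chunk.
ADMINISTRATORS = bytes.fromhex("0102 00000000 0005 20000000 20020000")
DOMAIN_ADMIN = "S-1-5-21-1234567890-987654321-1122334455-500"
CHUNK = b"\xff\xff" + encode_sid(DOMAIN_ADMIN) + b"\x00" * 4


if __name__ == "__main__":
    print(parse_sid(ADMINISTRATORS))          # S-1-5-32-544
    print(parse_sid(CHUNK, 2))                # the domain Administrator SID at offset 2
    print(misread_authority(ADMINISTRATORS))  # (16908288, 258), i.e. 0x01020000, 0x0102
```

A quick sanity check for an analyst is the authority value: on a Security log almost every SID carries one of a handful of well-known authorities such as 1 (World) or 5 (NT Authority), so a parser that emits anything else for most records is reading the wrong offsets. The length checks matter because the node is 8 + 4 × count bytes long, and a chunk that lies about the count must not be allowed to read past the buffer.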

evtxdump UnicodeDecodeError with MS DNS Server log file

Firstly, thanks for writing this library. I'm having an issue with converting binary evtx files that are generated using Windows DNS server. I'm assuming that the error is being caused by a field containing maybe a DNS request that has characters that cannot be decoded to ascii. This would be pretty normal when dealing with DNS queries. See output below....

Traceback (most recent call last):
  File "evtxdump.py", line 53, in <module>
    main()
  File "evtxdump.py", line 48, in main
    for xml, record in evtx_file_xml_view(fh):
  File "build/bdist.macosx-10.12-intel/egg/Evtx/Views.py", line 221, in evtx_file_xml_view
  File "build/bdist.macosx-10.12-intel/egg/Evtx/Views.py", line 172, in _build_record_xml
  File "build/bdist.macosx-10.12-intel/egg/Evtx/Views.py", line 163, in rec
  File "build/bdist.macosx-10.12-intel/egg/Evtx/Views.py", line 156, in rec
  File "build/bdist.macosx-10.12-intel/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.macosx-10.12-intel/egg/Evtx/Nodes.py", line 945, in fast_substitutions
  File "build/bdist.macosx-10.12-intel/egg/Evtx/BinaryParser.py", line 475, in unpack_string
UnicodeDecodeError: 'ascii' codec can't decode byte 0x96 in position 16: ordinal not in range(128)
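
The 0x96 above comes from a strict decode of one substitution value: a single byte the codec rejects aborts the whole dump, and the IndexError and KeyError tracebacks earlier on this page fail the same way when one record's template or substitutions are not what the renderer expects. The following is an added example written for this page, not python-evtx's code. It models a record as a toy template plus a list of substitution byte strings (an assumption standing in for the real binary XML), decodes each value with backslashreplace so undecodable bytes survive as \xNN escapes, XML-escapes the text because DNS query names come from remote clients and are untrusted input, and collects per-record failures instead of stopping at the first one. The sample records are constructed.

```python
from xml.sax.saxutils import escape


def decode_substitution(raw: bytes, encoding: str = "utf-16-le") -> str:
    """Decode one string substitution from a record without ever raising.

    A strict decode aborts on the first byte the codec rejects (the 0x96 in the
    traceback above); backslashreplace keeps such bytes visible as \\xNN escapes
    so the record still renders and the analyst can see the raw byte.
    """
    return raw.decode(encoding, errors="backslashreplace")


def render_record(template, substitutions, encoding="utf-16-le") -> str:
    """Render a record from a toy template (assumed model, not the real binary XML):
    str items are literal XML, int items are indices into the substitution list.
    Substitution text is XML-escaped so a hostile query name cannot break the
    document that downstream tools will parse."""
    parts = []
    for item in template:
        if isinstance(item, int):
            # raises IndexError when the template refers to a missing substitution
            parts.append(escape(decode_substitution(substitutions[item], encoding)))
        else:
            parts.append(item)
    return "".join(parts)


def dump_records(records, encoding="utf-16-le"):
    """Render every record, recording per-record failures (record number,
    exception type, message) instead of aborting the whole dump."""
    rendered, failures = [], []
    for number, (template, subs) in enumerate(records, start=1):
        try:
            rendered.append(render_record(template, subs, encoding))
        except (IndexError, KeyError, UnicodeDecodeError) as exc:
            failures.append((number, type(exc).__name__, str(exc)))
    return rendered, failures


# Constructed sample: a DNS-analytic-style template and four records.
TEMPLATE = ["<Data Name='QNAME'>", 0, "</Data><Data Name='Source'>", 1, "</Data>"]
RECORDS = [
    (TEMPLATE, ["www.example.com.".encode("utf-16-le"), "10.0.0.5".encode("utf-16-le")]),
    # a non-ASCII label is ordinary UTF-16LE and must decode cleanly
    (TEMPLATE, ["münchen.example.".encode("utf-16-le"), "10.0.0.6".encode("utf-16-le")]),
    # a query name carrying XML metacharacters chosen by the client
    (TEMPLATE, ["<evil>&bad.example.".encode("utf-16-le"), "10.0.0.7".encode("utf-16-le")]),
    # a record whose template references a substitution that is not present
    (TEMPLATE, ["lonely.example.".encode("utf-16-le")]),
]


if __name__ == "__main__":
    # the byte from the traceback, decoded the way the original code tried to
    print(decode_substitution(b"wpad\x96corp", "ascii"))  # wpad\x96corp
    ok, bad = dump_records(RECORDS)
    for line in ok:
        print(line)
    for number, kind, message in bad:
        print("record %d skipped: %s: %s" % (number, kind, message))
```

The failure list is the part worth keeping in a real dump: a record that will not render is itself a finding, since it is either corruption or content crafted to trip the parser, and silently dropping it hides that from the analyst.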
