
KeyError: 138

Open patatetom opened this issue 8 years ago • 7 comments

hi Willy,

I have this issue with evtx_dump.py on the Microsoft-Windows-Ntfs%4Operational.evtx file (from Windows 10):

Traceback (most recent call last):
  File "/usr/bin/evtx_dump.py", line 42, in <module>
    main()
  File "/usr/bin/evtx_dump.py", line 37, in main
    print(record.xml())
  File "/usr/lib/python3.6/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/usr/lib/python3.6/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/usr/lib/python3.6/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 1011, in substitutions
    self._chunk, self, type_, length=size)
  File "/usr/lib/python3.6/site-packages/Evtx/Nodes.py", line 468, in get_variant_value
    TypeClass = types[type_]
KeyError: 138

the evtx file Microsoft-Windows-Ntfs%4Operational.evtx seems to be ok because it is correctly exported from Windows: I send you the exported and the original evtx file...

regards, lacsaP.

patatetom avatar Jul 21 '17 13:07 patatetom

i can reproduce this issue using the provided .evtx file, though unfortunately, my local system doesn't exhibit this unexpected node type. i'll continue to search for public evtx files that demonstrate the issue.

williballenthin avatar Jul 22 '17 19:07 williballenthin

note:

hex(138) == 0x8A

this is possibly array (0x80) of QWORD (0x0A)

0x80 | 0x0A == 0x8A

williballenthin avatar Jul 22 '17 20:07 williballenthin

this has been tricky to track down. still working on it.

williballenthin avatar Jul 23 '17 00:07 williballenthin

In its opening momentum, has Microsoft not documented its file format?

patatetom avatar Jul 24 '17 07:07 patatetom

Hi Willy, I have exactly the same issue (I can send Microsoft-Windows-Ntfs%4Operational.evtx).

Traceback (most recent call last):
  File "./evtx_dump.py", line 42, in <module>
    main()
  File "./evtx_dump.py", line 37, in main
    print(record.xml())
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Evtx.py", line 481, in xml
    return e_views.evtx_record_xml_view(self)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 204, in evtx_record_xml_view
    return render_root_node(record.root())
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 191, in render_root_node
    return render_root_node_with_subs(root_node, subs)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 176, in render_root_node_with_subs
    rec(c, acc)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 126, in rec
    rec(child, acc)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 166, in rec
    sub = render_root_node(sub.root())
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Views.py", line 182, in render_root_node
    for sub in root_node.substitutions():
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/BinaryParser.py", line 64, in __call__
    cache[key] = self.func(*args, **kw)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Nodes.py", line 1011, in substitutions
    self._chunk, self, type_, length=size)
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/Evtx/Nodes.py", line 468, in get_variant_value
    TypeClass = types[type_]
KeyError: 138

Thank you.

limonidisicilia avatar Sep 02 '18 09:09 limonidisicilia

thanks also to @limonidisicilia for providing a sample .evtx file.

i'm able to reproduce this issue, but haven't yet figured out how the data is supposed to be parsed.

the immediate "solution" is to register an exception handler, log the raw data, and skip the record. long term, I might be able to figure out the binary format (and/or will happily accept patches!).

williballenthin avatar Oct 01 '18 17:10 williballenthin
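The two technical points in the thread above, as an added example that is not python-evtx's own code: the decomposition of the unknown type byte 0x8A into the array flag 0x80 and the QWORD base type 0x0A, and the proposed immediate fix of catching the error, logging the raw data and skipping the record. Everything here is constructed for illustration: the record dicts are not real event data, render_constructed only stands in for record.xml(), and parse_qword_array assumes (this is not stated in the thread) that a 0x8A substitution is bounded by the size the library already passes as length=size and holds packed 8-byte little-endian elements with no count prefix.

```python
"""Added example, not python-evtx's own code.

Decodes a BinXML value-type byte the way the thread reasons about 0x8A
(array flag 0x80 | QWORD 0x0A), parses a size-bounded array-of-QWORD
substitution, and wraps record rendering so an unsupported type is logged
and skipped instead of aborting the whole dump.
"""
import logging
import struct

ARRAY_FLAG = 0x80   # high bit: "array of <base type>" (from the thread)
QWORD_TYPE = 0x0A   # base type 0x0A: unsigned 64-bit value (from the thread)

# Deliberately tiny type table holding only the type the thread names. The
# real table in Evtx/Nodes.py is larger; anything missing here raises
# KeyError, which is exactly the failure mode in the reported traceback.
BASE_TYPE_NAMES = {QWORD_TYPE: "QWORD"}

log = logging.getLogger("evtx_dump_example")


def split_type_byte(type_byte):
    """Return (is_array, base_type) for one BinXML value-type byte."""
    if not 0 <= type_byte <= 0xFF:
        raise ValueError("type byte must fit in one octet: %r" % type_byte)
    return bool(type_byte & ARRAY_FLAG), type_byte & 0x7F


def describe_type(type_byte):
    """Human-readable name, e.g. 0x8A -> 'array of QWORD'."""
    is_array, base = split_type_byte(type_byte)
    name = BASE_TYPE_NAMES.get(base, "unknown(0x%02X)" % base)
    return "array of " + name if is_array else name


def parse_qword_array(buf, size):
    """Parse the first `size` bytes of `buf` as packed little-endian QWORDs.

    Assumption (not stated in the thread): a 0x8A substitution is bounded by
    the size python-evtx already passes as `length=size` and holds 8-byte
    elements back to back with no count prefix.
    """
    if size > len(buf):
        raise ValueError("declared size %d exceeds buffer of %d bytes" % (size, len(buf)))
    if size % 8:
        raise ValueError("QWORD array size %d is not a multiple of 8" % size)
    return list(struct.unpack("<%dQ" % (size // 8), buf[:size]))


def dump_records(records, render):
    """Render every record; on KeyError (unknown variant type) log the record
    number, the decoded type and the raw bytes, then carry on.
    Returns (rendered_xml, skipped) so the caller can see what was dropped."""
    rendered, skipped = [], []
    for rec in records:
        try:
            rendered.append(render(rec))
        except KeyError as exc:
            type_byte = exc.args[0]
            log.warning("record %d: unsupported variant type %s (%s); raw=%s",
                        rec["num"], type_byte, describe_type(type_byte),
                        rec["raw"].hex())
            skipped.append((rec["num"], type_byte))
    return rendered, skipped


def render_constructed(rec):
    """Stand-in for record.xml(): mirrors `TypeClass = types[type_]` by looking
    the full type byte up in the tiny table, so a 0x8A record raises
    KeyError(138) just as in the issue."""
    if rec["type"] not in BASE_TYPE_NAMES:
        raise KeyError(rec["type"])
    (value,) = struct.unpack("<Q", rec["raw"][:8])
    return "<Data>%d</Data>" % value


# Constructed sample records (not real event data): two plain QWORD values
# and one array of two QWORDs, the unsupported 0x8A case from the thread.
SAMPLE_RECORDS = [
    {"num": 1, "type": 0x0A, "raw": struct.pack("<Q", 42)},
    {"num": 2, "type": 0x8A, "raw": struct.pack("<2Q", 1, 1 << 40)},
    {"num": 3, "type": 0x0A, "raw": struct.pack("<Q", 7)},
]


def demo():
    """Run the skip-and-log loop over the constructed records."""
    return dump_records(SAMPLE_RECORDS, render_constructed)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
    print(parse_qword_array(SAMPLE_RECORDS[1]["raw"], 16))
```

Running the block logs one warning for record 2 (type 138, "array of QWORD") with its raw bytes, and returns the XML for records 1 and 3, so a dump of a whole Microsoft-Windows-Ntfs%4Operational.evtx no longer dies on the first such record while the skipped ones stay visible in the log for later analysis.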

python-evtx seems to struggle with many WindowsX evtx files, to name a few:
- Microsoft-Windows-Kernel-PnP%4Configuration.evtx
- Microsoft-Windows-Storage-ClassPnP%4Operational.evtx
- Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
- Microsoft-Windows-AppModel-Runtime%4Admin.evtx

as a workaround I'm using PowerShell: Get-WinEvent -path .$item | foreach {$_.ToXml()} > "$item.xml"

limonidisicilia avatar Oct 10 '18 18:10 limonidisicilia