Evtx.BinaryParser.OverrunBufferException in file from memory

[atcuno]

Got this backtrace on a file pulled from memory during an investigation. Let me know if you need/want anymore information. It parses a couple XML records before backtracing.

Traceback (most recent call last):
  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 175, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 168, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 334, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 153, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 778, in __init__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 240, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 208, in no_length_handler
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 361, in unpack_dword
Evtx.BinaryParser.OverrunBufferException: Tried to parse beyond the end of the file (read: 0x7653b114, buffer length: 0x140000)

[atcuno]

Had a similar error in unpack_word on a different file:

Traceback (most recent call last):
  File "/usr/local/bin/evtx_dump.py", line 4, in <module>
    __import__('pkg_resources').run_script('python-evtx==0.6.1', 'evtx_dump.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 739, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1501, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 42, in <module>
    
  File "/usr/local/lib/python2.7/dist-packages/python_evtx-0.6.1-py2.7.egg/EGG-INFO/scripts/evtx_dump.py", line 37, in main
    
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 498, in xml
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 204, in evtx_record_xml_view
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 176, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 126, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 166, in rec
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 191, in render_root_node
  File "build/bdist.linux-x86_64/egg/Evtx/Views.py", line 175, in render_root_node_with_subs
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 168, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 159, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 177, in length
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 64, in __call__
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 334, in children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 153, in _children
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 528, in __init__
  File "build/bdist.linux-x86_64/egg/Evtx/Evtx.py", line 382, in add_string
  File "build/bdist.linux-x86_64/egg/Evtx/Nodes.py", line 198, in __init__
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 208, in no_length_handler
  File "build/bdist.linux-x86_64/egg/Evtx/BinaryParser.py", line 307, in unpack_word

[rareguy]

I had the same problem when trying to parse partially recovered EVTX. Turns out this behavior only occurs when you tried to parse a wrongly defined size of EVTX. For example the defined chunk count is 10 but when iterating, turns out that there are only 4 recovered chunks, that it tried to read 10 chunks.

AFAIK from the Evtx class, there is no method to ignore unrecovered chunks and just dump the available chunks. Perhaps this should be an enhancement or at least make the workaround in scripts folder.

Like for instance we can try to define chunk_count by iterating the chunks in the file rather than using the header metadata (word chunk_count), so that it won't try to iterate more than it needs to.