Situation
Windows 10 Pro / Python 3.8.5 / library used: python-evtx
While analyzing Windows event logs, the following error appeared.
Traceback (most recent call last):
File "D:/Pycharm/Project/evtx/test.py", line 15, in <module>
soup = BeautifulSoup(record.xml(), "lxml")
File "D:\Project\lib\site-packages\Evtx\Evtx.py", line 481, in xml
return e_views.evtx_record_xml_view(self)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "D:\Project\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 166, in rec
sub = render_root_node(sub.root())
File "D:\Project\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "D:\Project\lib\site-packages\Evtx\Views.py", line 159, in rec
sub = escape_value(sub.string())
File "D:\Project\lib\site-packages\Evtx\Nodes.py", line 1401, in string
return self.filetime().isoformat(' ')
File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
return parse_filetime(self.unpack_qword(offset))
File "D:\Project\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument
Process finished with exit code 1
Traceback (most recent call last):
File ".\python-evtx-master\scripts\evtx_dump.py", line 42, in
main()
File ".\python-evtx-master\scripts\evtx_dump.py", line 37, in main
print(record.xml())
File "C:\Python35\lib\site-packages\Evtx\Evtx.py", line 481, in xml
return e_views.evtx_record_xml_view(self)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 204, in evtx_record_xml_view
return render_root_node(record.root())
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 166, in rec
sub = render_root_node(sub.root())
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 191, in render_root_node
return render_root_node_with_subs(root_node, subs)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 176, in render_root_node_with_subs
rec(c, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 126, in rec
rec(child, acc)
File "C:\Python35\lib\site-packages\Evtx\Views.py", line 159, in rec
sub = escape_value(sub.string())
File "C:\Python35\lib\site-packages\Evtx\Nodes.py", line 1401, in string
return self.filetime().isoformat(' ')
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 205, in no_length_handler
return f(offset)
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 518, in unpack_filetime
return parse_filetime(self.unpack_qword(offset))
File "C:\Python35\lib\site-packages\Evtx\BinaryParser.py", line 109, in parse_filetime
return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
OSError: [Errno 22] Invalid argument
Python's datetime is said to have a limited range of representable times.
Detailed error description (https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp)
Return the UTC datetime corresponding to the POSIX timestamp, with tzinfo None. (The resulting object is naive.)
This may raise OverflowError, if the timestamp is out of the range of values supported by the platform C gmtime() function, and OSError on gmtime() failure. It’s common for this to be restricted to years in 1970 through 2038.
Translating only the key points gives the following. Papago also does a good job, so feel free to use Papago as well :)
--> A UTC datetime is tied to a POSIX timestamp. If the timestamp is out of range, an error is raised. The range is said to be 1970 to 2038.
So, in the library's BinaryParser.py,

    def parse_filetime(qword):
        # see http://integriography.wordpress.com/2010/01/16/using-phython-to-parse-and-present-windows-64-bit-timestamps/
        try:
            return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
        except (ValueError, OSError):
            return datetime.min

changing the `except ValueError` line as shown above (so that OSError is caught too) fixes the problem.
Or, in any other code, you can handle it with a try/except block in the same way :)
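The root cause is that utcfromtimestamp() hands the value to the platform gmtime(), which on Windows rejects anything before 1970, while a FILETIME of 0 means 1601-01-01 (a common value in event records). The following is an added example, not code from python-evtx or from the post: it keeps the page's try/except shape but, instead of collapsing every failure to datetime.min, falls back to a timedelta-based conversion from the 1601 epoch, so only values outside datetime's own range (years 1 to 9999) become the sentinel. The function names are my own.

```python
from datetime import datetime, timedelta

# Windows FILETIME: count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)
EPOCH_DIFF_SECONDS = 11644473600  # seconds from 1601-01-01 to 1970-01-01 (as in BinaryParser.py)


def parse_filetime_strict(qword):
    """The page's original conversion: via a POSIX timestamp.
    Raises OSError/ValueError/OverflowError when the platform gmtime() cannot represent it."""
    return datetime.utcfromtimestamp(float(qword) * 1e-7 - EPOCH_DIFF_SECONDS)


def parse_filetime_safe(qword):
    """Convert without touching gmtime(): pure datetime + timedelta arithmetic.
    Returns datetime.min only when the result leaves datetime's range (year 1..9999)."""
    if qword < 0:
        return datetime.min
    try:
        # Integer division keeps full microsecond precision and avoids float rounding.
        return FILETIME_EPOCH + timedelta(microseconds=qword // 10)
    except OverflowError:
        return datetime.min


def parse_filetime_with_fallback(qword):
    """Same structure as the patched parse_filetime in the post, but the except
    branch tries the platform-independent path before giving up on the value."""
    try:
        return parse_filetime_strict(qword)
    except (ValueError, OSError, OverflowError):
        return parse_filetime_safe(qword)


if __name__ == "__main__":
    # Constructed sample values: zero FILETIME (1601-01-01), a 2020 date, and all-ones.
    for sample in (0, 132518592000000000, 2**64 - 1):
        print(sample, "->", parse_filetime_with_fallback(sample))
```

When reviewing output, treat datetime.min (0001-01-01) as "timestamp could not be converted" rather than as a real event time.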