binary parser: correctly parse systemtime

also add tests thanks to @patatetom
williballenthin · Jul 17, 2017 · c9eaef0 · c9eaef0
1 parent 94970af
commit c9eaef0
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 7 deletions.
diff --git a/Evtx/BinaryParser.py b/Evtx/BinaryParser.py
@@ -98,9 +98,9 @@ def dosdate(dosdate, dostime):
         minute  = (t & 0b0000011111100000) >> 5
         hour    = (t & 0b1111100000000000) >> 11
 
-        return datetime.datetime(year, month, day, hour, minute, sec)
+        return datetime(year, month, day, hour, minute, sec)
     except:
-        return datetime.datetime.min
+        return datetime.min
 
 
 def parse_filetime(qword):
@@ -529,13 +529,13 @@ def unpack_systemtime(self, offset):
         """
         o = self._offset + offset
         try:
-            parts = struct.unpack_from("<WWWWWWWW", self._buf, o)
+            parts = struct.unpack_from("<HHHHHHHH", self._buf, o)
         except struct.error:
             raise OverrunBufferException(o, len(self._buf))
-        return datetime.datetime(parts[0], parts[1],
-                                 parts[3],  # skip part 2 (day of week)
-                                 parts[4], parts[5],
-                                 parts[6], parts[7])
+        return datetime(parts[0], parts[1],
+                        parts[3],  # skip part 2 (day of week)
+                        parts[4], parts[5],
+                        parts[6], parts[7])
 
     def unpack_guid(self, offset):
         """

diff --git a/tests/data/issue_39.evtx b/tests/data/issue_39.evtx
diff --git a/tests/test_issue_39.py b/tests/test_issue_39.py
@@ -0,0 +1,48 @@
+import os
+import pytest
+
+import Evtx.Evtx as evtx
+
+from fixtures import *
+
+
+
+def one(iterable):
+    '''
+    fetch a single element from the given iterable.
+
+    Args:
+      iterable (iterable): a sequence of things.
+
+    Returns:
+      object: the first thing in the sequence.
+    '''
+    for i in iterable:
+        return i
+
+
+def get_child(node, tag, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"):
+    return node.find("%s%s" % (ns, tag))
+
+
+def get_children(node, tags, ns="{http://schemas.microsoft.com/win/2004/08/events/event}"):
+    for tag in tags:
+        node = get_child(node, tag, ns=ns)
+    return node
+
+
+def test_systemtime(data_path):
+    '''
+    regression test demonstrating issue 39.
+
+    Args:
+      data_path (str): the file system path of the test directory.
+    '''
+    with evtx.Evtx(os.path.join(data_path, 'issue_39.evtx')) as log:
+        for record in log.records():
+            if record.record_num() != 129:
+                continue
+
+            time_created = get_children(record.lxml(), ['System', 'TimeCreated'])
+            assert time_created.get('SystemTime') == '2017-04-21 07:41:17.003393'
+