Stack Trace error in evtxanalyze pstree function #53

Bitbee0 · 2024-07-16T11:28:20Z

$ RUST_BACKTRACE=full evtxanalyze pstree C/Windows/system32/winevt/logs/Security.evtx
thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/dfir-toolkit-0.11.1/src/bin/evtxanalyze/pstree/mod.rs:113:32:
not implemented
stack backtrace:
   0:     0x651a98f6a595 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h1e1a1972118942ad
   1:     0x651a98f8ffeb - core::fmt::write::hc090a2ffd6b28c4a
   2:     0x651a98f6817f - std::io::Write::write_fmt::h8898bac6ff039a23
   3:     0x651a98f6a36e - std::sys_common::backtrace::print::ha96650907276675e
   4:     0x651a98f6b7d9 - std::panicking::default_hook::{{closure}}::h215c2a0a8346e0e0
   5:     0x651a98f6b51d - std::panicking::default_hook::h207342be97478370
   6:     0x651a98f6bc73 - std::panicking::rust_panic_with_hook::hac8bdceee1e4fe2c
   7:     0x651a98f6bb1b - std::panicking::begin_panic_handler::{{closure}}::h00d785e82757ce3c
   8:     0x651a98f6aa59 - std::sys_common::backtrace::__rust_end_short_backtrace::h1628d957bcd06996
   9:     0x651a98f6b887 - rust_begin_unwind
  10:     0x651a98d54af3 - core::panicking::panic_fmt::hdc63834ffaaefae5
  11:     0x651a98d54b9c - core::panicking::panic::h75b3c9209f97d725
  12:     0x651a98d924b4 - evtxanalyze::pstree::display_pstree::h44ac47616d5fba87
  13:     0x651a98d76369 - evtxanalyze::main::h60fb41a6bd6acf7e
  14:     0x651a98d8adf3 - std::sys_common::backtrace::__rust_begin_short_backtrace::hf8e3739b3bc5913a
  15:     0x651a98d950dd - std::rt::lang_start::{{closure}}::hd23f5b2f2ef9b843
  16:     0x651a98f609a0 - std::rt::lang_start_internal::h3ed4fe7b2f419135
  17:     0x651a98d76bc5 - main
  18:     0x721869e29d90 - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  19:     0x721869e29e40 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:392:3
  20:     0x651a98d551a5 - _start
  21:                0x0 - <unknown>

Logs.zip

$ RUST_BACKTRACE=full evtxanalyze pstree C/Windows/system32/winevt/logs/Microsoft-Windows-Sysmon%4Operational.evtx 
thread 'main' panicked at /home/user/.cargo/registry/src/index.crates.io-6f17d22bba15001f/dfir-toolkit-0.11.1/src/bin/evtxanalyze/pstree/mod.rs:42:28:
error reading event: DeserializationError(InvalidEvtxRecordHeaderMagic { magic: [0, 0, 0, 0] })
stack backtrace:
   0:     0x5cd34c1cb595 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h1e1a1972118942ad
   1:     0x5cd34c1f0feb - core::fmt::write::hc090a2ffd6b28c4a
   2:     0x5cd34c1c917f - std::io::Write::write_fmt::h8898bac6ff039a23
   3:     0x5cd34c1cb36e - std::sys_common::backtrace::print::ha96650907276675e
   4:     0x5cd34c1cc7d9 - std::panicking::default_hook::{{closure}}::h215c2a0a8346e0e0
   5:     0x5cd34c1cc51d - std::panicking::default_hook::h207342be97478370
   6:     0x5cd34c1ccc73 - std::panicking::rust_panic_with_hook::hac8bdceee1e4fe2c
   7:     0x5cd34c1ccb54 - std::panicking::begin_panic_handler::{{closure}}::h00d785e82757ce3c
   8:     0x5cd34c1cba59 - std::sys_common::backtrace::__rust_end_short_backtrace::h1628d957bcd06996
   9:     0x5cd34c1cc887 - rust_begin_unwind
  10:     0x5cd34bfb5af3 - core::panicking::panic_fmt::hdc63834ffaaefae5
  11:     0x5cd34bfb5f86 - core::result::unwrap_failed::h82b551e0ff2b2176
  12:     0x5cd34c003de5 - <core::iter::adapters::flatten::FlattenCompat<I,U> as core::iter::traits::iterator::Iterator>::fold::flatten::{{closure}}::h28ec9dcb80200a46
  13:     0x5cd34c003f91 - <core::iter::adapters::flatten::FlattenCompat<I,U> as core::iter::traits::iterator::Iterator>::fold::flatten::{{closure}}::hfc5f7070817d2d0f
  14:     0x5cd34c0028be - <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold::hbce22964fedb764b
  15:     0x5cd34bff22c0 - evtxanalyze::pstree::display_pstree::h44ac47616d5fba87
  16:     0x5cd34bfd7369 - evtxanalyze::main::h60fb41a6bd6acf7e
  17:     0x5cd34bfebdf3 - std::sys_common::backtrace::__rust_begin_short_backtrace::hf8e3739b3bc5913a
  18:     0x5cd34bff60dd - std::rt::lang_start::{{closure}}::hd23f5b2f2ef9b843
  19:     0x5cd34c1c19a0 - std::rt::lang_start_internal::h3ed4fe7b2f419135
  20:     0x5cd34bfd7bc5 - main
  21:     0x723fc4629d90 - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  22:     0x723fc4629e40 - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:392:3
  23:     0x5cd34bfb61a5 - _start
  24:                0x0 - <unknown>

The text was updated successfully, but these errors were encountered:

Bitbee0 added the bug Something isn't working label Jul 16, 2024

Bitbee0 assigned janstarke Jul 16, 2024

janstarke linked a pull request Jul 23, 2024 that will close this issue

53 stack trace error in evtxanalyze pstree function #56

Merged

janstarke mentioned this issue Jul 23, 2024

53 stack trace error in evtxanalyze pstree function #56

Merged

janstarke closed this as completed in #56 Jul 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack Trace error in evtxanalyze pstree function #53

Stack Trace error in evtxanalyze pstree function #53

Bitbee0 commented Jul 16, 2024

Stack Trace error in evtxanalyze pstree function #53

Stack Trace error in evtxanalyze pstree function #53

Comments

Bitbee0 commented Jul 16, 2024