RuntimeError: Unknown AttributeType: 0100 #2

Open
CR-OmerYampel opened this issue Feb 6, 2020 · 8 comments

@CR-OmerYampel

Getting this on an MFT file from a Windows 10 host:

        for entry in parser.entries():
            if isinstance(entry, RuntimeError):
                continue

            data = {"mft_id": entry.entry_id}
            i = 0
            for attribute in entry.attributes():
                ...

@omerbenamram
Owner

@CR-OmerYampel Are you using the latest version?
I've fixed some similar issues in the 0.5.0 version.
If you are using it - is there any chance you could provide a sample in some way?

@CR-OmerYampel
Author

CR-OmerYampel commented Feb 6, 2020

I cannot provide a sample, but I am using the right version (mft==0.5.0).

For what it's worth, this is happening on MFT entry ID 5, which seems to be the root MFT entry in my table:

The screenshot shows the MFT table processed by another tool:

image

See how MFT ID 5 (first column is MFT ID) has mostly blank values, and is the parent to a bunch of NTFS files ($...).

@CR-OmerYampel
Author

CR-OmerYampel commented Feb 6, 2020

Another piece of feedback: there's no way to skip a specific "failed" attribute (for example, in this case, I would like to get as much information out of the entry as possible, but since .attributes() is a function call, I cannot try/catch the specific failing attribute and move on to the next one).

@omerbenamram
Owner

@CR-OmerYampel

  1. MFT ID 5 is always the root.
  2. It might be something with the sample that is not supported, since there is no 0x0100 attribute type AFAIK. Are other samples working for you?
  3. Regarding skipping attributes - I'll try to see what I can do.

@CR-OmerYampel
Author

I tried this on another Win10 MFT, same error.

@omerbenamram
Owner

@CR-OmerYampel I've found a sample where this happens.

There are two separate issues:

  1. This seems to be related to BitLocker AFAIK (http://www.c-jump.com/bcc/t256t/Week04NtfsReview/W01_0240_mft_attribute_types.htm) - 0x0100 is:
     0x100 (256) $LOGGED_UTILITY_STREAM - Keys and other information about encrypted attributes (NTFS 3.0+; Windows 2000+)
  2. The Python binding is raising too eagerly.

I'll try to see if I can fix the binding to be more relaxed.
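
An added example, not part of the thread and not the mft library's code: a standalone walker over the attribute headers of one MFT FILE record that names type 0x100 and reports unrecognized types instead of raising, so the remaining attributes are still returned. The record bytes are constructed, `walk_attributes` and `build_sample_record` are hypothetical names, and 0x110 is a made-up type code used as the unknown case.

```python
import struct

# NTFS attribute type codes; 0x100 is the one named in this thread.
ATTR_TYPES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM",
}
END_MARKER = 0xFFFFFFFF


def walk_attributes(record: bytes):
    """Yield (type_code, name_or_None, length) for each attribute header in one
    FILE record. Unknown types are reported with name None and skipped by their
    declared length; only a broken length field stops the walk (ValueError)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    (offset,) = struct.unpack_from("<H", record, 0x14)  # offset of first attribute
    while offset + 8 <= len(record):
        type_code, length = struct.unpack_from("<II", record, offset)
        if type_code == END_MARKER:
            return
        # A zero, unaligned or overlong length would loop forever or read
        # outside the record, so that is the one unrecoverable case.
        if length < 16 or length % 8 or offset + length > len(record):
            raise ValueError(f"bad attribute length {length} at {offset:#x}")
        yield type_code, ATTR_TYPES.get(type_code), length
        offset += length


def build_sample_record() -> bytes:
    """Constructed test input: a FILE record with header-only attributes."""
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    attrs = b"".join(
        struct.pack("<II", code, 24) + bytes(16)
        for code in (0x10, 0x30, 0x100, 0x110)  # 0x110 is a made-up unknown type
    )
    return bytes(header) + attrs + struct.pack("<I", END_MARKER) + bytes(4)


if __name__ == "__main__":
    for code, name, length in walk_attributes(build_sample_record()):
        print(f"{code:#06x} {name or 'UNKNOWN (skipped)'} len={length}")
```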

@omerbenamram
Owner

@CR-OmerYampel I've just pushed 0.5.1 fixing both of these issues to CI. Should be available on PyPI in about 20 minutes or so.

Please try it and let me know if it solves the issues :)

@omerbenamram
Owner

@CR-OmerYampel ?
