Skip to content

CLI QuickTextRender output utf-8 #1804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

CLI QuickTextRender output utf-8 #1804

wants to merge 1 commit into from

Conversation

cam0200
Copy link

@cam0200 cam0200 commented May 10, 2025
edited
Loading

Volatility would running into an error when pipping Unicode output in Powershell (whether writing to file or terminal)

POC command:
python .\vol.py -f C:\<path>\memdump.dmp windows.filescan.FileScan | Select-String -Pattern '\.\w{2}\b'

Volatility 3 Framework 2.26.2
Traceback (most recent call last):
  File "C:\tools\volatility3\vol.py", line 11, in <module>
    volatility3.cli.main()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "C:\tools\volatility3\volatility3\cli\__init__.py", line 927, in main
    CommandLine().run()
    ~~~~~~~~~~~~~~~~~^^
  File "C:\tools\volatility3\volatility3\cli\__init__.py", line 515, in run
    renderer.render(grid)
    ~~~~~~~~~~~~~~~^^^^^^
  File "C:\tools\volatility3\volatility3\cli\text_renderer.py", line 330, in render
    grid.populate(visitor, outfd)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "C:\tools\volatility3\volatility3\framework\renderers\__init__.py", line 323, in populate
    accumulator = function(treenode, accumulator)
  File "C:\tools\volatility3\volatility3\cli\text_renderer.py", line 325, in visitor
    accumulator.write("{}".format("\t".join(line)))
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python313\Lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
           ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UnicodeEncodeError: 'charmap' codec can't encode characters in position 15-22: character maps to <undefined>

The change that is implemented will force output text to be utf-8 encoded.

@cam0200
Copy link
Author

cam0200 commented May 10, 2025

Looks like similar issue was reported here: #1754

@ikelos
Copy link
Member

ikelos commented May 10, 2025

This appears to be python/windows outputting in codepage 1252 for some reason (I don't know if that's the default for python on windows, or information passed by the terminal, etc):

File "C:\Python313\Lib\encodings\cp1252.py", line 19, in encode

I believe volatility already outputs at utf-8, so I'd prefer to get more clarity as to exactly what's going wrong (is it volatility outputting a bad character, or is it python misrepresenting the output stream to the terminal, etc)... Otherwise my concern is that the errors='replace' may affect information that's relied on for forensic purposes.

A good test would be to pipe the output to a file and verify whether the file is all valid utf-8 or not. If it is, then there's some other issue somewhere is the connection between the terminal and python, if not we can take a look at which character is invalid and see if we can figure out how it's happening...

@cam0200
Copy link
Author

cam0200 commented May 11, 2025

This is an example of attempting to output to a file, which results in the same issue

(venv) PS C:\tools\volatility3> python .\vol.py -f C:\<path>\memdump.dmp windows.filescan.FileScan >> C:\<path>\test-out.tsv
Traceback (most recent call last):B scanning finished
  File "C:\tools\volatility3\vol.py", line 11, in <module>
    volatility3.cli.main()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "C:\tools\volatility3\volatility3\cli\__init__.py", line 927, in main
    CommandLine().run()
    ~~~~~~~~~~~~~~~~~^^
  File "C:\tools\volatility3\volatility3\cli\__init__.py", line 515, in run
    renderer.render(grid)
    ~~~~~~~~~~~~~~~^^^^^^
  File "C:\tools\volatility3\volatility3\cli\text_renderer.py", line 330, in render
    grid.populate(visitor, outfd)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "C:\tools\volatility3\volatility3\framework\renderers\__init__.py", line 323, in populate
    accumulator = function(treenode, accumulator)
  File "C:\tools\volatility3\volatility3\cli\text_renderer.py", line 325, in visitor
    accumulator.write("{}".format("\t".join(line)))
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python313\Lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
           ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UnicodeEncodeError: 'charmap' codec can't encode characters in position 15-22: character maps to <undefined>

The point that it breaks at appears to be this output from windows.filescan.FileScan plugin
쮭蔌�쮭蔌�

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cam0200 @ikelos