7-zip compressor issue ?

[DoNck]

Hi,

I encounter issues opening dfir-orc crafted 7z archives using py7z python library.
According to @miurahr from py7z, something is wrong on the dfir-orc side, see: issue 359 at py7zr.
Could you please have a look a the problem ? Test cases are attached to the issue.

Best regards

[sc-anssi]

Hi,
Just to let you know that we are still investigating the issue.
In the mean time, a workaround can be to use libraries which rely on the 7z binary (like patool) or to write the wrapping code yourself.
We'll come back to you when we have more news about the matter.
Regards

[fabienfl-orc]

Hello, this is fixed with the fresh 10.0.22 release. It will be also working with upcoming 10.1.0-rc8.

FYI the issue with 7z library is that it expects NULL stream for empty files but we processed empty files like the others.

[amaulave]

Hello @fabienfl-orc @sc-anssi

I downloaded 10.0.22 release and unfortunately I still have an error when I tried to extract the 7z archive with py7zr:

$ py7zr x Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z out
Traceback (most recent call last):
  File "/usr/local/bin/py7zr", line 8, in <module>
    sys.exit(main())
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/__main__.py", line 25, in main
    return cli.Cli().run()
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/cli.py", line 99, in run
    return args.func(args)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/cli.py", line 356, in run_extract
    a.extractall(path=args.odir, callback=cb)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 948, in extractall
    self._extract(path=path, return_dict=False, callback=callback)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 604, in _extract
    self.worker.extract(
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 1198, in extract
    if not any([self.target_filepath.get(f.id, None) for f in folders[i].files]):
TypeError: 'NoneType' object is not iterable


$ py7zr t Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
Testing archive: Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
--
Path = Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
Type = 7z
Phisical Size = 173442461
Headers Size = 1108
Method = LZMA2
Solid = +
Blocks = 44

Bad 7zip file

If I uncompress then recompress the archive using 7-Zip tool without modification to files, the new archive can be proceed without issues:

$ py7zr t Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
Testing archive: Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
--
Path = Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
Type = 7z
Phisical Size = 173337431
Headers Size = 1004
Method = LZMA2
Solid = +
Blocks = 1

Everything is Ok


$ py7zr x Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z out2
$ echo $?
0

[sc-anssi]

Hi @amaulave,
Your error seems to be a different problem: please open a new issue with all the info we need to reproduce it (including the sample archive triggering the bug and DFIR-ORC's configuration)

Regards