PowerShell 5.1 UTF-16LE output not recognized by rdump as a valid input for RecordStreamReader #138
I've tested this a bit on Windows 10 (PowerShell 5.1), and it looks like the output is UTF-16-LE, but still mangled for some bytes. So decoding it using UTF-16-LE will not get back the original raw bytes. Examples dumped using the I'm using
HexDumps:
The
You can see there are some We can add some basic detection and raise a warning.
Whilst I understand most of us don't use PowerShell when executing (advanced) Dissect commands in correspondence with rdump, it is currently not (by default) possible to use any records originating from a PowerShell 5.1 process (stdin or as a file) as an input for rdump.
Unfortunately, PowerShell (version 5.1, by default installed on all Windows machines) outputs data in UTF-16LE. This is not visible in the command prompt but provides issues when piping records to rdump or using records you just stored as a file. The UTF-16LE data as an input is not recognized and dealt with accordingly by the RecordStreamReader class.
Just a side note and if you're experiencing the same issue, cmd.exe and PowerShell version 6 and 7 by default do output data in UTF-8 and therefore do not experience this issue.
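A sketch of the "basic detection and raise a warning" idea from the comment above, as an added example that is not code from this project or from either poster. All function names are hypothetical, the sample bytes are constructed, and the cp437 step is only an assumed stand-in for how the shell re-encodes bytes; it also shows why decoding UTF-16LE does not give the raw bytes back.

```python
import io
import warnings

UTF16LE_BOM = b"\xff\xfe"

def looks_like_utf16le(head: bytes, min_pairs: int = 8, ratio: float = 0.7) -> bool:
    """True if head starts with a UTF-16LE BOM or is mostly <byte, NUL> pairs."""
    if head.startswith(UTF16LE_BOM):
        return True
    pairs = [head[i:i + 2] for i in range(0, len(head) - 1, 2)]
    if len(pairs) < min_pairs:
        return False
    hits = sum(1 for p in pairs if p[0] != 0 and p[1] == 0)
    return hits / len(pairs) >= ratio

def warn_if_reencoded(fh, peek: int = 64) -> bool:
    """Peek (without consuming) at a buffered binary stream and warn on UTF-16LE."""
    head = fh.peek(peek)[:peek]
    if not looks_like_utf16le(head):
        return False
    warnings.warn(
        "input looks like UTF-16LE text, not a binary record stream; "
        "it may have passed through a PowerShell 5.1 pipe or redirect",
        RuntimeWarning,
    )
    return True

def naive_recover(data: bytes) -> bytes:
    """Decode UTF-16LE and squeeze back to one byte per character."""
    text = data[2:] if data.startswith(UTF16LE_BOM) else data
    return text.decode("utf-16-le").encode("latin-1", errors="replace")

# Constructed sample, not a real record stream: a binary header with high bytes.
RAW = bytes([0x00, 0x00, 0x00, 0x0F]) + b"SAMPLE-HEADER\n" + bytes([0x92, 0xC4, 0x8A, 0xFF])
# Assumption for illustration: the shell decoded the bytes with an OEM code
# page (cp437 here) and wrote the resulting string back out as UTF-16LE.
MANGLED = UTF16LE_BOM + RAW.decode("cp437").encode("utf-16-le")

if __name__ == "__main__":
    stream = io.BufferedReader(io.BytesIO(MANGLED))
    print("warned:", warn_if_reencoded(stream))
    print("round-trips:", naive_recover(MANGLED) == RAW)
```

The check only flags the input so the reader can fail with a clear message; it does not attempt to repair it.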