Author: OlegasSubject: BUG: RamMap version 1.32 creates invalid RMP file
Posted: 27 May 2015 at 10:55pm
BUG: RamMap version 1.32 creates invalid XML RMP file which leads to the file is not accessible or is not a valid XML file error.
The bug presents itself when RAMMAP is executed on a system which accessed a file with alternative stream and alternative stream name contains certain characters. RamMap is able to display special characters correctly, but it doesn’t correctly encode them into resulting RMP XML file.
I noticed this problem while trying to load a production RMP file from Windows 2008 R2. Several files contain alternate stream that begins with 0x5
For example:
<File Key="-8108308282432" Path="C:\windows\system32\tasks\microsoft\windows\pla\new data collector set:|0v1ieca3feahez0jawxjjk5urh"/>
00000000h: 3C 46 69 6C 65 20 4B 65 79 3D 22 2D 38 31 30 38 33 30 38 32 38 32 34 33 32 22 20 50 61 74 68 3D ; <File Key="-8108308282432" Path=
00000020h: 22 43 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 74 61 73 6B 73 5C 6D 69 63 72 6F ; "C:\windows\system32\tasks\micro
00000040h: 73 6F 66 74 5C 77 69 6E 64 6F 77 73 5C 70 6C 61 5C 6E 65 77 20 64 61 74 61 20 63 6F 6C 6C 65 63 ; soft\windows\pla\new data collec
00000060h: 74 6F 72 20 73 65 74 3A 05 30 76 31 69 65 63 61 33 66 65 61 68 65 7A 30 6A 61 77 78 6A 6A 6B 35 ; tor set:.0v1ieca3feahez0jawxjjk5
00000080h: 75 72 68 22 2F 3E 0D 0A ; urh"/>..
It isn’t clear which component creates such alternate stream (TrendMicro, etc), but the problem is reproducible on demand via the steps below:
1. Compile the code snippet below in VS 2005 with Unicode character set
<CODE>
CString csFileName, csAltStreamName;
csFileName = "c:\\temp\\FileWithAltStream.txt";
csAltStreamName = "c:\\temp\\FileWithAltStream.txt:";
csAltStreamName += wchar_t(0x05); //you can change this to other values between 0x01 and 0x31
csAltStreamName += "AltStream";
hFile = CreateFile( csFileName,
if( hFile == INVALID_HANDLE_VALUE )
printf( "Cannot open file\n" );
WriteFile( hFile, "0123456789", 10, &dwRet, NULL );
hStream = CreateFile( csAltStreamName,
if( hStream == INVALID_HANDLE_VALUE )
printf( "Cannot open alternate stream!\n" );
WriteFile(hStream, "9876543210", 10, &dwRet, NULL);
</CODE>
2. Execute the newly compiled utility
3. Confirm that the file and the alternate stream were created via the Streams utility
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\temp\FileWithAltStream.txt:
4. Launch RamMap, switch to the File Summary tab.
5. Sort by Path and scroll down to C:\temp\. You should see the file and its alternate stream listed
6. Click File |Save to export output in XML
7. Close RamMap
8. Launch new RamMap instance and attempt to open the newly created RMP file
Expected results:
If I understand
Windows file naming convention correctly, it allows for 0x1 through 0x31 being included within alternate stream name.
RamMap should either replace or correctly encode those while saving output into XML RMP.
Actual results:
RamMap creates incorrectly encoded XML RMP file, which leads to "the file is not accessible or is not a valid XML file" error while loading previously created file.
Thank you,
Olegas
allforinternet2 wrote: