Open simonstegard opened 1 week ago
Could you send us a screenshot of the directory structure inside of that ZIP file? The binary is probably just inside of a subfolder instead of the root folder.
Hi! Here is a screenshot of the zip file.
The structure looks okay.
As you can see, the problem is that it doesn't find the executable after the extraction:

```json
{"client_time":1731337543,"level":"DEFAULT","message":"Adding global destructor for C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}
```
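An added example, not code from the thread participants, Velociraptor or THOR: a small Python script that parses client-log JSONL lines of the shape posted above and recovers what the OS was actually asked to run. Go's `os/exec` formats this failure as `exec: "<argv[0]>": executable file not found in %PATH%`, with the name quoted by `strconv.Quote`, so the value between the quotes is argv[0] exactly as the client passed it. The two log lines embedded below are copied from the post (constructed sample input, nothing else); the classification rule (an argv[0] wrapped in `[...]` that also carries option-looking tokens is a rendered list rather than a path) is the example's own heuristic.

```python
"""Recover argv[0] from a Velociraptor client-log execve failure.

Added example for this thread; not part of Velociraptor or THOR.
"""
import json
import re

# Constructed sample: the two execve lines posted in the issue, verbatim.
SAMPLE_LOG = r'''
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}
'''

# Go's os/exec error: exec: "<argv[0]>": executable file not found in %PATH%
# The name is produced by strconv.Quote, so backslashes and quotes are escaped.
EXEC_NOT_FOUND = re.compile(
    r'execve: exec: "(.*)": executable file not found in %PATH%'
)


def go_unquote(s: str) -> str:
    """Undo the escaping strconv.Quote applies to backslash and double quote."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_log(text: str):
    """Yield (client_time, level, message) for each non-empty JSONL line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        yield rec["client_time"], rec["level"], rec["message"].rstrip("\n")


def find_failed_argv0(text: str):
    """Return argv[0] from the first 'executable file not found' error, or None."""
    for _, _, msg in parse_log(text):
        m = EXEC_NOT_FOUND.search(msg)
        if m:
            return go_unquote(m.group(1))
    return None


def diagnose_argv0(argv0: str) -> dict:
    """Classify argv[0].

    A genuine program name is a single path (spaces such as 'Program Files'
    are fine on their own).  A value wrapped in [...] that also contains
    option-looking tokens is a list rendered to text: the whole command line,
    arguments included, was handed to the OS as one argv element, so no file
    by that name can exist.  This rule is the example's own heuristic.
    """
    rendered_list = argv0.startswith("[") and argv0.endswith("]")
    inner = argv0[1:-1] if rendered_list else argv0
    option_tokens = [t for t in inner.split() if t.startswith("-")]
    if rendered_list and option_tokens:
        verdict = "command line collapsed into argv[0]"
    else:
        verdict = "argv[0] is a plain program name; check that the path exists"
    return {
        "argv0": argv0,
        "rendered_list": rendered_list,
        "option_tokens": option_tokens,
        "verdict": verdict,
    }


if __name__ == "__main__":
    name = find_failed_argv0(SAMPLE_LOG)
    for key, value in diagnose_argv0(name).items():
        print(f"{key}: {value}")
```

Run it against a client log saved from the Velociraptor GUI (replace `SAMPLE_LOG` with the file contents) to separate "the binary really is not at that path" from "the program name the OS received is not a path at all"; the two look identical in the first `Running external command` line because Go prints a slice and a string containing brackets the same way.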
It could be caused by:
Hi!
Thanks, I checked and there's nothing blocked by EDR; when we run ThorLite by itself it works. I have 17 GB of hard drive space left. The zip file is downloaded correctly to C:\Program Files\Velociraptor\Tools, and the hash also seems to be correct:

```json
{"client_time":1731337542,"level":"DEFAULT","message":"downloaded hash of C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp: c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c, expected c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}
```
Do you have an idea what this message means?
```json
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
```
> when we run ThorLite by itself it works.
It means something but not everything, because an EDR could behave differently when something runs in the SYSTEM context and in different folders.
Could you verify the SHA256 hash of the ZIP file before you upload it to the Azure storage?
I'm trying to run Generic.Scanner.ThorZIP but it's not working. I have uploaded the zip using the ThorZIP tool. I tried both the zip with the included license and the unmodified zip downloaded directly from the website, but I get the same problem.