ThorZIP: executable file not found in %PATH%

[simonstegard]

I'm trying to run Generic.Scanner.ThorZIP but it's not working. I have uploaded the zip using ThorZIP tool, I tried both zip with included license and unmodified zip downloaded directly from website, but same problem.

{"client_time":1731337531,"level":"INFO","message":"Starting query execution for Generic.Scanner.ThorZIP/ThorExec.\n"}
{"client_time":1731337531,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp391399109\n"}
{"client_time":1731337531,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp391399109\n"}
{"client_time":1731337532,"level":"DEFAULT","message":"Sleeping 7 Seconds\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"URL for thor10.7lite-win-pack_nolic.zip is at https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip and has hash of c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"Fetching https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"http_client: Downloading https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip into C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337542,"level":"DEFAULT","message":"downloaded hash of C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp: c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c, expected c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}
{"client_time":1731337542,"level":"DEFAULT","message":"copy: Copying file from C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp into C:\\Program Files\\Velociraptor\\Tools\\thor10.7lite-win-pack_nolic.zip\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"Adding global destructor for C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"Generic.Scanner.ThorZIP/ThorExec: Time 0: Generic.Scanner.ThorZIP/ThorExec: Sending response part 0 3 B (1 rows)."}
{"client_time":1731337544,"level":"DEFAULT","message":"read_file: Field filename Expecting a path arg type, not types.Null\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"Generic.Scanner.ThorZIP/ThorExec: Time 0: Generic.Scanner.ThorZIP/ThorResultsJson: Sending response part 0 12 B (1 rows)."}
{"client_time":1731337544,"level":"INFO","message":"Collection Generic.Scanner.ThorZIP/ThorExec is done after 13.4206963s\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"RemoveDirectory: removing tempdir C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337545,"level":"DEFAULT","message":"RemoveDirectory: removed tempdir C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337545,"level":"DEBUG","message":"Query Stats: {\"RowsScanned\":3061,\"PluginsCalled\":18,\"FunctionsCalled\":9,\"ProtocolSearch\":459,\"ScopeCopy\":6167}\n"}

[Neo23x0]

Could you send us a screenshot of the directory structure inside of that ZIP file? The binary is probably just inside of a sub folder instead of the root folder.

[simonstegard]

HI! Here is a screenshot of the zip file

[Neo23x0]

The structure looks okay.

As you can see the problem is that it doesn't find the executable after the extraction

{"client_time":1731337543,"level":"DEFAULT","message":"Adding global destructor for C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}

It could be caused by:

• AV / EDR
• almost full hard disk
• File gets removed / ZIP modified by web proxy

[simonstegard]

Hi!

Thanks, I checked and there's nothing blocked by EDR, when we run ThorLite by itself it works.
I have 17GB hard drive space left
The zip file is downloaded correctly to C:\Program Files\Velociraptor\Tools, also seems like the hash is correct:

{"client_time":1731337542,"level":"DEFAULT","message":"downloaded hash of C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp: c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c, expected c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}

[Neo23x0]

Do you have an idea what this message means?

{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}

when we run ThorLite by itself it works.

It means something but not everything, because an EDR could behave differently when something runs in the SYSTEM context and in different folders.

[Neo23x0]

Could you verify the SHA256 hash of the ZIP file before you upload it to the Azure storage?

[gibranalvinda]

same issue,

[Neo23x0]

Let me know when you've found the reason.

[gibranalvinda]

I have fixed it by changing it from:

LET Exec <= SELECT * FROM execve(argv=array(
a=[(Executable[0]).F, "--json", "-e", TmpDir],
b=[if(condition= CMDLine = "" OR CMDLine = "." OR CMDLine = " ", then=[], else=(CMDs[0]).C)]
)
)

to

LET Exec <= SELECT * FROM execve(argv=[(Executable[0]).F, "--json", "-e", TmpDir])