Skip to content

Frequently Asked Questions (FAQ)

Mike Cohen edited this page Jan 19, 2021 · 1 revision

FAQ

How to sign the stand alone collector?

If you just try to sign the stand alone collector as produced by Velociraptor this will fail. This is because the produced collector is a PE binary with a zip file on the end of it. When Velociraptor appends the zip file it extends the last section (.rsrs section) to cover it so we can sign the binary safely. If you use the normal collector - it takes the release binary (which is signed) and appends the zip file on the end so then when signtool tries to sign it, the signature is not at the end, it is in the middle of the file. In the past there was a vuln about this MS12-024, so since then it refuses to sign such a thing.

The way to make it work is to package an unsigned binary in the collector then sign it you can get an unsigned binary by using signtool /remove on the release binary or getting one of the CI builds. Then in the tool setup screen you can upload the unsigned binary as the VelociraptorWindows tool. This will make that binary package with the collector since it has no signature at all, the signtool will sign it properly

Clone this wiki locally