Windows Specific Functionality

Many VQL plugins and functions provide access to the Windows APIs. The following are only available when running on Windows.

appcompatcache

Plugin

Parses the appcompatcache.

authenticode

Function

This plugin uses the Windows API to extract Authenticode signature details from PE files.

Because it relies on the Windows API, it works only with the “file” accessor.

Arg Description Type
filename The filename to parse. string (required)

certificates

Plugin

Collect certificates from the system trust store.

dns

Plugin

Monitor DNS queries.

This plugin opens a raw socket and monitors network traffic for DNS questions and answers.

When Velociraptor attempts to open a raw socket, Windows Defender sometimes treats that as suspicious behavior and quarantines the Velociraptor binary. This can be avoided by signing the binary, which signals to Windows Defender that the binary is legitimate.

If you do not intend to build Velociraptor from source, use the official signed Velociraptor binaries which should not trigger alerts from Windows Defender.

handles

Plugin

Enumerate process handles.

Arg Description Type
pid The PID whose handles to enumerate. int64 (required)

interfaces

Plugin

List all active interfaces.

lookupSID

Function

Get information about the SID.

modules

Plugin

Enumerate loaded DLLs.

Arg Description Type
pid The PID whose loaded modules to enumerate. int64 (required)

netstat

Plugin

Collect network information.

partitions

Plugin

List all partitions.

Arg Description Type
all If specified, list all partitions. bool

proc_dump

Plugin

Dumps process memory.

Dumps a process into a crashdump. The crashdump file can be opened with the Windows debugger as normal. The plugin returns the filename of the crash dump, which is a temporary file: it is removed when the query completes, so if you want to keep it, use the upload() plugin to send it to the server or otherwise copy it within the same query.

Arg Description Type
pid The PID to dump out. int64 (required)
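The proc_dump plus upload() pattern described above, written out as an added example that is not part of the Velociraptor documentation. It assumes the standard pslist() plugin for process selection and that proc_dump() reports the dump path in a column named FullPath; the process name is a constructed placeholder.

```vql
-- Added example (not from the original page). Dumps every process whose name
-- matches ProcessRegex and uploads the crashdump to the server inside the same
-- query, because proc_dump() deletes its temporary file once the query completes.
-- Assumptions: pslist() is the standard process listing plugin, and proc_dump()
-- returns the dump path in a FullPath column.

-- Constructed placeholder; replace with the process name of interest.
LET ProcessRegex = "(?i)^example\\.exe$"

LET Targets = SELECT Pid, Name
  FROM pslist()
  WHERE Name =~ ProcessRegex

SELECT Pid, Name, DumpPath, Upload
FROM foreach(
  row=Targets,
  query={
    SELECT Pid, Name,
           FullPath AS DumpPath,
           -- upload() copies the dump to the server before the temp file is removed;
           -- the name embeds process name and PID so multiple dumps do not collide.
           upload(file=FullPath,
                  name=format(format="%v_%v.dmp", args=[Name, Pid])) AS Upload
    FROM proc_dump(pid=Pid)
  })
```

Each returned row carries both the local temporary path and the upload result, so the dump survives even though the temporary file is gone once the query finishes.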

proc_yara

Plugin

Scan processes using yara rules.

This plugin uses yara's own engine to scan process memory for the signatures.

Process memory access depends on holding SeDebugPrivilege, which in turn depends on how Velociraptor was started. Even when running as SYSTEM, some processes are not accessible.

Arg Description Type
rules Yara rules in the yara DSL. string (required)
files The list of files to scan. list of string (required)
accessor Accessor (e.g. NTFS) string
context How many bytes to include around each hit int
start The start offset to scan int64
end End scanning at this offset (100mb) int64
number Stop after this many hits (1). int64
blocksize Blocksize for scanning (1mb). int64
key If set use this key to cache the yara rules. string

read_reg_key

Plugin

This is a convenience plugin which applies the globs to the registry accessor to find keys. For each matching key the plugin lists all the values within it and returns a single row whose columns are the value names; each cell contains the value's stat info, with the data content available in its Data field.

This makes it easier to access a group of related values at once.

Arg Description Type
globs Glob expressions to apply. list of string (required)
accessor The accessor to use. string

srum_lookup_id

Function

Lookup a SRUM id.

Arg Description Type
file string (required)
accessor The accessor to use. string
id int64 (required)

token

Function

Extract process token.

Arg Description Type
pid The PID to get the token for. int64 (required)

users

Plugin

Display information about workstation local users. This is obtained through the NetUserEnum() API.

vad

Plugin

Enumerate process memory regions.

Arg Description Type
pid The PID whose memory regions to enumerate. int64 (required)

winobj

Plugin

Enumerate the Windows Object Manager namespace.

Arg Description Type
path Object namespace path. string

wmi

Plugin

Execute simple WMI queries synchronously.

This plugin issues a WMI query and returns its rows directly. The exact format of the returned row depends on the WMI query issued.

This plugin creates a bridge between WMI and VQL, and it is a very commonly used plugin for inspecting the state of Windows systems.

Arg Description Type
query The WMI query to issue. string (required)
namespace The WMI namespace to use (ROOT/CIMV2) string