#extensions

Jean M

09/13/2021, 9:11 AM
Hello, (about the same extension) I’m having problems running the extension in Windows. I was wondering if the problem had happened before with someone else… If I load the extension manually (first osquery --nodisable_extensions, then ./extension --socket …) it works fine. However, if I use osquery --extension or the extensions.load file, an error message shows when trying to create the extension process; osqueryd seems to be booting… but then it quits in a strange way. I’m using the --allow_nosafe option but I don’t think it is related. Any idea?
PS C:\Program Files\osquery> .\osqueryd\osqueryd.exe --flagfile osquery.flags --verbose
I0913 01:37:43.778841  4896 init.cpp:342] osquery initialized [version=4.7.0]
I0913 01:37:43.825711  4896 system.cpp:342] Found stale process for osqueryd (10920)
I0913 01:37:43.825711  4896 system.cpp:374] Writing osqueryd pid (5116) to \Program Files\osquery\osqueryd.pidfile
I0913 01:37:43.825711  4896 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.825711  4896 dispatcher.cpp:78] Adding new service: WatcherRunner (000001AB7BFC9F30) to thread: 13760 (000001AB7DB4FCC0) in process 5116
I0913 01:37:43.841331 13760 watcher.cpp:613] osqueryd watcher (5116) executing worker (10352)
E0913 01:37:43.856961 13760 watcher.cpp:653] Cannot create extension process: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.856961  4896 dispatcher.cpp:149] Thread: 4896 requesting a stop
...
I0913 01:37:46.891346 13672 watcher.cpp:667] osqueryd worker (10352) detected killed watcher (5116)
I0913 01:37:46.891346 12320 dispatcher.cpp:149] Thread: 12320 requesting a stop
I0913 01:37:46.891346 12320 dispatcher.cpp:156] Service: 0000021774EF2CB0 has been interrupted
...
Full log at: https://pastebin.com/Ygm7CGX1 (112233). I’ve used procmon and I couldn’t find any attempt to launch the extension process. While doing that, I noticed a werfault.exe was being executed. Looking at Windows Events it seems osquery crashed:
Faulting application name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Faulting module name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Exception code: 0xc0000005
Fault offset: 0x00000000009da964
Faulting process id: 0x37c0
Faulting application start time: 0x01d7a87be147ff10
Faulting application path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Faulting module path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Report Id: e7704eb3-e66d-439b-aa1f-331f195cb88c
Faulting package full name: 
Faulting package-relative application ID:
1:31 PM
It seems that it has to do with the file extension used. Using “.exe” in Windows fixes the problem… I thought it was necessary to use .ext (as exemplified in the documentation).

seph

09/13/2021, 7:53 PM
Windows requires executables to be .exe files. The other platforms have no such requirements and the .ext is customary but not required.
7:54 PM
Other platforms require the binary to have the executable bit set.
Mike Myers

09/13/2021, 8:42 PM
Good to know that there was a quick workaround, but would you mind filing an issue about this on GitHub? If this crashes osqueryd then there must be something to fix.