Hello about the same extension I m having problems running t osquery #extensions

Hello, (about the same extension) I’m having probl...

Jean M

09/13/2021, 9:11 AM

Hello, (about the same extension) I’m having problems running the extension in Windows I was wondering if the problem had happened before with someone else… if I load the extension manually (1st the osquery --nodisable_extensions then ./extension --socket …) it works fine. However, if I use osquery --extension or the extensions.load file, an error message shows when trying to create extension process, osqueryd seems to be booting… but then it quits in a strange way. I’m using --allow_nosafe option but I don’t think it is related. Any idea?

Copy code

PS C:\Program Files\osquery> .\osqueryd\osqueryd.exe --flagfile osquery.flags --verbose
I0913 01:37:43.778841  4896 init.cpp:342] osquery initialized [version=4.7.0]
I0913 01:37:43.825711  4896 system.cpp:342] Found stale process for osqueryd (10920)
I0913 01:37:43.825711  4896 system.cpp:374] Writing osqueryd pid (5116) to \Program Files\osquery\osqueryd.pidfile
I0913 01:37:43.825711  4896 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.825711  4896 dispatcher.cpp:78] Adding new service: WatcherRunner (000001AB7BFC9F30) to thread: 13760 (000001AB7DB4FCC0) in process 5116
I0913 01:37:43.841331 13760 watcher.cpp:613] osqueryd watcher (5116) executing worker (10352)
E0913 01:37:43.856961 13760 watcher.cpp:653] Cannot create extension process: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.856961  4896 dispatcher.cpp:149] Thread: 4896 requesting a stop
...
I0913 01:37:46.891346 13672 watcher.cpp:667] osqueryd worker (10352) detected killed watcher (5116)
I0913 01:37:46.891346 12320 dispatcher.cpp:149] Thread: 12320 requesting a stop
I0913 01:37:46.891346 12320 dispatcher.cpp:156] Service: 0000021774EF2CB0 has been interrupted
...

Full log at: https://pastebin.com/Ygm7CGX1 (112233). I’ve used

procmon

and I couldn’t find any attempt to launch the extension process. While doing that, I noticed a werfault.exe was being executed. Looking at Windows Events it seems osquery crashed:

Copy code

Faulting application name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Faulting module name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Exception code: 0xc0000005
Fault offset: 0x00000000009da964
Faulting process id: 0x37c0
Faulting application start time: 0x01d7a87be147ff10
Faulting application path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Faulting module path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Report Id: e7704eb3-e66d-439b-aa1f-331f195cb88c
Faulting package full name: 
Faulting package-relative application ID:

Jean M

09/13/2021, 1:31 PM

It seems that it has to do with the file extension used. Using “.exe” in Windows fixes the problem… I thought it was necessary to use .ext (as exemplified in the documentation).

seph

09/13/2021, 7:53 PM

Windows requires executables to be .exe files. The other platforms have no such requirements and the .ext is customary but not required.

seph

09/13/2021, 7:54 PM

Other platforms require the binary to have the executable but set

Mike Myers

09/13/2021, 8:42 PM

Good to know that there was a quick workaround, but would you mind filing an issue about this on GitHub? If this crashes

osqueryd

then there must be something to fix.

6 Views

Open in Slack

Previous Next