I just released an osquery extension I've been working on for a bit, lief-osquery, https://github.com/puffyCid/lief-osquery
It's an extension that lets you parse PE and Mach-O file formats (similar to the ELF tables for the Linux version of osquery).
It uses LIEF (Library to Instrument Executable Formats, https://lief.quarkslab.com/) to parse the executable files and displays a variety of information (imported/exported functions, basic binary info, libraries used, binary sections, and signature information for PE files).
It's pretty simple right now; if anyone has suggestions/feedback on things to change or add, let me know!
02/12/2021, 2:06 AM
This is cool! And maybe something we'd like to add to osquery core?
Thank you for sharing.
I see we already provide a lot of the equivalent information in the
02/12/2021, 4:13 AM
I agree it would be kind of cool if the LIEF library was included in core.
Though I'm not really sure what the process is for adding additional libraries/dependencies to osquery.
02/16/2021, 6:24 PM
For sure the PE-parsing table would be new functionality for osquery; it's something our team at Trail of Bits has thought about adding but never got around to it.
03/31/2021, 11:21 PM
I just watched the osquery office hours yesterday.
Just to follow up on this thread:
I think it would be cool to include this extension's functionality in core by adding LIEF as a dependency.
But I'm not sure if osquery has specific requirements for dependencies?
For context on LIEF:
It's primarily maintained by a single person (though a company does sponsor it).
It doesn't really have a set release schedule (e.g. over a year between version 10 and 11).
But the library is pretty much stable/complete, I think (Mach-O and PE formats are not really going to go through major formatting changes, so having a bunch of releases may not make sense?).
If there is still a desire to add this to core, I can try looking into how to get it included, though I'm not a CMakeLists expert.
04/01/2021, 5:31 PM
I'm not opposed, although if you ask about this in #core you can get opinions from the guys that manage the build and dependencies.