hi everyone👋 I just released a osquery extension I've been working on for a bit, lief-osquery, https://github.com/puffyCid/lief-osquery Its an extension that lets u parse PE and MACHO file formats (similar to elf tables for the linux version of osquery). It uses LIEF (Library to Instrument Executable Formats, https://lief.quarkslab.com/) to parse the executable files and displays a variety information (imported/exported functions, basic binary info, libraries used, binary sections, and sig information for PE files) Its pretty simple right now if anyone has suggestions/feedback on things to change or add let me know! Thanks!

This is cool! And maybe something we'd like to add to osquery core?

I agree it would kind of cool if the LIEF library was included into core Though I'm not really sure what the process is for adding additional libraries/dependencies to osquery

for sure the PE-parsing table would be new functionality for osquery; it's something our team at Trail of Bits has thought about adding but never got around to it

I just watched the osquery office hours yesterday Just to follow up on this thread I think it would be cool include this extension functionality into core by adding LIEF as a dependency But I'm not sure if osquery has specific requirements for dependencies? For context on LIEF: Its primarily maintained by a single person (though a company does sponsor it) It doesn't really have a set release schedule (ex: over a year between version 10 and 11) But the library is pretty much stable/complete I think (macho and pe formats r not really going to go through major formatting changes so having a bunch of releases may not make sense?) If there is still a desire to add this core I can try looking to see how to get it included though I'm not a cmakelist expert

I'm not opposed, although if you ask about this in #core you can get opinions from the guys that manage the build and dependencies