I've commented on the existing ticket to add support for enumerating named mutex objects on Windows. I put the following comment in the ticket just now:

I have created an entirely uninteresting proof-of-concept on HANDLE enumeration across all processes. This is done in usermode (no custom kernel module) using a series of reasonably well-known techniques, many of which date back well over a decade. The proof-of-concept can be found on github at

The proof-of-concept does no filtering by itself - it simply enumerates all HANDLEs across the system, looks up the name associated with the object the HANDLE references, and outputs several interesting fields including the PID, the HANDLE value, the object type number and name (mutex, file, registry key, window station, etc.) and the object name itself (the filename, the mutex name, the registry key name).
By running the proof-of-concept and piping to grep, it is easy to see how the results could be filtered down to just mutexes with a name matching a certain pattern.

The next step is to implement a proof-of-concept in osquery itself.
I realize it's not so easy as to just comment/add a few lines and get done with it. Anyways, will continue spending some more time on it. Thought I will share whatever I found so far.

| Severity | Code | Description | Project | File | Line | Suppression State |
|---|---|---|---|---|---|---|
| Error | C2220 | warning treated as error - no 'object' file generated | osquery_events | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include\xutility | 2372 | |
| Warning | C4996 | 'std::equal::_Unchecked_iterators::_Deprecate': Call to 'std::equal' with parameters that may be unsafe - this call relies on the caller to check that the passed values are correct. See documentation on how to use Visual C++ 'Checked Iterators' | osquery_events | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include\xutility | 2372 | |
| Error | C2220 | warning treated as error - no 'object' file generated | osquery_logger_plugins | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include\xutility | 2983 | |
| Warning | C4996 | 'std::copy::_Unchecked_iterators::_Deprecate': Call to 'std::copy' with parameters that may be unsafe - this call relies on the caller to check that the passed values are correct. To disable this warning, use -D_SCL_SECURE_NO_WARNINGS. See documentation on how to use Visual C++ 'Checked Iterators' | osquery_logger_plugins | C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\include\xutility | 2983 | |
| Error | C2220 | warning treated as error - no 'object' file generated | osquery_aws_util | C:\Program Files (x86)\Microsoft Visual Studio | | |

Here's the script I use to set my flags file (osqueryd looks for an osquery.flags and ):

```powershell
# Stop the service before rewriting its configuration files
Stop-Service -Name "osqueryd"

# Write the enrollment secret. The value of $secret_content is not shown on the page.
# The [IO.File] class prefix was dropped during extraction and is restored here.
$secret_filename = "c:\ProgramData\osquery\cret"
[IO.File]::WriteAllLines($secret_filename, $secret_content)

# Write the default flags file. The file name in $default_flagpath and the remaining
# flag lines are cut off on the page; the here-string wrapper for $content is assumed.
$default_flagpath = "C:\ProgramData\osquery\"
$content = @"
enroll_secret_path=C:\Programdata\osquery\cret
"@
[IO.File]::WriteAllLines($default_flagpath, $content)

# Make osquery.flags a symbolic link to the default flags file
# (the link target after -Value is cut off on the page).
$flagpath = "c:\ProgramData\osquery\osquery.flags"
New-Item -Path C:\ProgramData\osquery\osquery.flags -ItemType SymbolicLink -Value C:\ProgramData\osquery\
```
Disclaimer: I am not an expert on 'choco' and its package management.

I see the build breaking when there is an existing VS install, and that probably happens because of the side-by-side installation of the Windows 10 SDK (which the OSQuery script does) along with whatever was already on the system. This causes the SDK paths etc. to get messed up, as it adds a version number. Those paths then have to be manually fixed.

The current bat file installs all the dependent packages using choco. For an existing (i.e. not using choco) installation of the SDK, the script won't catch it and will end up doing a side-by-side install, and we land in a mess. One option is to make the script smart enough to detect the existing SDK installer, not only in the choco package list, but also from the local system.