Allow querying of kernel and filesystem drivers #8119

Merged
merged 4 commits into from
Sep 22, 2023

Conversation

@joshdhart joshdhart commented Aug 23, 2023

Fixes #6852

Windows "Services" can be created as drivers too.
Currently osquery has no way to query info about File System Drivers or Kernel Drivers that are registered as "Services", as the "drivers" table rightly only includes Device Drivers.

Local testing done:

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT * FROM services WHERE name LIKE 'wof';"
+------+--------------------+-------------------------------------------+---------+-----+------------+-----------------+-------------------+------+-------------+-------------+--------------+
| name | service_type       | display_name                              | status  | pid | start_type | win32_exit_code | service_exit_code | path | module_path | description | user_account |
+------+--------------------+-------------------------------------------+---------+-----+------------+-----------------+-------------------+------+-------------+-------------+--------------+
| Wof  | FILE_SYSTEM_DRIVER | Windows Overlay File System Filter Driver | RUNNING | 0   | BOOT_START | 0               | 0                 |      |             |             |              |
+------+--------------------+-------------------------------------------+---------+-----+------------+-----------------+-------------------+------+-------------+-------------+--------------+

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT * FROM services WHERE name LIKE 'ws2ifsl';"
+---------+---------------+-----------------------------------------------------------------+---------+-----+--------------+-----------------+-------------------+------------------------------------------+-------------+--------------------+--------------+
| name    | service_type  | display_name                                                    | status  | pid | start_type   | win32_exit_code | service_exit_code | path                                     | module_path | description        | user_account |
+---------+---------------+-----------------------------------------------------------------+---------+-----+--------------+-----------------+-------------------+------------------------------------------+-------------+--------------------+--------------+
| ws2ifsl | KERNEL_DRIVER | Windows Socket 2.0 Non-IFS Service Provider Support Environment | RUNNING | 0   | SYSTEM_START | 0               | 0                 | \SystemRoot\system32\drivers\ws2ifsl.sys |             | Winsock IFS Driver |              |
+---------+---------------+-----------------------------------------------------------------+---------+-----+--------------+-----------------+-------------------+------------------------------------------+-------------+--------------------+--------------+

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT count(*) FROM services;"
+----------+
| count(*) |
+----------+
| 619      |
+----------+

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT count(*) FROM services WHERE service_type LIKE '%PROCESS%';"
+----------+
| count(*) |
+----------+
| 252      |
+----------+

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT count(*) FROM services WHERE service_type LIKE '%DRIVER%';"
+----------+
| count(*) |
+----------+
| 367      |
+----------+

C:\Source\osquery\build\osquery\RelWithDebInfo>osqueryi.exe "SELECT count(*) FROM services WHERE service_type LIKE 'unknown';"
+----------+
| count(*) |
+----------+
| 0        |
+----------+
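The queries above run against the live Windows service control manager, so they cannot be reproduced off-box. The following added example (not part of this PR or of osquery's own code) rebuilds the services table schema shown in the output above in an in-memory SQLite database, loads the two driver rows from the local testing plus two constructed rows (an ordinary process service and a hypothetical driver service with a non-standard image path), and runs the PR's service_type counts alongside a defender-oriented hunt: driver-type services whose path is outside the usual system driver directories. The sample rows, the service name oddkrnl and the system-directory patterns are assumptions for the example, not values taken from the PR.

```python
import sqlite3

# Column set copied from the osqueryi output in the PR description.
SERVICES_COLUMNS = (
    "name", "service_type", "display_name", "status", "pid", "start_type",
    "win32_exit_code", "service_exit_code", "path", "module_path",
    "description", "user_account",
)

# Constructed sample rows: the two driver rows from the PR's local testing,
# plus an invented process service and an invented driver service whose image
# lives in a user-writable directory (so the hunt query has something to flag).
SAMPLE_ROWS = [
    ("Wof", "FILE_SYSTEM_DRIVER", "Windows Overlay File System Filter Driver",
     "RUNNING", 0, "BOOT_START", 0, 0, "", "", "", ""),
    ("ws2ifsl", "KERNEL_DRIVER",
     "Windows Socket 2.0 Non-IFS Service Provider Support Environment",
     "RUNNING", 0, "SYSTEM_START", 0, 0,
     r"\SystemRoot\system32\drivers\ws2ifsl.sys", "", "Winsock IFS Driver", ""),
    ("Spooler", "OWN_PROCESS", "Print Spooler (constructed)", "RUNNING", 1234,
     "AUTO_START", 0, 0, r"C:\Windows\System32\spoolsv.exe", "", "",
     "LocalSystem"),
    ("oddkrnl", "KERNEL_DRIVER", "Example driver (constructed)", "STOPPED", 0,
     "DEMAND_START", 0, 0, r"C:\Users\Public\oddkrnl.sys", "", "", ""),
]


def build_services_db(rows=SAMPLE_ROWS):
    """Create an in-memory stand-in for osquery's Windows services table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (%s)" % ", ".join(SERVICES_COLUMNS))
    placeholders = ", ".join("?" * len(SERVICES_COLUMNS))
    conn.executemany("INSERT INTO services VALUES (%s)" % placeholders, rows)
    conn.commit()
    return conn


def count_by_type_pattern(conn, pattern):
    """Same shape as the PR's count(*) ... WHERE service_type LIKE ... checks.

    SQLite LIKE is case-insensitive for ASCII, matching osquery's behaviour
    in the PR output (LIKE 'wof' returned the 'Wof' row).
    """
    row = conn.execute(
        "SELECT count(*) FROM services WHERE service_type LIKE ?", (pattern,)
    ).fetchone()
    return row[0]


def driver_services_outside_system_dirs(conn):
    """Hunt: kernel/file-system driver services with an unusual image path.

    Rows with an empty path (common for boot-start drivers, as with Wof above)
    are skipped here rather than flagged; the directory patterns are an
    assumption for this example and would be tuned per environment.
    """
    sql = r"""
        SELECT name, service_type, path
        FROM services
        WHERE service_type LIKE '%DRIVER%'
          AND path != ''
          AND path NOT LIKE '\SystemRoot\system32\drivers\%'
          AND path NOT LIKE 'system32\drivers\%'
          AND path NOT LIKE 'C:\Windows\System32\drivers\%'
        ORDER BY name
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_services_db()
    for pattern in ("%PROCESS%", "%DRIVER%", "unknown"):
        print(pattern, count_by_type_pattern(db, pattern))
    for name, stype, path in driver_services_outside_system_dirs(db):
        print("review:", name, stype, path)
```

On a real host the same SQL runs unchanged in osqueryi once this PR's change is present; before it, the '%DRIVER%' count is zero because driver-type services were not returned at all.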

@joshdhart joshdhart requested review from a team as code owners August 23, 2023 23:56
@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 23, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

Member

@sharvilshah sharvilshah left a comment

hey @joshdhart thanks for the PR! can you please run clang-format on the file? Once that check passes, that will make the CI trigger the other workflows.

@joshdhart
Contributor Author

@sharvilshah CI checks are now passing.

@sharvilshah sharvilshah added this to the 5.10.0 milestone Aug 31, 2023
@sharvilshah
Member

@joshdhart I have added this to the 5.10.0 milestone, and I will try and get this reviewed in a few days.

@joshdhart
Contributor Author

Any update on the review?

@Smjert Smjert merged commit f50c2b6 into osquery:master Sep 22, 2023
16 checks passed
Development

Successfully merging this pull request may close these issues.

Windows "drivers" table is incomplete - only includes device drivers
3 participants