trailofbits / osquery-extensions

osquery extensions by Trail of Bits
https://blog.trailofbits.com/2017/12/14/announcing-the-trail-of-bits-osquery-extension-repository/
Apache License 2.0

Unable to build trailofbits on windows 10 with Visual Studio 16 2019 #68

Closed chouchouzzj closed 3 years ago

chouchouzzj commented 3 years ago

Well, based on https://github.com/trailofbits/osquery-extensions/blob/master/README.md

# Follow https://osquery.readthedocs.io/en/latest/development/building/

# and stop before the configure step

d: git clone --recurse-submodules https://github.com/trailofbits/osquery-extensions.git

cd d:\osquery

New-Item -ItemType SymbolicLink -Name external\extension_trailofbits -Target d:\osquery-extensions

cd d:\build

# Resume following the osquery build guide

cmake ../osquery/ -G "Visual Studio 16 2019" -A x64

cmake --build . --config Release --target package

And here are the errors:

Libtsk.lib (db_sqlite. Obj) : Error LNK2038: "RuntimeLibrary" mismatch detected:Value "MT_StaticRelease" mismatch value "MD_DynamicRelease" (in osquery_extension_group_main.obj) [D:\build\External\extension_trailofbits\ trailofbits_osquery_extensions.vcxProj]

Libcpmt.lib (xstol. Obj) : Error LNK2038: "RuntimeLibrary" mismatch detected:Value "MT_StaticRelease" mismatch value "MD_DynamicRelease" (in osquery_extension_group_main.obj) [D:\build\External\extension_trailofbits\ trailofbits_osquery_extensions.vcxProj]

Well, I set the properties of the project trailofbits_osquery_extensions in VS2019 ["Visual Studio 16 2019"]: Project -> properties -> configuration -> general -> configuration type: I changed it from application (.exe) to Static libraries (.lib), and it works!

218>trailofbits_osquery_extensions.vcxproj -> D:\build\external\extension_trailofbits\Debug\trailofbits_osquery_extensions.ext.exe

But it's too early to laugh..... I installed osquery-4.5.1.msi into the path c:\osquery\ and copied trailofbits_osquery_extensions.ext.exe to c:\osquery\, but when I run this:

.\osqueryi.exe --allow_unsafe --disable_extensions=false --extension .\trailofbits_osquery_extensions.ext.exe

here is the return:

c:\osquery>.\osqueryi.exe --allow_unsafe --disable_extensions=false --extension .\trailofbits_osquery_extensions.ext.exe
Using a virtual database. Need help, type '.help'
osquery> E1219 15:45:59.234822 19408 watcher.cpp:653] Cannot create extension process: .\trailofbits_osquery_extensions.ext.exe
c:\osquery>

Anyway, thanks for reading.. but can anyone tell me how to build and run it correctly?????? Help me.... T_T

mike-myers-tob commented 3 years ago

Hi @chouchouzzj ! There was a change upstream that recently started to link the C runtime library dynamically instead of statically on Windows. It has been fixed, so I will test now if we can build our extensions against the latest osquery upstream Master branch.

mike-myers-tob commented 3 years ago

Yep! That was it. Check out the latest core osquery and try again, or pull the latest changes into your branch. It should work.

PS C:\Projects\osquery\build> .\osquery\RelWithDebInfo\osqueryi.exe --allow_unsafe --disable_extensions=false --extension .\external\extension_trailofbits\RelWithDebInfo\trailofbits_osquery_extensions.ext.exe
Using a virtual database. Need help, type '.help'
osquery> SELECT * FROM HostBlacklist;
+---------+---------------------------+--------------+----------------+-----------+
| address | domain                    | sinkhole     | firewall_block | dns_block |
+---------+---------------------------+--------------+----------------+-----------+
|         | bitbucket.corp.ncrypt.com | 10.130.21.63 |                | UNMANAGED |
+---------+---------------------------+--------------+----------------+-----------+
osquery> .version
osquery 4.6.0-13-g6e9f8720
using SQLite 3.34.0