
I want to retrieve some OS information using osquery through a C++ client. I have seen Python bindings for the same but don't see any sample in C++ to use osquery. Any idea how this can be done?

I don't want to extend the osquery functionality, hence an extension will not help. I just want to fetch some information.

Baab
  • [The SDK documentation](https://osquery.readthedocs.io/en/stable/development/osquery-sdk/) has a plugin example. And [the source code](https://github.com/osquery/osquery) is available to read and use for help and reference (including tests). – Some programmer dude Jan 03 '23 at 17:24
  • Other than that, why not invoke [the `osqueryi` command-line tool](https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/) and parse the output? It seems to be able to output JSON for which there are some nice C++ libraries which can parse it. – Some programmer dude Jan 03 '23 at 17:25
  • In fact, osquery-python is intended to develop extensions. So, as @Someprogrammerdude said, you can call osqueryi https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/ – BRT Jan 03 '23 at 17:30
  • Thank you! As for the SDK documentation, it appears that extensions are used for extending the osquery functionality. I don't want to extend the functionality but just query some information. For using osqueryi, is it a good and standard way to query the information? – Baab Jan 03 '23 at 17:36
  • If we look at this page: https://github.com/osquery/osquery-python under "Connect to an existing socket": this example shows how to connect to an existing osquery Thrift socket. This is Python code. How can I do this in C++ using the osquery SDK? Is there any corresponding C++ sample? – Baab Jan 04 '23 at 08:12
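The `osqueryi --json` route suggested in the comments, as an added example that is not code from the question, the comments or the answer: it spawns osqueryi directly with fork/exec, so the SQL text is handed over as one argument and never re-parsed by a shell, and it parses the flat JSON rows osqueryi prints. It assumes that `osqueryi` is on PATH and that its JSON output is an array of flat objects whose values are all strings (which is how osquery reports column values).

```cpp
// Added example (not from the page): run local osqueryi in --json mode without a
// shell and parse rows. Assumes osqueryi on PATH, flat string-valued JSON objects.
#include <map>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>
using Row = std::map<std::string, std::string>;

// Copy the JSON string at s[i]=='"' into out (decodes \" \\ \/ \n \t \r); returns index past closing quote.
static size_t readString(const std::string& s, size_t i, std::string& out) {
  for (++i; i < s.size() && s[i] != '"'; ++i) {
    if (s[i] != '\\' || i + 1 >= s.size()) { out += s[i]; continue; }
    char e = s[++i]; out += e == 'n' ? '\n' : e == 't' ? '\t' : e == 'r' ? '\r' : e;
  }
  return i + 1;
}

// Parse [{"col":"val",...},...]: inside an object literals alternate key, value, so two states suffice.
std::vector<Row> parseRows(const std::string& json) {
  std::vector<Row> rows; Row cur; std::string key;
  bool inObj = false, haveKey = false;
  for (size_t i = 0; i < json.size();) {
    char c = json[i];
    if (c == '{') { inObj = true; cur.clear(); haveKey = false; ++i; }
    else if (c == '}') { rows.push_back(cur); inObj = false; ++i; }
    else if (c == '"' && inObj) {
      std::string s;
      i = readString(json, i, s);
      if (haveKey) cur[key] = s; else key = s;
      haveKey = !haveKey;
    } else ++i;  // '[', ']', ',', ':' and whitespace carry no data here
  }
  return rows;
}

// fork/exec osqueryi: the SQL is one argv element, never re-parsed by /bin/sh. Empty result on failure.
std::vector<Row> runOsqueryi(const std::string& sql) {
  int fd[2]; if (pipe(fd) != 0) return {};
  pid_t pid = fork(); if (pid < 0) return {};
  if (pid == 0) {  // child: route stdout into the pipe, then exec
    dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
    execlp("osqueryi", "osqueryi", "--json", sql.c_str(), (char*)nullptr);
    _exit(127);
  }
  close(fd[1]); std::string out; char buf[4096]; ssize_t n;
  while ((n = read(fd[0], buf, sizeof buf)) > 0) out.append(buf, n);
  close(fd[0]); int st = 0; waitpid(pid, &st, 0);
  return WIFEXITED(st) && WEXITSTATUS(st) == 0 ? parseRows(out) : std::vector<Row>{};
}
```

On a host with osquery installed, `runOsqueryi("SELECT hostname, cpu_brand FROM system_info;")` returns one row keyed by those two column names; `parseRows` can be exercised on captured osqueryi output without an install.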

1 Answer


osquery has a couple of ways to talk to other things.

The common way is through the TLS API. This is commonly used to talk to remote servers, but could just as well be a local process over TCP.

But, it sounds like you're asking about the local socket.

osquery opens a socket and uses the Thrift protocol on it. On POSIX systems this is a named pipe; on Windows it's over in the pipe system. While this is most commonly used for extensions expanding osquery's functionality, it can also be used for distributed read/write (e.g. you can talk Thrift, issue queries and get their responses).

The Go and Python SDKs are language-specific, opinionated SDKs built on top of the simple Thrift API. I don't remember what we distribute for C++; that's normally very tangled in the rest of osquery.

If you want to talk to an osquery process over the socket, I would recommend you use the Thrift definition https://github.com/osquery/osquery/blob/master/osquery/extensions/thrift/osquery.thrift to generate classes to talk to it.

seph