[Fix #3268] extensions autoload now correctly spawns extension processes (#3269)

include/osquery/system.h

@@ -143,10 +143,10 @@ class Initializer : private boost::noncopyable {
   static void platformSetup();
 
   /**
-  * @brief Before ending, tear down any platform specific setup
-  *
-  * On windows, we require the COM libraries be initialized just once
-  */
+   * @brief Before ending, tear down any platform specific setup
+   *
+   * On windows, we require the COM libraries be initialized just once
+   */
   static void platformTeardown();
 
  public:
@@ -358,10 +358,10 @@ std::string getAsciiTime();
 Status createPidFile();
 
 /**
-* @brief Getter for determining Admin status
-*
-* @return A bool indicating if the current process is running as admin
-*/
+ * @brief Getter for determining Admin status
+ *
+ * @return A bool indicating if the current process is running as admin
+ */
 bool isUserAdmin();
 
 #ifdef WIN32
@@ -371,4 +371,4 @@ struct tm* gmtime_r(time_t* t, struct tm* result);
 
 struct tm* localtime_r(time_t* t, struct tm* result);
 #endif
-}
+} // namespace osquery

osquery/core/watcher.cpp

@@ -197,7 +197,8 @@ void WatcherRunner::start() {
 
     // Loop over every managed extension and check sanity.
     for (const auto& extension : Watcher::extensions()) {
-      if (!isChildSane(*extension.second)) {
+      auto s = isChildSane(*extension.second);
+      if (!s.ok()) {
         // The extension manager also watches for extension-related failures.
         // The watchdog is more general, but may find failed extensions first.
         createExtension(extension.first);
@@ -361,7 +362,12 @@ Status WatcherRunner::isWatcherHealthy(const PlatformProcess& watcher,
 }
 
 QueryData WatcherRunner::getProcessRow(pid_t pid) const {
-  return SQL::selectAllFrom("processes", "pid", EQUALS, INTEGER(pid));
+  // On Windows, pid_t = DWORD, which is unsigned. However invalidity
+  // of processes is denoted by a pid_t of -1. We check for this
+  // by comparing the max value of DWORD, or ULONG_MAX
+  int p =
+      (isPlatform(PlatformType::TYPE_WINDOWS) && pid == ULONG_MAX) ? -1 : pid;
+  return SQL::selectAllFrom("processes", "pid", EQUALS, INTEGER(p));
 }
 
 Status WatcherRunner::isChildSane(const PlatformProcess& child) const {
@@ -547,4 +553,4 @@ size_t getWorkerLimit(WatchdogLimitType name) {
   }
   return kWatchdogLimits.at(name).normal;
 }
-}
+} // namespace osquery

osquery/core/windows/process.cpp

@@ -71,7 +71,8 @@ bool PlatformProcess::operator!=(const PlatformProcess& process) const {
 }
 
 int PlatformProcess::pid() const {
-  return static_cast<int>(::GetProcessId(id_));
+  auto pid = (id_ == INVALID_HANDLE_VALUE) ? -1 : GetProcessId(id_);
+  return static_cast<int>(pid);
 }
 
 bool PlatformProcess::kill() const {
@@ -338,4 +339,4 @@ std::shared_ptr<PlatformProcess> PlatformProcess::launchPythonScript(
 
   return process;
 }
-}
+} // namespace osquery

osquery/dispatcher/dispatcher.cpp

@@ -155,4 +155,4 @@ void Dispatcher::stopServices() {
     DLOG(INFO) << "Service: " << service.get() << " has been interrupted";
   }
 }
-}
+} // namespace osquery

osquery/extensions/extensions.cpp

@@ -751,4 +751,4 @@ Status startExtensionManager(const std::string& manager_path) {
 
   return Status(0, "OK");
 }
-}
+} // namespace osquery

osquery/extensions/interface.cpp

@@ -229,7 +229,7 @@ bool ExtensionManagerHandler::exists(const std::string& name) {
   }
   return false;
 }
-}
+} // namespace extensions
 
 ExtensionRunnerCore::~ExtensionRunnerCore() {
   remove(path_);
@@ -322,4 +322,4 @@ void ExtensionManagerRunner::start() {
                  << path_ << ") (" << e.what() << ")";
   }
 }
-}
+} // namespace osquery

osquery/filesystem/filesystem.cpp

@@ -502,4 +502,4 @@ Status parseJSONContent(const std::string& content, pt::ptree& tree) {
   }
   return Status(0, "OK");
 }
-}
+} // namespace osquery

osquery/tables/system/windows/processes.cpp

@@ -27,7 +27,6 @@
 #include <osquery/tables.h>
 
 #include "osquery/core/conversions.h"
-#include "osquery/core/utils.h"
 #include "osquery/core/windows/wmi.h"
 
 namespace osquery {
@@ -35,21 +34,6 @@ int getUidFromSid(PSID sid);
 int getGidFromSid(PSID sid);
 namespace tables {
 
-std::set<long> getSelectedPids(const QueryContext& context) {
-  std::set<long> pidlist;
-  if (context.constraints.count("pid") > 0 &&
-      context.constraints.at("pid").exists(EQUALS)) {
-    for (const auto& pid : context.constraints.at("pid").getAll<int>(EQUALS)) {
-      if (pid > 0) {
-        pidlist.insert(pid);
-      }
-    }
-  }
-
-  /// If there are no constraints, pidlist will be an empty set
-  return pidlist;
-}
-
 void genProcess(const WmiResultItem& result, QueryData& results_data) {
   Row r;
   Status s;
@@ -157,7 +141,20 @@ QueryData genProcesses(QueryContext& context) {
 
   std::string query = "SELECT * FROM Win32_Process";
 
-  auto pidlist = getSelectedPids(context);
+  std::set<long> pidlist;
+  if (context.constraints.count("pid") > 0 &&
+      context.constraints.at("pid").exists(EQUALS)) {
+    for (const auto& pid : context.constraints.at("pid").getAll<int>(EQUALS)) {
+      if (pid > 0) {
+        pidlist.insert(pid);
+      }
+    }
+    // None of the constraints returned valid pids, bail out early
+    if (pidlist.size() == 0) {
+      return results;
+    }
+  }
+
   if (pidlist.size() > 0) {
     std::vector<std::string> constraints;
     for (const auto& pid : pidlist) {