trailofbits
diff --git a/‎README.md
+11-8 b/‎README.md
+11-8
diff --git a/‎windows_sync_objects/.platforms
+1 b/‎windows_sync_objects/.platforms
+1
diff --git a/‎windows_sync_objects/CMakeLists.txt
+41 b/‎windows_sync_objects/CMakeLists.txt
+41
diff --git a/‎windows_sync_objects/README.md
+52 b/‎windows_sync_objects/README.md
+52
@@ -4,13 +4,14 @@ This repository includes [osquery](https://osquery.io/) [extensions](https://osq
 
 [Extensions](https://osquery.readthedocs.io/en/stable/deployment/extensions/) are a type of osquery add-on that can be loaded at runtime to provide new virtual tables, with capabilities that go beyond the limitations of mainline osquery. Trail of Bits has developed extensions to provide tables that can _manage_ service configurations as well as _view_ them (currently pending the merge of [PR4094](https://github.com/facebook/osquery/pull/4094)), or that can cross-check information on the host with external third-party services. The extensions interface is commonly used to address individual organizations' needs, or to implement proprietary detection methods. Here we use it to demonstrate some pioneering use cases of osquery. To learn more, view our talk ([slides](https://github.com/trailofbits/presentations/tree/master/Osquery%20Extensions), [video](https://www.youtube.com/watch?v=g46rjoP18EE)) from QueryCon 2018.
 
-| Extension      | Description | Supported Endpoints |
-|    :-:         |    :-:      |         :-:         |
-| efigy          | Integrates osquery with the Duo Labs EFIgy API to determine if the EFI firmware on your Mac fleet is up-to-date. | macOS |
-| santa          | Integrates osquery with the Santa application whiteslisting solution. Check DENY events and manage the whitelist/blacklist rules. | macOS |
-| fwctl          | Provides osquery with the ability to view and manage the OS-native firewall rules and `/etc/hosts` file (port and host blocking). | macOS, Linux, Windows |
-| ntfs_forensics | Provides osquery with NTFS-specific forensic information for incident responders. | Windows |
-| (more to come) | ...  | ...   |
+| Extension            | Description | Supported Endpoints |
+|          :-:         |    :-:      |         :-:         |
+| efigy                | Integrates osquery with the Duo Labs EFIgy API to determine if the EFI firmware on your Mac fleet is up-to-date. | macOS |
+| santa                | Integrates osquery with the Santa application whiteslisting solution. Check DENY events and manage the whitelist/blacklist rules. | macOS |
+| fwctl                | Provides osquery with the ability to view and manage the OS-native firewall rules and `/etc/hosts` file (port and host blocking). | macOS, Linux, Windows |
+| ntfs_forensics       | Provides osquery with NTFS-specific forensic information for incident responders. | Windows |
+| windows_sync_objects | Provides osquery with the ability of listing and locking Windows synchronization objects (mutants, events, semaphores). | Windows |
+| (more to come)       | ...  | ...   |
 
 ## Dependencies
 
@@ -30,7 +31,9 @@ So, for Windows, after cloning the osquery repository and cherry-picking the com
 2. Uninstall the boost-msvc14 package that osquery's scripts just installed: `choco uninstall boost-msvc14`
 3. Build the Boost package from source (at a Powershell prompt): `.\tools\provision\chocolatey\boost-msvc14.ps1`
 4. Enter the folder where the package was created: `cd .\build\chocolatey\boost-msvc14\boost_1_66_0\osquery-choco`
-5. Run `choco install -s . .\boost-msvc14.1.66.0-r1.nupkg` to install the Boost package you just built.
+5. Run `choco install -s . .\boost-msvc14.1.66.0-r2.nupkg` to install the Boost package you just built.
+
+In case you want a binary package, we have uploaded one in the [releases](https://github.com/trailofbits/osquery-extensions/releases) page.
 
 ##### macOS
 
 
@@ -0,0 +1 @@
+WINDOWS
@@ -0,0 +1,41 @@
+# Copyright (c) 2018 Trail of Bits, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cmake_minimum_required(VERSION 3.10)
+project(windows_sync_objects)
+
+function(main)
+  set(project_common_source_files
+    src/winapi.h
+
+    src/objectmanager.h
+    src/objectmanager.cpp
+
+    src/windowssyncobjects.h
+    src/windowssyncobjects.cpp
+  )
+
+  set(project_include_dirs
+    "${CMAKE_CURRENT_SOURCE_DIR}/src"
+  )
+
+  add_osquery_extension_ex("WindowsSyncObjectsTablePlugin" "table" "windows_sync_objects"
+    SOURCES ${project_common_source_files}
+    INCLUDEDIRS ${project_include_dirs}
+    MAININCLUDES windowssyncobjects.h
+    LIBRARIES
+  )
+endfunction()
+
+main()
@@ -0,0 +1,52 @@
+# windows_sync_objects Extension
+
+This extension provides a list of all mutants, semaphores and events on the system. Additionally, the user is able to create and destroy his own objects using INSERT and DELETE queries.
+
+## Schema
+
+| Column         | Type | Description                                    |
+|----------------|------|------------------------------------------------|
+| type           | TEXT | Either Mutant, Event or Semaphore              |
+| path           | TEXT | The folder path                                |
+| name           | TEXT | The object name                                |
+| field1_name    | TEXT | Name for custom field 1                        |
+| field1_value   | TEXT | Value for custom field 1                       |
+| field2_name    | TEXT | Name for custom field 2                        |
+| field2_value   | TEXT | Value for custom field 2                       |
+| field3_name    | TEXT | Name for custom field 3                        |
+| field3_value   | TEXT | Value for custom field 3                       |
+
+### Event objects
+1. **field1**: Notification or Synchronization.
+2. **field2**: Signaled
+
+### Mutant objects
+1. **field1**: CurrentCount
+2. **field2**: OwnedByCaller
+3. **field3**: AbandonedState
+
+### Semaphore objects
+1. **field1**: CurrentCount
+2. **field2**: MaximumCount
+
+
+## Usage
+
+### Creating a new mutant object
+``` sql
+INSERT INTO windows_sync_objects
+  (type, path, name)
+
+VALUES
+  ('Mutant', '\BaseNamedObjects', 'trailofbits_mutex');
+```
+
+### Removing an object
+
+``` sql
+DELETE FROM windows_sync_objects
+WHERE name = 'trailofbits_mutex';
+```
+
+## License
+The code in this repository is licensed under the [Apache 2.0 license](../LICENSE).