Add process monitor
Signed-off-by: Alan Jowett (from Dev Box) <[email protected]>
Alan-Jowett committed Mar 1, 2024
1 parent da4bd0e commit 51d8d9d
Showing 6 changed files with 459 additions and 51 deletions.
135 changes: 90 additions & 45 deletions ebpf-for-windows.sln
Expand Up @@ -213,11 +213,11 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "redist-package", "tools\red
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_stress_tests_km", "tests\stress\km\ebpf_stress_tests_km.vcxproj", "{4F082524-9496-44FA-8CBA-4BC0BDC62568}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper_um", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim", "external\usersim\src\usersim.vcxproj", "{030A7AC6-14DC-45CF-AF34-891057AB1402}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{89A12D43-9B91-3960-A6BF-E506122C207A}"
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim_dll_skeleton", "external\usersim\usersim_dll_skeleton\usersim_dll_skeleton.vcxproj", "{1937DB41-F3EB-4955-A636-6386DCB394F6}"
EndProject
Expand Down Expand Up @@ -249,6 +249,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ebpf_ext", "undocked
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ext_app", "tests\sample\ext\app\sample_ext_app.vcxproj", "{6D365515-DE92-4CEB-AB3D-5608719A8886}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "process_monitor", "tools\process_monitor\process_monitor.vcxproj", "{3DBF8A96-3883-448A-8BD3-B8C913A27F09}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM64 = Debug|ARM64
Expand Down Expand Up @@ -2667,48 +2669,48 @@ Global
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x64.Build.0 = Release|x64
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.ActiveCfg = Release|Win32
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.Build.0 = Release|Win32
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.Build.0 = Debug|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.ActiveCfg = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.Build.0 = Release|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.Build.0 = Debug|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.ActiveCfg = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.Build.0 = Release|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.ActiveCfg = Debug|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.Build.0 = Debug|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|x64.ActiveCfg = Debug|x64
Expand Down Expand Up @@ -3125,6 +3127,48 @@ Global
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x64.Build.0 = Release|x64
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.ActiveCfg = Release|x64
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.ActiveCfg = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.Build.0 = Debug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.ActiveCfg = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.Build.0 = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.ActiveCfg = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.Build.0 = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.ActiveCfg = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.Build.0 = NativeOnlyDebug|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.ActiveCfg = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.Build.0 = NativeOnlyRelease|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.Build.0 = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.ActiveCfg = Release|x64
{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
Expand Down Expand Up @@ -3190,7 +3234,7 @@ Global
{4F082524-9496-44FA-8CBA-4BC0BDC62568} = {492C9B22-9237-4996-9E33-CA14D3533616}
{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{030A7AC6-14DC-45CF-AF34-891057AB1402} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{89A12D43-9B91-3960-A6BF-E506122C207A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{018D6472-F71C-34B5-BB9B-6BC2A506DB5E} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{1937DB41-F3EB-4955-A636-6386DCB394F6} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{1FDAD2FD-EBD8-462A-B285-ED5174E55079} = {97D3096A-20FB-4ACB-A038-88E652FE61E3}
{9388DD45-7941-45D7-B4FF-BC00F550AF17} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
Expand All @@ -3202,6 +3246,7 @@ Global
{984080A6-5890-4ADE-BF8C-DC78EBAB0E8B} = {1A0E5E22-3CAD-412A-9268-F561A5462C77}
{C8D46543-5AE5-4E66-B9CE-8B84588B1C9E} = {984080A6-5890-4ADE-BF8C-DC78EBAB0E8B}
{6D365515-DE92-4CEB-AB3D-5608719A8886} = {492C9B22-9237-4996-9E33-CA14D3533616}
{3DBF8A96-3883-448A-8BD3-B8C913A27F09} = {B09749EC-3D14-414B-BA9B-CD20E218DC84}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {3D5F862D-74C6-4357-9F95-0B152E33B7B8}
35 changes: 29 additions & 6 deletions tests/sample/process_monitor.c
Expand Up @@ -25,6 +25,18 @@ typedef struct
uint8_t command_line[256];
} proces_entry_t;

typedef struct
{
uint64_t process_id;
proces_entry_t entry;
} process_create_event_t;

typedef struct
{
uint64_t process_id;
} process_delete_event_t;

// Map for running processes.
struct
{
__uint(type, BPF_MAP_TYPE_HASH);
Expand All @@ -33,6 +45,13 @@ struct
__uint(max_entries, 1024);
} process_map SEC(".maps");

// Ringbuffer for process events.
struct
{
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 1024 * 64);
} process_ringbuf SEC(".maps");

// For debug builds, limit the number of iterations in the loop to 16 to prevent the verifier from
// running for too long. For release builds, limit the number of iterations to 256.
#if defined(NDEBUG)
Expand Down Expand Up @@ -67,21 +86,25 @@ int
ProcessMonitor(process_md_t* ctx)
{
if (ctx->operation == PROCESS_OPERATION_CREATE) {
proces_entry_t entry;
__builtin_memset(&entry, 0, sizeof(entry));
entry.parent_process_id = ctx->parent_process_id;
process_create_event_t create_event;
__builtin_memset(&create_event, 0, sizeof(create_event));
create_event.entry.parent_process_id = ctx->parent_process_id;
create_event.process_id = ctx->process_id;
uint64_t process_id = ctx->process_id;

bounded_memcpy(
entry.command_line,
create_event.entry.command_line,
ctx->command_start,
sizeof(entry.command_line),
sizeof(create_event.entry.command_line),
(uint32_t)(ctx->command_end - ctx->command_start));

bpf_map_update_elem(&process_map, &process_id, &entry, BPF_ANY);
bpf_map_update_elem(&process_map, &process_id, &create_event.entry, BPF_ANY);
bpf_ringbuf_output(&process_ringbuf, &create_event, sizeof(create_event), 0);
} else if (ctx->operation == PROCESS_OPERATION_DELETE) {
process_delete_event_t delete_event = {.process_id = ctx->process_id};
uint64_t process_id = ctx->process_id;
bpf_map_delete_elem(&process_map, &process_id);
bpf_ringbuf_output(&process_ringbuf, &delete_event, sizeof(delete_event), 0);
}
return 0;
}
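Review bot: The result of `bpf_ringbuf_output` is discarded on both new calls (the create path and the delete path), so when `process_ringbuf` is full the event is dropped and neither the program nor the user-space consumer learns that the process history now has a gap, which for a process monitor means the consumer's view can silently diverge from what the kernel observed. At 64 KiB the buffer holds only on the order of a few hundred create events (each carries the 256-byte `command_line`), so a burst of process starts can plausibly reach that state. I would at least capture the outcome, e.g. `if (bpf_ringbuf_output(&process_ringbuf, &create_event, sizeof(create_event), 0) != 0) { /* TODO: count the drop in a counter map so user space can detect gaps */ }` and mirror it on the delete path. The same applies to `bpf_map_update_elem`: its result is also ignored, so a full `process_map` (1024 entries) drops the entry silently, and a comment stating that the map is best-effort would help a reader. ProcessMonitor is fully contained in the hunk.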
15 changes: 15 additions & 0 deletions tests/sample/sample.vcxproj
Expand Up @@ -38,6 +38,21 @@
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ClangFlags>-g -target bpf -O2 -Werror -I../../include -I../../external/bpftool</ClangFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ClangFlags>$(ClangFlags) -DDEBUG</ClangFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='NativeOnlyDebug|x64'" Label="Configuration">
<ClangFlags>$(ClangFlags) -DDEBUG</ClangFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='FuzzerDebug|x64'" Label="Configuration">
<ClangFlags>$(ClangFlags) -DDEBUG</ClangFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ClangFlags>$(ClangFlags) -DNDEBUG</ClangFlags>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='NativeOnlyRelease|x64'" Label="Configuration">
<ClangFlags>$(ClangFlags) -DNDEBUG</ClangFlags>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
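Review bot: The five new PropertyGroups differ only in the configuration name and in whether they append `-DDEBUG` or `-DNDEBUG` to `$(ClangFlags)`, so the same decision is now maintained in five places and any configuration/platform pair not enumerated here silently gets neither define and falls into the non-`NDEBUG` path that process_monitor.c selects with `#if defined(NDEBUG)`. Two groups keyed on the configuration name, e.g. `<PropertyGroup Condition="$(Configuration.Contains('Debug'))">` and `<PropertyGroup Condition="$(Configuration.Contains('Release'))">`, would express the intent once; if property functions are not used elsewhere in this repository, a short comment above the block saying that every configuration must be listed here would at least make an omission visible. Since process_monitor.c tests only `NDEBUG`, the `-DDEBUG` variants appear to exist for other samples — worth a one-line comment if so.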