diff --git a/ebpf-for-windows.sln b/ebpf-for-windows.sln
index 48d9f6c1a3..e5fdcf0edd 100644
--- a/ebpf-for-windows.sln
+++ b/ebpf-for-windows.sln
@@ -213,11 +213,11 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "redist-package", "tools\red
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_stress_tests_km", "tests\stress\km\ebpf_stress_tests_km.vcxproj", "{4F082524-9496-44FA-8CBA-4BC0BDC62568}"
EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper_um", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim", "external\usersim\src\usersim.vcxproj", "{030A7AC6-14DC-45CF-AF34-891057AB1402}"
EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{89A12D43-9B91-3960-A6BF-E506122C207A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim_dll_skeleton", "external\usersim\usersim_dll_skeleton\usersim_dll_skeleton.vcxproj", "{1937DB41-F3EB-4955-A636-6386DCB394F6}"
EndProject
@@ -249,6 +249,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ebpf_ext", "undocked
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ext_app", "tests\sample\ext\app\sample_ext_app.vcxproj", "{6D365515-DE92-4CEB-AB3D-5608719A8886}"
EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "process_monitor", "tools\process_monitor\process_monitor.vcxproj", "{3DBF8A96-3883-448A-8BD3-B8C913A27F09}"
+EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM64 = Debug|ARM64
@@ -2667,48 +2669,48 @@ Global
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x64.Build.0 = Release|x64
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.ActiveCfg = Release|Win32
{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.Build.0 = Release|Win32
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.Build.0 = Debug|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.ActiveCfg = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.Build.0 = Release|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
- {89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.Build.0 = Debug|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.ActiveCfg = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.Build.0 = Release|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.ActiveCfg = Debug|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.Build.0 = Debug|x64
{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|x64.ActiveCfg = Debug|x64
@@ -3125,6 +3127,48 @@ Global
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x64.Build.0 = Release|x64
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.ActiveCfg = Release|x64
{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.Build.0 = Debug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.ActiveCfg = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.Build.0 = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.ActiveCfg = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.Build.0 = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.ActiveCfg = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.Build.0 = NativeOnlyDebug|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.ActiveCfg = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.Build.0 = NativeOnlyRelease|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.Build.0 = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.ActiveCfg = Release|x64
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
@@ -3190,7 +3234,7 @@ Global
{4F082524-9496-44FA-8CBA-4BC0BDC62568} = {492C9B22-9237-4996-9E33-CA14D3533616}
{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{030A7AC6-14DC-45CF-AF34-891057AB1402} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
- {89A12D43-9B91-3960-A6BF-E506122C207A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
+ {018D6472-F71C-34B5-BB9B-6BC2A506DB5E} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{1937DB41-F3EB-4955-A636-6386DCB394F6} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
{1FDAD2FD-EBD8-462A-B285-ED5174E55079} = {97D3096A-20FB-4ACB-A038-88E652FE61E3}
{9388DD45-7941-45D7-B4FF-BC00F550AF17} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
@@ -3202,6 +3246,7 @@ Global
{984080A6-5890-4ADE-BF8C-DC78EBAB0E8B} = {1A0E5E22-3CAD-412A-9268-F561A5462C77}
{C8D46543-5AE5-4E66-B9CE-8B84588B1C9E} = {984080A6-5890-4ADE-BF8C-DC78EBAB0E8B}
{6D365515-DE92-4CEB-AB3D-5608719A8886} = {492C9B22-9237-4996-9E33-CA14D3533616}
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09} = {B09749EC-3D14-414B-BA9B-CD20E218DC84}
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {3D5F862D-74C6-4357-9F95-0B152E33B7B8}
diff --git a/tests/sample/process_monitor.c b/tests/sample/process_monitor.c
index e65bb42487..c9f64b8452 100644
--- a/tests/sample/process_monitor.c
+++ b/tests/sample/process_monitor.c
@@ -25,6 +25,18 @@ typedef struct
uint8_t command_line[256];
} proces_entry_t;
+typedef struct
+{
+ uint64_t process_id;
+ proces_entry_t entry;
+} process_create_event_t;
+
+typedef struct
+{
+ uint64_t process_id;
+} process_delete_event_t;
+
+// Map for running processes.
struct
{
__uint(type, BPF_MAP_TYPE_HASH);
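Review bot: `process_create_event_t` and `process_delete_event_t` are declared here and declared again by hand in tools/process_monitor/process_monitor.cpp, with no shared header, and the user-mode consumer in that file tells the two events apart only by their `sizeof`; a field added on one side later changes the wire layout silently instead of failing to compile. Move the three typedefs into a header that both the BPF program and the tool include, and give the events an explicit tag as their first member, e.g. `uint32_t event_type; /* 1 = create, 2 = delete */`, so the consumer dispatches on content rather than on record size. The `struct` that begins on the last context lines of this hunk continues past it.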
@@ -33,6 +45,13 @@ struct
__uint(max_entries, 1024);
} process_map SEC(".maps");
+// Ringbuffer for process events.
+struct
+{
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 1024 * 64);
+} process_ringbuf SEC(".maps");
+
// For debug builds, limit the number of iterations in the loop to 16 to prevent the verifier from
// running for too long. For release builds, limit the number of iterations to 256.
#if defined(NDEBUG)
@@ -67,21 +86,25 @@ int
ProcessMonitor(process_md_t* ctx)
{
if (ctx->operation == PROCESS_OPERATION_CREATE) {
- proces_entry_t entry;
- __builtin_memset(&entry, 0, sizeof(entry));
- entry.parent_process_id = ctx->parent_process_id;
+ process_create_event_t create_event;
+ __builtin_memset(&create_event, 0, sizeof(create_event));
+ create_event.entry.parent_process_id = ctx->parent_process_id;
+ create_event.process_id = ctx->process_id;
uint64_t process_id = ctx->process_id;
bounded_memcpy(
- entry.command_line,
+ create_event.entry.command_line,
ctx->command_start,
- sizeof(entry.command_line),
+ sizeof(create_event.entry.command_line),
(uint32_t)(ctx->command_end - ctx->command_start));
- bpf_map_update_elem(&process_map, &process_id, &entry, BPF_ANY);
+ bpf_map_update_elem(&process_map, &process_id, &create_event.entry, BPF_ANY);
+ bpf_ringbuf_output(&process_ringbuf, &create_event, sizeof(create_event), 0);
} else if (ctx->operation == PROCESS_OPERATION_DELETE) {
+ process_delete_event_t delete_event = {.process_id = ctx->process_id};
uint64_t process_id = ctx->process_id;
bpf_map_delete_elem(&process_map, &process_id);
+ bpf_ringbuf_output(&process_ringbuf, &delete_event, sizeof(delete_event), 0);
}
return 0;
}
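Review bot: Both `bpf_ringbuf_output` calls discard their return value, so when the 64 KiB `process_ringbuf` fills during a burst of process creations the event is dropped and the consumer has no way to learn that its view has diverged from `process_map`. A monitoring consumer needs to be able to detect gaps; at minimum check the result, e.g. `if (bpf_ringbuf_output(&process_ringbuf, &create_event, sizeof(create_event), 0) < 0) { /* event dropped */ }`, and better, count drops in a map the tool can read. The `uint64_t process_id` local in the create branch now duplicates `create_event.process_id` and could be removed by passing `&create_event.process_id` to `bpf_map_update_elem`.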
diff --git a/tests/sample/sample.vcxproj b/tests/sample/sample.vcxproj
index 04735a2edd..3246d0f132 100644
--- a/tests/sample/sample.vcxproj
+++ b/tests/sample/sample.vcxproj
@@ -38,6 +38,21 @@
10.0
-g -target bpf -O2 -Werror -I../../include -I../../external/bpftool
+
+ $(ClangFlags) -DDEBUG
+
+
+ $(ClangFlags) -DDEBUG
+
+
+ $(ClangFlags) -DDEBUG
+
+
+ $(ClangFlags) -DNDEBUG
+
+
+ $(ClangFlags) -DNDEBUG
+
Application
diff --git a/tools/process_monitor/process_monitor.cpp b/tools/process_monitor/process_monitor.cpp
new file mode 100644
index 0000000000..938873fc67
--- /dev/null
+++ b/tools/process_monitor/process_monitor.cpp
@@ -0,0 +1,151 @@
+// Copyright (c) Microsoft Corporation
+// SPDX-License-Identifier: MIT
+
+// Windows.h needs to be the first include to prevent failures in subsequent headers.
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#pragma comment(lib, "ebpfapi.lib")
+
+extern "C"
+{
+ int
+ process_monitor_history_callback(void* ctx, void* data, size_t size);
+}
+
+typedef struct
+{
+ uint64_t parent_process_id;
+ uint8_t command_line[256];
+} proces_entry_t;
+
+typedef struct
+{
+ uint64_t process_id;
+ proces_entry_t entry;
+} process_create_event_t;
+
+typedef struct
+{
+ uint64_t process_id;
+} process_delete_event_t;
+
+int
+process_monitor_history_callback(void* ctx, void* data, size_t size)
+{
+ UNREFERENCED_PARAMETER(ctx);
+
+ switch (size) {
+ case sizeof(process_create_event_t): {
+ process_create_event_t* event = (process_create_event_t*)data;
+ std::wcout << L"Process created: " << event->process_id << L" "
+ << reinterpret_cast(event->entry.command_line) << std::endl;
+ break;
+ }
+ case sizeof(process_delete_event_t): {
+ process_delete_event_t* event = (process_delete_event_t*)data;
+ std::wcout << L"Process deleted: " << event->process_id << std::endl;
+ break;
+ }
+ default:
+ std::wcout << L"Unknown event size: " << size << std::endl;
+ break;
+ }
+
+ return 0;
+}
+
+bool _shutdown = false;
+std::condition_variable _wait_for_shutdown;
+std::mutex _wait_for_shutdown_mutex;
+
+int
+control_handler(unsigned long control_type)
+{
+ if (control_type != CTRL_C_EVENT) {
+ return false;
+ }
+ std::unique_lock lock(_wait_for_shutdown_mutex);
+ _shutdown = true;
+ _wait_for_shutdown.notify_all();
+ return true;
+}
+
+int
+main(int argc, char** argv)
+{
+ UNREFERENCED_PARAMETER(argc);
+ UNREFERENCED_PARAMETER(argv);
+ if (!SetConsoleCtrlHandler(control_handler, true)) {
+ std::cerr << "SetConsoleCtrlHandler: " << GetLastError() << std::endl;
+ return 1;
+ }
+
+ std::cerr << "Press Ctrl-C to shutdown" << std::endl;
+
+ // Load process_monitor.sys BPF program.
+ struct bpf_object* object = bpf_object__open("process_monitor.sys");
+ if (!object) {
+ std::cerr << "bpf_object__open for process_monitor.sys failed: " << errno << std::endl;
+ return 1;
+ }
+
+ if (bpf_object__load(object) < 0) {
+ std::cerr << "bpf_object__load for process_monitor.sys failed: " << errno << std::endl;
+ return 1;
+ }
+
+ auto process_monitor = bpf_object__find_program_by_name(object, "ProcessMonitor");
+ if (!process_monitor) {
+ std::cerr << "bpf_object__find_program_by_name for \"connection_tracker\" failed: " << errno << std::endl;
+ return 1;
+ }
+
+ auto process_monitor_link = bpf_program__attach(process_monitor);
+ if (!process_monitor_link) {
+ std::cerr << "BPF program process_monitor.sys failed to attach: " << errno << std::endl;
+ return 1;
+ }
+
+ // Attach to ring buffer.
+ bpf_map* map = bpf_object__find_map_by_name(object, "process_ringbuf");
+ if (!map) {
+ std::cerr << "Unable to locate history map: " << errno << std::endl;
+ return 1;
+ }
+ auto ring = ring_buffer__new(bpf_map__fd(map), process_monitor_history_callback, nullptr, nullptr);
+ if (!ring) {
+ std::cerr << "Unable to create ring buffer: " << errno << std::endl;
+ return 1;
+ }
+
+ // Wait for Ctrl-C.
+ {
+ std::unique_lock lock(_wait_for_shutdown_mutex);
+ _wait_for_shutdown.wait(lock, []() { return _shutdown; });
+ }
+
+ // Detach from the attach point.
+ int link_fd = bpf_link__fd(process_monitor_link);
+ bpf_link_detach(link_fd);
+ bpf_link__destroy(process_monitor_link);
+
+ // Close ring buffer.
+ ring_buffer__free(ring);
+
+ // Free the BPF object.
+ bpf_object__close(object);
+ return 0;
+}
\ No newline at end of file
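Review bot: `process_monitor_history_callback` streams `event->entry.command_line` to `wcout` as a NUL-terminated string (the `reinterpret_cast(event->entry.command_line)` line; the cast's target type was lost in this rendering), but the BPF side fills that 256-byte buffer with `bounded_memcpy` up to its full size, so a command line of 256 bytes or more arrives with no terminator and the print reads past the end of the ring-buffer record. Bound the read to the buffer, e.g. `size_t n = wcsnlen(cmd, sizeof(event->entry.command_line) / sizeof(wchar_t));` and print `std::wstring_view(cmd, n)` (or the `strnlen`/`string_view` pair if the element type is `char`). The failure message after `bpf_object__find_program_by_name` names `"connection_tracker"` although the program looked up is `"ProcessMonitor"`. None of the early-return paths in `main` after a successful `bpf_object__open` call `bpf_object__close(object)`, and the `ring_buffer__new` failure path returns with the program still attached.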
diff --git a/tools/process_monitor/process_monitor.vcxproj b/tools/process_monitor/process_monitor.vcxproj
new file mode 100644
index 0000000000..31bbec8187
--- /dev/null
+++ b/tools/process_monitor/process_monitor.vcxproj
@@ -0,0 +1,148 @@
+
+
+
+
+
+ Debug
+ x64
+
+
+ NativeOnlyDebug
+ x64
+
+
+ NativeOnlyRelease
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ Win32Proj
+ {3DBF8A96-3883-448A-8BD3-B8C913A27F09}
+ process_monitor
+ 10.0
+
+
+
+ Application
+ true
+ v143
+ Unicode
+
+
+ Application
+ true
+ v143
+ Unicode
+
+
+ Application
+ false
+ v143
+ Unicode
+
+
+ Application
+ false
+ v143
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+ false
+
+
+ false
+
+
+ false
+
+
+
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ $(SolutionDir)include;$(SolutionDir)external\bpftool;$(SolutionDir)external\ebpf-verifier\src
+
+
+ Console
+ true
+
+
+
+
+ _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ $(SolutionDir)include;$(SolutionDir)external\bpftool;$(SolutionDir)external\ebpf-verifier\src
+
+
+ Console
+ true
+
+
+
+
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ $(SolutionDir)include;$(SolutionDir)external\bpftool;$(SolutionDir)external\ebpf-verifier\src
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+ true
+ NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
+ true
+ $(SolutionDir)include;$(SolutionDir)external\bpftool;$(SolutionDir)external\ebpf-verifier\src
+
+
+ Console
+ true
+ true
+ true
+
+
+
+
+
+
+
+ {75fe223a-3e45-4b0e-a2e8-04285e52e440}
+
+
+
+
+
+
\ No newline at end of file
diff --git a/tools/process_monitor/process_monitor.vcxproj.filters b/tools/process_monitor/process_monitor.vcxproj.filters
new file mode 100644
index 0000000000..ada4019cd8
--- /dev/null
+++ b/tools/process_monitor/process_monitor.vcxproj.filters
@@ -0,0 +1,26 @@
+
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ Source Files
+
+
+
\ No newline at end of file