Add new hook provider for process creation and termination.

Signed-off-by: Alan Jowett <[email protected]>
microsoft · Mar 2, 2024 · f61aaa1 · f61aaa1
1 parent ff2a400
commit f61aaa1
Show file tree

Hide file tree

Showing 24 changed files with 1,213 additions and 50 deletions.
diff --git a/ebpf-for-windows.sln b/ebpf-for-windows.sln
@@ -213,11 +213,11 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "redist-package", "tools\red
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_stress_tests_km", "tests\stress\km\ebpf_stress_tests_km.vcxproj", "{4F082524-9496-44FA-8CBA-4BC0BDC62568}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper_um", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim", "external\usersim\src\usersim.vcxproj", "{030A7AC6-14DC-45CF-AF34-891057AB1402}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{89A12D43-9B91-3960-A6BF-E506122C207A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim_dll_skeleton", "external\usersim\usersim_dll_skeleton\usersim_dll_skeleton.vcxproj", "{1937DB41-F3EB-4955-A636-6386DCB394F6}"
 EndProject
@@ -249,6 +249,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ebpf_ext", "undocked
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ext_app", "tests\sample\ext\app\sample_ext_app.vcxproj", "{6D365515-DE92-4CEB-AB3D-5608719A8886}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "process_monitor", "tools\process_monitor\process_monitor.vcxproj", "{3DBF8A96-3883-448A-8BD3-B8C913A27F09}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM64 = Debug|ARM64
@@ -2667,48 +2669,48 @@ Global
 		{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x64.Build.0 = Release|x64
 		{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.ActiveCfg = Release|Win32
 		{030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.Build.0 = Release|Win32
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.Build.0 = Debug|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.ActiveCfg = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.Build.0 = Release|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
-		{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.Build.0 = Debug|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.ActiveCfg = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.Build.0 = Release|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
 		{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.ActiveCfg = Debug|x64
 		{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.Build.0 = Debug|x64
 		{1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|x64.ActiveCfg = Debug|x64
@@ -3125,6 +3127,48 @@ Global
 		{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x64.Build.0 = Release|x64
 		{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.ActiveCfg = Release|x64
 		{6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.Build.0 = Debug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.ActiveCfg = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.Build.0 = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.ActiveCfg = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.Build.0 = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.ActiveCfg = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.Build.0 = NativeOnlyDebug|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.ActiveCfg = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.Build.0 = NativeOnlyRelease|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.Build.0 = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.ActiveCfg = Release|x64
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.Build.0 = Release|x64
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -3190,7 +3234,7 @@ Global
 		{4F082524-9496-44FA-8CBA-4BC0BDC62568} = {492C9B22-9237-4996-9E33-CA14D3533616}
 		{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 		{030A7AC6-14DC-45CF-AF34-891057AB1402} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
-		{89A12D43-9B91-3960-A6BF-E506122C207A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
+		{018D6472-F71C-34B5-BB9B-6BC2A506DB5E} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 		{1937DB41-F3EB-4955-A636-6386DCB394F6} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 		{1FDAD2FD-EBD8-462A-B285-ED5174E55079} = {97D3096A-20FB-4ACB-A038-88E652FE61E3}
 		{9388DD45-7941-45D7-B4FF-BC00F550AF17} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
@@ -3202,6 +3246,7 @@ Global
 		{984080A6-5890-4ADE-BF8C-DC78EBAB0E8B} = {1A0E5E22-3CAD-412A-9268-F561A5462C77}
 		{C8D46543-5AE5-4E66-B9CE-8B84588B1C9E} = {984080A6-5890-4ADE-BF8C-DC78EBAB0E8B}
 		{6D365515-DE92-4CEB-AB3D-5608719A8886} = {492C9B22-9237-4996-9E33-CA14D3533616}
+		{3DBF8A96-3883-448A-8BD3-B8C913A27F09} = {B09749EC-3D14-414B-BA9B-CD20E218DC84}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3D5F862D-74C6-4357-9F95-0B152E33B7B8}

diff --git a/external/usersim b/external/usersim
diff --git a/include/ebpf_nethooks.h b/include/ebpf_nethooks.h
@@ -265,6 +265,39 @@ typedef struct _bpf_sock_ops
 typedef int
 sock_ops_hook_t(bpf_sock_ops_t* context);
 
+typedef enum _process_operation
+{
+    PROCESS_OPERATION_CREATE, ///< Process creation.
+    PROCESS_OPERATION_DELETE, ///< Process deletion.
+} process_operation_t;
+
+typedef struct _process_md
+{
+    uint8_t* command_start;        ///< Pointer to start of the command line.
+    uint8_t* command_end;          ///< Pointer to end of the command line.
+    uint64_t process_id;           ///< Process ID.
+    uint64_t parent_process_id;    ///< Parent process ID.
+    uint64_t creating_process_id;  ///< Creating process ID.
+    uint64_t creating_thread_id;   ///< Creating thread ID.
+    process_operation_t operation; ///< Operation to do.
+} process_md_t;
+
+/*
+ * @brief Handle process creation and deletion.
+ *
+ * Program type: \ref EBPF_PROGRAM_TYPE_PROCESS
+ *
+ * Attach type(s):
+ * \ref EBPF_ATTACH_TYPE_PROCESS
+ *
+ * @param[in] context \ref process_md_t
+ * @return STATUS_SUCCESS to permit the operation, or a failure NTSTATUS value to deny the operation.
+ * Value of STATUS_SUCCESS is 0x0.
+ * For PROCESS_OPERATION_DELETE operation, the return value is ignored.
+ */
+typedef int
+process_hook_t(process_md_t* context);
+
 #ifdef _MSC_VER
 #pragma warning(pop)
 #endif
diff --git a/include/ebpf_program_attach_type_guids.h b/include/ebpf_program_attach_type_guids.h
@@ -85,6 +85,13 @@ extern "C"
     __declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_XDP_TEST = {
         0x0dccc15d, 0xa5f9, 0x4dc1, {0xac, 0x79, 0xfa, 0x25, 0xee, 0xf2, 0x15, 0xc3}};
 
+    /** @brief Attach type for handling process creation and destruction events.
+     *
+     * Program type: \ref EBPF_ATTACH_TYPE_PROCESS
+     */
+    __declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_PROCESS = {
+        0x66e20687, 0x9805, 0x4458, {0xa0, 0xdb, 0x38, 0xe2, 0x20, 0xd3, 0x16, 0x85}};
+
     //
     // Program Types.
     //
@@ -177,6 +184,21 @@ extern "C"
      */
     __declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_XDP_TEST = EBPF_PROGRAM_TYPE_XDP_TEST_GUID;
 
+#define EBPF_PROGRAM_TYPE_PROCESS_GUID                                                 \
+    {                                                                                  \
+        0x22ea7b37, 0x1043, 0x4d0d, { 0xb6, 0x0d, 0xca, 0xfa, 0x1c, 0x7b, 0x63, 0x8e } \
+    }
+
+    /** @brief Program type for handling process creation and destruction events.
+     *
+     * eBPF program prototype: \ref process_md_t
+     *
+     * Attach type(s): \ref EBPF_ATTACH_TYPE_PRCOESS
+     *
+     * Helpers available: see bpf_helpers.h
+     */
+    __declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_PROCESS = EBPF_PROGRAM_TYPE_PROCESS_GUID;
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/include/ebpf_structs.h b/include/ebpf_structs.h
@@ -218,6 +218,17 @@ enum bpf_prog_type
      */
     BPF_PROG_TYPE_SOCK_OPS,
 
+    /** @brief Program type for handling process creation and destruction events.
+     *
+     * **eBPF program prototype:** \ref process_md_t
+     *
+     * **Attach type(s):**
+     *  \ref BPF_ATTACH_TYPE_PROCESS
+     *
+     * **Helpers available:** all helpers defined in bpf_helpers.h
+     */
+    BPF_PROG_TYPE_PROCESS,
+
     /** @brief Program type for handling incoming packets as early as possible.
      *
      * **eBPF program prototype:** \ref xdp_hook_t
@@ -320,6 +331,12 @@ enum bpf_attach_type
      */
     BPF_XDP_TEST,
 
+    /** @brief Attach type for handling process events.
+     *
+     * **Program type:** \ref BPF_PROG_TYPE_PROCESS
+     */
+    BPF_ATTACH_TYPE_PROCESS,
+
     __MAX_BPF_ATTACH_TYPE,
 };
 

diff --git a/netebpfext/net_ebpf_ext.c b/netebpfext/net_ebpf_ext.c
@@ -19,6 +19,7 @@
 
 #include "net_ebpf_ext.h"
 #include "net_ebpf_ext_bind.h"
+#include "net_ebpf_ext_process.h"
 #include "net_ebpf_ext_sock_addr.h"
 #include "net_ebpf_ext_sock_ops.h"
 #include "net_ebpf_ext_xdp.h"
@@ -34,6 +35,7 @@ static bool _net_ebpf_xdp_providers_registered = false;
 static bool _net_ebpf_bind_providers_registered = false;
 static bool _net_ebpf_sock_addr_providers_registered = false;
 static bool _net_ebpf_sock_ops_providers_registered = false;
+static bool _net_ebpf_process_providers_registered = false;
 
 static net_ebpf_ext_sublayer_info_t _net_ebpf_ext_sublayers[] = {
     {&EBPF_DEFAULT_SUBLAYER, L"EBPF Sub-Layer", L"Sub-Layer for use by eBPF callouts", 0, SUBLAYER_WEIGHT_MAXIMUM},
@@ -811,6 +813,17 @@ net_ebpf_ext_register_providers()
     }
     _net_ebpf_sock_ops_providers_registered = true;
 
+    status = net_ebpf_ext_process_register_providers();
+    if (!NT_SUCCESS(status)) {
+        NET_EBPF_EXT_LOG_MESSAGE_NTSTATUS(
+            NET_EBPF_EXT_TRACELOG_LEVEL_ERROR,
+            NET_EBPF_EXT_TRACELOG_KEYWORD_EXTENSION,
+            "net_ebpf_ext_process_register_providers failed.",
+            status);
+        goto Exit;
+    }
+    _net_ebpf_process_providers_registered = true;
+
 Exit:
     if (!NT_SUCCESS(status)) {
         net_ebpf_ext_unregister_providers();
@@ -837,4 +850,8 @@ net_ebpf_ext_unregister_providers()
         net_ebpf_ext_sock_ops_unregister_providers();
         _net_ebpf_sock_ops_providers_registered = false;
     }
+    if (_net_ebpf_process_providers_registered) {
+        net_ebpf_ext_process_unregister_providers();
+        _net_ebpf_process_providers_registered = false;
+    }
 }
+41 −0		inc/usersim/ps.h
+42 −3		src/ps.cpp
+1 −0		tests/CMakeLists.txt
+44 −0		tests/ps_test.cpp