Add process creation and destruction hooks to netebpfext #3307

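--- a/ebpf-for-windows.sln
+++ b/ebpf-for-windows.sln
@@ -213,11 +213,11 @@
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_stress_tests_km", "tests\stress\km\ebpf_stress_tests_km.vcxproj", "{4F082524-9496-44FA-8CBA-4BC0BDC62568}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper_um", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ebpf_store_helper", "libs\store_helper\user\ebpf_store_helper_um.vcxproj", "{AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim", "external\usersim\src\usersim.vcxproj", "{030A7AC6-14DC-45CF-AF34-891057AB1402}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{89A12D43-9B91-3960-A6BF-E506122C207A}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbtf", "external\ebpf-verifier\build\external\libbtf\libbtf\libbtf.vcxproj", "{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "usersim_dll_skeleton", "external\usersim\usersim_dll_skeleton\usersim_dll_skeleton.vcxproj", "{1937DB41-F3EB-4955-A636-6386DCB394F6}"
 EndProject
@@ -249,6 +249,8 @@
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sample_ext_app", "tests\sample\ext\app\sample_ext_app.vcxproj", "{6D365515-DE92-4CEB-AB3D-5608719A8886}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "process_monitor", "tools\process_monitor\process_monitor.vcxproj", "{3DBF8A96-3883-448A-8BD3-B8C913A27F09}"
+EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|ARM64 = Debug|ARM64
@@ -2667,48 +2669,48 @@
 {030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x64.Build.0 = Release|x64
 {030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.ActiveCfg = Release|Win32
 {030A7AC6-14DC-45CF-AF34-891057AB1402}.RelWithDebInfo|x86.Build.0 = Release|Win32
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|ARM64.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x64.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Debug|x86.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|ARM64.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.FuzzerDebug|x86.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x64.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyDebug|x86.Build.0 = Debug|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x64.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.NativeOnlyRelease|x86.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|ARM64.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x64.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.ActiveCfg = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.Release|x86.Build.0 = Release|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
-{89A12D43-9B91-3960-A6BF-E506122C207A}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|ARM64.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x64.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Debug|x86.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.ActiveCfg = FuzzerDebug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x64.Build.0 = FuzzerDebug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.FuzzerDebug|x86.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.ActiveCfg = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|ARM64.Build.0 = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.ActiveCfg = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x64.Build.0 = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.ActiveCfg = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.MinSizeRel|x86.Build.0 = MinSizeRel|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|ARM64.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x64.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.ActiveCfg = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyDebug|x86.Build.0 = Debug|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|ARM64.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x64.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.NativeOnlyRelease|x86.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|ARM64.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x64.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.ActiveCfg = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.Release|x86.Build.0 = Release|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.ActiveCfg = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|ARM64.Build.0 = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.ActiveCfg = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x64.Build.0 = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.ActiveCfg = RelWithDebInfo|x64
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E}.RelWithDebInfo|x86.Build.0 = RelWithDebInfo|x64
 {1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.ActiveCfg = Debug|x64
 {1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|ARM64.Build.0 = Debug|x64
 {1937DB41-F3EB-4955-A636-6386DCB394F6}.Debug|x64.ActiveCfg = Debug|x64
@@ -3125,6 +3127,48 @@
 {6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x64.Build.0 = Release|x64
 {6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.ActiveCfg = Release|x64
 {6D365515-DE92-4CEB-AB3D-5608719A8886}.RelWithDebInfo|x86.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|ARM64.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x64.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Debug|x86.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|ARM64.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x64.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.ActiveCfg = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.FuzzerDebug|x86.Build.0 = Debug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|ARM64.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x64.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.MinSizeRel|x86.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.ActiveCfg = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|ARM64.Build.0 = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.ActiveCfg = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x64.Build.0 = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.ActiveCfg = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyDebug|x86.Build.0 = NativeOnlyDebug|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|ARM64.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x64.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.ActiveCfg = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.NativeOnlyRelease|x86.Build.0 = NativeOnlyRelease|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|ARM64.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x64.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.Release|x86.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|ARM64.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x64.Build.0 = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.ActiveCfg = Release|x64
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09}.RelWithDebInfo|x86.Build.0 = Release|x64
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
@@ -3190,7 +3234,7 @@
 {4F082524-9496-44FA-8CBA-4BC0BDC62568} = {492C9B22-9237-4996-9E33-CA14D3533616}
 {AA933B9F-B5D8-4AA8-AC18-98FE1A161E8A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 {030A7AC6-14DC-45CF-AF34-891057AB1402} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
-{89A12D43-9B91-3960-A6BF-E506122C207A} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
+{018D6472-F71C-34B5-BB9B-6BC2A506DB5E} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 {1937DB41-F3EB-4955-A636-6386DCB394F6} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
 {1FDAD2FD-EBD8-462A-B285-ED5174E55079} = {97D3096A-20FB-4ACB-A038-88E652FE61E3}
 {9388DD45-7941-45D7-B4FF-BC00F550AF17} = {69CDB6A1-434D-4BC9-9BFF-D12DF7EDBB6B}
@@ -3202,6 +3246,7 @@
 {984080A6-5890-4ADE-BF8C-DC78EBAB0E8B} = {1A0E5E22-3CAD-412A-9268-F561A5462C77}
 {C8D46543-5AE5-4E66-B9CE-8B84588B1C9E} = {984080A6-5890-4ADE-BF8C-DC78EBAB0E8B}
 {6D365515-DE92-4CEB-AB3D-5608719A8886} = {492C9B22-9237-4996-9E33-CA14D3533616}
+{3DBF8A96-3883-448A-8BD3-B8C913A27F09} = {B09749EC-3D14-414B-BA9B-CD20E218DC84}
 EndGlobalSection
 GlobalSection(ExtensibilityGlobals) = postSolution
 SolutionGuid = {3D5F862D-74C6-4357-9F95-0B152E33B7B8}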
2 changes: 1 addition & 1 deletion external/usersim
60 changes: 60 additions & 0 deletions include/ebpf_nethooks.h
Expand Up @@ -265,6 +265,66 @@ typedef struct _bpf_sock_ops
typedef int
sock_ops_hook_t(bpf_sock_ops_t* context);

typedef enum _process_operation
{
PROCESS_OPERATION_CREATE, ///< Process creation.
PROCESS_OPERATION_DELETE, ///< Process deletion.
} process_operation_t;

typedef struct _process_md
{
uint8_t* command_start; ///< Pointer to start of the command line as UTF-8 string.
uint8_t* command_end; ///< Pointer to end of the command line as UTF-8 string.
uint64_t process_id; ///< Process ID.
uint64_t parent_process_id; ///< Parent process ID.
uint64_t creating_process_id; ///< Creating process ID.
uint64_t creating_thread_id; ///< Creating thread ID.
process_operation_t operation; ///< Operation to do.
} process_md_t;

/*
* @brief Handle process creation and deletion.
*
* Program type: \ref EBPF_PROGRAM_TYPE_PROCESS
*
* Attach type(s):
* \ref EBPF_ATTACH_TYPE_PROCESS
*
* @param[in] context \ref process_md_t
* @return STATUS_SUCCESS to permit the operation, or a failure NTSTATUS value to deny the operation.
* Value of STATUS_SUCCESS is 0x0.

It seems odd to say what the value of STATUS_SUCCESS is without saying what range of values are "a failure". I'd either remove line 295 (my preference), or else say more... e.g., failure values have the high bit set.

Still if the point is to document that values 0x1 through 0x7fffffff are not legal to return, the hook still has to do something if they are returned. E.g., what happens if the BPF program returns STATUS_PENDING?

* For PROCESS_OPERATION_DELETE operation, the return value is ignored.
*/
typedef int
process_hook_t(process_md_t* context);

// Process helper functions.
#define PROCESS_EXT_HELPER_FN_BASE 0xFFFF

#ifndef __doxygen
#define EBPF_HELPER(return_type, name, args) typedef return_type(*name##_t) args
#endif

typedef enum
{
BPF_FUNC_process_get_image_path = PROCESS_EXT_HELPER_FN_BASE + 1,
} ebpf_process_helper_id_t;

/**
* @brief Get the image path of the process.
*
* @param[in] context Process metadata.
* @param[out] path Buffer to store the image path.
* @param[in] path_length Length of the buffer.
*
* @retval >=0 The length of the image path.
* @retval <0 A failure occurred.
*/
EBPF_HELPER(int, bpf_process_get_image_path, (process_md_t * ctx, uint8_t* path, uint32_t path_length));
#ifndef __doxygen
#define bpf_process_get_image_path ((bpf_process_get_image_path_t)BPF_FUNC_process_get_image_path)
#endif

#ifdef _MSC_VER
#pragma warning(pop)
#endif
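Review bot: The doc block for `bpf_process_get_image_path` (the `@retval` lines near the end of this hunk) does not say whether `path` is NUL-terminated on return or what is returned when the image path is longer than `path_length`, yet a program will size its later reads of `path` from that return value. Suggest `@retval >=0 Number of bytes of the image path copied into path (not NUL-terminated).` and `@retval <0 A failure occurred, including path_length being too small for the full path.`, adjusted to whatever the extension actually does, since the implementation is not in this hunk. In `process_md_t`, `command_start` and `command_end` are non-const `uint8_t*` into data the program is only meant to read; documenting them as read-only (and `command_end` as exclusive, if that is the convention) would make the contract explicit, and `///< Operation to do.` would be clearer as `///< Operation being performed (create or delete).`. The `EBPF_HELPER` macro is also defined here under `#ifndef __doxygen`; if another header in the same include set already defines it, the two definitions must be identical to avoid a redefinition warning.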
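--- a/include/ebpf_program_attach_type_guids.h
+++ b/include/ebpf_program_attach_type_guids.h
@@ -85,6 +85,13 @@
 __declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_XDP_TEST = {
 0x0dccc15d, 0xa5f9, 0x4dc1, {0xac, 0x79, 0xfa, 0x25, 0xee, 0xf2, 0x15, 0xc3}};
 
+/** @brief Attach type for handling process creation and destruction events.
+*
+* Program type: \ref EBPF_ATTACH_TYPE_PROCESS
+*/
+__declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_PROCESS = {
+0x66e20687, 0x9805, 0x4458, {0xa0, 0xdb, 0x38, 0xe2, 0x20, 0xd3, 0x16, 0x85}};
+
 //
 // Program Types.
 //
@@ -177,6 +184,21 @@
 */
 __declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_XDP_TEST = EBPF_PROGRAM_TYPE_XDP_TEST_GUID;
 
+#define EBPF_PROGRAM_TYPE_PROCESS_GUID \
+{ \
+0x22ea7b37, 0x1043, 0x4d0d, { 0xb6, 0x0d, 0xca, 0xfa, 0x1c, 0x7b, 0x63, 0x8e } \
+}
+
+/** @brief Program type for handling process creation and destruction events.
+*
+* eBPF program prototype: \ref process_md_t
+*
+* Attach type(s): \ref EBPF_ATTACH_TYPE_PRCOESS
+*
+* Helpers available: see bpf_helpers.h
+*/
+__declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_PROCESS = EBPF_PROGRAM_TYPE_PROCESS_GUID;
+
 #ifdef __cplusplus
 }
 #endif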
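Review bot: The Doxygen cross-references in both new comments point at the wrong symbol: the `EBPF_ATTACH_TYPE_PROCESS` block in the first hunk says `Program type: \ref EBPF_ATTACH_TYPE_PROCESS`, referencing itself, and the `EBPF_PROGRAM_TYPE_PROCESS` block in the second hunk says `Attach type(s): \ref EBPF_ATTACH_TYPE_PRCOESS`, which is misspelled and will not resolve. Change the first to `* Program type: \ref EBPF_PROGRAM_TYPE_PROCESS` and the second to `* Attach type(s): \ref EBPF_ATTACH_TYPE_PROCESS`. `Helpers available: see bpf_helpers.h` also looks incomplete given that this PR adds a process-specific `bpf_process_get_image_path` helper in ebpf_nethooks.h; naming that header too would keep the two descriptions consistent.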
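--- a/include/ebpf_structs.h
+++ b/include/ebpf_structs.h
@@ -222,6 +222,17 @@
 */
 BPF_PROG_TYPE_SOCK_OPS,
 
+/** @brief Program type for handling process creation and destruction events.
+*
+* **eBPF program prototype:** \ref process_md_t
+*
+* **Attach type(s):**
+* \ref BPF_ATTACH_TYPE_PROCESS
+*
+* **Helpers available:** all helpers defined in bpf_helpers.h
+*/
+BPF_PROG_TYPE_PROCESS,
+
 /** @brief Program type for handling incoming packets as early as possible.
 *
 * **eBPF program prototype:** \ref xdp_hook_t
@@ -324,6 +335,12 @@
 */
 BPF_XDP_TEST,
 
+/** @brief Attach type for handling process events.
+*
+* **Program type:** \ref BPF_PROG_TYPE_PROCESS
+*/
+BPF_ATTACH_TYPE_PROCESS,
+
 __MAX_BPF_ATTACH_TYPE,
 };
 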
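Review bot: `BPF_PROG_TYPE_PROCESS` is inserted into `enum bpf_prog_type` after `BPF_PROG_TYPE_SOCK_OPS` and ahead of the existing XDP entry that follows it, which renumbers every enumerator after it; if these integer values are persisted (for example in the program store or in compiled ELF metadata) or exchanged with code built against the previous header, that is a silent compatibility break, whereas `BPF_ATTACH_TYPE_PROCESS` in the second hunk is correctly appended just before `__MAX_BPF_ATTACH_TYPE`. Unless the numbering is meant to track a fixed order, moving the new enumerator to the end of the enum (before any terminating value it may have outside this hunk) avoids that. The comment `**Helpers available:** all helpers defined in bpf_helpers.h` also reads as incomplete given that this PR adds a process-specific `bpf_process_get_image_path` helper in ebpf_nethooks.h; consider `**Helpers available:** all helpers defined in bpf_helpers.h, plus the process helpers in ebpf_nethooks.h`.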