Draft PR - Differences between Fork & Official Repo #3627

Draft, wants to merge 47 commits into base: main

47 commits
5afdaf5  Added the 2 basic eBPF programs  (trishms, Jul 28, 2021)
32b855e  Incorporated Eric's feedback for eBPF programs  (trishms, Jul 28, 2021)
7c1c5b4  Incorporated Eric's Feedback Pt.2  (trishms, Jul 28, 2021)
dbe2c22  Reformatted to match epf-for-data-usage repo  (trishms, Aug 3, 2021)
36fb9f9  Merge pull request #1 from trishms/trishms/ebpfprograms  (trishms, Aug 3, 2021)
6dacbf4  Added program and hook prototypes  (trishms, Aug 3, 2021)
49d0ca5  Merge branch 'master' into program-and-hook-prototypes  (trishms, Aug 3, 2021)
231e0fa  Merge branch 'microsoft:master' into master  (trishms, Aug 4, 2021)
680ac12  Merge branch 'master' into program-and-hook-prototypes  (trishms, Aug 4, 2021)
a794516  Added function definitions and changed param args number  (Aug 4, 2021)
4e22842  Changes from verification, change return type of ebpf programs. Added…  (Aug 6, 2021)
4e70a09  Reformat ebpf progs to OS repo clang format  (Aug 6, 2021)
92403e8  Changed eBPF programs so that they pass the verifier  (Aug 7, 2021)
ed62d87  Merge pull request #2 from trishms/program-and-hook-prototypes  (trishms, Aug 9, 2021)
e3cc543  Added user mode application: console. Includes the build for console.…  (Aug 11, 2021)
6b92e0f  Changing app_id in flow struct to app_id_start and app_id_end  (Aug 11, 2021)
3a9f4c2  Changed app_id to app_id_start and app_id_end. Added logic to get the…  (Aug 12, 2021)
9246e48  app_id to app_name and default initialize in console  (Aug 13, 2021)
ae647b6  Incorporated feedback and took out tracing from programs.cpp  (Aug 13, 2021)
5b5a6de  Incorporated feedback  (Aug 13, 2021)
b0263fa  Merge pull request #3 from trishms/usermodeapp  (trishms, Aug 13, 2021)
51d371a  Adding what I have so far for hook and testing for Eric  (Aug 23, 2021)
703fc54  Adding what I have so far for hook and testing for Eric  (Aug 23, 2021)
a30c062  Adding what I have so far for hook and testing for Eric  (Aug 23, 2021)
c6f96d8  Adding what I have so far for hook and testing for Eric  (Aug 23, 2021)
0e12a0b  Adding what I have so far for hook and testing for Eric  (Aug 23, 2021)
6f7f19c  KdPrint to test  (Aug 23, 2021)
8585fc1  Add countbytes test  (Aug 24, 2021)
32db36f  Merge from upstream microsoft:ebpf-for-windows in order to solve issu…  (Aug 24, 2021)
e24c4a7  Merge branch 'master' into flowhook  (Aug 24, 2021)
fc96df9  Console and hook callouts working with newer upstream commits  (Aug 25, 2021)
a35d3fd  Console and hook callouts working with newer upstream commits  (Aug 25, 2021)
4af71f9  Working hook callouts, five-tuple parsing, and UM app.  (Aug 26, 2021)
8a52ef5  Changed console to add commands like load and unload. Incorporated fe…  (Sep 1, 2021)
db45fb7  Default initialize  (Sep 1, 2021)
6c38487  Update console.cpp with feedback: result{}  (Sep 1, 2021)
79a7ad8  Merge pull request #5 from trishms/flowhook  (trishms, Sep 1, 2021)
6661aba  Basic end-to-end tests  (Sep 1, 2021)
1d40850  Create setup.md  (trishms, Sep 2, 2021)
d973d93  Update setup.md  (trishms, Sep 2, 2021)
6d0cd7b  Update setup.md  (trishms, Sep 2, 2021)
07a1334  Update setup.md  (trishms, Sep 2, 2021)
b27838b  Update setup.md  (trishms, Sep 2, 2021)
f42a885  Update setup.md  (trishms, Sep 2, 2021)
8d06662  Update setup.md  (trishms, Sep 2, 2021)
8ce50ad  Merge pull request #6 from trishms/testing  (aschoorl, Sep 9, 2021)
8521cf6  Merge pull request #7 from trishms/setup  (aschoorl, Sep 9, 2021)
161 changes: 142 additions & 19 deletions .clang-format
@@ -1,23 +1,146 @@
BasedOnStyle: LLVM
IndentWidth: 4
ColumnLimit: 120
AlignEscapedNewlines: Left
---
Language: Cpp
# BasedOnStyle: LLVM
AccessModifierOffset: -4
AlignAfterOpenBracket: AlwaysBreak
#
# Bind * to the type rather than the name.
PointerAlignment: Left
#
# Put function name on separate line from return type.
AlwaysBreakAfterReturnType: All
#
# Put arguments either all on same line or on separate lines.
AlignConsecutiveAssignments: false
AlignEscapedNewlines: DontAlign
AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
AllowShortBlocksOnASingleLine: false
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: None
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterDefinitionReturnType: None
AlwaysBreakAfterReturnType: None
AlwaysBreakBeforeMultilineStrings: true
AlwaysBreakTemplateDeclarations: true
BinPackArguments: false
#
# Put function parameters on separate lines.
BinPackParameters: false
#
# Open brace goes on new line only when starting a new struct, enum, or func.
BreakBeforeBraces: Mozilla
#
# Don't sort includes in alphabetical order because Windows headers are odd.
BreakBeforeBinaryOperators: None
BreakBeforeBraces: Custom
BraceWrapping:
AfterCaseLabel: true
AfterClass: true
AfterControlStatement: true
AfterEnum: true
AfterFunction: true
AfterNamespace: false
AfterStruct: true
AfterUnion: true
AfterExternBlock: false
BeforeCatch: true
BeforeElse: true
SplitEmptyFunction: true
SplitEmptyRecord: true
SplitEmptyNamespace: true
BreakBeforeTernaryOperators: true
BreakConstructorInitializers: AfterColon
ColumnLimit: 130
CommentPragmas: '^ IWYU pragma:'
CompactNamespaces: true
ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true
ForEachMacros: [ foreach, Q_FOREACH, BOOST_FOREACH ]
IncludeBlocks: Regroup
IncludeCategories:
- Regex: '^"(stdafx.h|pch.h|precomp.h)"$'
Priority: -1
IndentCaseLabels: false
IndentWidth: 4
IndentWrappedFunctionNames: false
KeepEmptyLinesAtTheStartOfBlocks: true
MacroBlockBegin: '^BEGIN_COM_MAP$|^BEGIN_CONNECTION_POINT_MAP$|^BEGIN_HELPER_NODEMAP$|^BEGIN_MODULE$|^BEGIN_MSG_MAP$|^BEGIN_OBJECT_MAP$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$|^BEGIN_TEST_METHOD_PROPERTIES$'
MacroBlockEnd: '^END_COM_MAP$|^END_CONNECTION_POINT_MAP$|^END_HELPER_NODEMAP$|^END_MODULE$|^END_MSG_MAP$|^END_OBJECT_MAP$|^END_TEST_CLASS$|^END_TEST_METHOD$|^END_TEST_METHOD_PROPERTIES$'
MaxEmptyLinesToKeep: 1
NamespaceIndentation: Inner
ObjCBlockIndentWidth: 2
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PenaltyBreakBeforeFirstCallParameter: 19
PenaltyBreakComment: 300
PenaltyBreakFirstLessLess: 120
PenaltyBreakString: 1000
PenaltyExcessCharacter: 1
PenaltyReturnTypeOnItsOwnLine: 1000
PointerAlignment: Left
SortIncludes: false
SpaceAfterCStyleCast: false
SpaceBeforeAssignmentOperators: true
SpaceBeforeParens: ControlStatements
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
SpacesInContainerLiterals: true
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
StatementMacros: [
_Acquires_exclusive_lock_,
_Acquires_lock_,
_Acquires_nonreentrant_lock_,
_Acquires_shared_lock_,
_Analysis_assume_smart_lock_acquired_,
_Analysis_assume_smart_lock_released_,
_Create_lock_level_,
_Detaches_lock_,
_Function_class_,
_Global_cancel_spin_lock_,
_Global_critical_region_,
_Global_interlock_,
_Global_priority_region_,
_Has_lock_kind_,
_Has_lock_level_,
_IRQL_always_function_max_,
_IRQL_always_function_min_,
_IRQL_raises_,
_IRQL_requires_,
_IRQL_requires_max_,
_IRQL_requires_min_,
_IRQL_requires_same_,
_IRQL_restores_,
_IRQL_restores_global_,
_IRQL_saves_,
_IRQL_saves_global_,
_Lock_level_order_,
_Moves_lock_,
_Must_inspect_result_,
_No_competing_thread_,
_Post_same_lock_,
_Post_writable_byte_size_,
_Pre_satisfies_,
_Releases_exclusive_lock_,
_Releases_lock_,
_Releases_nonreentrant_lock_,
_Releases_shared_lock_,
_Replaces_lock_,
_Requires_exclusive_lock_held_,
_Requires_lock_held_,
_Requires_lock_not_held_,
_Requires_no_locks_held_,
_Requires_shared_lock_held_,
_Ret_maybenull_,
_Ret_range_,
_Success_,
_Swaps_locks_,
_Use_decl_annotations_,
_When_,
RpcEndExcept,
]
TabWidth: 4
TypenameMacros: [
IFACEMETHOD,
STDMETHOD,
]
UseTab: Never
...
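Review bot: this hunk replaces the repository's .clang-format wholesale instead of extending it, and it reverses several settings the old four-line header and its comments chose on purpose: ColumnLimit goes from 120 to 130, AlwaysBreakAfterReturnType from All to None (with PenaltyReturnTypeOnItsOwnLine: 1000 on top, so return types move back onto the function line), and BreakBeforeBraces from Mozilla to a Custom BraceWrapping set. Every existing source file will be reflowed by the next format pass, which is unrelated churn in a PR whose content is the flow and MAC hooks. Keep the upstream file as it is and format only the new files to it, or move the style change into its own PR where it can be judged on its own; the commit "Reformat ebpf progs to OS repo clang format" suggests the second option was the real intent.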

31 changes: 31 additions & 0 deletions ebpf-for-windows.sln
@@ -72,6 +72,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "setup_build", "scripts\setu
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "port_quota", "tools\port_quota\port_quota.vcxproj", "{DDADF35D-C02C-40BB-9F95-5BF8BFDB51CE}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "console", "tools\data_usage\console.vcxproj", "{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "port_leak", "tools\port_leak\port_leak.vcxproj", "{DB2AF239-5251-43F1-BABF-11E707DC5523}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "platform_user", "libs\platform\user\platform_user.vcxproj", "{C26CB6A9-158C-4A9E-A243-755DDD98E5FE}"
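Review bot: the new project is registered as plain "console" next to port_quota and port_leak, which both carry a descriptive name; since the file lives under tools\data_usage, name the solution entry data_usage_console (or data_usage) so build logs and the solution explorer say what it is. Also confirm that {A6340F56-8DEE-48EE-9248-E9FAAF3BA450} is the ProjectGuid inside console.vcxproj; if it is not, the per-configuration mappings added further down in this file refer to nothing and the project silently drops out of the build.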
@@ -506,6 +508,35 @@ Global
{DDADF35D-C02C-40BB-9F95-5BF8BFDB51CE}.RelWithDebInfo|x64.Build.0 = Release|x64
{DDADF35D-C02C-40BB-9F95-5BF8BFDB51CE}.RelWithDebInfo|x86.ActiveCfg = Release|Win32
{DDADF35D-C02C-40BB-9F95-5BF8BFDB51CE}.RelWithDebInfo|x86.Build.0 = Release|Win32
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Debug|ARM.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Debug|ARM64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Debug|x64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Debug|x64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Debug|x86.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|ARM.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|ARM.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|ARM64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|ARM64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|x64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|x64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|x86.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.MinSizeRel|x86.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|ARM.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|ARM.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|ARM64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|ARM64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|x64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|x64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|x86.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.Release|x86.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|ARM.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|ARM.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|ARM64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|ARM64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|x64.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|x64.Build.0 = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|x86.ActiveCfg = Debug|x64
{A6340F56-8DEE-48EE-9248-E9FAAF3BA450}.RelWithDebInfo|x86.Build.0 = Debug|x64
{DB2AF239-5251-43F1-BABF-11E707DC5523}.Debug|ARM.ActiveCfg = Debug|Win32
{DB2AF239-5251-43F1-BABF-11E707DC5523}.Debug|ARM64.ActiveCfg = Debug|Win32
{DB2AF239-5251-43F1-BABF-11E707DC5523}.Debug|x64.ActiveCfg = Debug|x64
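Review bot: every configuration of the console project, including Release|x64 and RelWithDebInfo|x64, is mapped to Debug|x64, so a release build of the solution ships an unoptimised debug console binary; the port_quota entries just above map RelWithDebInfo|x64 to Release|x64 and RelWithDebInfo|x86 to Release|Win32, and the console entries should follow that pattern. The ARM, ARM64 and x86 lines also carry Build.0 entries, which makes the project build (as x64) whenever one of those solution platforms is selected; port_leak's ARM and ARM64 entries set only ActiveCfg. Drop the Build.0 lines for platforms the project does not actually target.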
6 changes: 6 additions & 0 deletions ebpfapi/ebpfapi.vcxproj
@@ -44,6 +44,12 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<PlatformToolset>v142</PlatformToolset>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<PlatformToolset>v142</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
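Review bot: the two new Win32 property groups set only PlatformToolset, while the existing configuration group right above them also sets WholeProgramOptimization and CharacterSet, so a Debug|Win32 or Release|Win32 build of ebpfapi would inherit defaults for everything else. If a Win32 build of ebpfapi is really wanted, give these groups the same properties as the x64 ones; if they were added only to stop Visual Studio from complaining about a missing Win32 configuration when the new console project is loaded, say so in the commit message so the next reader does not assume Win32 is a supported target.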
32 changes: 32 additions & 0 deletions include/ebpf_api.h
@@ -32,6 +32,20 @@ extern "C"
__declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_BIND = {
0xb9707e04, 0x8127, 0x4c72, {0x83, 0x3e, 0x05, 0xb1, 0xfb, 0x43, 0x94, 0x96}};

/** @brief Attach type for flow established layer.
*
* Program type: \ref EBPF_PROGRAM_TYPE_FLOW
*/
__declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_FLOW = {
0x8606fa87, 0x72aa, 0x4c31, {0x88, 0x9e, 0x04, 0xbb, 0xb2, 0xdc, 0xa8, 0x9a}};

/** @brief Attach type for MAC layer.
*
* Program type: \ref EBPF_PROGRAM_TYPE_MAC
*/
__declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_MAC = {
0x6f9676f8, 0xaa95, 0x4f80, {0xa4, 0xb7, 0x48, 0x10, 0xbd, 0xb3, 0xfd, 0x61}};

__declspec(selectany) ebpf_attach_type_t EBPF_ATTACH_TYPE_SAMPLE = {
0xf788ef4b, 0x207d, 0x4dc3, {0x85, 0xcf, 0x0f, 0x2e, 0xa1, 0x07, 0x21, 0x3c}};
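Review bot: the doc comment calls EBPF_ATTACH_TYPE_MAC an attach type for the "MAC layer", but the context this hook receives (mac_md_t in include/ebpf_nethooks.h in the same PR) is a five-tuple of IP addresses, ports and protocol plus a packet length, i.e. L3/L4 data, not link-layer data. Either name the attach type after the layer it actually hooks or spell out in the comment what "MAC layer" means here. Both new GUIDs become public ABI the moment they ship in this header, so confirm the values are final before the PR leaves draft, and add the two attach types (and which extension provides them; ebpf_nethooks.h says netebpfext.sys) to the documentation that lists attach types.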

@@ -59,6 +73,24 @@ extern "C"
__declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_BIND = {
0x608c517c, 0x6c52, 0x4a26, {0xb6, 0x77, 0xbb, 0x1c, 0x34, 0x42, 0x5a, 0xdf}};

/** @brief Program type for flow established layer.
*
* Attach type(s): \ref EBPF_ATTACH_TYPE_FLOW
*
* Helpers available: see ebpf_helpers.h
*/
__declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_FLOW = {
0x75fa0380, 0x999c, 0x461d, {0xa1, 0x84, 0x07, 0x54, 0xf0, 0x53, 0xab, 0x1d}};

/** @brief Program type for MAC layer.
*
* Attach type(s): \ref EBPF_ATTACH_TYPE_MAC
*
* Helpers available: see ebpf_helpers.h
*/
__declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_MAC = {
0x930232df, 0x0699, 0x4f41, {0x92, 0x24, 0x4a, 0xc1, 0xb7, 0x4c, 0xea, 0x4d}};

__declspec(selectany) ebpf_program_type_t EBPF_PROGRAM_TYPE_SAMPLE = {
0xf788ef4a, 0x207d, 0x4dc3, {0x85, 0xcf, 0x0f, 0x2e, 0xa1, 0x07, 0x21, 0x3c}};
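Review bot: "Helpers available: see ebpf_helpers.h" is copied from the existing entries and only covers the generic helpers; if the flow and MAC programs can call anything exposed by netebpfext.sys beyond those, list it here or point at include/ebpf_nethooks.h, which is where the hook contexts and prototypes for these program types live. The EBPF_PROGRAM_TYPE_MAC comment also inherits the naming problem of its attach type: the program receives a five-tuple and a packet length rather than link-layer data, so "MAC layer" will mislead anyone picking a program type from this header.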

36 changes: 36 additions & 0 deletions include/ebpf_nethooks.h
@@ -2,6 +2,7 @@
// SPDX-License-Identifier: MIT
#pragma once
#include <stdint.h>
#include <stdbool.h>

// This file contains APIs for hooks and helpers that are
// exposed by netebpfext.sys for use by eBPF programs.
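Review bot: <stdbool.h> is pulled in only for the bool members of the new context structs further down in this file. bool has no fixed size or layout guarantee across the toolchains that see this header (the kernel extension and user-mode builds on one side, the BPF-target compile of the eBPF program on the other), and these structs are handed from netebpfext.sys to the program, so the flag fields should be fixed-width uint8_t instead; <stdint.h> is already included, and this include then becomes unnecessary.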
@@ -74,3 +75,38 @@ typedef enum _bind_action
*/
typedef bind_action_t
bind_hook_t(bind_md_t* context);


// Five-tuple Struct
typedef struct _five_tuple
{
bool v4;
uint8_t source_ip[16];
uint8_t dest_ip[16];
uint16_t source_port;
uint16_t dest_port;
uint8_t protocol;
} five_tuple_t;

//Flow Established Hook
typedef struct _flow_md
{
uint8_t* app_name_start;
uint8_t* app_name_end;
bool flow_established_flag;
five_tuple_t five_tuple;
} flow_md_t;

typedef int
flow_hook_t(flow_md_t* context);

//MAC Hook
typedef struct _mac_md
{
five_tuple_t five_tuple;
uint64_t packet_length;
bool v4;
} mac_md_t;

typedef int
mac_hook_t(mac_md_t* context);
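Review bot: flow_hook_t and mac_hook_t are declared as returning a bare int with no statement of what the value means, while bind_hook_t directly above returns the documented bind_action_t enum; give each new hook its own action enum and a doxygen block in the same style as the bind types (the new code has only "//Flow Established Hook" and "//MAC Hook", which also need a space after the slashes to match the file's other comments). Two layout points on the context structs: mac_md_t carries its own v4 next to five_tuple.v4, so one of them is redundant and the two can disagree; and the bool members (five_tuple_t::v4, flow_established_flag, mac_md_t::v4) have no fixed size across the compilers that build the extension and the BPF-target program, so use uint8_t for fields in a kernel-to-program context. Finally, app_name_start and app_name_end form a pointer range the program will read from; the verifier can only permit that if the range is described in the program type's context descriptor, and the comment should say whether the name is NUL-terminated or delimited only by app_name_end, and what the program sees when no name is available.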
2 changes: 2 additions & 0 deletions libs/api/Verifier.cpp
@@ -14,6 +14,8 @@
#include "ebpf_program_types.h"
#include "ebpf_verifier_wrapper.hpp"
#include "ebpf_xdp_program_data.h"
#include "ebpf_flow_program_data.h"
#include "ebpf_mac_program_data.h"
#include "elfio_wrapper.hpp"
#include "platform.hpp"
#include "tlv.h"
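Review bot: the two new includes are appended after ebpf_xdp_program_data.h, which breaks the alphabetical order the rest of the block keeps (ebpf_program_types.h, ebpf_verifier_wrapper.hpp, ebpf_xdp_program_data.h, elfio_wrapper.hpp, platform.hpp, tlv.h); ebpf_flow_program_data.h and ebpf_mac_program_data.h belong before ebpf_program_types.h. Nothing else in this hunk uses the encoded program info arrays those headers define; unless Verifier.cpp references them elsewhere, drop the includes here, since the selection by program type happens in libs/api_common/windows_helpers.cpp.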
2 changes: 1 addition & 1 deletion libs/api_common/api_common.vcxproj
@@ -199,4 +199,4 @@
</PropertyGroup>
<Error Condition="!Exists('..\..\packages\boost.1.75.0.0\build\boost.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\boost.1.75.0.0\build\boost.targets'))" />
</Target>
</Project>
</Project>
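Review bot: the only change here is the missing newline at end of file. It is harmless, but it is unrelated to the hooks and will surface as a conflict for anyone else editing this project file; keep it only if the project wants trailing newlines enforced everywhere, otherwise leave api_common.vcxproj out of this PR.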
2 changes: 2 additions & 0 deletions libs/api_common/device_helper.cpp
@@ -14,6 +14,8 @@
#include "ebpf_protocol.h"
#include "ebpf_result.h"
#include "ebpf_xdp_program_data.h"
#include "ebpf_flow_program_data.h"
#include "ebpf_mac_program_data.h"
#include "platform.h"
#include "platform.hpp"
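Review bot: same include placement issue as in libs/api/Verifier.cpp: ebpf_flow_program_data.h and ebpf_mac_program_data.h are appended after ebpf_xdp_program_data.h rather than in alphabetical position before ebpf_protocol.h, and if device_helper.cpp never touches the encoded arrays they define, the includes are not needed in this file at all.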

8 changes: 8 additions & 0 deletions libs/api_common/windows_helpers.cpp
@@ -14,6 +14,8 @@
#include "ebpf_result.h"
#include "ebpf_serialize.h"
#include "ebpf_xdp_program_data.h"
#include "ebpf_flow_program_data.h"
#include "ebpf_mac_program_data.h"
#include "platform.h"
#include "platform.hpp"
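Review bot: this is the one file where the new program-data headers are actually used (get_program_type_info below selects the arrays they define), so the includes are right; only their position is off. Move ebpf_flow_program_data.h and ebpf_mac_program_data.h ahead of ebpf_result.h to keep the block alphabetical.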

@@ -116,6 +118,12 @@ get_program_type_info(const ebpf_program_info_t** info)
} else if (memcmp(program_type, &EBPF_PROGRAM_TYPE_BIND, sizeof(*program_type)) == 0) {
encoded_data = _ebpf_encoded_bind_program_info_data;
encoded_data_size = sizeof(_ebpf_encoded_bind_program_info_data);
} else if (memcmp(program_type, &EBPF_PROGRAM_TYPE_FLOW, sizeof(*program_type)) == 0) {
encoded_data = _ebpf_encoded_flow_program_info_data;
encoded_data_size = sizeof(_ebpf_encoded_flow_program_info_data);
} else if (memcmp(program_type, &EBPF_PROGRAM_TYPE_MAC, sizeof(*program_type)) == 0) {
encoded_data = _ebpf_encoded_mac_program_info_data;
encoded_data_size = sizeof(_ebpf_encoded_mac_program_info_data);
}
ebpf_assert(encoded_data != nullptr);
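Review bot: the chain still ends with ebpf_assert(encoded_data != nullptr) as the only handling of an unrecognised program type; if ebpf_assert compiles out of release builds, as its name suggests, a program type matching none of the five branches continues with encoded_data == nullptr. Since this hunk already extends the chain, add a final else branch that returns an error from get_program_type_info rather than relying on the assert. Five memcmp branches that differ only in which _ebpf_encoded_*_program_info_data array they pick is also the point to switch to a static table of {program type, data pointer, size} entries searched in a loop, so the next program type becomes a one-line addition instead of another copy of this block.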
