ebpf-for-windows/README.md

# eBPF on Windows

## Prerequisites

The following must be installed in order to build this project:

1. Git (e.g., [Git for Windows 64-bit](https://git-scm.com/download/win))
2. [Visual Studio 2019](https://visualstudio.microsoft.com/vs/), including
   the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)"
   which must be selected as an Individual component in the VS installer
3. [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe)
4. [WDK for Windows 10, version 2004](https://go.microsoft.com/fwlink/?linkid=2128854)
5. [Clang/LLVM for Windows 64-bit](https://github.com/llvm/llvm-project/releases/download/llvmorg-8.0.1/LLVM-8.0.1-win64.exe)

## How to build the demo project

1. ```git clone -b demo --recurse-submodules https://msazure.visualstudio.com/DefaultCollection/One/_git/EdgeOS-CoreNetworking-WindowsEbpf```
2. ```cd EdgeOS-CoreNetworking-WindowsEbpf```
3. ```cmake -S external\ebpf-verifier -B external\ebpf-verifier\build```
4. Open ebpf-demo.sln
5. Switch to debug / x64
6. Build solution

## Demo script

### Prep 
1. Setup 2 VMs, attacker and defender
2. On defender, install and setup DNS
3. On defender, make sure KD is attached and running.
1. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
2. Copy ebpfcore.sys to %windir%\system32\drivers
3. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
4. sc create EbpfCore type=kernel start=boot binpath=%windir%\system32\drivers\ebpfcore.sys
5. sc start EbpfCore
6. netsh add helper %windir%\system32\ebpfnetsh.dll
7. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe)
8. Copy droppacket.c and ebpf.h to a folder (like c:\test)


### Demo
#### On attacker machine
1. Copy DnsFlood.exe to attacker machine
2. Run ```for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>```

#### On defender machine
1. Start perfomance monitor and add UDPv4 Datagrams/sec
2. Show that 200K packets per second are being received
3. Show & explain code of droppacket.c 
4. Compile droppacket.c ```clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o```
5. Show eBPF byte code for droppacket.o ```netsh ebpf show disassembly droppacket.o xdp```
6. Show that the verifier checks the code ```netsh ebpf show verification droppacket.o xdp```
7. Launch netsh ```netsh```
8. Switch to ebpf context ```ebpf```
9. Load eBPF program ```add program droppacket.o xdp```
10. Show UDP datagrams received drop to under 10 per second
11. Unload program ```delete program droppacket.o xdp```
12. Show UDP datagrams received drop to back up to ~200K per second
13. Modify droppacket.c to be unsafe - Comment out line 20 & 21
14. Compile droppacket.c ```clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o```
15. Show that the verifier rejects the code ```netsh ebpf show verification droppacket.o xdp```
16. Show that loading the program fails ```netsh ebpf add program droppacket.o xdp```
Add prereqs to readme file Rename README_build to README Add standard LICENSE file Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-02-13 03:16:49 +03:00			`# eBPF on Windows`

			`## Prerequisites`

			`The following must be installed in order to build this project:`

			`1. Git (e.g., [Git for Windows 64-bit](https://git-scm.com/download/win))`
			`2. [Visual Studio 2019](https://visualstudio.microsoft.com/vs/), including`
			`the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)"`
			`which must be selected as an Individual component in the VS installer`
			`3. [Visual Studio Build Tools 2019](https://aka.ms/vs/16/release/vs_buildtools.exe)`
			`4. [WDK for Windows 10, version 2004](https://go.microsoft.com/fwlink/?linkid=2128854)`
			`5. [Clang/LLVM for Windows 64-bit](https://github.com/llvm/llvm-project/releases/download/llvmorg-8.0.1/LLVM-8.0.1-win64.exe)`

			`## How to build the demo project`

			1. ```git clone -b demo --recurse-submodules https://msazure.visualstudio.com/DefaultCollection/One/_git/EdgeOS-CoreNetworking-WindowsEbpf```
			2. ```cd EdgeOS-CoreNetworking-WindowsEbpf```
Add setup_build project to install git hook Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-03-06 08:08:31 +03:00			3. ```cmake -S external\ebpf-verifier -B external\ebpf-verifier\build```
			`4. Open ebpf-demo.sln`
			`5. Switch to debug / x64`
			`6. Build solution`
Add prereqs to readme file Rename README_build to README Add standard LICENSE file Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-02-13 03:16:49 +03:00
			`## Demo script`

			`### Prep`
			`1. Setup 2 VMs, attacker and defender`
			`2. On defender, install and setup DNS`
			`3. On defender, make sure KD is attached and running.`
			`1. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)`
Update to use latest verifier fixes and error messages Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-02-27 02:36:50 +03:00			`2. Copy ebpfcore.sys to %windir%\system32\drivers`
Add prereqs to readme file Rename README_build to README Add standard LICENSE file Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com> 2021-02-13 03:16:49 +03:00			`3. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32`
			`4. sc create EbpfCore type=kernel start=boot binpath=%windir%\system32\drivers\ebpfcore.sys`
			`5. sc start EbpfCore`
			`6. netsh add helper %windir%\system32\ebpfnetsh.dll`
			`7. Install [clang](https://github.com/llvm/llvm-project/releases/download/llvmorg-11.0.0/LLVM-11.0.0-win64.exe)`
			`8. Copy droppacket.c and ebpf.h to a folder (like c:\test)`


			`### Demo`
			`#### On attacker machine`
			`1. Copy DnsFlood.exe to attacker machine`
			2. Run ```for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>```

			`#### On defender machine`
			`1. Start perfomance monitor and add UDPv4 Datagrams/sec`
			`2. Show that 200K packets per second are being received`
			`3. Show & explain code of droppacket.c`
			4. Compile droppacket.c ```clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o```
			5. Show eBPF byte code for droppacket.o ```netsh ebpf show disassembly droppacket.o xdp```
			6. Show that the verifier checks the code ```netsh ebpf show verification droppacket.o xdp```
			7. Launch netsh ```netsh```
			8. Switch to ebpf context ```ebpf```
			9. Load eBPF program ```add program droppacket.o xdp```
			`10. Show UDP datagrams received drop to under 10 per second`
			11. Unload program ```delete program droppacket.o xdp```
			`12. Show UDP datagrams received drop to back up to ~200K per second`
			`13. Modify droppacket.c to be unsafe - Comment out line 20 & 21`
			14. Compile droppacket.c ```clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o```
			15. Show that the verifier rejects the code ```netsh ebpf show verification droppacket.o xdp```
			16. Show that loading the program fails ```netsh ebpf add program droppacket.o xdp```