The eBPF bytecode is sent to a static verifier (the [PREVAIL verifier](https://github.com/vbpf/ebpf-verifier))
that is hosted in a user-mode [protected process](https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#system-protected-process)
(a Windows security environment that allows a kernel component to trust a user-mode daemon signed by
a key that it trusts). If the bytecode passes all the verifier checks, it can either be loaded into
an interpreter (from [uBPF](https://github.com/iovisor/ubpf)) in the kernel-mode execution context, or
be JIT compiled (via the [uBPF](https://github.com/iovisor/ubpf) JIT compiler) and have the resulting native code loaded
into the kernel-mode execution context (but see the FAQ at the bottom about HVCI).

*Temporary Note: some parts are still under development and may not appear
when building the master branch, but the end-to-end functionality can still be tested immediately
while the security hardening is still in progress.*

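To make the verifier's role concrete, here is an added toy static verifier (written for this README; it is not PREVAIL, not uBPF, and not part of this project) that decodes the real 8-byte eBPF instruction encoding and abstractly executes a small opcode subset. It rejects the kinds of programs a kernel must never run unverified: reads of uninitialized registers, dereferences through non-pointer registers, out-of-bounds context or stack accesses, backward jumps (loops), and control flow that runs off the end without `exit`. The context size (`CTX_SIZE`), the sample programs, and the single-pass "every loaded value is an unknown scalar" rule are constructed simplifications; a production verifier tracks far more (value ranges, spilled pointer types, helper call signatures, bounded loops).

```python
"""Toy eBPF static verifier (constructed example; not PREVAIL, not uBPF)."""
import struct

# Real eBPF encoding: op:u8, regs:u8 (dst = low nibble, src = high nibble),
# off:i16, imm:i32, all little-endian.
INSN = struct.Struct("<BBhi")

# Opcodes understood by the toy (values are the real eBPF opcode bytes).
MOV64_IMM, MOV64_REG, ADD64_IMM = 0xB7, 0xBF, 0x07
LDXW, LDXDW, STXDW = 0x61, 0x79, 0x7B   # dst=*(u32*)(src+off), dst=*(u64*)(src+off), *(u64*)(dst+off)=src
JA, JGT_IMM, JGT_REG, EXIT = 0x05, 0x25, 0x2D, 0x95

CTX_SIZE = 16     # assumed size of the hook's context struct (constructed value)
STACK_SIZE = 512  # eBPF stack frame size

# Abstract register values: ("uninit",), ("scalar",), ("ctx", offset), ("stack", offset)
UNINIT, SCALAR = ("uninit",), ("scalar",)


class VerifierError(Exception):
    pass


def assemble(insns):
    """Pack (op, dst, src, off, imm) tuples into eBPF bytecode."""
    return b"".join(INSN.pack(op, dst | (src << 4), off, imm) for op, dst, src, off, imm in insns)


def decode(code):
    """Unpack bytecode into (op, dst, src, off, imm) tuples."""
    if len(code) % INSN.size:
        raise VerifierError("bytecode length is not a multiple of 8")
    out = []
    for i in range(0, len(code), INSN.size):
        op, regs, off, imm = INSN.unpack_from(code, i)
        out.append((op, regs & 0xF, regs >> 4, off, imm))
    return out


def check_access(pc, regs, r, off, size, what):
    """Reject a memory access unless r holds a pointer whose [off, off+size) lies inside its region."""
    val = regs[r]
    if val[0] == "ctx":
        lo, hi = 0, CTX_SIZE
    elif val[0] == "stack":
        lo, hi = -STACK_SIZE, 0
    else:
        raise VerifierError(f"insn {pc}: {what} through non-pointer r{r} ({val[0]})")
    start = val[1] + off
    if start < lo or start + size > hi:
        raise VerifierError(f"insn {pc}: {what} at {val[0]}{start:+d} out of bounds")


def verify(code):
    """Explore every path with a DFS over (pc, register state); raise VerifierError on rejection."""
    insns = decode(code)
    if not insns:
        raise VerifierError("empty program")
    init = [UNINIT] * 11
    init[1] = ("ctx", 0)      # r1 = pointer to the hook context on entry
    init[10] = ("stack", 0)   # r10 = read-only frame pointer
    work, seen = [(0, tuple(init))], set()
    while work:
        pc, regs = work.pop()
        if (pc, regs) in seen:
            continue
        seen.add((pc, regs))
        if pc >= len(insns):
            raise VerifierError(f"control flow runs off the end at insn {pc} (missing exit)")
        op, dst, src, off, imm = insns[pc]
        regs = list(regs)

        def read(r):
            if regs[r] == UNINIT:
                raise VerifierError(f"insn {pc}: r{r} read before it was written")
            return regs[r]

        def write(r, val):
            if r == 10:
                raise VerifierError(f"insn {pc}: r10 is read-only")
            regs[r] = val

        def jump(target):
            if target <= pc:
                raise VerifierError(f"insn {pc}: backward jump to {target} (loops rejected)")
            work.append((target, tuple(regs)))

        if op == EXIT:
            read(0)           # r0 is the program's return value
            continue
        if op == MOV64_IMM:
            write(dst, SCALAR)
        elif op == MOV64_REG:
            write(dst, read(src))
        elif op == ADD64_IMM:
            val = read(dst)   # pointer + constant keeps the pointer kind and shifts its offset
            write(dst, (val[0], val[1] + imm) if len(val) == 2 else SCALAR)
        elif op in (LDXW, LDXDW):
            check_access(pc, regs, src, off, 4 if op == LDXW else 8, "load")
            write(dst, SCALAR)   # toy: every loaded value is an unknown scalar
        elif op == STXDW:
            read(src)
            check_access(pc, regs, dst, off, 8, "store")
        elif op == JA:
            jump(pc + 1 + off)
            continue
        elif op in (JGT_IMM, JGT_REG):
            if read(dst) != SCALAR or (op == JGT_REG and read(src) != SCALAR):
                raise VerifierError(f"insn {pc}: comparison on a pointer register")
            jump(pc + 1 + off)   # taken branch; fall-through is pushed below
        else:
            raise VerifierError(f"insn {pc}: opcode 0x{op:02x} not supported by the toy")
        work.append((pc + 1, tuple(regs)))
    return len(seen)


def check(code):
    """Convenience wrapper: (accepted, reason)."""
    try:
        return True, f"accepted after exploring {verify(code)} states"
    except VerifierError as e:
        return False, str(e)


# Constructed sample programs (pseudo-assembly in the comments).
ACCEPT_CTX = assemble([
    (LDXW, 2, 1, 0, 0),        # r2 = *(u32*)(r1 + 0)   (a u32 field at context offset 0)
    (JGT_IMM, 2, 0, 2, 1500),  # if r2 > 1500 goto +2
    (MOV64_IMM, 0, 0, 0, 1),   # r0 = 1
    (EXIT, 0, 0, 0, 0),
    (MOV64_IMM, 0, 0, 0, 0),   # r0 = 0
    (EXIT, 0, 0, 0, 0),
])
ACCEPT_STACK = assemble([
    (MOV64_REG, 2, 10, 0, 0),  # r2 = r10
    (ADD64_IMM, 2, 0, 0, -8),  # r2 += -8                -> stack-8
    (STXDW, 2, 1, 0, 0),       # *(u64*)(r2 + 0) = r1   (spill the context pointer)
    (LDXDW, 3, 2, 0, 0),       # r3 = *(u64*)(r2 + 0)
    (MOV64_IMM, 0, 0, 0, 0),
    (EXIT, 0, 0, 0, 0),
])
REJECT_OOB = assemble([(LDXDW, 2, 1, 16, 0), (MOV64_IMM, 0, 0, 0, 0), (EXIT, 0, 0, 0, 0)])
REJECT_UNINIT = assemble([(EXIT, 0, 0, 0, 0)])
REJECT_SCALAR = assemble([(MOV64_IMM, 2, 0, 0, 0), (LDXDW, 0, 2, 0, 0), (EXIT, 0, 0, 0, 0)])
REJECT_LOOP = assemble([(MOV64_IMM, 0, 0, 0, 0), (JA, 0, 0, -2, 0), (EXIT, 0, 0, 0, 0)])
REJECT_NO_EXIT = assemble([(MOV64_IMM, 0, 0, 0, 0)])
REJECT_STACK = assemble([(STXDW, 10, 1, -520, 0), (MOV64_IMM, 0, 0, 0, 0), (EXIT, 0, 0, 0, 0)])

if __name__ == "__main__":
    for name, prog in [("ACCEPT_CTX", ACCEPT_CTX), ("ACCEPT_STACK", ACCEPT_STACK),
                       ("REJECT_OOB", REJECT_OOB), ("REJECT_UNINIT", REJECT_UNINIT),
                       ("REJECT_SCALAR", REJECT_SCALAR), ("REJECT_LOOP", REJECT_LOOP),
                       ("REJECT_NO_EXIT", REJECT_NO_EXIT), ("REJECT_STACK", REJECT_STACK)]:
        print(f"{name:15} {check(prog)}")
```

The design point worth noticing is that the verifier never executes the bytecode; it abstractly interprets every reachable path over register *types* and offsets, so a program is accepted only if every path ends in `exit` with `r0` set and every memory access is provably inside a known region. That is what lets the kernel-mode execution context trust the result once the protected-process boundary guarantees the bytecode it loads is the bytecode that was checked.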
eBPF programs installed into the kernel-mode execution context can attach to various hooks (currently
two: XDP and a socket bind hook) and call various helper APIs exposed by the eBPF shim,
which internally wraps public Windows kernel APIs, allowing the use of eBPF on existing versions of Windows.
More hooks and helpers will be added over time.

## Getting Started

This project supports eBPF on Windows 10, and on Windows Server 2016 or later.

To try out this project, see our [Getting Started Guide](docs/GettingStarted.md).

Want to help? We welcome contributions! See our [Contributing guidelines](CONTRIBUTING.md).