More cleanup (#91)
Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
This commit is contained in:
Родитель
762e25939f
Коммит
08c116b8d6
|
@ -53,7 +53,7 @@ Set up 2 VMs, which we will refer to as the "attacker" machine and the "defender
|
|||
|
||||
On the defender machine, do the following:
|
||||
1. Install and set up a DNS server
|
||||
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternative-to-running-with-kernel-debugger-attached) is in place
|
||||
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternatives-to-running-with-kernel-debugger-attached) is in place
|
||||
3. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
|
||||
4. Copy ebpfcore.sys to %windir%\system32\drivers
|
||||
5. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
|
||||
|
|
|
@ -289,7 +289,7 @@ Verification succeeded
|
|||
The verification command succeeded because there was only one
|
||||
non-empty TEXT section in bpf.o, so the verifier found it and used that
|
||||
as the eBPF program to verify. If we try the same on an object file with
|
||||
multiple such sections, we instead get this:
|
||||
multiple such sections, we get this:
|
||||
|
||||
```
|
||||
> netsh ebpf show verification bpf2.o
|
||||
|
@ -529,7 +529,7 @@ are safe to access start at offset 16.
|
|||
With the above, our sample program will pass verification:
|
||||
|
||||
```
|
||||
> >netsh ebpf show verification myxdp.o
|
||||
> netsh ebpf show verification myxdp.o
|
||||
|
||||
Verification succeeded
|
||||
```
|
||||
|
@ -880,7 +880,7 @@ RELOCATION RECORDS FOR [.relmyprog]:
|
|||
0000000000000040 R_BPF_64_64 map
|
||||
```
|
||||
|
||||
This record means that the actual address of map should be inserted at
|
||||
This record means that the actual address of `map` should be inserted at
|
||||
offset 0x40, but where is that? llvm-objdump and check both gave us
|
||||
instruction numbers not offsets, but we can see the raw bytes as follows:
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
Abstract:
|
||||
WDF based driver that does the following:
|
||||
1. Registers as a WFP L2 Callout
|
||||
2. Opens a IOCTL surface
|
||||
2. Opens an IOCTL surface
|
||||
|
||||
Environment:
|
||||
|
||||
|
@ -71,9 +71,9 @@ static VOID
|
|||
EbpfCoreEvtIoDeviceControl(
|
||||
_In_ WDFQUEUE queue,
|
||||
_In_ WDFREQUEST request,
|
||||
_In_ size_t output_buffer_length,
|
||||
_In_ size_t input_buffer_length,
|
||||
_In_ ULONG io_control_code);
|
||||
size_t output_buffer_length,
|
||||
size_t input_buffer_length,
|
||||
ULONG io_control_code);
|
||||
|
||||
inline NTSTATUS
|
||||
ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
|
||||
|
@ -88,8 +88,7 @@ ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
|
|||
case EBPF_ERROR_INVALID_PARAMETER:
|
||||
return STATUS_INVALID_PARAMETER;
|
||||
case EBPF_ERROR_BLOCKED_BY_POLICY:
|
||||
// TODO: Find a better error code for this.
|
||||
return STATUS_NOT_SUPPORTED;
|
||||
return STATUS_CONTENT_BLOCKED;
|
||||
case EBPF_ERROR_NO_MORE_KEYS:
|
||||
return STATUS_NO_MORE_MATCHES;
|
||||
case EBPF_ERROR_INVALID_HANDLE:
|
||||
|
@ -173,7 +172,7 @@ EbpfCoreInitDriverObjects(
|
|||
|
||||
device_create_flag = TRUE;
|
||||
|
||||
// create symbolic link for control object for um
|
||||
// Create symbolic link for control object for user mode.
|
||||
RtlInitUnicodeString(&ebpf_symbolic_device_name, EBPF_SYMBOLIC_DEVICE_NAME);
|
||||
status = WdfDeviceCreateSymbolicLink(*device, &ebpf_symbolic_device_name);
|
||||
|
||||
|
@ -220,9 +219,9 @@ static VOID
|
|||
EbpfCoreEvtIoDeviceControl(
|
||||
_In_ WDFQUEUE queue,
|
||||
_In_ WDFREQUEST request,
|
||||
_In_ size_t output_buffer_length,
|
||||
_In_ size_t input_buffer_length,
|
||||
_In_ ULONG io_control_code)
|
||||
size_t output_buffer_length,
|
||||
size_t input_buffer_length,
|
||||
ULONG io_control_code)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
WDFDEVICE device;
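Review bot: In the `@ -88,8 +88,7` hunk the policy-denial case now returns `STATUS_CONTENT_BLOCKED` where it returned `STATUS_NOT_SUPPORTED` (if I read the sides right), which is a caller-visible behaviour change rather than cleanup: anything in the API layer or netsh that matched on `STATUS_NOT_SUPPORTED` to recognise a policy block will now see a different status, and the commit description does not mention it. Worth a line in the description and a comment at the case, `// Distinct status so callers can tell a policy denial from an unsupported request.`, so a later tidy-up does not fold it back into a generic code. `ebpf_error_code_to_ntstatus` starts before the hunk, so I could not see how unlisted codes are handled.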
|
||||
|
|
|
@ -120,7 +120,7 @@ ebpf_hook_layer_2_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
|
||||
|
||||
static void
|
||||
|
@ -130,7 +130,7 @@ ebpf_hook_resource_allocation_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
|
||||
|
||||
static void
|
||||
|
@ -140,17 +140,15 @@ ebpf_hook_resource_release_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output);
|
||||
|
||||
static void
|
||||
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context);
|
||||
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context);
|
||||
|
||||
static NTSTATUS
|
||||
ebpf_hook_no_op_notify(
|
||||
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
|
||||
_In_ const GUID* filter_key,
|
||||
_Inout_ const FWPS_FILTER* filter);
|
||||
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter);
|
||||
|
||||
typedef struct _ebpf_wfp_callout_state
|
||||
{
|
||||
|
@ -411,7 +409,7 @@ ebpf_hook_layer_2_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
|
||||
/* ++
|
||||
|
||||
|
@ -483,7 +481,7 @@ ebpf_hook_resource_allocation_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
|
||||
/* ++
|
||||
|
||||
|
@ -538,7 +536,7 @@ ebpf_hook_resource_release_classify(
|
|||
_Inout_opt_ void* layer_data,
|
||||
_In_opt_ const void* classify_context,
|
||||
_In_ const FWPS_FILTER* filter,
|
||||
_In_ uint64_t flow_context,
|
||||
uint64_t flow_context,
|
||||
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
|
||||
/* ++
|
||||
|
||||
|
@ -580,9 +578,7 @@ ebpf_hook_resource_release_classify(
|
|||
|
||||
static NTSTATUS
|
||||
ebpf_hook_no_op_notify(
|
||||
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
|
||||
_In_ const GUID* filter_key,
|
||||
_Inout_ const FWPS_FILTER* filter)
|
||||
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(callout_notification_type);
|
||||
UNREFERENCED_PARAMETER(filter_key);
|
||||
|
@ -592,7 +588,7 @@ ebpf_hook_no_op_notify(
|
|||
}
|
||||
|
||||
static void
|
||||
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context)
|
||||
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context)
|
||||
/* ++
|
||||
|
||||
This is the flowDeleteFn function of the L2 callout.
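Review bot: In the `@ -140,17 +140,15` hunk the reflowed prototype of `ebpf_hook_no_op_notify` keeps `_Inout_ const FWPS_FILTER* filter`, and the definition in the `@ -580,9 +578,7` hunk repeats it; `_Inout_` says the callee writes through the pointer while the pointee is `const`, so the annotation and the type contradict each other and code analysis can check neither. Since this cleanup is already dropping redundant `_In_` on by-value scalars, make the annotation match the type here as well: `_In_ const FWPS_FILTER* filter` if the callout never modifies the filter (the no-op body suggests it does not), or drop `const` if the WFP notify typedef it is registered under hands over a writable filter. The `ebpf_hook_no_op_flow_delete` body at the end of the last hunk continues outside it.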
|
||||
|
|