eBPF implementation that runs on top of Windows
Dave Thaler 2557f029b9 Check code formatting and licenses when committing
Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
2021-03-05 21:15:17 -08:00
.config Deleted cloudvault.json - breaks customers who copy this and do not change it 2020-03-10 17:53:10 +00:00
.pipelines Merged PR 3981140: Cleanup unused demo files 2021-01-14 22:12:54 +00:00
.version build files 2019-10-30 17:08:48 -07:00
external Fix wrong submodule commit id 2021-03-05 22:05:37 -07:00
scripts Check code formatting and licenses when committing 2021-03-05 21:15:17 -08:00
src Merged PR 4205675: Add option to execute eBPF program via JIT or interpreter 2021-03-05 22:47:18 +00:00
.clang-format Check code formatting and licenses when committing 2021-03-05 21:15:17 -08:00
.gitattributes Merged PR 10330: 1809 builds - no haskell, rust on windows 2020-04-23 14:34:23 +00:00
.gitignore Add verifier-in-an-enclave demo 2021-01-21 17:06:26 -08:00
.gitmodules Use the Prevail master branch 2021-03-02 20:54:15 -08:00
Directory.Build.props Merged PR 3981140: Cleanup unused demo files 2021-01-14 22:12:54 +00:00
LICENSE.txt Add prereqs to readme file 2021-02-12 16:18:45 -08:00
Nuget.config Add public nuget source 2021-02-12 10:22:56 -07:00
README.md Update to use latest verifier fixes and error messages 2021-02-26 15:36:50 -08:00
ebpf-demo.sln Merged PR 4205675: Add option to execute eBPF program via JIT or interpreter 2021-03-05 22:47:18 +00:00
global.json Merged PR 3981140: Cleanup unused demo files 2021-01-14 22:12:54 +00:00
owners.txt Merged PR 4008117: Add all members of team as owners of the repo 2021-01-21 20:18:06 +00:00
repo.config initial user samples 2019-10-30 17:01:05 -07:00

README.md

eBPF on Windows

Prerequisites

The following must be installed in order to build this project:

  1. Git (e.g., Git for Windows 64-bit)
  2. Visual Studio 2019, including the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)" which must be selected as an Individual component in the VS installer
  3. Visual Studio Build Tools 2019
  4. WDK for Windows 10, version 2004
  5. Clang/LLVM for Windows 64-bit

How to build the demo project

  1. git clone -b demo --recurse-submodules https://msazure.visualstudio.com/DefaultCollection/One/_git/EdgeOS-CoreNetworking-WindowsEbpf
  2. cd EdgeOS-CoreNetworking-WindowsEbpf
  3. cd external\ebpf-verifier
  4. cmake -B build
  5. cd ..\..
  6. Open ebpf-demo.sln
  7. Switch to debug / x64
  8. Build solution

Demo script

Prep

  1. Set up 2 VMs, attacker and defender
  2. On defender, install and set up DNS
  3. On defender, make sure KD is attached and running.
  4. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
  5. Copy ebpfcore.sys to %windir%\system32\drivers
  6. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
  7. sc create EbpfCore type=kernel start=boot binpath=%windir%\system32\drivers\ebpfcore.sys
  8. sc start EbpfCore
  9. netsh add helper %windir%\system32\ebpfnetsh.dll
  10. Install clang
  11. Copy droppacket.c and ebpf.h to a folder (like c:\test)

Demo

On attacker machine

  1. Copy DnsFlood.exe to attacker machine
  2. Run: for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>

On defender machine

  1. Start performance monitor and add UDPv4 Datagrams/sec
  2. Show that 200K packets per second are being received
  3. Show & explain code of droppacket.c
  4. Compile droppacket.c: clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
  5. Show eBPF byte code for droppacket.o: netsh ebpf show disassembly droppacket.o xdp
  6. Show that the verifier checks the code: netsh ebpf show verification droppacket.o xdp
  7. Launch netsh: netsh
  8. Switch to the ebpf context: ebpf
  9. Load the eBPF program: add program droppacket.o xdp
  10. Show UDP datagrams received drop to under 10 per second
  11. Unload the program: delete program droppacket.o xdp
  12. Show UDP datagrams received go back up to ~200K per second
  13. Modify droppacket.c to be unsafe: comment out lines 20 & 21
  14. Recompile droppacket.c: clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
  15. Show that the verifier rejects the code: netsh ebpf show verification droppacket.o xdp
  16. Show that loading the program fails: netsh ebpf add program droppacket.o xdp
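As an added illustration of what the droppacket.c and verifier steps above exercise (example code, not the project's droppacket.c): an XDP-style hook that drops UDP datagrams addressed to port 53 with the bounds checks the verifier insists on, plus a host-side harness so it compiles as plain C against a constructed frame. The context struct and XDP return values are minimal stand-ins assumed here in place of the project's ebpf.h, and which UDP traffic the real droppacket.c matches is likewise an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for what the project's ebpf.h provides (assumption: the real
 * context struct has more fields; only data/data_end are used here). */
enum { XDP_DROP = 1, XDP_PASS = 2 };
typedef struct { void *data; void *data_end; } xdp_md_t;
#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_UDP_NUM 17
#define DNS_PORT 53
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* XDP-style hook: drop UDP datagrams to port 53, pass everything else. Every
 * packet read is guarded by a compare against data_end; remove a guard and the
 * verifier rejects the program, since a short packet would make the read unsafe. */
int drop_dns(xdp_md_t *ctx)
{
    const uint8_t *p = ctx->data, *end = ctx->data_end;
    if (p + ETH_HLEN > end) return XDP_PASS;             /* Ethernet header fits? */
    if (rd16(p + 12) != ETHERTYPE_IPV4) return XDP_PASS;
    const uint8_t *ip = p + ETH_HLEN;
    if (ip + 20 > end) return XDP_PASS;                  /* minimal IPv4 header fits? */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* IHL field, in bytes */
    if (ihl < 20 || ip + ihl + 8 > end) return XDP_PASS; /* IP options + UDP header fit? */
    if (ip[9] != IPPROTO_UDP_NUM) return XDP_PASS;
    return rd16(ip + ihl + 2) == DNS_PORT ? XDP_DROP : XDP_PASS; /* UDP dst port */
}

/* Host-side harness, not part of the eBPF program: a constructed 42-byte
 * Ethernet/IPv4/UDP frame to dport, truncated to len bytes, fed to the hook. */
int classify_constructed(uint16_t dport, size_t len)
{
    uint8_t buf[42];
    memset(buf, 0, sizeof buf);                              /* unread fields stay zero */
    buf[12] = 0x08; buf[13] = 0x00;                          /* EtherType IPv4 */
    buf[14] = 0x45;                                          /* IPv4, IHL = 5 */
    buf[23] = IPPROTO_UDP_NUM;                               /* protocol = UDP */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport; /* UDP dst port */
    if (len > sizeof buf) len = sizeof buf;
    xdp_md_t ctx = { buf, buf + len };
    return drop_dns(&ctx);
}

int main(void)
{
    printf("dns=%d other=%d truncated=%d\n", classify_constructed(53, 42),
           classify_constructed(12345, 42), classify_constructed(53, 20));
    return 0;
}
```

The truncated case is the one the verifier reasons about: with the length guards in place a short frame is simply passed, whereas without them the read past data_end is what gets the program rejected at load time.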