eBPF on Windows
Prerequisites
The following must be installed in order to build this project:
- Git (e.g., Git for Windows 64-bit)
- Visual Studio 2019, including the "MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.28)" which must be selected as an Individual component in the VS installer
- Visual Studio Build Tools 2019
- WDK for Windows 10, version 2004
- Clang/LLVM for Windows 64-bit
How to build the demo project
git clone -b demo --recurse-submodules https://msazure.visualstudio.com/DefaultCollection/One/_git/EdgeOS-CoreNetworking-WindowsEbpf
cd EdgeOS-CoreNetworking-WindowsEbpf
cmake -S external\ebpf-verifier -B external\ebpf-verifier\build
- Open ebpf-demo.sln
- Switch the configuration to Debug / x64
- Build solution
Demo script
Prep
- Set up two VMs, attacker and defender
- On defender, install and set up DNS
- On defender, make sure the kernel debugger (KD) is attached and running.
- Install the Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
- Copy ebpfcore.sys to %windir%\system32\drivers
- Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
- sc create EbpfCore type= kernel start= boot binpath= %windir%\system32\drivers\ebpfcore.sys (sc.exe requires the space after each "=")
- sc start EbpfCore
- netsh add helper %windir%\system32\ebpfnetsh.dll
- Install clang
- Copy droppacket.c and ebpf.h to a folder (like c:\test)
Demo
On attacker machine
- Copy DnsFlood.exe to attacker machine
- Run
for /L %i in (1,1,4) do start /min DnsFlood <ip of defender>
On defender machine
- Start Performance Monitor and add the UDPv4 Datagrams Received/sec counter
- Show that ~200K packets per second are being received
- Show & explain code of droppacket.c
- Compile droppacket.c
clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
- Show eBPF byte code for droppacket.o
netsh ebpf show disassembly droppacket.o xdp
- Show that the verifier checks the code
netsh ebpf show verification droppacket.o xdp
- Launch netsh
netsh
- Switch to ebpf context
ebpf
- Load eBPF program
add program droppacket.o xdp
- Show UDP datagrams received drop to under 10 per second
- Unload program
delete program droppacket.o xdp
- Show UDP datagrams received go back up to ~200K per second
- Modify droppacket.c to be unsafe: comment out lines 20 and 21
- Compile droppacket.c
clang -target bpf -O2 -Wall -c droppacket.c -o droppacket.o
- Show that the verifier rejects the code
netsh ebpf show verification droppacket.o xdp
- Show that loading the program fails
netsh ebpf add program droppacket.o xdp
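The demo walks through droppacket.c but the file itself is not reproduced on this page. The following is an added illustrative XDP-style filter written for this page, not the project's droppacket.c: it drops UDP datagrams that carry no payload (the kind of junk a flood tool sends) and shows the bounds check the verifier relies on. The xdp_md layout, the XDP_PASS/XDP_DROP values, the header structs, the section pragma, and the drop rule are all assumptions made for the example; the sample packets are constructed inline. The host-side helpers are compiled out under -target bpf, so the same file can be built as a BPF object with the clang command above or as a normal host program to exercise the filter.

```c
/* Illustrative XDP-style filter in the spirit of the demo's droppacket.c.
 * Added example for this page; NOT the project's own file. Context layout,
 * verdict values, header structs and the drop rule are assumptions.
 * BPF object: clang -target bpf -O2 -Wall -c droppacket_example.c -o droppacket_example.o
 * Host test:  cc -O2 -Wall droppacket_example.c && ./a.out */
#include <stddef.h>
#include <stdint.h>

#if defined(__bpf__)
/* Place the program in the "xdp" ELF section the loader is told to look in. */
#pragma clang section text = "xdp"
#endif

/* Assumed hook context: first byte and one-past-last byte of the packet. */
struct xdp_md { void *data; void *data_end; };

/* Assumed verdict values. */
enum { XDP_PASS = 1, XDP_DROP = 2 };

#define PROTO_UDP 17

struct ipv4_header {            /* 20 bytes, no options */
    uint8_t version_ihl, tos;
    uint16_t total_length, id, flags_fragment;
    uint8_t ttl, protocol;
    uint16_t checksum;
    uint32_t src, dst;
};

struct udp_header {             /* 8 bytes */
    uint16_t src_port, dst_port;
    uint16_t length;            /* header + payload, network byte order */
    uint16_t checksum;
};

/* Read a 16-bit network-order field independently of host endianness. */
static inline uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Assumption: the hook hands us the packet starting at the IPv4 header. */
int drop_packet(struct xdp_md *ctx)
{
    uint8_t *data = ctx->data;
    uint8_t *data_end = ctx->data_end;

    /* Bounds check: the verifier proves every load stays inside [data, data_end).
     * Remove this comparison and the program is rejected, which is the effect
     * the demo produces by commenting out two lines of droppacket.c. */
    if (data + sizeof(struct ipv4_header) + sizeof(struct udp_header) > data_end)
        return XDP_PASS;

    const struct ipv4_header *ip = (const struct ipv4_header *)data;
    if ((ip->version_ihl & 0x0f) != 5 || ip->protocol != PROTO_UDP)
        return XDP_PASS;        /* IPv4 options or non-UDP traffic: leave it alone */

    const struct udp_header *udp = (const struct udp_header *)(data + sizeof(struct ipv4_header));
    uint16_t udp_len = load_be16((const uint8_t *)&udp->length);

    /* A UDP length that covers only the header means an empty payload: drop it. */
    if (udp_len <= sizeof(struct udp_header))
        return XDP_DROP;
    return XDP_PASS;
}

#if !defined(__bpf__)
#include <stdio.h>
#include <string.h>

/* Constructed sample packet: IPv4 header + UDP header to port 53 + payload_len zero bytes. */
static size_t build_ipv4_udp(uint8_t *buf, size_t buf_len, uint8_t protocol, uint16_t payload_len)
{
    size_t total = sizeof(struct ipv4_header) + sizeof(struct udp_header) + payload_len;
    if (total > buf_len) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                  /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                    /* TTL */
    buf[9] = protocol;
    size_t u = sizeof(struct ipv4_header);
    buf[u + 3] = 53;                                /* destination port 53 (DNS) */
    uint16_t ul = (uint16_t)(sizeof(struct udp_header) + payload_len);
    buf[u + 4] = (uint8_t)(ul >> 8); buf[u + 5] = (uint8_t)ul;
    return total;
}

/* Run the filter on a constructed packet; truncate_to > 0 cuts it short to exercise
 * the bounds check. Returns the verdict, or 0 if the packet could not be built. */
int verdict_for(uint8_t protocol, uint16_t payload_len, size_t truncate_to)
{
    uint8_t buf[256];
    size_t len = build_ipv4_udp(buf, sizeof buf, protocol, payload_len);
    if (len == 0) return 0;
    if (truncate_to > 0 && truncate_to < len) len = truncate_to;
    struct xdp_md ctx = { buf, buf + len };
    return drop_packet(&ctx);
}

int main(void)
{
    printf("empty UDP to port 53: %d (2 = drop)\n", verdict_for(PROTO_UDP, 0, 0));
    printf("40-byte DNS query:    %d (1 = pass)\n", verdict_for(PROTO_UDP, 40, 0));
    printf("TCP segment:          %d (1 = pass)\n", verdict_for(6, 0, 0));
    printf("truncated packet:     %d (1 = pass, bounds check)\n", verdict_for(PROTO_UDP, 0, 10));
    return 0;
}
#endif
```

The truncated-packet case is the one worth dwelling on: the filter passes it untouched because the bounds check fails first, and it is exactly that comparison the static verifier needs to see before any load through the packet pointers. Delete it, recompile with -target bpf, and "netsh ebpf show verification" reports the out-of-bounds access rather than letting the program reach the kernel.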