Switch to ebpf 0.18.0 and add supports_context_header

Signed-off-by: Alan Jowett <[email protected]>

.github/workflows/cicd.yml

@@ -77,7 +77,7 @@ jobs:
     uses: ./.github/workflows/reusable-test.yml
     with:
       name: process_monitor
-      pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.17.0 && powershell -file .\bin\process_monitor.Tests\win-x64\Setup-ProcessMonitorTests.ps1 -ArtifactsRoot .
+      pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.18.0 && powershell -file .\bin\process_monitor.Tests\win-x64\Setup-ProcessMonitorTests.ps1 -ArtifactsRoot .
       test_command: dotnet test .\bin\process_monitor.Tests\win-x64\process_monitor.Tests.dll
       build_artifact: Build-x64
       environment: windows-2022
@@ -91,7 +91,7 @@ jobs:
     uses: ./.github/workflows/reusable-test.yml
     with:
       name: neteventebpfext unit tests
-      pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.17.0
+      pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.18.0
       test_command: .\neteventebpfext_unit.exe -d yes
       build_artifact: Build-x64
       environment: windows-2022

CONTRIBUTING.md

@@ -93,7 +93,7 @@ Do the following once:
 1. Open a command prompt as admin
 1. `cd <your local clone root>`
 1. `cd x64\Debug\bin\process_monitor.Tests\win-x64`
-1. `powershell -file .\Install-eBpfForWindows.ps1 0.17.0`
+1. `powershell -file .\Install-eBpfForWindows.ps1 0.18.0`
 1. `powershell -file .\Setup-ProcessMonitorTests.ps1`
 
 Then do this each time you want to re-run the tests:

Directory.Packages.props

@@ -10,7 +10,7 @@
     <!-- Try to keep these in alphabetical order -->
     <PackageVersion Include="DotNet.ReproducibleBuilds" Version="1.2.4"/>
     <PackageVersion Include="DotNet.ReproducibleBuilds.Isolated" Version="1.2.4"/>
-    <PackageVersion Include="eBPF-for-Windows" Version="0.17.0" />
+    <PackageVersion Include="eBPF-for-Windows" Version="0.18.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="8.0.0" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />

ebpf_extensions/neteventebpfext/netevent_ebpf_ext_event.c

@@ -168,12 +168,13 @@ uint64_t _ebpf_netevent_event_hook_provider_registration_count = 0;
 // Event Program Information NPI Provider.
 //
 static ebpf_program_data_t _ebpf_netevent_event_program_data = {
-    .header = {.version = EBPF_PROGRAM_DATA_CURRENT_VERSION, .size = EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE},
+    .header = EBPF_PROGRAM_DATA_HEADER,
     .program_info = &_ebpf_netevent_event_program_info,
     .program_type_specific_helper_function_addresses = NULL, // No helper functions exposed to client eBPF programs.
     .context_create = _ebpf_netevent_program_context_create,
     .context_destroy = _ebpf_netevent_program_context_destroy,
     .required_irql = PASSIVE_LEVEL,
+    .capabilities = {.supports_context_header = true},
 };
 static ebpf_extension_data_t _ebpf_netevent_event_program_info_provider_data = {
     .header = {EBPF_EXTENSION_NPI_PROVIDER_VERSION, sizeof(_ebpf_netevent_event_program_data)},
@@ -351,6 +352,15 @@ ebpf_ext_unregister_netevent()
     }
 }
 
+//
+// Event Hook NPI client helper functions (invoked by NetEvent as the NPI provider).
+//
+typedef struct _netevent_event_notify_context
+{
+    EBPF_CONTEXT_HEADER;
+    netevent_event_md_t netevent_event_md;
+} netevent_event_notify_context_t;
+
 //
 // eBPF NetEvent Program Information NPI helper routines.
 //
@@ -364,7 +374,7 @@ _ebpf_netevent_program_context_create(
 {
     EBPF_EXT_LOG_ENTRY();
     ebpf_result_t result;
-    netevent_event_md_t* netevent_event_context = NULL;
+    netevent_event_notify_context_t* netevent_event_context = NULL;
 
     if (context_in == NULL || context_size_in < sizeof(netevent_event_md_t)) {
         EBPF_EXT_LOG_MESSAGE(
@@ -382,17 +392,17 @@ _ebpf_netevent_program_context_create(
     *context = NULL;
 
     // Allocate memory for the context.
-    netevent_event_context = (netevent_event_md_t*)ExAllocatePoolUninitialized(
-        NonPagedPoolNx, sizeof(netevent_event_md_t), EBPF_NETEVENT_EXTENSION_POOL_TAG);
+    netevent_event_context = (netevent_event_notify_context_t*)ExAllocatePoolUninitialized(
+        NonPagedPoolNx, sizeof(netevent_event_notify_context_t), EBPF_NETEVENT_EXTENSION_POOL_TAG);
     EBPF_EXT_BAIL_ON_ALLOC_FAILURE_RESULT(
         EBPF_EXT_TRACELOG_KEYWORD_NETEVENT, netevent_event_context, "netevent_event_context", result);
 
     // Copy the context from the caller.
-    memcpy(netevent_event_context, context_in, sizeof(netevent_event_md_t));
+    memcpy(&netevent_event_context->netevent_event_md, context_in, sizeof(netevent_event_md_t));
 
     // Copy the event's pointer & size from the caller, to the out context.
-    netevent_event_context->event_data_start = (uint8_t*)data_in;
-    netevent_event_context->event_data_end = (uint8_t*)data_in + data_size_in;
+    netevent_event_context->netevent_event_md.event_data_start = (uint8_t*)data_in;
+    netevent_event_context->netevent_event_md.event_data_end = (uint8_t*)data_in + data_size_in;
     *context = netevent_event_context;
     netevent_event_context = NULL;
     result = EBPF_SUCCESS;
@@ -415,7 +425,7 @@ _ebpf_netevent_program_context_destroy(
 {
     EBPF_EXT_LOG_ENTRY();
 
-    netevent_event_md_t* netevent_event_context = (netevent_event_md_t*)context;
+    netevent_event_notify_context_t* netevent_event_context = (netevent_event_notify_context_t*)context;
     netevent_event_md_t* netevent_event_context_out = (netevent_event_md_t*)context_out;
 
     if (!netevent_event_context) {
@@ -424,7 +434,7 @@ _ebpf_netevent_program_context_destroy(
 
     if (context_out != NULL && *context_size_out >= sizeof(netevent_event_md_t)) {
         // Copy the context to the caller.
-        memcpy(netevent_event_context_out, netevent_event_context, sizeof(netevent_event_md_t));
+        memcpy(netevent_event_context_out, &netevent_event_context->netevent_event_md, sizeof(netevent_event_md_t));
         *context_size_out = sizeof(netevent_event_md_t);
 
         // Zero out the event context info.
@@ -436,13 +446,16 @@ _ebpf_netevent_program_context_destroy(
     }
 
     // Copy the event data to 'data_out'.
-    if (data_out != NULL &&
-        *data_size_out >= (size_t)(netevent_event_context->event_data_end - netevent_event_context->event_data_start)) {
+    if (data_out != NULL && *data_size_out >= (size_t)(
+                                                  netevent_event_context->netevent_event_md.event_data_end -
+                                                  netevent_event_context->netevent_event_md.event_data_start)) {
         memcpy(
             data_out,
-            netevent_event_context->event_data_start,
-            netevent_event_context->event_data_end - netevent_event_context->event_data_start);
-        *data_size_out = netevent_event_context->event_data_end - netevent_event_context->event_data_start;
+            netevent_event_context->netevent_event_md.event_data_start,
+            netevent_event_context->netevent_event_md.event_data_end -
+                netevent_event_context->netevent_event_md.event_data_start);
+        *data_size_out = netevent_event_context->netevent_event_md.event_data_end -
+                         netevent_event_context->netevent_event_md.event_data_start;
     } else {
         *data_size_out = 0;
     }
@@ -453,14 +466,6 @@ _ebpf_netevent_program_context_destroy(
     EBPF_EXT_LOG_EXIT();
 }
 
-//
-// Event Hook NPI client helper functions (invoked by NetEvent as the NPI provider).
-//
-typedef struct _netevent_event_notify_context
-{
-    netevent_event_md_t netevent_event_md;
-} netevent_event_notify_context_t;
-
 void
 _ebpf_netevent_push_event(_In_ netevent_event_md_t* netevent_event)
 {

ebpf_extensions/neteventebpfext/sys/neteventebpfext.vcxproj

@@ -4,7 +4,7 @@
   SPDX-License-Identifier: MIT
 -->
 <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" />
+  <Import Project="..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" />
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
@@ -246,6 +246,6 @@
     <PropertyGroup>
       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
     </PropertyGroup>
-    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props'))" />
+    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props'))" />
   </Target>
 </Project>

ebpf_extensions/neteventebpfext/sys/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="eBPF-for-Windows" version="0.17.0" targetFramework="native" />
+  <package id="eBPF-for-Windows" version="0.18.0" targetFramework="native" />
 </packages>

ebpf_extensions/neteventebpfext/user/neteventebpfext_user.vcxproj

@@ -4,7 +4,7 @@
   SPDX-License-Identifier: MIT
 -->
 <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" />
+  <Import Project="..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" />
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
@@ -153,6 +153,6 @@
     <PropertyGroup>
       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
     </PropertyGroup>
-    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props'))" />
+    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props'))" />
   </Target>
 </Project>

ebpf_extensions/neteventebpfext/user/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="eBPF-for-Windows" version="0.17.0" targetFramework="native" />
+  <package id="eBPF-for-Windows" version="0.18.0" targetFramework="native" />
 </packages>

ebpf_extensions/ntosebpfext/ntos_ebpf_ext_process.c

@@ -47,12 +47,13 @@ static ebpf_helper_function_addresses_t _ebpf_process_helper_function_address_ta
 // Process Program Information NPI Provider.
 //
 static ebpf_program_data_t _ebpf_process_program_data = {
-    .header = {EBPF_PROGRAM_DATA_CURRENT_VERSION, EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE},
+    .header = EBPF_PROGRAM_DATA_HEADER,
     .program_info = &_ebpf_process_program_info,
     .program_type_specific_helper_function_addresses = &_ebpf_process_helper_function_address_table,
     .context_create = _ebpf_process_context_create,
     .context_destroy = _ebpf_process_context_destroy,
     .required_irql = PASSIVE_LEVEL,
+    .capabilities = {.supports_context_header = true},
 };
 
 static ebpf_extension_data_t _ebpf_process_program_info_provider_data = {
@@ -223,6 +224,16 @@ ebpf_ext_register_ntos()
     EBPF_EXT_RETURN_NTSTATUS(status);
 }
 
+typedef struct _process_notify_context
+{
+    EBPF_CONTEXT_HEADER;
+    process_md_t process_md;
+    PEPROCESS process;
+    PPS_CREATE_NOTIFY_INFO create_info;
+    UNICODE_STRING command_line;
+    UNICODE_STRING image_file_name;
+} process_notify_context_t;
+
 static ebpf_result_t
 _ebpf_process_context_create(
     _In_reads_bytes_opt_(data_size_in) const uint8_t* data_in,
@@ -233,7 +244,7 @@ _ebpf_process_context_create(
 {
     EBPF_EXT_LOG_ENTRY();
     ebpf_result_t result;
-    process_md_t* process_context = NULL;
+    process_notify_context_t* process_context = NULL;
 
     *context = NULL;
 
@@ -243,17 +254,17 @@ _ebpf_process_context_create(
         goto Exit;
     }
 
-    process_context =
-        (process_md_t*)ExAllocatePoolUninitialized(NonPagedPoolNx, sizeof(process_md_t), EBPF_EXTENSION_POOL_TAG);
+    process_context = (process_notify_context_t*)ExAllocatePoolUninitialized(
+        NonPagedPoolNx, sizeof(process_notify_context_t), EBPF_EXTENSION_POOL_TAG);
     EBPF_EXT_BAIL_ON_ALLOC_FAILURE_RESULT(
         EBPF_EXT_TRACELOG_KEYWORD_PROCESS, process_context, "process_context", result);
 
     // Copy the context from the caller.
     memcpy(process_context, context_in, sizeof(process_md_t));
 
     // Replace the process_id_start and process_id_end with pointers to data_in.
-    process_context->command_start = (uint8_t*)data_in;
-    process_context->command_end = (uint8_t*)data_in + data_size_in;
+    process_context->process_md.command_start = (uint8_t*)data_in;
+    process_context->process_md.command_end = (uint8_t*)data_in + data_size_in;
 
     *context = process_context;
     process_context = NULL;
@@ -277,7 +288,7 @@ _ebpf_process_context_destroy(
 {
     EBPF_EXT_LOG_ENTRY();
 
-    process_md_t* process_context = (process_md_t*)context;
+    process_notify_context_t* process_context = (process_notify_context_t*)context;
     process_md_t* process_context_out = (process_md_t*)context_out;
 
     if (!process_context) {
@@ -286,7 +297,7 @@ _ebpf_process_context_destroy(
 
     if (context_out != NULL && *context_size_out >= sizeof(process_md_t)) {
         // Copy the context to the caller.
-        memcpy(process_context_out, process_context, sizeof(process_md_t));
+        memcpy(process_context_out, &process_context->process_md, sizeof(process_md_t));
 
         // Zero out the command_start and command_end.
         process_context_out->command_start = 0;
@@ -297,9 +308,14 @@ _ebpf_process_context_destroy(
     }
 
     // Copy the command to the data_out.
-    if (data_out != NULL && *data_size_out >= (size_t)(process_context->command_end - process_context->command_start)) {
-        memcpy(data_out, process_context->command_start, process_context->command_end - process_context->command_start);
-        *data_size_out = process_context->command_end - process_context->command_start;
+    if (data_out != NULL &&
+        *data_size_out >=
+            (size_t)(process_context->process_md.command_end - process_context->process_md.command_start)) {
+        memcpy(
+            data_out,
+            process_context->process_md.command_start,
+            process_context->process_md.command_end - process_context->process_md.command_start);
+        *data_size_out = process_context->process_md.command_end - process_context->process_md.command_start;
     } else {
         *data_size_out = 0;
     }
@@ -310,15 +326,6 @@ _ebpf_process_context_destroy(
     EBPF_EXT_LOG_EXIT();
 }
 
-typedef struct _process_notify_context
-{
-    process_md_t process_md;
-    PEPROCESS process;
-    PPS_CREATE_NOTIFY_INFO create_info;
-    UNICODE_STRING command_line;
-    UNICODE_STRING image_file_name;
-} process_notify_context_t;
-
 void
 _ebpf_process_create_process_notify_routine_ex(
     _Inout_ PEPROCESS process, _In_ HANDLE process_id, _Inout_opt_ PPS_CREATE_NOTIFY_INFO create_info)
@@ -389,7 +396,8 @@ _ebpf_process_create_process_notify_routine_ex(
 _Success_(return >= 0) static int32_t _ebpf_process_get_image_path(
     _In_ process_md_t* process_md, _Out_writes_bytes_(path_length) uint8_t* path, uint32_t path_length)
 {
-    process_notify_context_t* process_notify_context = (process_notify_context_t*)process_md;
+    process_notify_context_t* process_notify_context =
+        CONTAINING_RECORD(process_md, process_notify_context_t, process_md);
     int32_t result = 0;
     if (process_notify_context->image_file_name.Length > path_length) {
         return -EINVAL;

ebpf_extensions/ntosebpfext/sys/ntosebpfext.vcxproj

@@ -4,7 +4,7 @@
   SPDX-License-Identifier: MIT
 -->
 <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" />
+  <Import Project="..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" />
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
@@ -162,6 +162,6 @@
     <PropertyGroup>
       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
     </PropertyGroup>
-    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props'))" />
+    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props'))" />
   </Target>
 </Project>

ebpf_extensions/ntosebpfext/sys/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="eBPF-for-Windows" version="0.17.0" targetFramework="native" />
+  <package id="eBPF-for-Windows" version="0.18.0" targetFramework="native" />
 </packages>

ebpf_extensions/ntosebpfext/user/ntosebpfext_user.vcxproj

@@ -4,7 +4,7 @@
   SPDX-License-Identifier: MIT
 -->
 <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <Import Project="..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" />
+  <Import Project="..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props" Condition="Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" />
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|x64">
       <Configuration>Debug</Configuration>
@@ -122,6 +122,6 @@
     <PropertyGroup>
       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
     </PropertyGroup>
-    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.17.0\build\native\ebpf-for-windows.props'))" />
+    <Error Condition="!Exists('..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\..\packages\eBPF-for-Windows.0.18.0\build\native\ebpf-for-windows.props'))" />
   </Target>
 </Project>

ebpf_extensions/ntosebpfext/user/packages.config

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="eBPF-for-Windows" version="0.17.0" targetFramework="native" />
+  <package id="eBPF-for-Windows" version="0.18.0" targetFramework="native" />
 </packages>