From 8337cf27bffa7f322fddf1604aaadbff02fa5055 Mon Sep 17 00:00:00 2001 From: Laksh Kotian Date: Tue, 21 Oct 2025 11:26:40 -0700 Subject: [PATCH 1/5] Bump ebpf version --- .github/workflows/cicd.yml | 4 ++-- CONTRIBUTING.md | 2 +- Directory.Packages.props | 2 +- ebpf_extensions/neteventebpfext/sys/packages.config | 2 +- ebpf_extensions/neteventebpfext/user/packages.config | 2 +- ebpf_extensions/ntosebpfext/sys/packages.config | 2 +- ebpf_extensions/ntosebpfext/user/packages.config | 2 +- ntosebpfext.props | 6 +++++- scripts/initialize_repo.ps1 | 2 +- scripts/setup_build/packages.config | 2 +- tests/neteventebpfext/netevent_sim/packages.config | 2 +- tests/neteventebpfext/neteventebpfext_unit/packages.config | 2 +- tests/ntosebpfext/ntosebpfext_unit/packages.config | 2 +- tools/netevent_ebpf_ext_export_program_info/packages.config | 2 +- tools/netevent_monitor/packages.config | 2 +- tools/ntos_ebpf_ext_export_program_info/packages.config | 2 +- tools/process_monitor_bpf/packages.config | 2 +- 17 files changed, 22 insertions(+), 18 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index fcc0444f..98304f56 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -88,7 +88,7 @@ jobs: uses: ./.github/workflows/reusable-test.yml with: name: process_monitor - pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.21.0 && powershell -file .\bin\process_monitor.Tests\win-x64\Setup-ProcessMonitorTests.ps1 -ArtifactsRoot . + pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 1.0.0-rc1 && powershell -file .\bin\process_monitor.Tests\win-x64\Setup-ProcessMonitorTests.ps1 -ArtifactsRoot . test_command: dotnet test .\bin\process_monitor.Tests\win-x64\process_monitor.Tests.dll build_artifact: Build-x64 environment: windows-2022 
@@ -102,7 +102,7 @@ jobs: uses: ./.github/workflows/reusable-test.yml with: name: neteventebpfext unit tests - pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 0.21.0 + pre_test: powershell -file .\bin\process_monitor.Tests\win-x64\Install-eBpfForWindows.ps1 1.0.0-rc1 test_command: .\neteventebpfext_unit.exe -d yes build_artifact: Build-x64 environment: windows-2022 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4a74d9ee..f3a6e9c3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -91,7 +91,7 @@ Do the following once: 1. Open a command prompt as admin 1. `cd ` 1. `cd x64\Debug\bin\process_monitor.Tests\win-x64` -1. `powershell -file .\Install-eBpfForWindows.ps1 0.21.0` +1. `powershell -file .\Install-eBpfForWindows.ps1 1.0.0-rc1` 1. `powershell -file .\Setup-ProcessMonitorTests.ps1` Then do this each time you want to re-run the tests: diff --git a/Directory.Packages.props b/Directory.Packages.props index 47c3aef4..232e1219 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -10,7 +10,7 @@ - + diff --git a/ebpf_extensions/neteventebpfext/sys/packages.config b/ebpf_extensions/neteventebpfext/sys/packages.config index c62f9461..7630b731 100644 --- a/ebpf_extensions/neteventebpfext/sys/packages.config +++ b/ebpf_extensions/neteventebpfext/sys/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/ebpf_extensions/neteventebpfext/user/packages.config b/ebpf_extensions/neteventebpfext/user/packages.config index c62f9461..7630b731 100644 --- a/ebpf_extensions/neteventebpfext/user/packages.config +++ b/ebpf_extensions/neteventebpfext/user/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/ebpf_extensions/ntosebpfext/sys/packages.config b/ebpf_extensions/ntosebpfext/sys/packages.config index c62f9461..7630b731 100644 --- a/ebpf_extensions/ntosebpfext/sys/packages.config +++ b/ebpf_extensions/ntosebpfext/sys/packages.config 
@@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/ebpf_extensions/ntosebpfext/user/packages.config b/ebpf_extensions/ntosebpfext/user/packages.config index c62f9461..7630b731 100644 --- a/ebpf_extensions/ntosebpfext/user/packages.config +++ b/ebpf_extensions/ntosebpfext/user/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/ntosebpfext.props b/ntosebpfext.props index ff052ca2..2ba7046c 100644 --- a/ntosebpfext.props +++ b/ntosebpfext.props @@ -1,7 +1,11 @@ + - 0.21.0 + 1.0.0-rc1 $(SolutionDir)packages\eBPF-for-Windows.x64.$(eBPFForWindowsVersion) diff --git a/scripts/initialize_repo.ps1 b/scripts/initialize_repo.ps1 index 2bd441d3..60b9bf18 100644 --- a/scripts/initialize_repo.ps1 +++ b/scripts/initialize_repo.ps1 @@ -12,7 +12,7 @@ $commands = @( "git submodule update --init --recursive", "cmake -G 'Visual Studio 17 2022' -S external\catch2 -B external\catch2\build -DBUILD_TESTING=OFF", "nuget restore ntosebpfext.sln", - ".\packages\eBPF-for-Windows.x64.0.21.0\build\native\bin\export_program_info.exe" + ".\packages\eBPF-for-Windows.x64.1.0.0-rc1\build\native\bin\export_program_info.exe" ) # Loop through each command and run them sequentially without opening a new window diff --git a/scripts/setup_build/packages.config b/scripts/setup_build/packages.config index 0d78f8cb..5ca7b32d 100644 --- a/scripts/setup_build/packages.config +++ b/scripts/setup_build/packages.config @@ -1,6 +1,6 @@  - + diff --git a/tests/neteventebpfext/netevent_sim/packages.config b/tests/neteventebpfext/netevent_sim/packages.config index c62f9461..7630b731 100644 --- a/tests/neteventebpfext/netevent_sim/packages.config +++ b/tests/neteventebpfext/netevent_sim/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tests/neteventebpfext/neteventebpfext_unit/packages.config b/tests/neteventebpfext/neteventebpfext_unit/packages.config index c62f9461..7630b731 100644 --- a/tests/neteventebpfext/neteventebpfext_unit/packages.config 
+++ b/tests/neteventebpfext/neteventebpfext_unit/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tests/ntosebpfext/ntosebpfext_unit/packages.config b/tests/ntosebpfext/ntosebpfext_unit/packages.config index c62f9461..7630b731 100644 --- a/tests/ntosebpfext/ntosebpfext_unit/packages.config +++ b/tests/ntosebpfext/ntosebpfext_unit/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tools/netevent_ebpf_ext_export_program_info/packages.config b/tools/netevent_ebpf_ext_export_program_info/packages.config index c62f9461..7630b731 100644 --- a/tools/netevent_ebpf_ext_export_program_info/packages.config +++ b/tools/netevent_ebpf_ext_export_program_info/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tools/netevent_monitor/packages.config b/tools/netevent_monitor/packages.config index c62f9461..7630b731 100644 --- a/tools/netevent_monitor/packages.config +++ b/tools/netevent_monitor/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tools/ntos_ebpf_ext_export_program_info/packages.config b/tools/ntos_ebpf_ext_export_program_info/packages.config index c62f9461..7630b731 100644 --- a/tools/ntos_ebpf_ext_export_program_info/packages.config +++ b/tools/ntos_ebpf_ext_export_program_info/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file diff --git a/tools/process_monitor_bpf/packages.config b/tools/process_monitor_bpf/packages.config index c62f9461..7630b731 100644 --- a/tools/process_monitor_bpf/packages.config +++ b/tools/process_monitor_bpf/packages.config @@ -1,4 +1,4 @@  - + \ No newline at end of file From 679b0f092e55f100b12615cc53267a907ce26256 Mon Sep 17 00:00:00 2001 From: Laksh Kotian Date: Fri, 24 Oct 2025 10:11:12 -0700 Subject: [PATCH 2/5] centrallymanaged false --- Directory.Packages.props | 2 +- .../process_monitor.Tests.csproj | 12 +++++++----- .../process_monitor.Library.csproj | 4 +++- 3 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/Directory.Packages.props b/Directory.Packages.props index 232e1219..8e0a8caa 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -4,7 +4,7 @@ --> - true + false diff --git a/tests/process_monitor.Tests/process_monitor.Tests.csproj b/tests/process_monitor.Tests/process_monitor.Tests.csproj index 77922472..4dfaaaaf 100644 --- a/tests/process_monitor.Tests/process_monitor.Tests.csproj +++ b/tests/process_monitor.Tests/process_monitor.Tests.csproj @@ -19,11 +19,13 @@ - - - - - + + + + + + + diff --git a/tools/process_monitor.Library/process_monitor.Library.csproj b/tools/process_monitor.Library/process_monitor.Library.csproj index cb153229..7263e10d 100644 --- a/tools/process_monitor.Library/process_monitor.Library.csproj +++ b/tools/process_monitor.Library/process_monitor.Library.csproj @@ -10,7 +10,9 @@ - + + + From be10c293a1d91a92947acd0fbf7a69d2ffd61fb6 Mon Sep 17 00:00:00 2001 From: Laksh Kotian Date: Fri, 24 Oct 2025 17:19:59 -0700 Subject: [PATCH 3/5] update perf/ring buffer references --- .../netevent_ebpfext_unit.cpp | 15 +++++++----- tools/process_monitor.Library/PInvokes.cs | 2 +- .../ProcessMonitorBPFLoader.cs | 24 ++++++++++++++++--- 3 files changed, 31 insertions(+), 10 deletions(-) diff --git a/tests/neteventebpfext/neteventebpfext_unit/netevent_ebpfext_unit.cpp b/tests/neteventebpfext/neteventebpfext_unit/netevent_ebpfext_unit.cpp index 6405416e..3b0245ba 100644 --- a/tests/neteventebpfext/neteventebpfext_unit/netevent_ebpfext_unit.cpp +++ b/tests/neteventebpfext/neteventebpfext_unit/netevent_ebpfext_unit.cpp 
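Review bot: The `true` to `false` flip in this hunk (the element name does not survive this rendering, but the commit title "centrallymanaged false" indicates it is the central package-version switch) carries no comment saying why per-project versions are now required, so nobody will know when it is safe to turn central management back on. Add an XML comment above the property, e.g. `<!-- Central package management disabled: [REASON PLACEHOLDER]; re-enable once [CONDITION PLACEHOLDER]. -->`. Turning it off also means the eBPF-for-Windows version is now pinned in each csproj in addition to `eBPFForWindowsVersion` in `ntosebpfext.props` and the `packages.config` files bumped in the first patch; the `PackageReference` lines added in the two csproj hunks that follow are stripped from this rendering, so I cannot confirm they all name `1.0.0-rc1`.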
@@ -145,13 +145,14 @@ TEST_CASE("netevent_attach_opt_simulation", "[neteventebpfext]")
 // Attach to the eBPF perf buffer event map.
 bpf_map* netevent_events_map = bpf_object__find_map_by_name(object, "netevent_events_map");
 REQUIRE(netevent_events_map != nullptr);
- auto netevent_perf_buff = perf_buffer__new(
+ ebpf_perf_buffer_opts perf_opts = {.sz = sizeof(ebpf_perf_buffer_opts), .flags = EBPF_PERFBUF_FLAG_AUTO_CALLBACK};
+ auto netevent_perf_buff = ebpf_perf_buffer__new(
 bpf_map__fd(netevent_events_map),
 0,
 netevent_monitor_event_callback,
 netevent_monitor_lost_event_callback,
 nullptr,
- nullptr);
+ &perf_opts);
 REQUIRE(netevent_perf_buff != nullptr);
 // Test attach with no attach params - this should fail.
@@ -276,13 +277,14 @@ TEST_CASE("netevent_drivers_load_unload_stress", "[neteventebpfext]")
 // Attach to the eBPF perf buffer event map.
 bpf_map* netevent_events_map = bpf_object__find_map_by_name(object, "netevent_events_map");
 REQUIRE(netevent_events_map != nullptr);
- auto netevent_perf_buff = perf_buffer__new(
+ ebpf_perf_buffer_opts perf_opts = {.sz = sizeof(ebpf_perf_buffer_opts), .flags = EBPF_PERFBUF_FLAG_AUTO_CALLBACK};
+ auto netevent_perf_buff = ebpf_perf_buffer__new(
 bpf_map__fd(netevent_events_map),
 0,
 netevent_monitor_event_callback,
 netevent_monitor_lost_event_callback,
 nullptr,
- nullptr);
+ &perf_opts);
 REQUIRE(netevent_perf_buff != nullptr);
 std::cout << "\n\n********** Test netevent_sim provider load/unload while the extension is running. **********"
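Review bot: The replacement block in this hunk — an `ebpf_perf_buffer_opts` local initialized with `.sz` and `.flags`, then passed as `&perf_opts` — is repeated verbatim in the two hunks that follow (`-276,13` and `-392,13`); a file-local helper that takes `netevent_events_map` and returns the buffer would keep the three TEST_CASEs from drifting when the options change again. `perf_opts` is a stack local whose address is handed to the library; that is fine if `ebpf_perf_buffer__new` only reads the options during the call, but the hunk does not show it, so confirm and record it in a one-line comment such as `// opts are consumed by the call; perf_opts need not outlive it -- TODO confirm against the rc1 header`. Designated initializers (`{.sz = ..., .flags = ...}`) are a C++20 feature, so this relies on the project already building with that standard, which the hunk cannot show. Each TEST_CASE body starts before and ends after its hunk.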
@@ -392,13 +394,14 @@ TEST_CASE("netevent_bpf_prog_run_test", "[neteventebpfext]")
 // Attach to the eBPF perf buffer event map.
 bpf_map* netevent_events_map = bpf_object__find_map_by_name(object, "netevent_events_map");
 REQUIRE(netevent_events_map != nullptr);
- auto netevent_perf_buff = perf_buffer__new(
+ ebpf_perf_buffer_opts perf_opts = {.sz = sizeof(ebpf_perf_buffer_opts), .flags = EBPF_PERFBUF_FLAG_AUTO_CALLBACK};
+ auto netevent_perf_buff = ebpf_perf_buffer__new(
 bpf_map__fd(netevent_events_map),
 0,
 netevent_monitor_event_callback,
 netevent_monitor_lost_event_callback,
 nullptr,
- nullptr);
+ &perf_opts);
 REQUIRE(netevent_perf_buff != nullptr);
 // Initialize structures required for bpf_prog_test_run_opts
diff --git a/tools/process_monitor.Library/PInvokes.cs b/tools/process_monitor.Library/PInvokes.cs
index caac45e4..a8870458 100644
--- a/tools/process_monitor.Library/PInvokes.cs
+++ b/tools/process_monitor.Library/PInvokes.cs
@@ -28,7 +28,7 @@ internal static class PInvokes
 internal static extern IntPtr bpf_program__attach(IntPtr bpf_program);
 [DllImport(ebpfApiDll, CharSet = CharSet.Ansi, PreserveSig = true, CallingConvention = CallingConvention.Cdecl)]
- internal static extern unsafe IntPtr ring_buffer__new(int map_fd, delegate* unmanaged[Cdecl] sample_cb, IntPtr ctx, IntPtr opts);
+ internal static extern unsafe IntPtr ebpf_ring_buffer__new(int map_fd, delegate* unmanaged[Cdecl] sample_cb, IntPtr ctx, ref process_monitor.Library.ProcessMonitorBPFLoader.ebpf_ring_buffer_opts opts);
 [DllImport(ebpfApiDll, CharSet = CharSet.Ansi, PreserveSig = true, CallingConvention = CallingConvention.Cdecl)]
 internal static extern void ring_buffer__free(IntPtr ring_buffer);
diff --git a/tools/process_monitor.Library/ProcessMonitorBPFLoader.cs b/tools/process_monitor.Library/ProcessMonitorBPFLoader.cs
index 3889182c..f9184ebb 100644
--- a/tools/process_monitor.Library/ProcessMonitorBPFLoader.cs
+++ b/tools/process_monitor.Library/ProcessMonitorBPFLoader.cs
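Review bot: `ring_buffer__free` two lines below keeps its old export name while `ring_buffer__new` was renamed to `ebpf_ring_buffer__new`; `DllImport` entry points bind lazily, so if the rc1 library no longer exports the old name the failure surfaces only at teardown as an `EntryPointNotFoundException`, not at load. Confirm against the 1.0.0-rc1 export table that `ring_buffer__free` still exists, or rename it to whatever the rc1 header declares and update its caller in the same change. The type-argument list of `delegate* unmanaged[Cdecl] sample_cb` is missing in this rendering, presumably lost to markup. As a point of style, the interop struct is now referenced through the fully qualified `process_monitor.Library.ProcessMonitorBPFLoader.ebpf_ring_buffer_opts`; it would sit more naturally beside the other native declarations in `PInvokes`.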
@@ -38,6 +38,17 @@ internal readonly struct process_info_t
 internal readonly byte operation;
 }
+ [StructLayout(LayoutKind.Sequential)]
+#pragma warning disable IDE1006 // Naming Styles - this matches the native definition's name
+ internal struct ebpf_ring_buffer_opts
+#pragma warning restore IDE1006 // Naming Styles
+ {
+ internal nuint sz; // size_t - native unsigned integer
+ internal UInt64 flags; // uint64_t
+ }
+
+ private const UInt64 EBPF_RINGBUF_FLAG_AUTO_CALLBACK = 1;
+
 internal static void Subscribe(ProcessMonitor pm, ILogger logger)
 {
 lock (_lock)
@@ -113,14 +124,21 @@ private static void Initialize(ILogger logger)
 // Attach to ring buffer
 (_, var process_ringbuf_map_fd) = LoadMapByName("process_ringbuf", logger);
- process_ringbuf = PInvokes.ring_buffer__new(process_ringbuf_map_fd, &ProcessMonitor_history_callback, IntPtr.Zero, IntPtr.Zero);
+
+ var ring_opts = new ebpf_ring_buffer_opts
+ {
+ sz = (nuint)Marshal.SizeOf(),
+ flags = EBPF_RINGBUF_FLAG_AUTO_CALLBACK
+ };
+
+ process_ringbuf = PInvokes.ebpf_ring_buffer__new(process_ringbuf_map_fd, &ProcessMonitor_history_callback, IntPtr.Zero, ref ring_opts);
 if (process_ringbuf == IntPtr.Zero)
 {
- throw new InvalidOperationException("ring_buffer__new(process_ringbuf) failed!");
+ throw new InvalidOperationException("ebpf_ring_buffer__new(process_ringbuf) failed!");
 }
 else
 {
- logger.LogDebug("SUCCESS: ring_buffer__new(process_ringbuf) succeeded!");
+ logger.LogDebug("SUCCESS: ebpf_ring_buffer__new(process_ringbuf) succeeded!");
 }
 }
 }
From ae93a04597642a699d4a807afb4ac610c2c3ff42 Mon Sep 17 00:00:00 2001
From: Laksh Kotian
Date: Mon, 27 Oct 2025 08:01:27 -0700
Subject: [PATCH 4/5] add version.json
---
 scripts/update-product-version.ps1 | 11 +++++++++++
 version.json | 1 +
 2 files changed, 12 insertions(+)
 create mode 100644 version.json
diff --git a/scripts/update-product-version.ps1 b/scripts/update-product-version.ps1
index c2e2522d..670bc6b6 100644
--- a/scripts/update-product-version.ps1
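Review bot: `EBPF_RINGBUF_FLAG_AUTO_CALLBACK = 1` and the field order of `ebpf_ring_buffer_opts` (`nuint sz` then `UInt64 flags`) are hand-copied from the native definition with nothing tying them to it, so a change on the SDK side would desynchronize them silently; `sz` is presumably what the native call validates against, so a layout drift would most likely surface only as an `IntPtr.Zero` return and the `"ebpf_ring_buffer__new(process_ringbuf) failed!"` exception. Add `// Keep in sync with ebpf_ring_buffer_opts and EBPF_RINGBUF_FLAG_AUTO_CALLBACK in the eBPF-for-Windows 1.0.0-rc1 SDK header` on both the struct and the constant. `Marshal.SizeOf()` shows no type argument in this rendering (presumably the generic argument was stripped); since the method already takes the address of `ProcessMonitor_history_callback` it appears to be an unsafe context, where `sizeof(ebpf_ring_buffer_opts)` yields the same value for this blittable struct at compile time without the reflection call. `Initialize` begins before this hunk.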
+++ b/scripts/update-product-version.ps1
@@ -28,6 +28,17 @@ if ("$majorVersion.$minorVersion.$revisionNumber" -match '^\d+\.\d+\.\d+$') {
 $newcontent | Set-Content $ntosebpfext_version_file -NoNewline
 Write-Host -ForegroundColor DarkGreen "Version number updated to '$majorVersion.$minorVersion.$revisionNumber' in $ntosebpfext_version_file"
+ # Set the new version number in the version.json file.
+ $version_json_file = "$PSScriptRoot\..\version.json"
+ Write-Host -ForegroundColor DarkGreen "Updating the version number in the '$version_json_file' file..."
+ $versionJson = @{
+ major = [int]$majorVersion
+ minor = [int]$minorVersion
+ patch = [int]$revisionNumber
+ }
+ $versionJson | ConvertTo-Json | Set-Content $version_json_file -Encoding UTF8
+ Write-Host -ForegroundColor DarkGreen "Version number updated to '$majorVersion.$minorVersion.$revisionNumber' in $version_json_file"
+
 } else {
 Write-Host -ForegroundColor Red "'ntosebpfext.sln' not found in the current path."
 Write-Host -ForegroundColor DarkYellow "Please run this script from the root directory of the repository, within a Developer Poweshell for VS 2022."
diff --git a/version.json b/version.json
new file mode 100644
index 00000000..25fbd8ef
--- /dev/null
+++ b/version.json
@@ -0,0 +1 @@
+{ "major": 0, "minor": 6, "patch": 0 }
\ No newline at end of file
From e369e3b67bc3735da2414b1ffb0971f48e0e085a Mon Sep 17 00:00:00 2001
From: Laksh Kotian
Date: Mon, 27 Oct 2025 08:13:20 -0700
Subject: [PATCH 5/5] version 0.6.0
---
 resource/ebpf_ext_version.h | 2 +-
 scripts/update-product-version.ps1 | 2 +-
 version.json | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/resource/ebpf_ext_version.h b/resource/ebpf_ext_version.h
index 06ecf57f..740fd0a4 100644
--- a/resource/ebpf_ext_version.h
+++ b/resource/ebpf_ext_version.h
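Review bot: `Set-Content $version_json_file -Encoding UTF8` emits a UTF-8 BOM under Windows PowerShell 5.1 and none under PowerShell 7, so the bytes written to version.json depend on which host runs the script, and a BOM-prefixed file is rejected by some strict JSON consumers. If a BOM-less file is intended, write it explicitly: `[System.IO.File]::WriteAllText($version_json_file, ($versionJson | ConvertTo-Json), (New-Object System.Text.UTF8Encoding $false))`. The sibling write of `$ntosebpfext_version_file` a few lines above uses `-NoNewline` while this one does not, so the two files are written with different conventions; a short comment stating the intended on-disk format of version.json would settle both. The enclosing `if (... -match ...)` block opens before this hunk.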
@@ -2,7 +2,7 @@
 // SPDX-License-Identifier: MIT
 #define EBPF_VERSION_MAJOR 0
-#define EBPF_VERSION_MINOR 5
+#define EBPF_VERSION_MINOR 6
 #define EBPF_VERSION_REVISION 0
 #define QUOTE(str) #str
diff --git a/scripts/update-product-version.ps1 b/scripts/update-product-version.ps1
index 670bc6b6..8f652d85 100644
--- a/scripts/update-product-version.ps1
+++ b/scripts/update-product-version.ps1
@@ -31,7 +31,7 @@ if ("$majorVersion.$minorVersion.$revisionNumber" -match '^\d+\.\d+\.\d+$') {
 # Set the new version number in the version.json file.
 $version_json_file = "$PSScriptRoot\..\version.json"
 Write-Host -ForegroundColor DarkGreen "Updating the version number in the '$version_json_file' file..."
- $versionJson = @{
+ $versionJson = [ordered]@{
 major = [int]$majorVersion
 minor = [int]$minorVersion
 patch = [int]$revisionNumber
diff --git a/version.json b/version.json
index 25fbd8ef..b017f67f 100644
--- a/version.json
+++ b/version.json
@@ -1 +1,5 @@
-{ "major": 0, "minor": 6, "patch": 0 }
\ No newline at end of file
+{
+ "major": 0,
+ "minor": 6,
+ "patch": 0
+}