More cleanup (microsoft#91)
Signed-off-by: Dave Thaler <dthaler@ntdev.microsoft.com>
dthaler authored Apr 26, 2021
1 parent 762e259 commit 08c116b
Showing 4 changed files with 23 additions and 28 deletions.
2 changes: 1 addition & 1 deletion docs/GettingStarted.md
Expand Up @@ -53,7 +53,7 @@ Set up 2 VMs, which we will refer to as the "attacker" machine and the "defender

On the defender machine, do the following:
1. Install and set up a DNS server
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternative-to-running-with-kernel-debugger-attached) is in place
2. Make sure that either the kernel debugger (KD) is attached and running, or one of the [alternatives to running with kernel debugger attached](#alternatives-to-running-with-kernel-debugger-attached) is in place
3. Install Debug VS 2019 VC redist from TBD (or switch everything to Multi-threaded Debug (/MTd) and rebuild)
4. Copy ebpfcore.sys to %windir%\system32\drivers
5. Copy ebpfapi.dll and ebpfnetsh.dll to %windir%\system32
6 changes: 3 additions & 3 deletions docs/tutorial.md
Expand Up @@ -289,7 +289,7 @@ Verification succeeded
The verification command succeeded because there was only one
non-empty TEXT section in bpf.o, so the verifier found it and used that
as the eBPF program to verify. If we try the same on an object file with
multiple such sections, we instead get this:
multiple such sections, we get this:

```
> netsh ebpf show verification bpf2.o
Expand Down Expand Up @@ -529,7 +529,7 @@ are safe to access start at offset 16.
With the above, our sample program will pass verification:

```
> >netsh ebpf show verification myxdp.o
> netsh ebpf show verification myxdp.o
Verification succeeded
```
Expand Down Expand Up @@ -880,7 +880,7 @@ RELOCATION RECORDS FOR [.relmyprog]:
0000000000000040 R_BPF_64_64 map
```
This record means that the actual address of map should be inserted at
This record means that the actual address of `map` should be inserted at
offset 0x40, but where is that? llvm-objdump and check both gave us
instruction numbers not offsets, but we can see the raw bytes as follows:
19 changes: 9 additions & 10 deletions src/ebpf/sys/ebpf_drv.c
Expand Up @@ -8,7 +8,7 @@
Abstract:
WDF based driver that does the following:
1. Registers as a WFP L2 Callout
2. Opens a IOCTL surface
2. Opens an IOCTL surface
Environment:
Expand Down Expand Up @@ -71,9 +71,9 @@ static VOID
EbpfCoreEvtIoDeviceControl(
_In_ WDFQUEUE queue,
_In_ WDFREQUEST request,
_In_ size_t output_buffer_length,
_In_ size_t input_buffer_length,
_In_ ULONG io_control_code);
size_t output_buffer_length,
size_t input_buffer_length,
ULONG io_control_code);

inline NTSTATUS
ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
Expand All @@ -88,8 +88,7 @@ ebpf_error_code_to_ntstatus(ebpf_error_code_t error)
case EBPF_ERROR_INVALID_PARAMETER:
return STATUS_INVALID_PARAMETER;
case EBPF_ERROR_BLOCKED_BY_POLICY:
// TODO: Find a better error code for this.
return STATUS_NOT_SUPPORTED;
return STATUS_CONTENT_BLOCKED;
case EBPF_ERROR_NO_MORE_KEYS:
return STATUS_NO_MORE_MATCHES;
case EBPF_ERROR_INVALID_HANDLE:
Expand Down Expand Up @@ -173,7 +172,7 @@ EbpfCoreInitDriverObjects(

device_create_flag = TRUE;

// create symbolic link for control object for um
// Create symbolic link for control object for user mode.
RtlInitUnicodeString(&ebpf_symbolic_device_name, EBPF_SYMBOLIC_DEVICE_NAME);
status = WdfDeviceCreateSymbolicLink(*device, &ebpf_symbolic_device_name);

Expand Down Expand Up @@ -220,9 +219,9 @@ static VOID
EbpfCoreEvtIoDeviceControl(
_In_ WDFQUEUE queue,
_In_ WDFREQUEST request,
_In_ size_t output_buffer_length,
_In_ size_t input_buffer_length,
_In_ ULONG io_control_code)
size_t output_buffer_length,
size_t input_buffer_length,
ULONG io_control_code)
{
NTSTATUS status = STATUS_SUCCESS;
WDFDEVICE device;
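Review bot: The new `return STATUS_CONTENT_BLOCKED;` for EBPF_ERROR_BLOCKED_BY_POLICY in ebpf_error_code_to_ntstatus removes the TODO but leaves no rationale for the choice, and as far as I recall the catalog text for STATUS_CONTENT_BLOCKED describes storage-policy file blocking rather than program-load policy, so a later reader may take the mapping for a mistake and "fix" it. Keeping a dedicated status here is worthwhile, because user-mode callers can then distinguish a policy denial from STATUS_NOT_SUPPORTED and act on it accordingly. A one-line comment above the return would preserve that reasoning: `// Closest existing NTSTATUS for "denied by policy"; deliberately distinct from STATUS_NOT_SUPPORTED so callers can tell the two apart.` The body of ebpf_error_code_to_ntstatus starts and ends outside the hunk.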
24 changes: 10 additions & 14 deletions src/ebpf/sys/ebpf_l2_hook.c
Expand Up @@ -120,7 +120,7 @@ ebpf_hook_layer_2_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);

static void
Expand All @@ -130,7 +130,7 @@ ebpf_hook_resource_allocation_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);

static void
Expand All @@ -140,17 +140,15 @@ ebpf_hook_resource_release_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output);

static void
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context);
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context);

static NTSTATUS
ebpf_hook_no_op_notify(
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
_In_ const GUID* filter_key,
_Inout_ const FWPS_FILTER* filter);
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter);

typedef struct _ebpf_wfp_callout_state
{
Expand Down Expand Up @@ -411,7 +409,7 @@ ebpf_hook_layer_2_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
Expand Down Expand Up @@ -483,7 +481,7 @@ ebpf_hook_resource_allocation_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
Expand Down Expand Up @@ -538,7 +536,7 @@ ebpf_hook_resource_release_classify(
_Inout_opt_ void* layer_data,
_In_opt_ const void* classify_context,
_In_ const FWPS_FILTER* filter,
_In_ uint64_t flow_context,
uint64_t flow_context,
_Inout_ FWPS_CLASSIFY_OUT* classify_output)
/* ++
Expand Down Expand Up @@ -580,9 +578,7 @@ ebpf_hook_resource_release_classify(

static NTSTATUS
ebpf_hook_no_op_notify(
_In_ FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type,
_In_ const GUID* filter_key,
_Inout_ const FWPS_FILTER* filter)
FWPS_CALLOUT_NOTIFY_TYPE callout_notification_type, _In_ const GUID* filter_key, _Inout_ const FWPS_FILTER* filter)
{
UNREFERENCED_PARAMETER(callout_notification_type);
UNREFERENCED_PARAMETER(filter_key);
Expand All @@ -592,7 +588,7 @@ ebpf_hook_no_op_notify(
}

static void
ebpf_hook_no_op_flow_delete(_In_ uint16_t layer_id, _In_ uint32_t fwpm_callout_id, _In_ uint64_t flow_context)
ebpf_hook_no_op_flow_delete(uint16_t layer_id, uint32_t fwpm_callout_id, uint64_t flow_context)
/* ++
This is the flowDeleteFn function of the L2 callout.
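Review bot: The reflowed ebpf_hook_no_op_notify prototype and definition keep `_Inout_ const FWPS_FILTER* filter`, and `_Inout_` on a pointer-to-const is contradictory: the annotation promises a write through a pointer whose type forbids writing, so SAL analysis either flags it or silently discards one side. Since this commit is already trimming SAL on these signatures and the visible body only does UNREFERENCED_PARAMETER on its arguments, `_In_ const FWPS_FILTER* filter` would be consistent at both sites (the forward declaration and the definition); if the intent is instead to match the WDK notify callback type, which I believe takes a non-const `FWPS_FILTER*`, drop the `const` rather than the `_Inout_`. The body of ebpf_hook_no_op_notify continues outside the hunk.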
