The Linux port of the Sysinternals Sysmon tool.

Overview

SysinternalsEBPF build and install instructions

Dependencies

For Ubuntu:

sudo apt update
sudo apt install build-essential gcc g++ make cmake libelf-dev llvm clang libzstd1 git libjson-glib-dev

Build

cd
git clone https://github.com/Sysinternals/SysinternalsEBPF.git
cd SysinternalsEBPF
mkdir build
cd build
cmake ..
make

(Build from Sysmon ADO internally)

This is only required when cloning from the Sysmon ADO. Most users can ignore this.

cd
git clone <Sysmon ADO>
cd Sysmon/sysinternalsEBPF
mkdir build
cd build
cmake ..
make

Install

SysinternalsEBPF can be installed in two different ways, either directly via CMake (if just built) or by running the libsysinternalsEBPFinstaller binary. The installer binary is portable and contains all the necessary files to install sysinternalsEBPF onto a system.

Either:

sudo ./libsysinternalsEBPFinstaller

Or:

sudo make install

The shared library will be installed to /usr/lib; the header to /usr/include; the offsets database and EBPF objects to /opt/sysinternalsEBPF. The libsysinternalsEBPFinstaller binary will also be installed in /opt/sysinternalsEBPF (which can be copied to another system and run to install sysinternalsEBPF there). Note: 'sudo make install' will use the binary, include, and lib directories that cmake prefers or you have overridden, whereas the installer and the packages (see below) use the paths specified above.

Make Packages

Packages can be generated with:

make packages

The directories build/deb and build/rpm will be populated with the required files. If dpkg-deb is available, the build/deb directory will be used to create a deb package. Similarly, if rpmbuild is available, the build/rpm directory will be used to create an rpm package.

Autodiscovery of Offsets

SysinternalsEBPF attempts to automatically discover the offsets of some members of some kernel structs. If this fails, please provide details of the kernel version (and config if possible) plus the error message to:

kevin.sheldrake AT microsoft.com

You can then generate a configuration file to override the autodiscovery by building the getOffsets module in the /opt/sysinternals/getOffsets directory. See the README.md in that directory for more information.

Manual Page

A man page for SysinternalsEBPF can be found in the package directory, and is installed by both deb and rpm packages.

Use 'find' on the package directory to locate it manually.

License

SysinternalsEBPF is licensed under LGPL2.1. SysinternalsEBPF includes libbpf, which is licensed under LGPL2.1. Libbpf can be located at https://github.com/libbpf/libbpf. The SysinternalsEBPF library of eBPF code is licensed under GPL2.

Comments
  • Update README.md for dependencies installation.

    The installation, as per the currently provided dependencies code snippet, asks for 'Y' and 'N' during the installation process; however, this can be skipped using the '-y' auto-yes option, which requires less manual intervention.

    I have tested it on my Ubuntu 20.4 instance and it works as expected after adding -y flag.

    opened by ashishsecdev 0
  • Build errors concerning discoverOffsets.c

    Trying to build SysinternalseBPF I get the following errors:

    [ 21%] Building C object CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘memDumpEventCb’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:141:29: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
             memAddrs[d->type] = (uint64_t)d->addr;
                                 ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘isPointer’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
     #define MAX_POINTER_DIFF (1L << 36)
                                  ^~
    /path/to/SysinternalsEBPF/discoverOffsets.c:175:38: note: in expansion of macro ‘MAX_POINTER_DIFF’
         if (labs(ptr - memAddrs[task]) < MAX_POINTER_DIFF) {
                                          ^~~~~~~~~~~~~~~~
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchPtr’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
     #define MAX_POINTER_DIFF (1L << 36)
                                  ^~
    /path/to/SysinternalsEBPF/discoverOffsets.c:432:79: note: in expansion of macro ‘MAX_POINTER_DIFF’
         return searchUint64(out, dir, type, startOffset, numElem, memAddrs[task], MAX_POINTER_DIFF);
                                                                                   ^~~~~~~~~~~~~~~~
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchDerefUint32’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:619:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
             if (!dumpStruct(to, (void *)get64(from, off[0]), DUMP_SIZE, pb)) {
                                 ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getCredsOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:848:36: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!setConfigPid(child, cred, (void *)get64(task, offsets->cred[0]), DUMP_SIZE)) {
                                        ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getPwdPathOffset’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:927:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(fs, (void *)get64(task, startOffset), DUMP_SIZE, pb)) {
                             ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:945:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
                 fprintf(stderr, "0 = 0x%016lx\n", get64(fs, offsets->pwd_path[1]));
                                        ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                        %016llx
    /path/to/SysinternalsEBPF/discoverOffsets.c:946:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
                 fprintf(stderr, "1 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + sizeof(uint64_t)));
                                        ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                        %016llx
    /path/to/SysinternalsEBPF/discoverOffsets.c:947:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
                 fprintf(stderr, "2 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (2 * sizeof(uint64_t))));
                                        ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                        %016llx
    /path/to/SysinternalsEBPF/discoverOffsets.c:948:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
                 fprintf(stderr, "3 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (3 * sizeof(uint64_t))));
                                        ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                        %016llx
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryNameOffset’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:981:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(dentry, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_dentry[0]), DUMP_SIZE, pb)) {
                                 ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:1000:34: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                 if (!dumpStruct(pwd, (void *)get64(dentry, offsets->dentry_name[0]), DUMP_SIZE, pb)) {
                                      ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryInodeOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1078:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(inode, (void *)get64(dentry, offsets->dentry_inode[0]), DUMP_SIZE, pb)) {
                                ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMountOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1162:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(mount, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_vfsmount[0]) - 512,
                                ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:1176:39: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(dentryMountpoint, (void *)get64(mount, offsets->mount_mountpoint[0]), DUMP_SIZE, pb)) {
                                           ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getFdOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1239:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(files, (void *)get64(task, offsets->max_fds[0]), DUMP_SIZE, pb)) {
                                ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getTtyOffset’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1321:30: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(signals, (void *)get64(task, offsets->tty[0]), DUMP_SIZE, pb)) {
                                  ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMmOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1477:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(mm, (void *)get64(task, offsets->mm_arg_start[0]), DUMP_SIZE, pb)) {
                             ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:1483:71: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
         if (searchUint64(&offsets->mm_arg_start[1], forwards, mm, 0, 128, (uint64_t)argv[0], 0)) {
                                                                           ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getExePathOffset’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:1573:42: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                     if (!dumpStruct(exeFile, (void *)get64(mm, startOffset), DUMP_SIZE, pb)) {
                                              ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:1579:48: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                         if (!dumpStruct(exeDentry, (void *)dentry, DUMP_SIZE, pb)) {
                                                    ^
    /path/to/SysinternalsEBPF/discoverOffsets.c:1584:46: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                         if (!dumpStruct(exeName, (void *)exe_dname, DUMP_SIZE, pb)) {
                                                  ^
    /path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getSkbOffsets’:
    /path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
     #define MAX_POINTER_DIFF (1L << 36)
                                  ^~
    /path/to/SysinternalsEBPF/discoverOffsets.c:1663:39: note: in expansion of macro ‘MAX_POINTER_DIFF’
             if (near(addr, memAddrs[skb], MAX_POINTER_DIFF)) {
                                           ^~~~~~~~~~~~~~~~
    /path/to/SysinternalsEBPF/discoverOffsets.c:1664:31: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                 setConfig(skdata, (const void *)(uint64_t)startOffset, 36);
                                   ^
    cc1: all warnings being treated as errors
    make[2]: *** [CMakeFiles/sysinternalsEBPF.dir/build.make:91: CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o] error 1
    make[1]: *** [CMakeFiles/Makefile2:73: CMakeFiles/sysinternalsEBPF.dir/all] error 2
    make: *** [Makefile:130: all] error 2
    

    Guessing it has to do with autodiscovery of offsets https://github.com/Sysinternals/SysinternalsEBPF#autodiscovery-of-offsets I already built the sysinternalsEBPF_offsets.conf file as described in the README of getOffsets via make conf to /path/to/sysinternalsEBPF/sysinternalsEBPF_offsets.conf. It seems to me that the file is ignored in subsequent builds though?

    OS Debian 10 Buster

    Kernel 5.10.60 on armhf

    opened by helix-loop 0
  • Linux compiler fixes (GCC & CLANG)

    Modify the eBPF programlet compilation to add -fno-stack-protector similar to https://github.com/Sysinternals/SysmonForLinux/pull/42

    Additionally, the compiler warnings identified two calls to labs(...) that would always evaluate to true due to them operating on an unsigned value. I modified the less-than comparison to move the subtracted value from the left-hand side to be an added value to the right-hand side, and removed the labs(...) calls.

    opened by ckane 0
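    The armhf build log above and the labs() point in the compiler-fixes PR both stem from code that assumes long and pointers are 64 bits wide. As an added illustration (hypothetical helpers, not SysinternalsEBPF's own code), here is how each of those constructs can be written so it compiles cleanly on both 32-bit and 64-bit targets:

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, portable versions of the constructs the armhf build rejects.
 * These are illustrative helpers, not SysinternalsEBPF's own code. */

/* `1L << 36` is undefined when long is 32 bits (armhf); a 64-bit constant
 * has the same value on every target. */
#define MAX_POINTER_DIFF (UINT64_C(1) << 36)

/* Pointer <-> integer conversions go through uintptr_t, which is exactly
 * pointer-sized, so neither cast changes width (-Werror=int-to-pointer-cast). */
static uint64_t ptr_to_u64(const void *p) { return (uint64_t)(uintptr_t)p; }
static void *u64_to_ptr(uint64_t v) { return (void *)(uintptr_t)v; } /* truncates if v exceeds the pointer width */

/* Distance test without labs(): both operands are unsigned, so take the
 * difference in the direction that cannot wrap. (The PR instead rewrote
 * `labs(a - b) < max` as `a < b + max`; this symmetric form is an alternative.) */
static bool addr_near(uint64_t addr, uint64_t base, uint64_t max_diff) {
    uint64_t diff = addr >= base ? addr - base : base - addr;
    return diff < max_diff;
}

/* %lx is wrong for uint64_t wherever long is not 64 bits; PRIx64 adapts. */
static int format_addr(char *buf, size_t n, uint64_t v) {
    return snprintf(buf, n, "0x%016" PRIx64, v);
}

/* Self-checks usable from a test: format a value and round-trip a pointer. */
static bool format_addr_matches(uint64_t v, const char *expected) {
    char buf[32];
    return format_addr(buf, sizeof buf, v) == 18 && strcmp(buf, expected) == 0;
}
static bool pointer_roundtrip_ok(void) {
    int probe = 0;
    return u64_to_ptr(ptr_to_u64(&probe)) == (void *)&probe;
}
```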
  • telemetryStart should have a stop mechanism other than signals

    Currently, telemetryStart is a fully blocking call. There appears to be no way to stop tracing without sending a signal that would cause perf_buffer__poll to return <0, e.g., SIGSTOP or SIGCONT (based on the comments). This can race with the call to perf_buffer__poll, which may not be on the stack when the signal arrives.

    If you are trying to use this library in-process, it is difficult to control stopping as designed.

    An Init->Start->Stop->Fini pattern would be useful for this library.

    https://github.com/Sysinternals/SysinternalsEBPF/blob/b9035cf7780c9c733f4be06ff29f7b4fc447b395/telemetryLoader.c#L1432-L1470

    enhancement 
    opened by josalem 1
  • Is RHEL7 supported?

    While an RHEL7 rpm is posted, has anyone installed it successfully? RHEL7 bundles glibc 2.17, therefore the dependency check will fail.

    $ rpm -Uvh sysinternalsebpf-1.0.0-1.x86_64.rpm 
    error: Failed dependencies:
    libc.so.6(GLIBC_2.22)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
    libc.so.6(GLIBC_2.26)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
    libjson-glib-1.0.so.0()(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
    
    $ cat /etc/redhat-release 
    Red Hat Enterprise Linux Server release 7.7 (Maipo)
    
    $ rpm -qa|grep glibc
    glibc-2.17-292.el7.x86_64
    glibc-common-2.17-292.el7.x86_64
    glibc-devel-2.17-292.el7.x86_64
    glibc-headers-2.17-292.el7.x86_64
    

    If it's not supported then perhaps the reference to RHEL7 (and CentOS7) should be removed.

    opened by aka0 6
  • Unconditional printing to stderr

    https://github.com/Sysinternals/SysinternalsEBPF/blob/b9035cf7780c9c733f4be06ff29f7b4fc447b395/telemetryLoader.c#L1426

    The library unconditionally prints to stderr, which can be problematic for consumption. If you have a TUI for instance, this can corrupt the TUI output if the user doesn't redirect stderr.

    You can work around this by using dup2 to point stderr at /dev/null, but it would be nice if the library used some kind of logging library or put fprintf(stderr...) behind a config flag.

    enhancement 
    opened by josalem 1
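    The two josalem issues above ask for an in-process stop mechanism and for stderr output to sit behind a caller-controlled sink. The following is an added sketch of how such an Init->Start->Stop->Fini API could look (a hypothetical example, not the library's code; poll_fn and the event source are constructed stand-ins for perf_buffer__poll and the perf buffer):

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical Init->Start->Stop->Fini wrapper with a caller-chosen log sink.
 * Not the library's code; poll_fn stands in for perf_buffer__poll(pb, timeout). */
typedef const char *(*poll_fn)(void *src);            /* NULL = timeout, no event */
typedef void (*event_cb)(void *ctx, const char *event);
typedef void (*log_cb)(void *ctx, const char *msg);
typedef struct {
    atomic_bool stop;
    poll_fn poll;      void *src;
    event_cb on_event; void *cb_ctx;
    log_cb log;        void *log_ctx;
} tracer;

static void log_stderr(void *ctx, const char *msg) { (void)ctx; fprintf(stderr, "%s\n", msg); }
static int tracer_init(tracer *t, poll_fn poll, void *src, event_cb cb, void *cb_ctx,
                       log_cb log, void *log_ctx) {
    if (!t || !poll || !cb) return -1;
    memset(t, 0, sizeof *t);
    atomic_init(&t->stop, false);
    t->poll = poll; t->src = src; t->on_event = cb; t->cb_ctx = cb_ctx;
    t->log = log ? log : log_stderr;   /* stderr only when the caller supplies no sink */
    t->log_ctx = log_ctx;
    return 0;
}
/* Safe from the event callback or another thread; no signal, no race with poll. */
static void tracer_stop(tracer *t) { atomic_store(&t->stop, true); }

/* Blocks like telemetryStart, but each poll has a timeout and the stop flag is
 * re-checked every iteration, so a stop request is honoured within one timeout. */
static int tracer_start(tracer *t) {
    while (!atomic_load(&t->stop)) {
        const char *ev = t->poll(t->src);
        if (ev) t->on_event(t->cb_ctx, ev);
    }
    t->log(t->log_ctx, "tracer: stopped");
    return 0;
}

static void tracer_fini(tracer *t) { memset(t, 0, sizeof *t); }

/* Constructed event source, callbacks and log buffer for a stand-alone run. */
typedef struct { const char **ev; size_t n, i; } fake_src;
static const char *fake_poll(void *p) { fake_src *s = p; return s->i < s->n ? s->ev[s->i++] : NULL; }
typedef struct { tracer *t; unsigned long seen, limit; } counter;
static void count_cb(void *ctx, const char *ev) { counter *c = ctx; (void)ev; if (++c->seen >= c->limit) tracer_stop(c->t); }
static char demo_log[64];
static void log_to_buf(void *ctx, const char *msg) { (void)ctx; snprintf(demo_log, sizeof demo_log, "%s", msg); }
/* Full lifecycle; returns events seen. limit must be 1..5, or the loop never ends. */
static unsigned long run_demo(unsigned long limit) {
    static const char *evs[] = {"exec:/bin/ls", "connect:10.0.0.1", "exec:/bin/id", "exit:ls", "exit:id"};
    fake_src src = { evs, 5, 0 };
    tracer t; counter c = { &t, 0, limit };
    if (tracer_init(&t, fake_poll, &src, count_cb, &c, log_to_buf, NULL) != 0) return 0;
    tracer_start(&t);
    tracer_fini(&t);
    return c.seen;
}
```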
Releases(v1.0.2)
Owner
Sysinternals