eBPF for Windows
ebpf_windows.h File Reference
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>


Data Structures

struct  _ebpf_extension_header
 Header of an eBPF extension data structure. Every eBPF extension data structure must start with this header. New fields can be added to the end of an eBPF extension data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible.
 

Macros

/*
 * Byte offset of member m inside struct type s: takes the address of m
 * through a null s* and converts it to size_t. No object is read.
 * NOTE(review): this null-pointer form is not guaranteed by ISO C and relies
 * on the compiler folding it to a constant; offsetof() from <stddef.h>, which
 * this header already includes, is the portable spelling.
 */
#define EBPF_OFFSET_OF(s, m)   (((size_t) & ((s*)0)->m))
 
/*
 * Size in bytes of member m of struct type s. The operand of sizeof is not
 * evaluated, so the null s* is only used to name the member's type.
 */
#define EBPF_FIELD_SIZE(s, m)   (sizeof(((s*)0)->m))
 
/*
 * Number of bytes from the start of struct type s through the end of member m
 * (offset of m plus size of m). The *_CURRENT_VERSION_SIZE macros in this file
 * are built from it, naming the last field of the current version; the result
 * can be smaller than sizeof(s) when the struct has trailing padding.
 * NOTE(review): presumably a consumer compares the size carried in a received
 * extension header against this value before reading later fields - confirm
 * against the validation code.
 */
#define EBPF_SIZE_INCLUDING_FIELD(s, m)   (EBPF_OFFSET_OF(s, m) + EBPF_FIELD_SIZE(s, m))
 
/*
 * Root key of the eBPF store written as a native NT registry path;
 * \Registry\Machine is the kernel-namespace name of the HKEY_LOCAL_MACHINE hive.
 * NOTE(review): the sub-key names defined below (Providers, SectionData,
 * ProgramData, Helpers, ...) suggest that program-type and helper metadata is
 * read from under this key, so who may write to it is worth confirming.
 */
#define EBPF_ROOT_REGISTRY_PATH   L"\\Registry\\Machine\\Software\\eBPF"
 
#define EBPF_ROOT_RELATIVE_PATH   L"Software\\eBPF"
 
#define EBPF_STORE_REGISTRY_PATH   L"Software\\eBPF\\Providers"
 
#define EBPF_PROVIDERS_REGISTRY_KEY   L"Providers"
 
#define EBPF_SECTIONS_REGISTRY_KEY   L"SectionData"
 
#define EBPF_PROGRAM_DATA_REGISTRY_KEY   L"ProgramData"
 
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY   L"TypeDescriptor"
 
#define EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY   L"Helpers"
 
#define EBPF_GLOBAL_HELPERS_REGISTRY_KEY   L"GlobalHelpers"
 
#define EBPF_EXTENSION_HEADER_VERSION   L"Version"
 
#define EBPF_EXTENSION_HEADER_SIZE   L"Size"
 
#define EBPF_SECTION_DATA_PROGRAM_TYPE   L"ProgramType"
 
#define EBPF_SECTION_DATA_ATTACH_TYPE   L"AttachType"
 
#define EBPF_PROGRAM_DATA_NAME   L"Name"
 
#define EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR   L"ContextDescriptor"
 
#define EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA   L"PlatformSpecificData"
 
/*
 * Wide-string name "IsPrivileged".
 * NOTE(review): presumably the registry value that mirrors the is_privileged
 * field of ebpf_program_type_descriptor_t. A privilege flag kept in the
 * registry is only as trustworthy as the ACL on its key - confirm how and
 * where this value is consumed.
 */
#define EBPF_PROGRAM_DATA_PRIVILEGED   L"IsPrivileged"
 
#define EBPF_PROGRAM_DATA_HELPER_COUNT   L"HelperCount"
 
#define EBPF_HELPER_DATA_PROTOTYPE   L"Prototype"
 
#define EBPF_HELPER_DATA_REALLOCATE_PACKET   L"ReallocatePacket"
 
#define EBPF_DATA_BPF_PROG_TYPE   L"BpfProgType"
 
#define EBPF_DATA_BPF_ATTACH_TYPE   L"BpfAttachType"
 
#define EBPF_MAX_GENERAL_HELPER_FUNCTION   0xFFFF
 
#define EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION   1
 
#define EBPF_PROGRAM_INFORMATION_CLIENT_DATA_CURRENT_VERSION   1
 
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION   1
 
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE   EBPF_SIZE_INCLUDING_FIELD(ebpf_attach_provider_data_t, link_type)
 
#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_attach_provider_data_t)
 
#define EBPF_ATTACH_PROVIDER_DATA_HEADER
 
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION   1
 
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_type_descriptor_t, is_privileged)
 
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_type_descriptor_t)
 
#define EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER
 
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION   1
 
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_prototype_t, implicit_context)
 
#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_helper_function_prototype_t)
 
#define EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER
 
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION   1
 
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_info_t, global_helper_prototype)
 
#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_info_t)
 
#define EBPF_PROGRAM_INFORMATION_HEADER
 
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION   1
 
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_addresses_t, helper_function_address)
 
#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_helper_function_addresses_t)
 
#define EBPF_HELPER_FUNCTION_ADDRESSES_HEADER
 
#define EBPF_PROGRAM_DATA_CURRENT_VERSION   1
 
#define EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE   EBPF_SIZE_INCLUDING_FIELD(ebpf_program_data_t, capabilities)
 
#define EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_data_t)
 
#define EBPF_PROGRAM_DATA_HEADER
 
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION   1
 
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_section_info_t, bpf_attach_type)
 
#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_section_info_t)
 
#define EBPF_PROGRAM_SECTION_INFORMATION_HEADER
 

Typedefs

typedef uint8_t GUID[16]
 
typedef GUID ebpf_program_type_t
 
typedef GUID ebpf_attach_type_t
 
typedef enum _ebpf_helper_function ebpf_helper_function_t
 
typedef struct _ebpf_extension_header ebpf_extension_header_t
 Header of an eBPF extension data structure. Every eBPF extension data structure must start with this header. New fields can be added to the end of an eBPF extension data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible.
 

Enumerations

enum  _ebpf_helper_function { EBPF_LOOKUP_ELEMENT = 1 , EBPF_UPDATE_ELEMENT = 2 , EBPF_DELETE_ELEMENT = 3 }
 

Macro Definition Documentation

◆ EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION

#define EBPF_ATTACH_CLIENT_DATA_CURRENT_VERSION   1

◆ EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION

#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION   1

◆ EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE

#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE   EBPF_SIZE_INCLUDING_FIELD(ebpf_attach_provider_data_t, link_type)

◆ EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_attach_provider_data_t)

◆ EBPF_ATTACH_PROVIDER_DATA_HEADER

#define EBPF_ATTACH_PROVIDER_DATA_HEADER
Value:
{ \
EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION, EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_SIZE, \
EBPF_ATTACH_PROVIDER_DATA_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_DATA_BPF_ATTACH_TYPE

#define EBPF_DATA_BPF_ATTACH_TYPE   L"BpfAttachType"

◆ EBPF_DATA_BPF_PROG_TYPE

#define EBPF_DATA_BPF_PROG_TYPE   L"BpfProgType"

◆ EBPF_EXTENSION_HEADER_SIZE

#define EBPF_EXTENSION_HEADER_SIZE   L"Size"

◆ EBPF_EXTENSION_HEADER_VERSION

#define EBPF_EXTENSION_HEADER_VERSION   L"Version"

◆ EBPF_FIELD_SIZE

#define EBPF_FIELD_SIZE(s, m)   (sizeof(((s*)0)->m))

◆ EBPF_GLOBAL_HELPERS_REGISTRY_KEY

#define EBPF_GLOBAL_HELPERS_REGISTRY_KEY   L"GlobalHelpers"

◆ EBPF_HELPER_DATA_PROTOTYPE

#define EBPF_HELPER_DATA_PROTOTYPE   L"Prototype"

◆ EBPF_HELPER_DATA_REALLOCATE_PACKET

#define EBPF_HELPER_DATA_REALLOCATE_PACKET   L"ReallocatePacket"

◆ EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION

#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION   1

◆ EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE

#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_addresses_t, helper_function_address)

◆ EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_helper_function_addresses_t)

◆ EBPF_HELPER_FUNCTION_ADDRESSES_HEADER

#define EBPF_HELPER_FUNCTION_ADDRESSES_HEADER
Value:
{ \
EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION, EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_SIZE, \
EBPF_HELPER_FUNCTION_ADDRESSES_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION

#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION   1

◆ EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE

#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_helper_function_prototype_t, implicit_context)

◆ EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_helper_function_prototype_t)

◆ EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER

#define EBPF_HELPER_FUNCTION_PROTOTYPE_HEADER
Value:
{ \
EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION, EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_SIZE, \
EBPF_HELPER_FUNCTION_PROTOTYPE_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_MAX_GENERAL_HELPER_FUNCTION

#define EBPF_MAX_GENERAL_HELPER_FUNCTION   0xFFFF

◆ EBPF_OFFSET_OF

#define EBPF_OFFSET_OF(s, m)   (((size_t) & ((s*)0)->m))

◆ EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR

#define EBPF_PROGRAM_DATA_CONTEXT_DESCRIPTOR   L"ContextDescriptor"

◆ EBPF_PROGRAM_DATA_CURRENT_VERSION

#define EBPF_PROGRAM_DATA_CURRENT_VERSION   1

◆ EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE

#define EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE   EBPF_SIZE_INCLUDING_FIELD(ebpf_program_data_t, capabilities)

◆ EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_data_t)

◆ EBPF_PROGRAM_DATA_HEADER

#define EBPF_PROGRAM_DATA_HEADER
Value:
{ \
EBPF_PROGRAM_DATA_CURRENT_VERSION, EBPF_PROGRAM_DATA_CURRENT_VERSION_SIZE, \
EBPF_PROGRAM_DATA_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_PROGRAM_DATA_HELPER_COUNT

#define EBPF_PROGRAM_DATA_HELPER_COUNT   L"HelperCount"

◆ EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY

#define EBPF_PROGRAM_DATA_HELPERS_REGISTRY_KEY   L"Helpers"

◆ EBPF_PROGRAM_DATA_NAME

#define EBPF_PROGRAM_DATA_NAME   L"Name"

◆ EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA

#define EBPF_PROGRAM_DATA_PLATFORM_SPECIFIC_DATA   L"PlatformSpecificData"

◆ EBPF_PROGRAM_DATA_PRIVILEGED

#define EBPF_PROGRAM_DATA_PRIVILEGED   L"IsPrivileged"

◆ EBPF_PROGRAM_DATA_REGISTRY_KEY

#define EBPF_PROGRAM_DATA_REGISTRY_KEY   L"ProgramData"

◆ EBPF_PROGRAM_INFORMATION_CLIENT_DATA_CURRENT_VERSION

#define EBPF_PROGRAM_INFORMATION_CLIENT_DATA_CURRENT_VERSION   1

◆ EBPF_PROGRAM_INFORMATION_CURRENT_VERSION

#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION   1

◆ EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE

#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_info_t, global_helper_prototype)

◆ EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_info_t)

◆ EBPF_PROGRAM_INFORMATION_HEADER

#define EBPF_PROGRAM_INFORMATION_HEADER
Value:
{ \
EBPF_PROGRAM_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_SIZE, \
EBPF_PROGRAM_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION

#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION   1

◆ EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE

#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_section_info_t, bpf_attach_type)

◆ EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_section_info_t)

◆ EBPF_PROGRAM_SECTION_INFORMATION_HEADER

#define EBPF_PROGRAM_SECTION_INFORMATION_HEADER
Value:
{ \
EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION, EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_SIZE, \
EBPF_PROGRAM_SECTION_INFORMATION_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION

#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION   1

◆ EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE

#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE    EBPF_SIZE_INCLUDING_FIELD(ebpf_program_type_descriptor_t, is_privileged)

◆ EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE

#define EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE   sizeof(ebpf_program_type_descriptor_t)

◆ EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER

#define EBPF_PROGRAM_TYPE_DESCRIPTOR_HEADER
Value:
{ \
EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION, EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_SIZE, \
EBPF_PROGRAM_TYPE_DESCRIPTOR_CURRENT_VERSION_TOTAL_SIZE \
}

◆ EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY

#define EBPF_PROGRAM_TYPE_DESCRIPTOR_REGISTRY_KEY   L"TypeDescriptor"

◆ EBPF_PROVIDERS_REGISTRY_KEY

#define EBPF_PROVIDERS_REGISTRY_KEY   L"Providers"

◆ EBPF_ROOT_REGISTRY_PATH

#define EBPF_ROOT_REGISTRY_PATH   L"\\Registry\\Machine\\Software\\eBPF"

◆ EBPF_ROOT_RELATIVE_PATH

#define EBPF_ROOT_RELATIVE_PATH   L"Software\\eBPF"

◆ EBPF_SECTION_DATA_ATTACH_TYPE

#define EBPF_SECTION_DATA_ATTACH_TYPE   L"AttachType"

◆ EBPF_SECTION_DATA_PROGRAM_TYPE

#define EBPF_SECTION_DATA_PROGRAM_TYPE   L"ProgramType"

◆ EBPF_SECTIONS_REGISTRY_KEY

#define EBPF_SECTIONS_REGISTRY_KEY   L"SectionData"

◆ EBPF_SIZE_INCLUDING_FIELD

#define EBPF_SIZE_INCLUDING_FIELD(s, m)   (EBPF_OFFSET_OF(s, m) + EBPF_FIELD_SIZE(s, m))

◆ EBPF_STORE_REGISTRY_PATH

#define EBPF_STORE_REGISTRY_PATH   L"Software\\eBPF\\Providers"

Typedef Documentation

◆ ebpf_attach_type_t

◆ ebpf_extension_header_t

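Header of an eBPF extension data structure. Every eBPF extension data structure must start with this header. New fields can be added to the end of an eBPF extension data structure without breaking backward compatibility. The version field must be updated only if the new data structure is not backward compatible. On this page, each *_HEADER macro fills the header with the current version, the size up to and including the last field of that version, and the total size of the structure; because structures can grow at the end, code that receives one from another component should check those sizes before reading fields beyond the header.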

◆ ebpf_helper_function_t

◆ ebpf_program_type_t

◆ GUID

typedef uint8_t GUID[16]

Enumeration Type Documentation

◆ _ebpf_helper_function

Enumerator
EBPF_LOOKUP_ELEMENT 

Look up a map element.

EBPF_UPDATE_ELEMENT 

Update map element.

EBPF_DELETE_ELEMENT 

Delete a map element.