microsoft / ebpf-for-windows-demo

This repository contains the demo material built on top of ebpf-for-windows platform.
MIT License

conn_tracker.exe doesn't load conn_track.sys #22

Closed jsturtevant closed 2 years ago

jsturtevant commented 2 years ago

After going through https://github.com/microsoft/ebpf-for-windows-demo/blob/main/connection_tracker/README.md#demo-steps on a Windows 11 machine with eBPF-for-Windows (v0.4.0) installed, I get:

PS C:\Users\User\ebpf-for-windows-demo\x64\Release> .\conn_tracker.exe
Press Ctrl-C to shutdown
bpf_object__load for conn_track.sys failed: 9
jsturtevant commented 2 years ago

Looks like verification of the ELF file passed:

netsh ebpf show verification conn_track.o sockops level=verbose

Verification succeeded
Program terminates within 545 instructions
jsturtevant commented 2 years ago

And the sys file has sections:

PS C:\Users\User\ebpf-for-windows-demo\x64\Release> netsh ebpf show sections .\conn_track.sys

                                    Size
             Section       Type  (bytes)
====================  =========  =======
             sockops    sockops     4684

                     Key  Value      Max
          Map Type  Size   Size  Entries  Name
==================  ====  =====  =======  ========
          lru_hash    56      8     1024  connection_map
           ringbuf     0      0   262144  history_map            
jsturtevant commented 2 years ago

Running the following shows that eBPF isn't running:

sc query ebpfcore
sc query netebpfext

Starting them manually with:

net start netebpfext

net start ebpfcore

net start ebpfsvc

And the demo works!
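The fix in this thread is a manual sequence of `sc query` and `net start` calls. The script below is an added example, not code from the ebpf-for-windows-demo repository or from the issue author: it checks the three service names used above (`netebpfext`, `ebpfcore`, `ebpfsvc`) in the same order, starts any that are stopped, waits for the Service Control Manager to report them running, and exits non-zero if the platform is still not up, so it can be run before `conn_tracker.exe` as a preflight check. The 30-second timeout and the `Ensure-EbpfServices` function name are this example's own choices. It needs an elevated PowerShell prompt, as `net start` does.

```powershell
# Added preflight check for the eBPF for Windows services (example code,
# not part of ebpf-for-windows-demo). Service names are the ones queried
# with "sc query" in this thread; the start order mirrors the manual
# "net start" sequence: the two kernel drivers first, then the user-mode
# service. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

function Ensure-EbpfServices {
    param(
        [string[]] $Names = @('netebpfext', 'ebpfcore', 'ebpfsvc'),
        [int] $TimeoutSeconds = 30   # assumed value, adjust to taste
    )

    $report = foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not installed at all: nothing to start, report it and move on.
            [pscustomobject]@{ Name = $name; Before = 'NotInstalled'; After = 'NotInstalled' }
            continue
        }

        $before = $svc.Status
        if ($svc.Status -ne 'Running') {
            # Equivalent of "net start <name>"; works for driver services too.
            Start-Service -Name $name
            # Block until the SCM reports Running, or throw after the timeout.
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
            $svc.Refresh()
        }

        [pscustomobject]@{ Name = $name; Before = $before; After = $svc.Status }
    }

    return $report
}

$result = Ensure-EbpfServices
$result | Format-Table -AutoSize

# Anything not Running here means bpf_object__load will not find a working
# eBPF platform, so fail loudly instead of letting conn_tracker.exe fail later.
$notRunning = @($result | Where-Object { $_.After -ne 'Running' })
if ($notRunning.Count -gt 0) {
    Write-Warning ("eBPF services not running: " + ($notRunning.Name -join ', '))
    exit 1
}
```

The `Before`/`After` columns make the state change visible, which is useful when filing an issue like this one: a `Stopped` to `Running` transition confirms the services were installed but simply not started, whereas `NotInstalled` points at a broken eBPF-for-Windows installation rather than at the demo.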