
sysinternalsebpf's People

Contributors: ashishsecdev, kesheldr, mariohewardt

sysinternalsebpf's Issues

Permission Denied When Creating sysinternalsEBPF_offsets.conf

Hello,

Any ideas on why I would be getting permission denied when trying to create the sysinternalsEBPF_offsets.conf file? Below is the working directory and command I am running.

/opt/sysinternalsEBPF/getOffsets$ sudo make conf > /opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf

-bash: /opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf: Permission denied

Thanks
RA

When compiling the code, getting "Fatal error: linux/openat2.h: No such file..."

uname -a
Linux ubuntusrvb-vm-2004 5.4.0-139-generic #156-Ubuntu SMP Fri Jan 20 17:27:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

CC sharedobjs/usdt.o
CC libbpf.so.1.1.0
[ 16%] No install step for 'libbpf'
[ 19%] Completed 'libbpf'
[ 19%] Built target libbpf
[ 21%] Extracting unameOffsets.c
[ 23%] Extracting sysinternalsEBPFoffsets.h
[ 26%] Extracting unameOffsets.h
Scanning dependencies of target sysinternalsEBPF
[ 28%] Building C object CMakeFiles/sysinternalsEBPF.dir/telemetryLoader.c.o
In file included from /root/SysinternalsEBPF/telemetryLoader.c:45:
/root/SysinternalsEBPF/build/libbpf/src/libbpf/include/uapi/linux/fcntl.h:6:10: fatal error: linux/openat2.h: No such file or directory
6 | #include <linux/openat2.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [CMakeFiles/sysinternalsEBPF.dir/build.make:78: CMakeFiles/sysinternalsEBPF.dir/telemetryLoader.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:135: CMakeFiles/sysinternalsEBPF.dir/all] Error 2
make: *** [Makefile:130: all] Error 2
root@ubuntusrvb-vm-2004:~/SysinternalsEBPF/build#

Check installer permissions using geteuid

Hi!
I noticed EBPF doesn't correctly check whether the user has root privilege or not. Instead, it relies on other functions' errors (e.g. in libsysinternalsEBPFinstaller.c at line 279, it relies on the success/errors of the mkdir(...) and stat(...) functions). It would be better to just check the permission through geteuid(...) instead.

if (geteuid() != (uid_t)0) {
    // Error message
}

Something like this also fixes an issue where with the -u flag (uninstall), the installer (libsysinternalsEBPFinstaller.c) doesn't check the permission at all.
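The gate the issue asks for, written out as an added example that is not SysinternalsEBPF's own code: one effective-uid check that both the install path and the `-u` uninstall path must pass before touching the filesystem. The effective uid is passed in explicitly so the check can be exercised without running as root; the real `main` feeds it `geteuid()`. All names (`installer_run`, `euid_is_root`, the `do_*` bodies) are hypothetical.

```c
/* Added example (not SysinternalsEBPF's own code): one privilege gate that
 * both the install and the -u (uninstall) paths run before touching the
 * filesystem. The uid is passed in explicitly so the gate can be tested
 * without running as root; main() feeds it geteuid(). Names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum installer_status {
    INSTALLER_OK       = 0,
    INSTALLER_NOT_ROOT = 1,
    INSTALLER_BAD_ARGS = 2
};

/* The check itself: effective uid 0 and nothing else. The real uid is
 * irrelevant, which is why sudo'd runs pass and plain user runs fail early. */
bool euid_is_root(uid_t euid)
{
    return euid == (uid_t)0;
}

/* Hypothetical bodies; the real ones would mkdir/stat/unlink under /opt. */
static int do_install(void)   { return INSTALLER_OK; }
static int do_uninstall(void) { return INSTALLER_OK; }

/* Single dispatch point, so the -u path cannot skip the check. */
int installer_run(uid_t euid, bool uninstall)
{
    if (!euid_is_root(euid)) {
        fprintf(stderr, "%s requires root (effective uid %u); re-run with sudo\n",
                uninstall ? "uninstall" : "install", (unsigned)euid);
        return INSTALLER_NOT_ROOT;
    }
    return uninstall ? do_uninstall() : do_install();
}

int main(int argc, char *argv[])
{
    bool uninstall = false;

    if (argc == 2 && strcmp(argv[1], "-u") == 0) {
        uninstall = true;
    } else if (argc != 1) {
        fprintf(stderr, "usage: %s [-u]\n", argv[0]);
        return INSTALLER_BAD_ARGS;
    }
    return installer_run(geteuid(), uninstall);
}
```

Checking the effective uid up front gives a clear error and a distinct exit code instead of whatever `mkdir` or `stat` happens to report first, and it fails closed for the uninstall path as well.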

telemetryStart should have a stop mechanism other than signals

Currently, telemetryStart is a fully blocking call. There appears to be no way to stop tracing without sending a signal that would cause perf_buffer__poll to return <0, e.g. SIGSTOP or SIGCONT (based on the comments). This can race with the call to perf_buffer__poll, which may not be on the stack when the signal arrives.

If you are trying to use this library in-process, it is difficult to control stopping as designed.

An Init->Start->Stop->Fini pattern would be useful for this library.

while (running) {
    ret = perf_buffer__poll(pb, 1000);
    if (ret == 0) {
        // no events means we timed out
        timeouts++;
        if (timeouts > RESTART_TIMEOUT) {
            fprintf(stderr, "Event timeout occurred (no event for %d seconds). Reloading eBPF...\n", RESTART_TIMEOUT);
            timeouts = 0;
            telemetryCloseAll();
            if (!ebpfStart(ebpfConfig, filepath, procStartTime, eventCb, eventsLostCb, context, argv, fds, false)) {
                fprintf(stderr, "ebpfStart failed\n");
                break;
            }
            fprintf(stderr, "Reloaded eBPF due to event timeout\n");
            continue;
        }
    } else if (ret > 0) {
        // events were received and processed
        timeouts = 0;
    }
#ifdef NDEBUG
    //
    // if we receive a SIGSTOP & SIGCONT, then perf_buffer__poll will return -1.
    // This is to be expected if the process is being debugged, but not otherwise.
    //
    if (ret < 0 && !signalInterrupt)
        running = false;
#endif
    if (signalInterrupt) {
        signalInterrupt = false;
        telemetryReloadConfig();
    }
    if (isTesting) {
        if (i++ > STOPLOOP) break;
    }
    checkPerfErrors();
}
telemetryCloseAll();
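The Init->Start->Stop->Fini shape suggested above, as an added example that is not SysinternalsEBPF's own code: the poll loop is ended by an atomic flag that the host clears from another thread or from a callback, so no signal has to land while `perf_buffer__poll` is on the stack. The poll function is injected, and a constructed scripted stand-in replays a fixed sequence of `perf_buffer__poll`-style return values so the loop runs deterministically offline. All names (`tracer_t`, `tracer_start`, `scripted_poll`, `restart_after`) are hypothetical, and the reload branch only counts reloads instead of re-running `ebpfStart`.

```c
/* Added example (not SysinternalsEBPF's own code): an Init -> Start -> Stop -> Fini
 * tracing API whose poll loop is ended by an atomic flag instead of a signal.
 * The poll function is injected so the loop can be driven by a scripted stand-in
 * for perf_buffer__poll(); all names below are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical tracer state; a real one would also own the perf buffer. */
typedef struct {
    atomic_bool running;     /* cleared by tracer_stop(), read by the loop */
    unsigned    events_seen; /* total events reported by the poll callback */
    unsigned    timeouts;    /* consecutive polls that returned 0 */
    unsigned    reloads;     /* how often the "reload eBPF" branch ran */
} tracer_t;

/* Same contract as perf_buffer__poll(): >0 events handled, 0 timeout, <0 error. */
typedef int (*poll_fn_t)(void *ctx, int timeout_ms);

/* Init: set up state. Returns 0 on success, -1 on bad arguments. */
int tracer_init(tracer_t *t)
{
    if (t == NULL)
        return -1;
    atomic_init(&t->running, false);
    t->events_seen = t->timeouts = t->reloads = 0;
    return 0;
}

/* Stop: safe to call from another thread or from an event callback; the loop
 * observes it on its next iteration, at the latest after one poll timeout. */
void tracer_stop(tracer_t *t)
{
    atomic_store(&t->running, false);
}

/* Start: blocks until tracer_stop() is called or the poll reports an error.
 * Returns 0 when stopped cooperatively, -1 on a poll error. */
int tracer_start(tracer_t *t, poll_fn_t poll, void *ctx, unsigned restart_after)
{
    atomic_store(&t->running, true);
    while (atomic_load(&t->running)) {
        int ret = poll(ctx, 1000);
        if (ret == 0) {
            /* no events: count the timeout and model the library's reload branch */
            if (++t->timeouts > restart_after) {
                t->timeouts = 0;
                t->reloads++;   /* a real tracer would re-run ebpfStart() here */
            }
        } else if (ret > 0) {
            t->events_seen += (unsigned)ret;
            t->timeouts = 0;
        } else {
            /* poll error: report it to the caller instead of guessing about signals */
            atomic_store(&t->running, false);
            return -1;
        }
    }
    return 0;
}

/* Fini: release state (nothing to free in this toy; kept for the pattern). */
void tracer_fini(tracer_t *t)
{
    atomic_store(&t->running, false);
}

/* Constructed stand-in for perf_buffer__poll(): replays a script of return
 * values, then calls tracer_stop() the way an in-process host would. */
typedef struct {
    const int *script;
    size_t     len;
    size_t     idx;
    tracer_t  *owner;
} scripted_poll_t;

static int scripted_poll(void *ctx, int timeout_ms)
{
    scripted_poll_t *s = ctx;
    (void)timeout_ms;
    if (s->idx >= s->len) {
        tracer_stop(s->owner);   /* host decides to stop; no signal involved */
        return 0;
    }
    return s->script[s->idx++];
}

int main(void)
{
    tracer_t t;
    const int script[] = { 2, 0, 0, 0, 1 };   /* constructed poll results */
    scripted_poll_t s = { script, sizeof script / sizeof script[0], 0, &t };

    tracer_init(&t);
    int rc = tracer_start(&t, scripted_poll, &s, 2);
    printf("rc=%d events=%u reloads=%u\n", rc, t.events_seen, t.reloads);
    tracer_fini(&t);
    return rc == 0 ? 0 : 1;
}
```

Because `tracer_start` re-reads the flag after every poll, the worst-case stop latency is one poll timeout; the host controls that by the timeout it passes rather than by signal timing.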

Unconditional printing to stderr

fprintf(stderr, "Running...\n");

The library unconditionally prints to stderr, which can be problematic for consumption. If you have a TUI for instance, this can corrupt the TUI output if the user doesn't redirect stderr.

You can work around this by using dup2 to point stderr at /dev/null, but it would be nice if the library used some kind of logging library or put fprintf(stderr...) behind a config flag.
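One way a library can put its `fprintf(stderr, ...)` calls behind a host-controlled sink, as an added example that is not SysinternalsEBPF's own code: with no sink installed the library stays silent, a host that wants the old behaviour installs the stderr sink, and a TUI installs a sink that keeps messages in memory. The names (`log_set_sink`, `log_msg`, `capture_sink`, `library_announce_running`) are hypothetical.

```c
/* Added example (not SysinternalsEBPF's own code): routing library messages
 * through a host-installed sink instead of unconditional fprintf(stderr, ...).
 * With no sink installed the library stays silent; names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef enum { LOG_ERROR = 0, LOG_INFO = 1, LOG_DEBUG = 2 } log_level_t;

/* The host supplies one of these; ctx is passed back untouched. */
typedef void (*log_sink_t)(log_level_t level, const char *msg, void *ctx);

static struct {
    log_sink_t  sink;
    void       *ctx;
    log_level_t threshold;
} g_log = { NULL, NULL, LOG_ERROR };

/* Config entry point: pass NULL to silence the library entirely. */
void log_set_sink(log_sink_t sink, void *ctx, log_level_t threshold)
{
    g_log.sink = sink;
    g_log.ctx = ctx;
    g_log.threshold = threshold;
}

/* Replacement for the library's fprintf(stderr, ...) calls.
 * Returns 1 if the message reached a sink, 0 if it was filtered. */
int log_msg(log_level_t level, const char *fmt, ...)
{
    char buf[256];
    va_list ap;

    if (g_log.sink == NULL || level > g_log.threshold)
        return 0;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    g_log.sink(level, buf, g_log.ctx);
    return 1;
}

/* Opt-in stderr sink for hosts that do want the old behaviour. */
void stderr_sink(log_level_t level, const char *msg, void *ctx)
{
    static const char *names[] = { "error", "info", "debug" };
    (void)ctx;
    fprintf(stderr, "[%s] %s\n", names[level], msg);
}

/* Example host sink: keeps messages in memory so a TUI can render them itself. */
typedef struct {
    char lines[8][64];
    int  count;
} log_capture_t;

void capture_sink(log_level_t level, const char *msg, void *ctx)
{
    log_capture_t *c = ctx;
    (void)level;
    if (c->count < 8) {
        snprintf(c->lines[c->count], sizeof c->lines[0], "%s", msg);
        c->count++;
    }
}

/* What the library's start path would do instead of fprintf(stderr, "Running...\n"). */
int library_announce_running(void)
{
    return log_msg(LOG_INFO, "Running...");
}

int main(void)
{
    log_capture_t cap = {0};

    library_announce_running();                      /* no sink yet: silently dropped */
    log_set_sink(capture_sink, &cap, LOG_INFO);
    library_announce_running();                      /* captured, not written to stderr */
    log_msg(LOG_DEBUG, "perf poll returned %d", 0);  /* below threshold: dropped */
    printf("captured %d line(s): %s\n", cap.count, cap.lines[0]);
    return 0;
}
```

The default of "no sink" makes silence the safe starting point; a `dup2` of stderr to `/dev/null` is no longer needed, and the host can still choose `stderr_sink` explicitly.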

Getting a perf_buffer setup error when initializing the Sysmon service.

Hello, if anyone could shed some light on as to why I am experiencing this error it would be greatly appreciated. I have followed the SysinternalsEBPF installation guide and SysmonForLinux guide to a T, and have preemptively built the getOffsets configuration to prevent previously encountered issues.

This same configuration and setup has worked previously on separate machines, so I am quite confused as to what could be causing this.

Screenshot from 2023-02-02 11-17-56

"sysinternalsebpf.prerm: 4: [: remove: unexpected operator" error when uninstalling sysinternalsebpf

Apt is throwing an error when uninstalling ebpf on Ubuntu 22.04 and does not seem to be running libsysinternalsEBPFinstaller -u or ldconfig.

Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  sysinternalsebpf
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 21.0 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 139706 files and directories currently installed.)
Removing sysinternalsebpf (1.1.0) ...
/var/lib/dpkg/info/sysinternalsebpf.prerm: 4: [: remove: unexpected operator
Processing triggers for man-db (2.10.2-1) ...

Is RHEL7 supported?

While an RHEL7 rpm is posted, has anyone installed it successfully? RHEL7 bundles glibc 2.17, therefore the dependency check will fail.

$ rpm -Uvh sysinternalsebpf-1.0.0-1.x86_64.rpm 
error: Failed dependencies:
libc.so.6(GLIBC_2.22)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libc.so.6(GLIBC_2.26)(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64
libjson-glib-1.0.so.0()(64bit) is needed by sysinternalsebpf-1.0.0-1.x86_64

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 (Maipo)

$ rpm -qa|grep glibc
glibc-2.17-292.el7.x86_64
glibc-common-2.17-292.el7.x86_64
glibc-devel-2.17-292.el7.x86_64
glibc-headers-2.17-292.el7.x86_64

If it's not supported then perhaps reference to RHEL7 (and CentOS7) should be removed.

Build errors concerning discoverOffsets.c

Trying to build SysinternalsEBPF I get the following errors:

[ 21%] Building C object CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘memDumpEventCb’:
/path/to/SysinternalsEBPF/discoverOffsets.c:141:29: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
         memAddrs[d->type] = (uint64_t)d->addr;
                             ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘isPointer’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
 #define MAX_POINTER_DIFF (1L << 36)
                              ^~
/path/to/SysinternalsEBPF/discoverOffsets.c:175:38: note: in expansion of macro ‘MAX_POINTER_DIFF’
     if (labs(ptr - memAddrs[task]) < MAX_POINTER_DIFF) {
                                      ^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchPtr’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
 #define MAX_POINTER_DIFF (1L << 36)
                              ^~
/path/to/SysinternalsEBPF/discoverOffsets.c:432:79: note: in expansion of macro ‘MAX_POINTER_DIFF’
     return searchUint64(out, dir, type, startOffset, numElem, memAddrs[task], MAX_POINTER_DIFF);
                                                                               ^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchDerefUint32’:
/path/to/SysinternalsEBPF/discoverOffsets.c:619:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
         if (!dumpStruct(to, (void *)get64(from, off[0]), DUMP_SIZE, pb)) {
                             ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getCredsOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:848:36: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!setConfigPid(child, cred, (void *)get64(task, offsets->cred[0]), DUMP_SIZE)) {
                                    ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getPwdPathOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:927:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(fs, (void *)get64(task, startOffset), DUMP_SIZE, pb)) {
                         ^
/path/to/SysinternalsEBPF/discoverOffsets.c:945:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
             fprintf(stderr, "0 = 0x%016lx\n", get64(fs, offsets->pwd_path[1]));
                                    ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                    %016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:946:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
             fprintf(stderr, "1 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + sizeof(uint64_t)));
                                    ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                    %016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:947:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
             fprintf(stderr, "2 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (2 * sizeof(uint64_t))));
                                    ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                    %016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:948:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
             fprintf(stderr, "3 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (3 * sizeof(uint64_t))));
                                    ~~~~~^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                    %016llx
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryNameOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:981:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(dentry, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_dentry[0]), DUMP_SIZE, pb)) {
                             ^
/path/to/SysinternalsEBPF/discoverOffsets.c:1000:34: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
             if (!dumpStruct(pwd, (void *)get64(dentry, offsets->dentry_name[0]), DUMP_SIZE, pb)) {
                                  ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryInodeOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1078:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(inode, (void *)get64(dentry, offsets->dentry_inode[0]), DUMP_SIZE, pb)) {
                            ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMountOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1162:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(mount, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_vfsmount[0]) - 512,
                            ^
/path/to/SysinternalsEBPF/discoverOffsets.c:1176:39: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(dentryMountpoint, (void *)get64(mount, offsets->mount_mountpoint[0]), DUMP_SIZE, pb)) {
                                       ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getFdOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1239:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(files, (void *)get64(task, offsets->max_fds[0]), DUMP_SIZE, pb)) {
                            ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getTtyOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1321:30: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(signals, (void *)get64(task, offsets->tty[0]), DUMP_SIZE, pb)) {
                              ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMmOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1477:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
     if (!dumpStruct(mm, (void *)get64(task, offsets->mm_arg_start[0]), DUMP_SIZE, pb)) {
                         ^
/path/to/SysinternalsEBPF/discoverOffsets.c:1483:71: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
     if (searchUint64(&offsets->mm_arg_start[1], forwards, mm, 0, 128, (uint64_t)argv[0], 0)) {
                                                                       ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getExePathOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1573:42: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                 if (!dumpStruct(exeFile, (void *)get64(mm, startOffset), DUMP_SIZE, pb)) {
                                          ^
/path/to/SysinternalsEBPF/discoverOffsets.c:1579:48: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                     if (!dumpStruct(exeDentry, (void *)dentry, DUMP_SIZE, pb)) {
                                                ^
/path/to/SysinternalsEBPF/discoverOffsets.c:1584:46: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
                     if (!dumpStruct(exeName, (void *)exe_dname, DUMP_SIZE, pb)) {
                                              ^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getSkbOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
 #define MAX_POINTER_DIFF (1L << 36)
                              ^~
/path/to/SysinternalsEBPF/discoverOffsets.c:1663:39: note: in expansion of macro ‘MAX_POINTER_DIFF’
         if (near(addr, memAddrs[skb], MAX_POINTER_DIFF)) {
                                       ^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c:1664:31: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
             setConfig(skdata, (const void *)(uint64_t)startOffset, 36);
                               ^
cc1: all warnings being treated as errors
make[2]: *** [CMakeFiles/sysinternalsEBPF.dir/build.make:91: CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o] error 1
make[1]: *** [CMakeFiles/Makefile2:73: CMakeFiles/sysinternalsEBPF.dir/all] error 2
make: *** [Makefile:130: all] error 2

Guessing it has to do with autodiscovery of offsets (https://github.com/Sysinternals/SysinternalsEBPF#autodiscovery-of-offsets). I already built the sysinternalsEBPF_offsets.conf file as described in the README of getOffsets via make conf to /path/to/sysinternalsEBPF/sysinternalsEBPF_offsets.conf. It seems to me that the file is ignored in subsequent builds, though?

OS
Debian 10 Buster

Kernel
5.10.60 on armhf

Can't build getOffsets

I cannot build getOffsets, I'm running the 6.7.2-hardened1-1-hardened kernel on Archlinux.

Steps to reproduce:

  • cd getOffsets
  • sudo make

I'm getting the following error:

make CFLAGS_MODULE="-DKERN_MAJ=6 -DKERN_MIN=7" -C /lib/modules/6.7.2-hardened1-1-hardened/build M= modules
make[1]: Entering directory '/usr/lib/modules/6.7.2-hardened1-1-hardened/build'
  SYNC    include/config/auto.conf
crypto/Kconfig:1508: can't open file "arch/arm/crypto/Kconfig"
make[4]: *** [scripts/kconfig/Makefile:77: syncconfig] Error 1
make[3]: *** [Makefile:685: syncconfig] Error 2
make[2]: *** [/usr/lib/modules/6.7.2-hardened1-1-hardened/build/Makefile:786: include/config/auto.conf] Error 2
make[1]: *** [Makefile:234: __sub-make] Error 2
make[1]: Leaving directory '/usr/lib/modules/6.7.2-hardened1-1-hardened/build'
make: *** [Makefile:25: all] Error 2

The error 'can't open file "arch/arm/crypto/Kconfig"' seems right, this is the result of ls /usr/lib/modules/6.7.2-hardened1-1-hardened/build/arch:
Kconfig x86

The 'arm' folder is indeed missing.
