Microsoft has prepared an eBPF implementation for Windows

Microsoft has published an implementation of the eBPF subsystem for Windows, which allows arbitrary handlers to run at the kernel level of the operating system. eBPF provides a bytecode interpreter built into the kernel that makes it possible to create handlers, loaded from user space, for processing network operations, monitoring access and tracing system activity. eBPF has been included in the Linux kernel since release 3.18 and allows handling of incoming/outgoing network packets, packet redirection, bandwidth control, system call interception, access control and tracing. Thanks to JIT compilation, the bytecode is translated on the fly into machine instructions and executed with the performance of compiled code. The eBPF for Windows source code is published under the MIT license.

eBPF for Windows can be used with existing eBPF tools and provides the API typically used by eBPF applications on Linux. Among other things, the project allows compiling eBPF programs written in C with the standard Clang-based eBPF compiler and running eBPF handlers already created for Linux on top of the Windows kernel, by providing a special compatibility layer and supporting the standard libbpf API for compatibility with applications that interact with eBPF programs. This includes shims that provide Linux-like hooks for XDP (eXpress Data Path) and socket bind, which abstract access to the network stack and Windows network drivers. The plans include providing full source-level compatibility with typical Linux eBPF handlers.


The key difference of the eBPF implementation for Windows is the use of an alternative bytecode verifier, originally proposed by VMware employees and researchers from Canadian and Israeli universities. The verifier runs in a separate isolated process in user space and is applied before BPF programs are executed, in order to identify errors and block possible malicious activity.
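The XDP hook and the verifier described above, as an added example that is not code from the eBPF for Windows project: a minimal XDP handler in C of the kind the Clang eBPF compiler would accept, written with the explicit `data_end` bounds checks a verifier demands before any packet byte is dereferenced. The `xdp_md`, `XDP_*` and header definitions are minimal stand-ins for the real BPF headers, the host-side `run_on_frame` harness and the sample frames are constructed here, and a little-endian host is assumed for the byte-swap.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-ins for definitions that normally come from the BPF headers. */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_P_IP 0x0800
#define IPPROTO_ICMP 1
#define bpf_htons(x) __builtin_bswap16(x)   /* assumes a little-endian host */

struct xdp_md { void *data; void *data_end; };
struct ethhdr { uint8_t h_dest[6]; uint8_t h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr {
    uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
    uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr;
} __attribute__((packed));

/* XDP handler: drop ICMP, pass everything else. Every header pointer is
 * compared against data_end before it is dereferenced; a program that
 * skipped such a check would be rejected by the verifier, not loaded. */
int xdp_drop_icmp(struct xdp_md *ctx) {
    void *data = ctx->data, *data_end = ctx->data_end;
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end) return XDP_PASS;      /* truncated frame */
    if (eth->h_proto != bpf_htons(ETH_P_IP)) return XDP_PASS; /* not IPv4 */
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end) return XDP_PASS;       /* no full IP header */
    return ip->protocol == IPPROTO_ICMP ? XDP_DROP : XDP_PASS;
}

/* Host-side test harness (not eBPF): runs the handler over a constructed frame. */
int run_on_frame(const uint8_t *frame, size_t len) {
    struct xdp_md ctx = { (void *)frame, (void *)(frame + len) };
    return xdp_drop_icmp(&ctx);
}

/* Constructed sample frames: Ethernet (14 bytes) + IPv4 header (20 bytes). */
int demo_icmp(void) {
    uint8_t frame[34] = {0};
    frame[12] = 0x08; frame[13] = 0x00;          /* EtherType IPv4 */
    frame[14] = 0x45; frame[23] = IPPROTO_ICMP;  /* version/IHL, protocol */
    return run_on_frame(frame, sizeof frame);    /* XDP_DROP */
}
int demo_tcp(void) {
    uint8_t frame[34] = {0};
    frame[12] = 0x08; frame[13] = 0x00; frame[14] = 0x45; frame[23] = 6;
    return run_on_frame(frame, sizeof frame);    /* XDP_PASS */
}
int demo_truncated(void) {
    uint8_t frame[20] = {0};                     /* IPv4 EtherType, IP header cut off */
    frame[12] = 0x08; frame[13] = 0x00;
    return run_on_frame(frame, sizeof frame);    /* XDP_PASS: bounds check fails safe */
}
```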
