This project provides an implementation of eBPF for Windows, enabling developers to leverage familiar Linux eBPF toolchains and APIs for kernel extensions, observability, and security on Windows. It targets developers and power users seeking to extend Windows kernel functionality with eBPF.

How It Works

The project translates eBPF bytecode into native Windows drivers via a bpf2c tool and the PREVAIL verifier. This "native mode" is preferred for security and compatibility with Hyper-V enforced Code Integrity (HVCI). Alternative modes include JIT compilation via a user-mode service (eBPFSvc.exe) and an interpreter (debug builds only), both of which are less secure and incompatible with HVCI. eBPF programs interact with the Windows kernel through a shim that wraps native APIs.

Quick Start & Requirements

• Install/Run: Follow the Getting Started Guide.
• Prerequisites: Windows 11+ or Windows Server 2022+. Requires Visual Studio toolchain for native driver builds.
• Setup Time: Not specified, but native driver compilation can be time-consuming.

Highlighted Details

• Supports native code generation for HVCI compatibility.
• Exposes Libbpf APIs for application compatibility.
• Leverages existing projects like IOVisor uBPF and PREVAIL.
• Offers Slack and GitHub Discussions for community interaction.

Maintenance & Community

• Active development by Microsoft.
• Community engagement via Slack (slack.cilium.io) and GitHub Discussions.
• Contributions are welcomed via Contributing guidelines and Good First Issues.

Licensing & Compatibility

• License: MIT.
• Compatible with commercial and closed-source applications.

Limitations & Caveats

The interpreter mode is only available in debug builds and is not suitable for production environments, especially those with HVCI enabled. Source code compatibility is focused on generic hooks and helpers, not Linux-specific internal data structures.