用，这是极其困难的事情。此时，eBPF 出现，它以较小的子系统改动，保障了系统 内核的稳定，还具备实时动态加载的特性，能将业务逻辑加载到内核，实现热更新的 动态执行。 eBPF 由 BPF 发 展 而 来，BPF 全 称 Berkeley Packet Filter，1992 年 由 Steven McCanne 和 Van Jacobson 提出，1997 年引入 Linux Kernel Storage、Network 等与内核交互之间； 2. 也可以在内核中的功能模块交互之间； 3. 又可以在内核态与用户态交互之间； 4. 更可以在用户态进程空间。 eBPF 的功能覆盖 XDP、TC、Probe、Socket 等，每个功能点都能实现内核态的 篡改行为，从而使得用户态完全致盲，哪怕是基于内核模块的 HIDS，一样无法感知 到这些行为。 基于 eBPF 的功能函数，从业 技术上，会如何实现呢？ XDP/TC 层修改 TCP 包 为了让后门隐藏的更好，最好是不开进程，不监听端口（当前部分我们只讨论网络层 隐藏）。而 eBPF 技术在 XDP、TC、Socket 等内核层的功能，能够实现流量信息修 改，这些功能常被应用在 L3、L4 的网络负载均衡上。比如 Cilium 的网络策略都是 基于 eBPF XDP 实现。eBPF hook 了 XDP 点后，更改了 TCP

2) eBPF 2.1 BPF (Berkeley Packet Filter, aka cBPF)  https://en.wikipedia.org/wiki/Berkeley_Packet_Filter  http://www.tcpdump.org/papers/bpf-usenix93.pdf  History is it https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ … Source: net/brendangregg/kernel-recipes-2017-performance-analysis-with-bpf Workflow  o Source: ebpfbasics-190611051559.pdf 2.2 eBPF (extended BPF)  since Linux Kernel v3.15 and ongoing

= 0x10f BPF_A = 0x10 BPF_ABS = 0x20 BPF_ADD = 0x0 BPF_ALU = 0x4 BPF_AND = 0x50 BPF_B = 0x10 BPF_DIV = 0x30 BPF_H = 0x8 BPF_IMM = 0x0 BPF_IND = 0x40 BPF_JA = 0x0 BPF_JEQ = 0x10 BPF_JGE = 0x30 BPF_JGT = 0x20 BPF_JMP

IR Back-end x86 ARM BPF WASM LLVM Pass: rich APIs to analysis the LLVM IR Background Near Blockchains with smart contracts in Rust Rust Web Assembly Solana Rust BPF Though they are compiled

= 9 Address family Reserved for X.25 project 1234 CHAPTER 72. REFERENCE FOR UNIT ’SOCKETS’ AF_XDP = 44 EsockADDRINUSE = ESysEADDRINUSE EsockADDRINUSE is the error reported by fpBind (1265) when the Protocol family: Wanpipe API Sockets PF_X25 = AF_X25 Protocol family: Reserved for X.25 project PF_XDP = AF_XDP SCM_CREDENTIALS = $02 SCM_RIGHTS = $01 1249 CHAPTER 72. REFERENCE FOR UNIT ’SOCKETS’ SCM_SECURITY level SOL_TCP = 6 SOL_TIPC = 271 SOL_TLS = 282 SOL_UDP = 17 SOL_UDPLITE = 136 SOL_X25 = 262 SOL_XDP = 283 SOMAXCONN = 4096 Maximum queue length specifiable by listen. 1252 CHAPTER 72. REFERENCE FOR

system. Useful references: • Julia Evans blog on Linux tracing systems • LWN article on USDT and BPF • GDB support for probes • Brendan Gregg – Linux PerformanceChapter 103 Building Julia 103.1 Building

system. Useful references: • Julia Evans blog on Linux tracing systems • LWN article on USDT and BPF • GDB support for probes • Brendan Gregg – Linux PerformanceChapter 103 Building Julia 103.1 Building

system. Useful references: • Julia Evans blog on Linux tracing systems • LWN article on USDT and BPF • GDB support for probes • Brendan Gregg – Linux Performance Chapter 104 Building Julia 104.1

system. Useful references: • Julia Evans blog on Linux tracing systems • LWN article on USDT and BPF • GDB support for probes • Brendan Gregg – Linux PerformanceChapter 107 Building Julia 107.1 Building

system. Useful references: • Julia Evans blog on Linux tracing systems • LWN article on USDT and BPF • GDB support for probes • Brendan Gregg – Linux PerformanceChapter 107 Building Julia 107.1 Building