ttddbg 1.1.0 is out with new tracing feature ! Based on #IDA database, arguments and return value are pretty-printed !

Impressive works, It allows you to knock on 80 and 443 ports without drivers!

Indeed, nice works !!

I made a little fix, if you want to retry

Thanks! This happens to work for me, but the root of the problem is the same: there's no guarantee that the handle will still be in that register when the function returns; my compiler just happens to not be clobbering that register.

Anyway, this is probably good enough as a bpf demonstration and it definitely has made its impact looking at other comments here. That's probably all that matters.

Lateral movement for example

You have also https://github.com/pathtofile/bad-bpf or https://github.com/Gui774ume/ebpfkit which are good references also

You need uretprobe but also need to read an arg by ref so no I don't think so... But thanks for the tip

Thanks I will check that!

Thanks!

thanks !

Yes we also use for https://github.com/airbus-cert/dirtypipe-ebpf_detection which is a dirtypipe detection program!