https://github.com/microsoft/ebpf-for-windows interesting news in this space! Has anyone tested if the existing bpf tables for osquery work with this?

I was just going to post that! 🙂

It probably would be possible to collect similar process/socket events using this on Windows. But, the getting started guide begins with "first, load these device drivers" so that's a dead-end for osquery. If Windows starts shipping with eBPF drivers loaded already, someone could port osquery's BPF tables to windows

if it's bpf i'll do it! 😎

So if we were able to pre-load the device drivers outside of core osquery, then

maybe?

it would work? Would it be possible for Launcher or Orbit to load the drivers @seph @zwass?

Definitely something worth looking into. It is intended for Orbit to be able to handle some outside-of-osquery setup.

is this something we can already experiment with?

Seems like yes based on the github?

Launcher could, yes. Obviously it would be a patch. and we’d want to think about failure modes.