tetragon/windows: Add Multiple program attach types

ExceptionalHandler · ExceptionalHandler · commit 015f2d2b2623 · 2025-05-13T14:55:52.000-04:00
Windows Loader had the process attach type hardcoded in the attach
routine. This prevents us from loading other program types supported on
Windows like cgroup/connect4 etc. This PR adds some more attach types.

Signed-off-by: Anadi Anadi&lt;aanadi@cisco.com&gt;
diff --git a/pkg/sensors/program/loader_windows.go b/pkg/sensors/program/loader_windows.go
@@ -17,7 +17,11 @@ import (
 )
 
 var (
-	attachTypeProcessGUID = makeGUID(0x66e20687, 0x9805, 0x4458, [8]byte{0xa0, 0xdb, 0x38, 0xe2, 0x20, 0xd3, 0x16, 0x85})
+	attachTypeProcessGUID               = makeGUID(0x66e20687, 0x9805, 0x4458, [8]byte{0xa0, 0xdb, 0x38, 0xe2, 0x20, 0xd3, 0x16, 0x85})
+	attachTypeCgroupInet4ConnectGUID    = makeGUID(0xa82e37b1, 0xaee7, 0x11ec, [8]byte{0x9a, 0x30, 0x18, 0x60, 0x24, 0x89, 0xbe, 0xee})
+	attachTypeCgroupInet6ConnectGUID    = makeGUID(0xa82e37b2, 0xaee7, 0x11ec, [8]byte{0x9a, 0x30, 0x18, 0x60, 0x24, 0x89, 0xbe, 0xee})
+	attachTypeCgroupInet4RecvAcceptGUID = makeGUID(0xa82e37b3, 0xaee7, 0x11ec, [8]byte{0x9a, 0x30, 0x18, 0x60, 0x24, 0x89, 0xbe, 0xee})
+	attachTypeCgroupInet6RecvAcceptGUID = makeGUID(0xa82e37b4, 0xaee7, 0x11ec, [8]byte{0x9a, 0x30, 0x18, 0x60, 0x24, 0x89, 0xbe, 0xee})
 )
 
 func makeGUID(data1 uint32, data2 uint16, data3 uint16, data4 [8]byte) windows.GUID {
@@ -34,6 +38,27 @@ func RawAttachWithFlags(_ int, _ uint32) AttachFunc {
 	return winAttachStub
 }
 
+func getAttachTypeForAttachTarget(attachTarget string) (ebpf.AttachType, error) {
+	var attachTypeGuid string
+	switch attachTarget {
+	case "process":
+		attachTypeGuid = attachTypeProcessGUID.String()
+	case "cgroup/connect4":
+		attachTypeGuid = attachTypeCgroupInet4ConnectGUID.String()
+	case "cgroup/connect6":
+		attachTypeGuid = attachTypeCgroupInet6ConnectGUID.String()
+	case "cgroup/recv_accept4":
+		attachTypeGuid = attachTypeCgroupInet4RecvAcceptGUID.String()
+	case "cgroup/recv_accept6":
+		attachTypeGuid = attachTypeCgroupInet6RecvAcceptGUID.String()
+
+	default:
+		return ebpf.AttachNone, nil
+	}
+
+	return ebpf.WindowsAttachTypeForGUID(attachTypeGuid)
+}
+
 func windowsAttach(_ *Program, prog *ebpf.Program, _ *ebpf.ProgramSpec,
 	_ string, _ string, _ ...string) (unloader.Unloader, error) {
 
