Module ebpf_progs 

eBPF map enumeration from kernel memory.

The existing bpf.rs enumerates eBPF programs via bpf_prog_idr. This module enumerates eBPF maps via map_idr, which are separate kernel objects used for data sharing between eBPF programs and userspace. Rootkits often use PERF_EVENT_ARRAY or RINGBUF maps for stealthy data exfiltration.

Re-exports

pub use crate::heuristics::classify_ebpf_map;

Structs

EbpfMapInfo

Information about a loaded eBPF map.

Functions

map_type_name

Convert a raw map type integer to its string name.

walk_ebpf_maps

Walk map_idr and return all loaded eBPF maps.