microsoft
diff --git a/‎ebpfapi/Source.def‎
Lines changed: 1 addition & 0 deletions b/‎ebpfapi/Source.def‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎include/ebpf_api.h‎
Lines changed: 27 additions & 8 deletions b/‎include/ebpf_api.h‎
Lines changed: 27 additions & 8 deletions
diff --git a/‎libs/api/ebpf_api.cpp‎
Lines changed: 135 additions & 3 deletions b/‎libs/api/ebpf_api.cpp‎
Lines changed: 135 additions & 3 deletions
diff --git a/‎libs/ebpfnetsh/ebpfnetsh.vcxproj‎
Lines changed: 2 additions & 0 deletions b/‎libs/ebpfnetsh/ebpfnetsh.vcxproj‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎libs/ebpfnetsh/ebpfnetsh.vcxproj.filters‎
Lines changed: 6 additions & 0 deletions b/‎libs/ebpfnetsh/ebpfnetsh.vcxproj.filters‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎libs/ebpfnetsh/netsh_hash.cpp‎
Lines changed: 130 additions & 0 deletions b/‎libs/ebpfnetsh/netsh_hash.cpp‎
Lines changed: 130 additions & 0 deletions
@@ -105,6 +105,7 @@ EXPORTS
     ebpf_api_elf_verify_program_from_file
     ebpf_api_elf_verify_program_from_memory
     ebpf_api_close_handle
+    ebpf_api_get_data_section
     ebpf_api_get_pinned_map_info
     ebpf_api_map_info_free
     ebpf_canonicalize_pin_path
 
@@ -67,14 +67,14 @@ extern "C"
     } ebpf_api_program_info_t;
 
     /**
-      * @brief Get list of programs and stats in an eBPF file.
-      * @param[in] file Name of file containing eBPF programs.
-      * @param[in] verbose Obtain additional info about the programs.
-      * @param[out] infos On success points to a list of eBPF programs.
-      * The caller is responsible for freeing the list via ebpf_free_programs().
-      * @param[out] error_message On failure points to a text description of
-      *  the error.
-      */
+     * @brief Get list of programs and stats in an eBPF file.
+     * @param[in] file Name of file containing eBPF programs.
+     * @param[in] verbose Obtain additional info about the programs.
+     * @param[out] infos On success points to a list of eBPF programs.
+     * The caller is responsible for freeing the list via ebpf_free_programs().
+     * @param[out] error_message On failure points to a text description of
+     *  the error.
+     */
     _Must_inspect_result_ ebpf_result_t
     ebpf_enumerate_programs(
         _In_z_ const char* file,
@@ -798,6 +798,25 @@ extern "C"
         _In_opt_ void* ctx,
         _In_opt_ const struct ebpf_perf_buffer_opts* opts) EBPF_NO_EXCEPT;
 
+    /**
+     * @brief Extract data from a named section in a PE or ELF file.
+     * @param[in] file_path Path to the PE or ELF file.
+     * @param[in] section_name Name of the section to extract.
+     * @param[out] data Pointer to buffer to receive section data. If NULL, only the size is returned.
+     * @param[in,out] data_size On input, size of the buffer. On output, actual size of section data.
+     * @retval EBPF_SUCCESS The operation was successful.
+     * @retval EBPF_INSUFFICIENT_BUFFER The buffer is too small. data_size contains required size.
+     * @retval EBPF_INVALID_ARGUMENT Invalid parameters.
+     * @retval EBPF_OBJECT_NOT_FOUND Section not found in file.
+     * @retval EBPF_INVALID_OBJECT File format is invalid or unsupported.
+     */
+    _Must_inspect_result_ ebpf_result_t
+    ebpf_api_get_data_section(
+        _In_z_ const char* file_path,
+        _In_z_ const char* section_name,
+        _Out_writes_bytes_opt_(*data_size) uint8_t* data,
+        _Inout_ size_t* data_size) EBPF_NO_EXCEPT;
+
 #ifdef __cplusplus
 }
 #endif
@@ -15,6 +15,10 @@
 #include "ebpf_serialize.h"
 #include "ebpf_shared_framework.h"
 #include "ebpf_tracelog.h"
+// Undefine Windows min/max macros for ELFIO
+#undef max
+#undef min
+#include "elfio_wrapper.hpp"
 #include "hash.h"
 #pragma warning(push)
 #pragma warning(disable : 4200) // Zero-sized array in struct/union
@@ -564,7 +568,7 @@ _ebpf_map_lookup_element_batch_helper(
 
     while (count_returned < input_count) {
         // Fetch the next batch of entries.
-        size_t entries_to_fetch = min(input_count - count_returned, max_entries_per_batch);
+        size_t entries_to_fetch = std::min(input_count - count_returned, max_entries_per_batch);
 
         ebpf_protocol_buffer_t request_buffer(
             EBPF_OFFSET_OF(_ebpf_operation_map_get_next_key_value_batch_request, previous_key) +
@@ -772,7 +776,7 @@ _update_map_element_batch(
     try {
         for (size_t key_index = 0; key_index < input_count;) {
             // Compute the number of entries to update in this batch.
-            size_t entries_to_update = min(input_count - key_index, max_entries_per_batch);
+            size_t entries_to_update = std::min(input_count - key_index, max_entries_per_batch);
 
             request_buffer.resize(
                 EBPF_OFFSET_OF(ebpf_operation_map_update_element_batch_request_t, data) +
@@ -1102,7 +1106,7 @@ ebpf_map_delete_element_batch(fd_t map_fd, _In_ const void* keys, _Inout_ uint32
     try {
         for (size_t key_index = 0; key_index < input_count;) {
             // Compute the number of entries to update in this batch.
-            size_t entries_to_delete = min(input_count - key_index, max_entries_per_batch);
+            size_t entries_to_delete = std::min(input_count - key_index, max_entries_per_batch);
 
             request_buffer.resize(
                 EBPF_OFFSET_OF(ebpf_operation_map_delete_element_batch_request_t, keys) + key_size * entries_to_delete);
@@ -5252,6 +5256,134 @@ ebpf_map_set_wait_handle(fd_t map_fd, uint64_t index, ebpf_handle_t handle) NO_E
 }
 CATCH_NO_MEMORY_EBPF_RESULT
 
+// Context structure for section data extraction
+typedef struct _ebpf_section_data_context
+{
+    const char* section_name;
+    bool section_found;
+    size_t section_size;
+    const uint8_t* section_data;
+} ebpf_section_data_context_t;
+
+// Callback function for PE section iteration
+static int
+_ebpf_pe_find_section(
+    _Inout_ void* context,
+    _In_ const VA& va,
+    _In_ const std::string& section_name,
+    _In_ const image_section_header& section_header,
+    _In_ const bounded_buffer* buffer) NO_EXCEPT_TRY
+{
+    UNREFERENCED_PARAMETER(va);
+    UNREFERENCED_PARAMETER(section_header);
+
+    ebpf_section_data_context_t* ctx = static_cast<ebpf_section_data_context_t*>(context);
+
+    if (section_name == ctx->section_name && buffer != nullptr) {
+        ctx->section_found = true;
+        ctx->section_size = buffer->bufLen;
+        ctx->section_data = buffer->buf;
+        return 1; // Stop iteration
+    }
+    return 0; // Continue iteration
+}
+CATCH_NO_MEMORY_INT(1)
+
+_Must_inspect_result_ ebpf_result_t
+ebpf_api_get_data_section(
+    _In_z_ const char* file_path,
+    _In_z_ const char* section_name,
+    _Out_writes_bytes_opt_(*data_size) uint8_t* data,
+    _Inout_ size_t* data_size) NO_EXCEPT_TRY
+{
+    EBPF_LOG_ENTRY();
+
+    if (file_path == nullptr || section_name == nullptr || data_size == nullptr) {
+        EBPF_RETURN_RESULT(EBPF_INVALID_ARGUMENT);
+    }
+
+    // Determine file type by extension
+    std::string path(file_path);
+    bool is_pe_file = false;
+    if (path.size() > 4) {
+        std::string extension = path.substr(path.size() - 4);
+        std::transform(extension.begin(), extension.end(), extension.begin(), [](char c) {
+            return static_cast<char>(::tolower(static_cast<unsigned char>(c)));
+        });
+        is_pe_file = (extension == ".dll" || extension == ".sys" || extension == ".exe");
+    }
+
+    ebpf_result_t result = EBPF_SUCCESS;
+
+    if (is_pe_file) {
+        // Parse PE file using pe-parse library
+        std::scoped_lock pe_parse_lock(_pe_parse_mutex);
+        parsed_pe* pe = ParsePEFromFile(file_path);
+        if (pe == nullptr) {
+            EBPF_RETURN_RESULT(EBPF_INVALID_OBJECT);
+        }
+
+        // Set up context for section search
+        ebpf_section_data_context_t section_context = {
+            .section_name = section_name, .section_found = false, .section_size = 0, .section_data = nullptr};
+
+        IterSec(pe, _ebpf_pe_find_section, &section_context);
+
+        if (!section_context.section_found) {
+            DestructParsedPE(pe);
+            EBPF_RETURN_RESULT(EBPF_OBJECT_NOT_FOUND);
+        }
+
+        // Check buffer size
+        if (data == nullptr) {
+            // Just return the size
+            *data_size = section_context.section_size;
+        } else if (*data_size < section_context.section_size) {
+            // Buffer too small
+            *data_size = section_context.section_size;
+            DestructParsedPE(pe);
+            EBPF_RETURN_RESULT(EBPF_INSUFFICIENT_BUFFER);
+        } else {
+            // Copy data to buffer
+            memcpy(data, section_context.section_data, section_context.section_size);
+            *data_size = section_context.section_size;
+        }
+
+        DestructParsedPE(pe);
+    } else {
+        // Parse ELF file using ELFIO library
+        ELFIO::elfio reader;
+        if (!reader.load(file_path)) {
+            EBPF_RETURN_RESULT(EBPF_INVALID_OBJECT);
+        }
+
+        // Find the section by name
+        ELFIO::section* section = reader.sections[section_name];
+        if (section == nullptr || section->get_data() == nullptr) {
+            EBPF_RETURN_RESULT(EBPF_OBJECT_NOT_FOUND);
+        }
+
+        size_t section_size = section->get_size();
+
+        // Check buffer size
+        if (data == nullptr) {
+            // Just return the size
+            *data_size = section_size;
+        } else if (*data_size < section_size) {
+            // Buffer too small
+            *data_size = section_size;
+            EBPF_RETURN_RESULT(EBPF_INSUFFICIENT_BUFFER);
+        } else {
+            // Copy data to buffer
+            memcpy(data, section->get_data(), section_size);
+            *data_size = section_size;
+        }
+    }
+
+    EBPF_RETURN_RESULT(result);
+}
+CATCH_NO_MEMORY_EBPF_RESULT
+
 static _Must_inspect_result_ ebpf_result_t
 _ebpf_link_mark_as_legacy_mode(ebpf_handle_t link_handle) NO_EXCEPT_TRY
 {
 
@@ -101,6 +101,7 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="elf.cpp" />
+    <ClCompile Include="netsh_hash.cpp" />
     <ClCompile Include="links.cpp" />
     <ClCompile Include="maps.cpp" />
     <ClCompile Include="pins.cpp" />
@@ -110,6 +111,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="elf.h" />
+    <ClInclude Include="netsh_hash.h" />
     <ClInclude Include="links.h" />
     <ClInclude Include="maps.h" />
     <ClInclude Include="pins.h" />
 
@@ -22,6 +22,9 @@
     <ClCompile Include="elf.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="netsh_hash.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
     <ClCompile Include="programs.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
@@ -45,6 +48,9 @@
     <ClInclude Include="elf.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="netsh_hash.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="programs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
 
@@ -0,0 +1,130 @@
+// Copyright (c) eBPF for Windows contributors
+// SPDX-License-Identifier: MIT
+
+#include "ebpf_api.h"
+#include "netsh_hash.h"
+#include "platform.h"
+#include "tokens.h"
+#include "utilities.h"
+
+#include <iomanip>
+#include <iostream>
+#include <string>
+#include <vector>
+
+// The following function uses windows specific type as an input to match
+// definition of "FN_HANDLE_CMD" in public file of NetSh.h
+unsigned long
+handle_ebpf_show_hash(
+    IN LPCWSTR machine,
+    _Inout_updates_(argc) LPWSTR* argv,
+    IN DWORD current_index,
+    IN DWORD argc,
+    IN DWORD flags,
+    IN LPCVOID data,
+    OUT BOOL* done)
+{
+    UNREFERENCED_PARAMETER(machine);
+    UNREFERENCED_PARAMETER(flags);
+    UNREFERENCED_PARAMETER(data);
+    UNREFERENCED_PARAMETER(done);
+
+    TAG_TYPE tags[] = {
+        {TOKEN_FILENAME, NS_REQ_PRESENT, FALSE},
+        {TOKEN_HASHONLY, NS_REQ_ZERO, FALSE},
+    };
+    const int FILENAME_INDEX = 0;
+    const int HASHONLY_INDEX = 1;
+
+    unsigned long tag_type[_countof(tags)] = {0};
+
+    unsigned long status =
+        PreprocessCommand(nullptr, argv, current_index, argc, tags, _countof(tags), 0, _countof(tags), tag_type);
+
+    std::string filename;
+    bool hash_only = false;
+    for (int i = 0; (status == NO_ERROR) && ((i + current_index) < argc); i++) {
+        switch (tag_type[i]) {
+        case FILENAME_INDEX: {
+            filename = down_cast_from_wstring(std::wstring(argv[current_index + i]));
+            break;
+        }
+        case HASHONLY_INDEX: {
+            hash_only = true;
+            break;
+        }
+        default:
+            status = ERROR_INVALID_SYNTAX;
+            break;
+        }
+    }
+
+    if (status != NO_ERROR) {
+        return status;
+    }
+
+    // First get the size of the hash section
+    size_t hash_size = 0;
+    ebpf_result_t result = ebpf_api_get_data_section(filename.c_str(), "hash", nullptr, &hash_size);
+
+    if (result == EBPF_INVALID_OBJECT) {
+        std::cout << "error: No such file or directory opening " << filename << std::endl;
+        return ERROR_SUPPRESS_OUTPUT;
+    } else if (result == EBPF_OBJECT_NOT_FOUND) {
+        std::cout << "No hash section found in " << filename << std::endl;
+        return ERROR_SUPPRESS_OUTPUT;
+    } else if (result != EBPF_SUCCESS) {
+        std::cout << "Error reading hash from " << filename << ": " << result << std::endl;
+        return ERROR_SUPPRESS_OUTPUT;
+    }
+
+    if (hash_size == 0) {
+        std::cout << "Hash section is empty in " << filename << std::endl;
+        return ERROR_SUPPRESS_OUTPUT;
+    }
+
+    // Allocate buffer and get the hash data
+    std::vector<uint8_t> hash_data(hash_size);
+    result = ebpf_api_get_data_section(filename.c_str(), "hash", hash_data.data(), &hash_size);
+
+    if (result != EBPF_SUCCESS) {
+        std::cout << "Error reading hash data from " << filename << ": " << result << std::endl;
+        return ERROR_SUPPRESS_OUTPUT;
+    }
+
+    // Truncate hash to size of a SHA-256 hash if larger
+    if (hash_size > 32) {
+        hash_size = 32;
+    }
+
+    // Resize vector to actual hash size
+    hash_data.resize(hash_size);
+
+    if (hash_only) {
+        // Print hash in PowerShell Get-FileHash format (uppercase, no spaces)
+        for (size_t i = 0; i < hash_size; i++) {
+            std::cout << std::hex << std::uppercase << std::setw(2) << std::setfill('0')
+                      << static_cast<unsigned int>(hash_data[i]);
+        }
+        std::cout << std::dec << std::nouppercase << std::endl; // Reset formatting
+    } else {
+        // Print detailed hash information
+        std::cout << "Hash for " << filename << ":" << std::endl;
+        std::cout << "Size: " << hash_size << " bytes" << std::endl;
+        std::cout << "Data: ";
+
+        // Print hash in hexadecimal format with spaces
+        for (size_t i = 0; i < hash_size; i++) {
+            if (i > 0 && i % 16 == 0) {
+                std::cout << std::endl << "      ";
+            }
+            std::cout << std::hex << std::setw(2) << std::setfill('0') << static_cast<unsigned int>(hash_data[i]);
+            if (i < hash_size - 1) {
+                std::cout << " ";
+            }
+        }
+        std::cout << std::dec << std::endl; // Reset to decimal format
+    }
+
+    return NO_ERROR;
+}