Date and Time:
Tuesday, March 21, 14:00 – 18:00

Workshop organiser:

The extended Berkeley Packet Filter (eBPF) subsystem offers a safe and portable way to extend the Linux kernel at runtime. It is a relatively young and rapidly evolving ecosystem that sees widespread adoption in industry and kernel development, oftentimes implementing functionalities that would otherwise require a Loadable Kernel Module (LKM). In addition, Microsoft is actively working on adding eBPF support to the Windows desktop and server operating systems. However, it was demonstrated by various security researchers that malware may (ab)use eBPF to implement a number of core rootkit functionalities.

This workshop’s goal is to provide analysts with the practical skills necessary to recognize and investigate malware that is using the eBPF subsystem. We will cover live system and memory forensics techniques. Furthermore, as the forensic analysis of the eBPF subsystem is still in its very early stages, we aim to equip participants with the background knowledge and further references necessary to conduct their own research or build their own tools, if required during an investigation.

Workshop preparation:
For our workshop there are two VMs available for download at

HHTP Basic Auth:
username: dfrws
password: dfrws-eu-2023-bonn-bpf-rootkits