Porting Linux Kernel Malware to Windows for Fun and no Profit
Malware Detection Researcher @ SentinelOne

Talk Abstract
While eBPF is used primarily for observability and performance tooling, malware that abuses eBPF on Linux, such as Symbiote and BPFDoor, has been observed in recent years. Such malware typically consists of two layers: an eBPF program that runs kernel-side and a user-space component, with the user-space component being OS-dependent. This talk begins by outlining the prerequisites for eBPF and giving an overview and setup walkthrough of eBPF for Windows, Microsoft's eBPF execution platform for Windows. Next, using Linux eBPF malware as the example, we demonstrate a proof-of-concept (PoC) port to Windows built from a single codebase, in which the kernel-side eBPF program is shared across both operating systems while the user-space portion is implemented separately for each. Finally, we share the constraints and pitfalls encountered during the port, along with insights gained from detection and defense perspectives.
About the Speaker

Nischay Hegde
Malware Detection Researcher @ SentinelOne
Nischay Hegde is currently a Malware Detection Researcher at SentinelOne, where he specializes in Linux malware analysis. With over five years of experience in cybersecurity, he has developed expertise in YARA rule development and eBPF-based detection techniques through his work at two companies that leverage eBPF in their Linux agents.
His journey in security began as a member of his university's CTF team. He has since presented his research at national conferences and regional security meetups, covering topics ranging from Linux keyloggers to kernel-mode evasion techniques. He is passionate about advancing open-source security tooling and regularly mentors junior researchers entering the field.