
Deploy Eolh

To build Eolh, you need a patched version of golang-etw. The patch ships with Eolh as diff.patch. Clone golang-etw and apply the patch from inside the checkout (copy diff.patch there first, or point the redirect at wherever the file lives); patch's --dry-run option lets you confirm that it applies cleanly before any file is changed.

git clone https://github.com/0xrawsec/golang-etw.git
cd golang-etw
patch -p1 < diff.patch

Building the Eolh container image normally requires a Windows host with Docker running in Windows-container mode, because Eolh ships as a Windows container image.

docker build -f Dockerfile -t <your_repository>/monitor:<your_tag> .

The following command may also work to build the image from a Linux host. It cross-builds for the windows/amd64 platform and, because of --output=type=registry, pushes the result straight to your registry instead of loading it into the local Docker daemon. Note that a Linux BuildKit cannot execute RUN steps inside a Windows container, so this only works for a Dockerfile that copies prebuilt binaries into the image rather than building them there.

# Reference: https://github.com/microsoft/ebpf-for-windows/blob/41e1da24f4ca4b4ca362a87c161e7e3577cb1f07/images/build-images.sh
docker buildx build --platform windows/amd64 --output=type=registry --pull -f Dockerfile -t <your_repository>/monitor:<your_tag> .

Push the image to your repository (with docker push; this step is already done if you used the buildx command above). The rest of this page refers to the image as monitor.

Eolh must run in a Windows HostProcess container with enough privilege to open ETW trace sessions; the manifest below runs it as NT AUTHORITY\SYSTEM. Kubernetes requires that either all or none of the containers in a pod are HostProcess containers, and that a HostProcess pod sets hostNetwork: true.

We also recommend running Eolh as a DaemonSet, so that exactly one instance runs on every Windows node; the nodeSelector keeps it off Linux nodes.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: monitor
spec:
  selector:
    matchLabels:
      name: monitor
  template:
    metadata:
      labels:
        name: monitor
    spec:
      containers:
        - name: monitor
          image: <your_monitor_image_path>
          args:
            - ".\\eolh.exe; "
          securityContext:
            windowsOptions:
              hostProcess: true
              runAsUserName: "NT AUTHORITY\\SYSTEM"
      hostNetwork: true
      nodeSelector:
        "kubernetes.io/os": windows
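As an added example (not part of Eolh or of this page's original content), the following Python script is a preflight check for the DaemonSet above. It encodes the Kubernetes HostProcess rules (every container must be HostProcess, hostNetwork must be true) together with the page's own requirements (run as NT AUTHORITY\SYSTEM, schedule only on Windows nodes), and reports every violation so a broken manifest is caught before kubectl apply. The manifest is embedded as a Python dict that mirrors the YAML above with a placeholder image path; the broken variant, the expected user constant and all function names are this example's own constructions. In practice you would load the real YAML with yaml.safe_load and pass the resulting dict to the checker.

```python
"""Preflight check for an Eolh HostProcess DaemonSet manifest (added example, not Eolh's own code)."""
import copy
import json

# Constructed manifest mirroring the DaemonSet on this page; the image path is a placeholder.
EOLH_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "monitor"},
    "spec": {
        "selector": {"matchLabels": {"name": "monitor"}},
        "template": {
            "metadata": {"labels": {"name": "monitor"}},
            "spec": {
                "containers": [{
                    "name": "monitor",
                    "image": "<your_monitor_image_path>",
                    "args": [".\\eolh.exe; "],
                    "securityContext": {"windowsOptions": {
                        "hostProcess": True,
                        "runAsUserName": "NT AUTHORITY\\SYSTEM",
                    }},
                }],
                "hostNetwork": True,
                "nodeSelector": {"kubernetes.io/os": "windows"},
            },
        },
    },
}

# The account the page documents for Eolh (assumption: nothing else is accepted here).
EXPECTED_USER = "NT AUTHORITY\\SYSTEM"


def _windows_options(pod_spec, container):
    """Merge pod-level and container-level windowsOptions; the container-level values win."""
    merged = dict(pod_spec.get("securityContext", {}).get("windowsOptions", {}))
    merged.update(container.get("securityContext", {}).get("windowsOptions", {}))
    return merged


def check_hostprocess_daemonset(manifest):
    """Return a list of findings; an empty list means the manifest passes all checks."""
    findings = []
    if manifest.get("kind") != "DaemonSet":
        findings.append("kind should be DaemonSet so that one Eolh instance runs per Windows node")
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    if not containers:
        findings.append("pod template has no containers")
    for c in containers:
        name = c.get("name", "<unnamed>")
        opts = _windows_options(pod_spec, c)
        # Kubernetes rejects pods that mix HostProcess and non-HostProcess containers.
        if opts.get("hostProcess") is not True:
            findings.append(f"container {name!r}: hostProcess must be true "
                            "(a pod is either entirely HostProcess or not at all)")
        user = opts.get("runAsUserName")
        if user is None:
            findings.append(f"container {name!r}: runAsUserName is not set")
        elif user.upper() != EXPECTED_USER:
            findings.append(f"container {name!r}: runs as {user!r}, "
                            f"but Eolh is documented to run as {EXPECTED_USER}")
    # HostProcess pods must run in the host network namespace.
    if pod_spec.get("hostNetwork") is not True:
        findings.append("hostNetwork must be true for a HostProcess pod")
    if pod_spec.get("nodeSelector", {}).get("kubernetes.io/os") != "windows":
        findings.append("nodeSelector kubernetes.io/os=windows is missing; "
                        "the DaemonSet would also be scheduled onto Linux nodes")
    return findings


def broken_variant():
    """Constructed negative example: hostNetwork dropped and a non-HostProcess sidecar added."""
    m = copy.deepcopy(EOLH_DAEMONSET)
    pod_spec = m["spec"]["template"]["spec"]
    del pod_spec["hostNetwork"]
    pod_spec["containers"].append({"name": "sidecar", "image": "<some_image>"})
    return m


def to_kubectl_json(manifest):
    """kubectl accepts JSON manifests, so a checked dict can be written out and applied as-is."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    for label, m in (("page manifest", EOLH_DAEMONSET), ("broken variant", broken_variant())):
        findings = check_hostprocess_daemonset(m)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run the script as-is to see the page's manifest pass and the constructed variant fail on the missing hostNetwork and on the sidecar (which is neither HostProcess nor running as SYSTEM); pipe to_kubectl_json's output into a file to apply a checked manifest with kubectl apply -f.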

Reference

https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/