Hi, I'm looking for guidance on what would be the easiest/best choice for implementing malware detection rules on BPF source code (I am also looking at what can be done on ELF and bytecode, but that's a separate question).

The majority of these rules will be looking at combinations of:

- Hook points used
- File names/paths
- Kernel structs like linux_dirent64
- Helper function calls like bpf_probe_write_user(), bpf_send_signal()

Both smatch and coccinelle seem to require a bit of a learning curve (although the latter seems to have more documentation/examples than the former), so your opinion would be highly appreciated.

This is for a personal research project, nothing related to the company I am working for.

Best regards,
Laurent Philippart
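As an added illustration of the "combination of features" rule style described in the post (this is example code written for this reply, not the poster's code and not smatch or coccinelle), the following Python sketch extracts hook points (SEC() names), helper calls, kernel struct names and path string literals from BPF C source with regexes, then evaluates rules that are conjunctions of those feature clauses. The rule definitions and the two sample source snippets are hypothetical and constructed for the demo; the snippets contain only the markers the rules look at and are not working programs.

```python
"""Toy source-level rule matcher for BPF C programs (added example, not the
poster's code).  A rule is a conjunction of feature clauses: hook points,
helper calls, kernel struct names and path literals.  It fires only when every
non-empty clause is satisfied, which is the "combination" style described above.
"""
import re
from dataclasses import dataclass, field

# Regexes for the four feature kinds; a real tool would use a C parser instead.
SEC_RE = re.compile(r'SEC\s*\(\s*"([^"]+)"\s*\)')          # SEC("tracepoint/...")
HELPER_RE = re.compile(r'\b(bpf_[a-z0-9_]+)\s*\(')           # bpf_xxx( calls
STRUCT_RE = re.compile(r'\bstruct\s+([A-Za-z_][A-Za-z0-9_]*)')  # struct names
PATH_RE = re.compile(r'"(/[^"]*)"')                          # "/some/path" literals


@dataclass(frozen=True)
class Features:
    hooks: frozenset
    helpers: frozenset
    structs: frozenset
    paths: frozenset


def extract_features(source: str) -> Features:
    """Pull the four feature kinds out of raw C source (regex scan, no parse)."""
    return Features(
        hooks=frozenset(SEC_RE.findall(source)),
        helpers=frozenset(HELPER_RE.findall(source)),
        structs=frozenset(STRUCT_RE.findall(source)),
        paths=frozenset(PATH_RE.findall(source)),
    )


@dataclass
class Rule:
    name: str
    hooks: set = field(default_factory=set)    # substrings of a SEC() name, any-of
    helpers: set = field(default_factory=set)  # exact helper names, any-of
    structs: set = field(default_factory=set)  # exact struct names, any-of
    paths: set = field(default_factory=set)    # substrings of path literals, any-of


def _any_substring(wanted, observed):
    return any(w in o for o in observed for w in wanted)


def rule_matches(rule: Rule, feats: Features) -> bool:
    """Every non-empty clause must be satisfied; an empty clause is a wildcard."""
    if rule.hooks and not _any_substring(rule.hooks, feats.hooks):
        return False
    if rule.helpers and not (rule.helpers & feats.helpers):
        return False
    if rule.structs and not (rule.structs & feats.structs):
        return False
    if rule.paths and not _any_substring(rule.paths, feats.paths):
        return False
    return True


# Hypothetical rules modelled on the combinations listed in the post.
RULES = [
    Rule("dirent_tamper_on_getdents",
         hooks={"getdents"},
         helpers={"bpf_probe_write_user"},
         structs={"linux_dirent64"}),
    Rule("signal_from_tracing_hook",
         hooks={"tracepoint/", "kprobe/", "uprobe/"},
         helpers={"bpf_send_signal"}),
    Rule("writes_user_memory_anywhere",
         helpers={"bpf_probe_write_user"}),
]


def scan(source: str, rules=RULES):
    """Return the names of all rules that fire on this source, in rule order."""
    feats = extract_features(source)
    return [r.name for r in rules if rule_matches(r, feats)]


# Constructed sample inputs: only the markers the rules inspect, not real programs.
SUSPICIOUS_SRC = '''
SEC("tracepoint/syscalls/sys_exit_getdents64")
int handle_exit(struct trace_event_raw_sys_exit *ctx) {
    struct linux_dirent64 *dirp;
    char buf[8];
    bpf_probe_write_user(dirp, buf, sizeof(buf));
    return 0;
}
'''

BENIGN_SRC = '''
SEC("kprobe/do_sys_openat2")
int trace_open(struct pt_regs *ctx) {
    char fname[256];
    bpf_probe_read_user_str(fname, sizeof(fname), (void *)PT_REGS_PARM2(ctx));
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, fname, sizeof(fname));
    return 0;
}
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SRC), ("benign", BENIGN_SRC)):
        print(label, scan(src))
```

The regex front end is deliberately shallow (it cannot see through macros or follow a helper reached via a function pointer), which is exactly the gap a real semantic matcher such as coccinelle's SmPL patterns would close; the rule layer, however, is independent of how the features are obtained, so the same rule table could be fed from a proper parser later.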