diff --git a/observation/src/filelife/filelife.bpf.c b/observation/src/filelife/filelife.bpf.c
new file mode 100644
index 0000000000000000000000000000000000000000..0ed5efc0c3064f9cbbc1695ab5a39ebe22b2aeed
--- /dev/null
+++ b/observation/src/filelife/filelife.bpf.c
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0
+#include "vmlinux.h"
+#include
+#include
+#include
+#include "filelife.h"
+#include "core_fixes.bpf.h"
+
+/* linux: include/linux/fs.h */
+#define FMODE_CREATED 0x100000
+
+const volatile pid_t target_tgid = 0;
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, struct dentry *);
+ __type(value, u64);
+} start SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} events SEC(".maps");
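Review bot: The `start` map can fill up and then silently drop new entries: it is a fixed 8192-entry `BPF_MAP_TYPE_HASH` keyed by a raw `struct dentry *`, and nothing in these 25 lines bounds how long an entry lives. The probes that insert and delete entries are not part of this hunk, but if entries are only removed on unlink, files that are created and never deleted will accumulate until inserts fail, which leaves a blind spot for anyone relying on this tool as a monitoring signal. Consider `__uint(type, BPF_MAP_TYPE_LRU_HASH);` so stale entries are evicted, or have the probe check the `bpf_map_update_elem` return value and count drops. A kernel pointer key can also be reused after the dentry is freed, so a comment on the map such as `/* dentry -> presumably creation timestamp; entry must be deleted when the dentry goes away */` would make the lifetime contract explicit. `target_tgid` would also benefit from a one-line comment stating that 0 appears to mean "no filter".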