eBPF processor for Ghidra
This project was initially started as a part of Digital Security's Research Centre internship "Summer of Hack 2019".
The extension adds eBPF architecture support to Ghidra, allowing disassembly and decompilation of ELF files containing eBPF programs.
An example eBPF program can be found here.
Example of disassembling and decompiling eBPF:
Installation
- Download the release version of the extension and install it in Ghidra via File → Install Extensions...
- Use gradle to build the extension:
GHIDRA_INSTALL_DIR=${GHIDRA_HOME} gradle
and install it in Ghidra via File → Install Extensions...
- Clone this repository into the \Ghidra\Extensions directory.
Updates
03.09.2019 — eBPF maps implemented, custom relocation handler implemented
19.09.2019 — stack problem resolved
20.09.2019 — eBPF call helpers implemented as syscalls; helper signatures added through a custom eBPFAnalyzer
23.09.2019 — bad bookmarks fixed
01.12.2020 — new eBPF-helpers added
23.06.2022 — added support for relative calls (R_BPF_64_32 relocation type). Thanks @cnwangjihe for this idea. The imm of a call instruction where bpf_call->src_reg == BPF_PSEUDO_CALL now contains the relative offset to the target function.
Before:
After:
24.06.2022 — Pull Request made to the official Ghidra repository as the main supplier of the eBPF processor
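As an added illustration of the call encoding described in the 23.06.2022 entry (example code written for this page, not part of the extension), the following Python decoder splits raw eBPF bytecode into 8-byte instructions and resolves each call: when src_reg == BPF_PSEUDO_CALL the imm is a relative instruction offset (target = pc + 1 + imm), otherwise imm is the helper id that the extension models as a syscall. The sample program bytes are constructed here.

```python
import struct
from collections import namedtuple

# Opcode bits and the pseudo-call marker, as defined in the Linux uapi bpf.h
BPF_JMP, BPF_CALL = 0x05, 0x80
BPF_PSEUDO_CALL = 1   # src_reg value marking a call to a BPF subprogram rather than a helper

Insn = namedtuple("Insn", "opcode dst src off imm")

def decode(blob):
    """Split raw little-endian eBPF bytecode into 8-byte instructions."""
    if len(blob) % 8:
        raise ValueError("eBPF code must be a multiple of 8 bytes")
    insns = []
    for pos in range(0, len(blob), 8):
        opcode, regs, off, imm = struct.unpack_from("<BBhi", blob, pos)
        insns.append(Insn(opcode, regs & 0x0F, regs >> 4, off, imm))   # dst = low nibble, src = high nibble
    return insns

def classify_calls(insns):
    """Return (index, kind, target) per call instruction: for a pseudo call the
    target is the callee instruction index (pc + 1 + imm), for a helper call its id."""
    calls = []
    for i, ins in enumerate(insns):
        if ins.opcode != (BPF_JMP | BPF_CALL):
            continue
        if ins.src == BPF_PSEUDO_CALL:
            target = i + 1 + ins.imm
            if not 0 <= target < len(insns):
                raise ValueError(f"call at insn {i} targets out-of-range insn {target}")
            calls.append((i, "bpf", target))
        else:
            calls.append((i, "helper", ins.imm))
    return calls

def encode(opcode, dst, src, off, imm):
    return struct.pack("<BBhi", opcode, (src << 4) | dst, off, imm)

# Constructed sample: main calls the subprogram at insn 4, then helper 6 (bpf_trace_printk), then exits
SAMPLE = b"".join([
    encode(0xB7, 0, 0, 0, 1),   # 0: r0 = 1    (BPF_ALU64|BPF_MOV|BPF_K)
    encode(0x85, 0, 1, 0, 2),   # 1: call +2   (src_reg == BPF_PSEUDO_CALL -> insn 1+1+2 = 4)
    encode(0x85, 0, 0, 0, 6),   # 2: call helper 6
    encode(0x95, 0, 0, 0, 0),   # 3: exit
    encode(0xB7, 0, 0, 0, 42),  # 4: r0 = 42   (subprogram entry)
    encode(0x95, 0, 0, 0, 0),   # 5: exit
])
```

Running classify_calls(decode(SAMPLE)) yields [(1, "bpf", 4), (2, "helper", 6)], which is exactly the distinction the extension draws when it turns helper calls into syscalls and relative calls into references to the target function.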