eBPF processor for Ghidra

This project was initially started as a part of Digital Security's Research Centre internship "Summer of Hack 2019".

The extension implements eBPF architecture support for Ghidra and allows for disassembly and decompilation of ELF files containing eBPF programs.

Example of eBPF program you can get here.

Example of disassembling and decompiling of eBPF:

Installation

• Download Release version of extension and install it in Ghidra File → Install Extensions...
• Use gradle to build extension: GHIDRA_INSTALL_DIR=${GHIDRA_HOME} gradle and use Ghidra to install it: File → Install Extensions...
• Clone this repository to \Ghidra\Extensions directory.

Updates

03.09.2019 — eBPF maps implementation, custom relocation handler was implemented

19.09.2019 — stack problem is resolved

20.09.2019 — eBPF call-helpers are implemented as syscalls, added helper's signature through custom eBPFAnalyzer

23.09.2019 — bad bookmarks fixed

01.12.2020 — new eBPF-helpers added

23.06.2022 — added support for relative calls (R_BPF_64_32 relocation type). Thanks @cnwangjihe for this idea. imm of call instruction where bpf_call->src_reg == BPF_PSEUDO_CALL now contains the relative offset to target function.

Before:

After:

24.06.2022 — making a Pull Request to official Ghidra repository as the main supplier of the eBPF processor

Useful links

• Official kernel documentation

• Official kernel documentation - questions

• eBPF programs to test in Ghidra

• Simple eBPF disassembler in Rust

• Rust virtual machine and JIT compiler for eBPF programs

• eBPF helpers (all)

• eBPF overview