eBPF Processor for Ghidra (Java, branch: master)

Repository contents (latest commit message, commit date):

  • data: CALL insn changed (Sep 19, 2019)
  • images: eBPF Helpers implemented as syscalls (Sep 19, 2019)
  • src/main/java/ghidra/app: Bad bookmarks fixed (Sep 23, 2019)
  • .gitignore: Add files via upload (Aug 14, 2019)
  • LICENSE: Initial commit (Aug 14, 2019)
  • Module.manifest: Add files via upload (Aug 14, 2019)
  • README.md: Update README.md (Sep 23, 2019)
  • build.gradle: Add files via upload (Aug 14, 2019)
  • extension.properties: Add files via upload (Aug 14, 2019)

README.md

eBPF-for-Ghidra

This project was started as part of the Digital Security Research Centre internship "Summer of Hack 2019".

The extension adds eBPF processor support to Ghidra, allowing disassembly and decompilation of ELF files containing eBPF programs.

An example eBPF program can be found here.

eBPF Extension

Installation

  • Download the Release version of the extension and install it in Ghidra via File → Install Extensions...
  • Build the extension with Gradle (GHIDRA_INSTALL_DIR=${GHIDRA_HOME} gradle) and install the resulting archive via File → Install Extensions...
  • Clone this repository into the \Ghidra\Extensions directory of your Ghidra installation.

Screenshots

Example of disassembling and decompiling eBPF

Example of decompiling

Function Graph for eBPF

Function Graph

Updates

03.09 - eBPF maps implemented (map names are shown in the decompiler and disassembler by resolving the map symbol through a custom relocation handler)

19.09 - stack problem resolved. eBPF call helpers are implemented as syscalls (helper signatures are attached through a custom eBPFAnalyzer)

23.09 - bad bookmarks fixed
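The two updates above describe the parts of eBPF bytecode that a processor module has to model beyond plain ALU instructions: the 16-byte lddw used to load a map reference (on disk its immediate is zero and an ELF relocation names the map symbol; after loading, the loader patches src_reg to BPF_PSEUDO_MAP_FD and imm to the map fd) and the call instruction, whose immediate is a kernel helper number rather than a code address. The following decoder, added here as an example and not code from the eBPF-for-Ghidra project, decodes a small constructed map-lookup routine, annotates calls with their helper signature the way the extension's analyzer does, and takes a constructed dictionary of byte offset → map symbol in place of the ELF .rel entries a relocation handler would read. Opcode values and helper numbers follow the Linux uapi headers; the sample bytes, the map name "counters" and the helper subset are constructed for the example.

```python
"""Minimal eBPF bytecode decoder (added example; not part of eBPF-for-Ghidra)."""
import struct
from typing import Dict, List, Optional

# Opcode values from linux/bpf_common.h and uapi/linux/bpf.h
BPF_LDDW      = 0x18  # BPF_LD | BPF_IMM | BPF_DW : 64-bit immediate, two 8-byte slots
BPF_LDXW      = 0x61  # BPF_LDX | BPF_MEM | BPF_W : dst = *(u32 *)(src + off)
BPF_STXW      = 0x63  # BPF_STX | BPF_MEM | BPF_W : *(u32 *)(dst + off) = src
BPF_ADD64_IMM = 0x07  # BPF_ALU64 | BPF_ADD | BPF_K
BPF_MOV64_IMM = 0xB7  # BPF_ALU64 | BPF_MOV | BPF_K
BPF_MOV64_REG = 0xBF  # BPF_ALU64 | BPF_MOV | BPF_X
BPF_JEQ_IMM   = 0x15  # BPF_JMP | BPF_JEQ | BPF_K : pc-relative jump if dst == imm
BPF_CALL      = 0x85  # BPF_JMP | BPF_CALL : imm is a kernel helper number
BPF_EXIT      = 0x95  # BPF_JMP | BPF_EXIT

BPF_PSEUDO_MAP_FD = 1  # src_reg of an lddw after the loader patched in a map fd

# Helper numbers and C signatures (subset of uapi/linux/bpf.h)
HELPERS = {
    1: ("bpf_map_lookup_elem", "void *(struct bpf_map *map, const void *key)"),
    2: ("bpf_map_update_elem", "long (struct bpf_map *map, const void *key, const void *value, u64 flags)"),
    3: ("bpf_map_delete_elem", "long (struct bpf_map *map, const void *key)"),
    5: ("bpf_ktime_get_ns", "u64 (void)"),
    6: ("bpf_trace_printk", "long (const char *fmt, u32 fmt_size, ...)"),
    14: ("bpf_get_current_pid_tgid", "u64 (void)"),
}

INSN = struct.Struct("<BBhi")  # code, (src_reg << 4) | dst_reg, off, imm


def decode(code: bytes, relocs: Optional[Dict[int, str]] = None) -> List[dict]:
    """Decode raw eBPF text. relocs maps byte offset -> map symbol name, standing
    in for the ELF .rel entries a relocation handler resolves for lddw."""
    relocs = relocs or {}
    if len(code) % INSN.size:
        raise ValueError("eBPF text must be a multiple of 8 bytes")
    insns, off_b = [], 0
    while off_b < len(code):
        op, regs, off, imm = INSN.unpack_from(code, off_b)
        ins = {"pc": off_b // 8, "op": op, "dst": regs & 0xF, "src": regs >> 4,
               "off": off, "imm": imm}
        if op == BPF_LDDW:
            # Second slot carries the upper 32 bits in its imm field
            if off_b + 2 * INSN.size > len(code):
                raise ValueError(f"truncated lddw at pc {ins['pc']}")
            _, _, _, imm_hi = INSN.unpack_from(code, off_b + INSN.size)
            ins["imm64"] = (imm & 0xFFFFFFFF) | ((imm_hi & 0xFFFFFFFF) << 32)
            if off_b in relocs:                      # on-disk object: symbol via relocation
                ins["map"] = relocs[off_b]
            elif ins["src"] == BPF_PSEUDO_MAP_FD:    # loaded program: fd patched by loader
                ins["map"] = f"fd:{imm}"
            off_b += 2 * INSN.size
        else:
            off_b += INSN.size
        insns.append(ins)
    return insns


def fmt(ins: dict) -> str:
    """Render one decoded instruction in clang/llvm-objdump style."""
    op, dst, src, off, imm = ins["op"], ins["dst"], ins["src"], ins["off"], ins["imm"]
    if op == BPF_LDDW:
        return f"r{dst} = map[{ins['map']}]" if "map" in ins else f"r{dst} = {ins['imm64']:#x} ll"
    if op == BPF_CALL:
        name, sig = HELPERS.get(imm, (f"helper_{imm}", "unknown signature"))
        return f"call {name}  ; #{imm}: {sig}"
    if op == BPF_EXIT:
        return "exit"
    if op == BPF_MOV64_IMM:
        return f"r{dst} = {imm}"
    if op == BPF_MOV64_REG:
        return f"r{dst} = r{src}"
    if op == BPF_ADD64_IMM:
        return f"r{dst} += {imm}"
    if op == BPF_STXW:
        return f"*(u32 *)(r{dst}{off:+d}) = r{src}"
    if op == BPF_LDXW:
        return f"r{dst} = *(u32 *)(r{src}{off:+d})"
    if op == BPF_JEQ_IMM:
        return f"if r{dst} == {imm} goto {off:+d}"
    return f".byte opcode {op:#04x}"  # outside this example's small opcode table


def disassemble(code: bytes, relocs: Optional[Dict[int, str]] = None) -> List[str]:
    return [fmt(i) for i in decode(code, relocs)]


def helper_calls(insns: List[dict]):
    """(pc, helper name) for every call, the data an analyzer needs to attach signatures."""
    return [(i["pc"], HELPERS.get(i["imm"], (f"helper_{i['imm']}", ""))[0])
            for i in insns if i["op"] == BPF_CALL]


def map_refs(insns: List[dict]):
    """(pc, map name or fd) for every lddw that references a map."""
    return [(i["pc"], i["map"]) for i in insns if i["op"] == BPF_LDDW and "map" in i]


# Constructed sample: key=0 on the stack, lookup in a map, read the value if found.
SAMPLE_TEXT = bytes.fromhex(
    "b701000000000000"   # 0: r1 = 0
    "631afcff00000000"   # 1: *(u32 *)(r10-4) = r1
    "bfa2000000000000"   # 2: r2 = r10
    "07020000fcffffff"   # 3: r2 += -4
    "1801000000000000"   # 4: r1 = map (imm 0 on disk; relocation supplies the symbol)
    "0000000000000000"   #    second slot of lddw
    "8500000001000000"   # 6: call 1 (bpf_map_lookup_elem)
    "1500010000000000"   # 7: if r0 == 0 goto +1
    "6100000000000000"   # 8: r0 = *(u32 *)(r0+0)
    "9500000000000000"   # 9: exit
)
SAMPLE_RELOCS = {4 * 8: "counters"}  # constructed stand-in for an ELF .rel entry at pc 4

if __name__ == "__main__":
    for ins, text in zip(decode(SAMPLE_TEXT, SAMPLE_RELOCS), disassemble(SAMPLE_TEXT, SAMPLE_RELOCS)):
        print(f"{ins['pc']:3d}: {text}")
```

Note that the same lddw decodes differently depending on whether the bytes come from the on-disk object (src_reg 0, imm 0, relocation entry) or from a loaded program (src_reg 1, imm = fd); a processor module working on ELF files sees the former, which is why the map name has to come from a relocation handler rather than from the instruction bytes.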

Useful links
