This project was initially started as a part of Digital Security's Research Centre internship "Summer of Hack 2019".
The extension implements eBPF architecture support for Ghidra and allows for disassembly and decompilation of ELF files containing eBPF programs.
Example of eBPF program you can get here.
- Download Release version of extension and install it in Ghidra
File → Install Extensions... - Use gradle to build extension:
GHIDRA_INSTALL_DIR=${GHIDRA_HOME} gradleand use Ghidra to install it:File → Install Extensions... - Clone this repository to
\Ghidra\Extensionsdirectory.
Example of disassembling and decompiling of eBPF
Function Graph for eBPF
03.09 - eBPF maps implementation (added string info of map in decompiler and disassembler by using custom relocation handler)
19.09 - stack problem is resolved. eBPF call-helpers are implemented as syscalls (added helper's signature through custom eBPFAnalyzer)
23.09 - bad bookmarks fixed