The extension implements eBPF architecture support for Ghidra and allows for disassembly and decompilation of eBPF programs.
Since May 2023, eBPF-for-Ghidra has been included in the official NationalSecurityAgency/Ghidra repository.
You can get the latest updates and fixes for the eBPF module directly in Ghidra.
This repo may be archived in the future.
Example of eBPF program you can get here.
Example of disassembling and decompiling of eBPF:
File → Install Extensions...
GHIDRA_INSTALL_DIR=${GHIDRA_HOME} gradle
and use Ghidra to install it: File → Install Extensions...
GhidraExtensions
directory.03.09.2019 — eBPF maps implementation, custom relocation handler was implemented
19.09.2019 — problem with stack is resolved
20.09.2019 — eBPF call-helpers are implemented as syscalls, added helper's signature through custom eBPFAnalyzer
23.09.2019 — bad bookmarks fixed
01.12.2020 — new eBPF-helpers added
23.06.2022 — added support for relative calls (R_BPF_64_32
relocation type). Thanks @cnwangjihe for this idea. imm
of call instruction where bpf_call->src_reg == BPF_PSEUDO_CALL
now contains the relative offset to target function.
Before:
After:
24.06.2022 — making the Pull Request to official Ghidra repository as the main supplier of the eBPF processor
19.12.2022 — added support for BPF_ATOMIC operations, ALU32 instructions added, BPF_JMP32 instructions added, JSET instruction fixed
03.05.2023 — eBPF processor support added to the Ghidra official repository in the commit 506ca1e
Starting from Ghidra 10.3, the eBPF module is included by default in Ghidra. There's no need to build this project and add it as a Ghidra extension anymore. For users of older versions of Ghidra, the eBPF module can still be accessed through existing Releases.
Official kernel documentation
Official kernel documentation - questions
eBPF programs to test in Ghidra
Simple eBPF disassembler in Rust
Rust virtual machine and JIT compiler for eBPF programs
eBPF helpers (all)
eBPF overview