yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-03 17:59:46 +02:00
Code Issues Releases Wiki Activity

Add support for big endian eBPF programs

Browse source
This commit is contained in:
Nicolas Iooss 2025-05-07 15:40:24 +02:00
parent 52cb7a36e6
commit adb0eac98a
No known key found for this signature in database
GPG key ID: 3FF572B96BBFBCC7
5 changed files with 37 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Ghidra/Processors/eBPF/certification.manifest
View file

@ -7,4 +7,5 @@ data/languages/eBPF.ldefs||GHIDRA||||END|
data/languages/eBPF.opinion||GHIDRA||||END| data/languages/eBPF.opinion||GHIDRA||||END|
data/languages/eBPF.pspec||GHIDRA||||END| data/languages/eBPF.pspec||GHIDRA||||END|
data/languages/eBPF.sinc||GHIDRA||||END| data/languages/eBPF.sinc||GHIDRA||||END|
data/languages/eBPF_be.slaspec||GHIDRA||||END|
data/languages/eBPF_le.slaspec||GHIDRA||||END| data/languages/eBPF_le.slaspec||GHIDRA||||END|

12
Ghidra/Processors/eBPF/data/languages/eBPF.ldefs
View file

@ -1,5 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<language_definitions> <language_definitions>
<language processor="eBPF"
endian="big"
size="64"
variant="default"
version="1.0"
slafile="eBPF_be.sla"
processorspec="eBPF.pspec"
id="eBPF:BE:64:default">
<description>eBPF processor 64-bit big-endian</description>
<compiler name="default" spec="eBPF.cspec" id="default"/>
<external_name tool="DWARF.register.mapping.file" name="eBPF.dwarf"/>
</language>
<language processor="eBPF" <language processor="eBPF"
endian="little" endian="little"
size="64" size="64"

1
Ghidra/Processors/eBPF/data/languages/eBPF.opinion
View file

@ -1,5 +1,6 @@
<opinions> <opinions>
<constraint loader="Executable and Linking Format (ELF)" compilerSpecID="default"> <constraint loader="Executable and Linking Format (ELF)" compilerSpecID="default">
<constraint primary="247" processor="eBPF" endian="big" size="64" />
<constraint primary="247" processor="eBPF" endian="little" size="64" /> <constraint primary="247" processor="eBPF" endian="little" size="64" />
</constraint> </constraint>
</opinions> </opinions>

18
Ghidra/Processors/eBPF/data/languages/eBPF.sinc
View file

@ -15,6 +15,7 @@ define space syscall type=ram_space size=4;
define register offset=0 size=8 [ R0 R1 R2 R3 R4 R5 R6 R7 R8 R9 R10 PC ]; define register offset=0 size=8 [ R0 R1 R2 R3 R4 R5 R6 R7 R8 R9 R10 PC ];
# Instruction encoding: Insop:8, dst_reg:4, src_reg:4, off:16, imm:32 - from lsb to msb # Instruction encoding: Insop:8, dst_reg:4, src_reg:4, off:16, imm:32 - from lsb to msb
@if ENDIAN == "little"
define token instr(64) define token instr(64)
imm=(32, 63) signed imm=(32, 63) signed
off=(16, 31) signed off=(16, 31) signed
@ -31,6 +32,23 @@ define token instr(64)
define token immtoken(64) define token immtoken(64)
imm2=(32, 63) imm2=(32, 63)
; ;
@else # ENDIAN == "big"
define token instr(64)
imm=(0, 31) signed
off=(32, 47) signed
src=(48, 51)
dst=(52, 55)
op_insn_class=(56, 58)
op_ld_st_size=(59, 60)
op_ld_st_mode=(61, 63)
op_alu_jmp_source=(59, 59)
op_alu_jmp_opcode=(60, 63)
;
define token immtoken(64)
imm2=(0, 31)
;
@endif # ENDIAN = "big"
#To operate with registers #To operate with registers
attach variables [ src dst ] [ R0 R1 R2 R3 R4 R5 R6 R7 R8 R9 R10 _ _ _ _ _ ]; attach variables [ src dst ] [ R0 R1 R2 R3 R4 R5 R6 R7 R8 R9 R10 _ _ _ _ _ ];

3
Ghidra/Processors/eBPF/data/languages/eBPF_be.slaspec Normal file
View file

@ -0,0 +1,3 @@
@define ENDIAN "big"
@include "eBPF.sinc"