In 2023, the eBPF instruction set was modified to add several instructions related to signed operations (load with sign-extension, signed division, etc.), a 32-bit jump instruction and some byte-swap instructions. This became version 4 of eBPF ISA.

Here are some references about this change:

- https://pchaigno.github.io/bpf/2021/10/20/ebpf-instruction-sets.html (a blog post about eBPF instruction set extensions)
- https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/ (documentation sent to Linux Kernel mailing list)
- https://www.rfc-editor.org/rfc/rfc9669.html#name-sign-extension-load-operati (IETF's BPF Instruction Set Architecture standard defined the new instructions)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n1859 (implementation of signed division and remainder in Linux kernel. This shows that 32-bit signed DIV and signed MOD are zero-extending the result in DST)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n2135 (implementation of signed memory load in Linux kernel)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f9a1ea821ff25353a0e80d971e7958cd55b47a3 (commit which added signed memory load instructions in Linux kernel)

This can be tested with a recent enough version of clang and LLVM (this works with clang 19.1.4 on Alpine 3.21). For example for signed memory load instructions:

    signed int sext_8bit(signed char x) {
        return x;
    }

produces:

    $ clang -O0 -target bpf -mcpu=v4 -c test.c -o test.ebpf
    $ llvm-objdump -rd test.ebpf
    ...
    0000000000000000 <sext_8bit>:
           0: 73 1a ff ff 00 00 00 00 *(u8 *)(r10 - 0x1) = r1
           1: 91 a1 ff ff 00 00 00 00 r1 = *(s8 *)(r10 - 0x1)
           2: bc 10 00 00 00 00 00 00 w0 = w1
           3: 95 00 00 00 00 00 00 00 exit

(The second instruction is a signed memory load)

Instruction MOVS (Sign extend register MOV) uses offset to encode the conversion (whether the source register is to be considered as signed 8-bit, 16-bit or 32-bit integer).

The mnemonic for these instructions is quite unclear:

- They are all named MOVS in the proposal https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/
- LLVM and Linux disassemblers only display pseudo-code (`r0 = (s8)r1`)
- RFC 9669 (https://datatracker.ietf.org/doc/rfc9669/) uses MOVSX for all instructions.
- GCC uses MOVS for all instructions: https://github.com/gcc-mirror/gcc/blob/releases/gcc-14.1.0/gcc/config/bpf/bpf.md?plain=1#L326-L365

To make the disassembled code clearer, decode such instructions with a size suffix: MOVSB, MOVSH, MOVSW.

The decoding of instructions 32-bit JA, BSWAP16, BSWAP32 and BSWAP64 is straightforward.
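The offset-based MOVS encoding and the sign-extending load described in the commit message, as an added Python sketch that is not part of the commit or of Ghidra's processor specification: it decodes the four instructions from the listing above and names sign-extending moves MOVSB/MOVSH/MOVSW from the offset field. The function names, the operand syntax after the mnemonic and the small opcode subset handled are assumptions; rejecting offset 32 on the 32-bit MOV follows RFC 9669.

```python
import struct

# Constructed from the llvm-objdump listing in the commit message (sext_8bit).
SEXT_8BIT = bytes.fromhex(
    "731affff00000000"  # *(u8 *)(r10 - 0x1) = r1
    "91a1ffff00000000"  # r1 = *(s8 *)(r10 - 0x1)
    "bc10000000000000"  # w0 = w1
    "9500000000000000"  # exit
)

MEMSX_LOADS = {0x91: "s8", 0x89: "s16", 0x81: "s32"}  # BPF_LDX | BPF_MEMSX | size
MOVS_SUFFIX = {8: "MOVSB", 16: "MOVSH", 32: "MOVSW"}  # selected by the offset field


def mem(reg: int, off: int) -> str:
    """Render a register-plus-offset operand the way the listing does."""
    sign = "-" if off < 0 else "+"
    return f"(r{reg} {sign} {abs(off):#x})"


def decode(insn: bytes) -> str:
    """Decode one 8-byte little-endian eBPF instruction (subset only)."""
    opcode, regs, off, _imm = struct.unpack("<BBhi", insn)
    dst, src = regs & 0x0F, regs >> 4
    if opcode in MEMSX_LOADS:                 # sign-extending memory load
        return f"r{dst} = *({MEMSX_LOADS[opcode]} *){mem(src, off)}"
    if opcode == 0x73:                        # BPF_STX | BPF_MEM | BPF_B
        return f"*(u8 *){mem(dst, off)} = r{src}"
    if opcode in (0xBC, 0xBF):                # register MOV, 32-bit / 64-bit
        is64 = opcode == 0xBF
        p = "r" if is64 else "w"
        if off == 0:                          # plain MOV: offset must be zero
            return f"{p}{dst} = {p}{src}"
        if off in MOVS_SUFFIX and (is64 or off != 32):
            return f"{MOVS_SUFFIX[off]} {p}{dst}, {p}{src}"
        # Ignoring a non-zero offset here would show a sign-extending move
        # as a plain copy, so an unknown offset is an error, not a MOV.
        raise ValueError(f"invalid MOV offset {off}")
    if opcode == 0x95:                        # BPF_JMP | BPF_EXIT
        return "exit"
    raise ValueError(f"opcode {opcode:#04x} not handled in this sketch")


def disassemble(code: bytes) -> list[str]:
    return [decode(code[i:i + 8]) for i in range(0, len(code), 8)]
```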

Ghidra Software Reverse Engineering Framework
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.
In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.
If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.
Security Warning
WARNING: There are known security vulnerabilities within certain versions of Ghidra. Before proceeding, please read through Ghidra's Security Advisories for a better understanding of how you might be impacted.
Install
To install an official pre-built multi-platform Ghidra release:
- Install JDK 21 64-bit
- Download a Ghidra release file
  - NOTE: The official multi-platform release file is named ghidra_<version>_<release>_<date>.zip which can be found under the "Assets" drop-down. Downloading either of the files named "Source Code" is not correct for this step.
- Extract the Ghidra release file
- Launch Ghidra: ./ghidraRun (ghidraRun.bat for Windows)
  - or launch PyGhidra: ./support/pyGhidraRun (support\pyGhidraRun.bat for Windows)
For additional information and troubleshooting tips about installing and running a Ghidra release, please refer to the Getting Started document which can be found at the root of a Ghidra installation directory.
Build
To create the latest development build for your platform from this source repository:
Install build tools:
- JDK 21 64-bit
- Gradle 8.5+ (or provided Gradle wrapper if Internet connection is available)
- Python3 (version 3.9 to 3.13) with bundled pip
- make, gcc/g++ or clang (Linux/macOS-only)
- Microsoft Visual Studio 2017+ or Microsoft C++ Build Tools with the following components installed (Windows-only):
  - MSVC
  - Windows SDK
  - C++ ATL
Download and extract the source:
unzip ghidra-master
cd ghidra-master
NOTE: Instead of downloading the compressed source, you may instead want to clone the GitHub repository: git clone https://github.com/NationalSecurityAgency/ghidra.git
Download additional build dependencies into source repository:
NOTE: If an Internet connection is available and you did not install Gradle, the following gradle commands may be replaced with ./gradlew(.bat).
gradle -I gradle/support/fetchDependencies.gradle
Create development build:
gradle buildGhidra
The compressed development build will be located at build/dist/.
For more detailed information on building Ghidra, please read the Developer Guide.
For issues building, please check the Known Issues section for possible solutions.
Develop
User Scripts and Extensions
Ghidra installations support users writing custom scripts and extensions via the GhidraDev plugin for Eclipse. The plugin and its corresponding instructions can be found within a Ghidra release at Extensions/Eclipse/GhidraDev/ or at this link. Alternatively, Visual Studio Code may be used to edit scripts by clicking the Visual Studio Code icon in the Script Manager. Fully-featured Visual Studio Code projects can be created from a Ghidra CodeBrowser window at Tools -> Create VSCode Module project.
NOTE: Both the GhidraDev plugin for Eclipse and Visual Studio Code integrations only support developing against fully built Ghidra installations which can be downloaded from the Releases page.
Advanced Development
To develop the Ghidra tool itself, it is highly recommended to use Eclipse, which the Ghidra development process has been highly customized for.
Install build and development tools:
- Follow the above build instructions so the build completes without errors
- Install Eclipse IDE for Java Developers
Prepare the development environment:
gradle prepdev eclipse buildNatives
Import Ghidra projects into Eclipse:
- File -> Import...
- General | Existing Projects into Workspace
- Select root directory to be your downloaded or cloned ghidra source repository
- Check Search for nested projects
- Click Finish
When Eclipse finishes building the projects, Ghidra can be launched and debugged with the provided Ghidra Eclipse run configuration.
For more detailed information on developing Ghidra, please read the Developer Guide.
Contribute
If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at our Contributor Guide to see how you can participate in this open source project.