https://github.com/PassKeyRa/solana-ebpf-ida-processor
Solana Virtual Machine bytecode processor for IDA Pro
- Host: GitHub
- URL: https://github.com/PassKeyRa/solana-ebpf-ida-processor
- Owner: PassKeyRa
- Created: 2023-12-31T11:21:43.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2024-01-28T08:23:40.000Z (10 months ago)
- Last Synced: 2024-08-02T15:34:02.950Z (3 months ago)
- Language: Python
- Size: 877 KB
- Stars: 11
- Watchers: 1
- Forks: 0
- Open Issues: 0
# IDA Pro Solana bytecode processor
This is the processor plugin for IDA Pro that adds the ability to analyze Solana Virtual Machine bytecode. Since SVM is based on the enhanced Berkeley Packet Filter (eBPF) and mostly uses the same instruction set, [this](https://github.com/zandi/eBPF_processor) eBPF processor plugin was used as a basis.
## How to use
Copy `solana.py` to the directory `/procs` and select the processor when loading a Solana program file into IDA.
To dump a program from Solana mainnet, use the following command:
```
solana program dump
```
## FLIRT signatures
The latest version of the signatures file is currently `flirt/solana.sig`. Place the file into `%IDA_DIR%/sig/solana` (create the `solana` folder) and load it via the `File -> Load file -> FLIRT signature file...` menu.
### New signature file generation
The preprocessor `flirt/flair-preprocessor.py` generates a PAT file from the functions in a given `.rlib` ELF eBPF library file.
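A pre-flight check for the `.rlib` inputs, as an added example that is not part of this project's code: a Rust `.rlib` is an `ar` archive, and the functions below list which members are ELF objects whose header declares eBPF (`e_machine` 247), so libraries built for another target can be set aside before PAT generation. It assumes GNU-format archives and objects marked `EM_BPF`; the function names and the sample archive bytes are constructed for illustration.

```python
import struct

AR_MAGIC = b"!<arch>\n"
EM_BPF = 247  # e_machine value for eBPF ELF objects

def ar_members(blob):
    """Yield (name, data) for each member of a GNU-format ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos, longnames = 8, b""
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[:16].rstrip(b" ")
        size = int(hdr[48:58].decode().strip())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)      # members start on even offsets
        if name == b"//":                  # GNU long-name table
            longnames = data
        elif name != b"/":                 # "/" is the symbol index, skip it
            if name[:1] == b"/" and name[1:].isdigit():   # "/<offset>" long name
                off = int(name[1:].decode())
                name = longnames[off:longnames.index(b"/\n", off)]
            yield name.rstrip(b"/").decode(), data

def elf_machine(data):
    """Return e_machine of an ELF image, or None when data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 means little-endian
    return struct.unpack_from(endian + "H", data, 18)[0]

def bpf_objects(blob):
    """Names of the members whose ELF header declares EM_BPF."""
    return [n for n, d in ar_members(blob) if elf_machine(d) == EM_BPF]

# --- constructed sample archive (not a real library) ---
def _member(name, data):
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"644", len(data))
    return hdr + data + b"\n" * (len(data) & 1)

def _elf(machine):  # 20-byte little-endian ELF64 header stub
    return b"\x7fELF\x02\x01\x01\x00" + bytes(8) + struct.pack("<HH", 1, machine)

LONG = b"solana_program-0123456789abcdef.o"  # constructed name over 15 bytes
SAMPLE_RLIB = (AR_MAGIC + _member(b"//", LONG + b"/\n")
               + _member(b"lib.rmeta/", b"rust\x00")
               + _member(b"/0", _elf(EM_BPF))
               + _member(b"host.o/", _elf(62)))  # 62 = EM_X86_64
```

For a real library, pass the file's bytes to `bpf_objects`; an empty result means none of its members declare `EM_BPF`.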
To generate a new signature file, collect the `.rlib` files you want to process and generate the corresponding `.pat` file for each of these libraries. After that, use the `sigmake` tool from the official FLAIR suite to create a single `.sig` from all the `.pat` files. That takes two commands:
```bash
python3 flair-preprocessor.py .rlib .pat
sigmake -nSolanaEBPF *.pat solana.sig
```
## What works now
* Solana eBPF instructions disassembling, including function calls and jumps
* Strings detection
* Relocations detection
* FLAIR preprocessor to generate PAT files with library function signatures
## TODO
* Collect libraries and generate more signatures
* Figure out how relative imports work in Solana and implement them
* Come up with more improvements for better bytecode readability
## Thanks
Thanks to Clément Berthaux (clement (dot) berthaux (at) synacktiv (dot) com) and Michael Zandi (the (dot) zandi (at) gmail (dot) com) for developing the EBPF processor plugin, which is the base for this plugin.