Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bnbdr/ida-bpf-processor
BPF Processor for IDA Python
https://github.com/bnbdr/ida-bpf-processor
bpf disasm disassembler ida idapython-plugin processor seccomp
Last synced: 3 months ago
JSON representation
BPF Processor for IDA Python
- Host: GitHub
- URL: https://github.com/bnbdr/ida-bpf-processor
- Owner: bnbdr
- License: mit
- Created: 2017-04-18T20:25:53.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2018-08-27T19:41:55.000Z (about 6 years ago)
- Last Synced: 2024-07-09T08:41:45.220Z (4 months ago)
- Topics: bpf, disasm, disassembler, ida, idapython-plugin, processor, seccomp
- Language: Python
- Homepage:
- Size: 37.1 KB
- Stars: 50
- Watchers: 4
- Forks: 7
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# BPF Bytecode Processor for IDA (python)
![](example.png)
## Processor
Supports the old BPF bytecode only (no eBPF).The processor will display conditional branches with a 0 value true-offset as their opposite logical counterpart, e.g. `JEQ 0xFF, 0, 1` as `JNE 0xFF, 1, 0`.
## Loader
The loader accepts files that have a custom bpf header and sets up several symbolic constants for seccomp:
```c
SECCOMP_RET_KILL = 0x00000000
SECCOMP_RET_TRAP = 0x00030000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_TRACE = 0x7ff00000
SECCOMP_RET_ALLOW = 0x7fff0000
// --------------
AUDIT_ARCH_I386 = 0x40000003
AUDIT_ARCH_X86_64 = 0xC000003E
```
### File Format
The loader accepts files in the following format (see [010template](bpf.bt)):
```c
int magic;
int reserved;
struct sock_filter bpf_c[0];
```
where `magic` must be `"bpf\0"` and `reserved` must be 0.## Installation
put the processor plugin `bpf.py` in:
```xml
\procs\
```
put the file loader `bpf_loader.py` in:
```xml
\loaders\
```## Supported Versions
- IDA 7.x (tested on 7.0).
- For older IDA versions use [this](https://github.com/bnbdr/ida-bpf-processor/releases/tag/v1.0.0).## License
[MIT](https://opensource.org/licenses/MIT) 2018 [@bnbdr](https://github.com/bnbdr/)## Relevant References
- https://www.hex-rays.com/products/ida/support/idapython_docs/
- https://www.hex-rays.com/products/ida/support/sdkdoc/
- http://www.tcpdump.org/papers/bpf-usenix93.pdf
- https://www.kernel.org/doc/Documentation/networking/filter.txt
- http://man7.org/linux/man-pages/man2/seccomp.2.html
- https://github.com/seccomp/libseccomp/blob/master/tools/scmp_bpf_disasm.c
- https://github.com/ghTemp123/wiresharkplugin/blob/master/Scripts/Libnids-119_With_managedLibnids/Libnids-1.19/WIN32-Includes/NET/Bpf.h