Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mtardy/mahebpf
(For now) an educational eBPF disassembler
Last synced: 24 days ago
- Host: GitHub
- URL: https://github.com/mtardy/mahebpf
- Owner: mtardy
- Created: 2023-10-13T18:44:28.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2023-11-06T00:07:50.000Z (almost 1 year ago)
- Last Synced: 2024-07-30T18:13:32.869Z (3 months ago)
- Topics: disassembler, ebpf, junk
- Language: Go
- Homepage:
- Size: 14.6 KB
- Stars: 4
- Watchers: 3
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
# maheBPF
maheBPF™ for my asinine holistic enterprise BPF pseudocode fragmentor.
## Installation
Install it with `go install`. The project is nice enough to not have
external dependencies (for now).

```shell-session
go install github.com/mtardy/mahebpf@latest
```

## Usage
### ELF

Let's say you have a BPF program in an ELF at the section `kprobe/pizza`
(little-endian only club, thanks) and you want to disassemble it with a
military-grade™ disassembler:

```shell-session
mahebpf prog.o kprobe/pizza
```

For my very useful little program, the output looks like this:
```text
0: b701000000000000 r1 = 0
1: 631afcff00000000 *(u32 *)(r10 - 4) = r1
2: 850000000e000000 call 14
3: bf06000000000000 r6 = r0
4: 636af8ff00000000 *(u32 *)(r10 - 8) = r6
5: bfa2000000000000 r2 = r10
6: 07020000fcffffff r2 += -4
7: 1801000000000000 0000000000000000 r1 = 0 ll
9: 8500000001000000 call 1
10: 5500090000000000 if r0 != 0 goto +9
11: bfa2000000000000 r2 = r10
12: 07020000fcffffff r2 += -4
13: bfa3000000000000 r3 = r10
14: 07030000f8ffffff r3 += -8
15: 1801000000000000 0000000000000000 r1 = 0 ll
17: b704000000000000 r4 = 0
18: 8500000002000000 call 2
19: 0500010000000000 goto +1
20: 6360000000000000 *(u32 *)(r0 + 0) = r6
21: b700000000000000 r0 = 0
22: 9500000000000000 exit
```

Cool, no? A bit like `llvm-objdump -S prog.o`, but bad.
### 🇺🇸 ASCII

If you like to store your eBPF bytecode in ASCII in a text format like a person
of taste, I got you covered. Let's say you have a program in a `prog.txt` that
looks like this:

```text
b7 01 00 00 00 00 00 00
63 1a fc ff 00 00 00 00
85 00 00 00 0e 00 00 00
bf 06 00 00 00 00 00 00
63 6a f8 ff 00 00 00 00
bf a2 00 00 00 00 00 00
07 02 00 00 fc ff ff ff
18 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00
85 00 00 00 01 00 00 00
55 00 09 00 00 00 00 00
bf a2 00 00 00 00 00 00
07 02 00 00 fc ff ff ff
bf a3 00 00 00 00 00 00
07 03 00 00 f8 ff ff ff
18 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00
b7 04 00 00 00 00 00 00
85 00 00 00 02 00 00 00
05 00 01 00 00 00 00 00
```

To disassemble this hexabeauty:

```shell-session
mahebpf --type ascii prog.txt
```

Boom 💥🤯, same output as before!
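
An added example, not mahebpf's own code: a minimal Go decoder for the ASCII layout above. It splits each 8-byte little-endian slot into opcode, registers, offset and immediate, and shows why the listing jumps from index 7 to 9: opcode `0x18` (the 64-bit immediate load) occupies two slots. The names `Insn`, `Decode` and `sample` are illustrative.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Insn is one decoded instruction; Slot is its index in 8-byte units.
type Insn struct {
	Slot         int
	Op, Dst, Src uint8
	Off          int16
	Imm          int64 // wider than 32 bits only for opcode 0x18
}

// Decode parses whitespace-separated hex bytes into little-endian eBPF instructions.
func Decode(text string) ([]Insn, error) {
	raw, err := hex.DecodeString(strings.Join(strings.Fields(text), ""))
	if err != nil {
		return nil, err
	}
	if len(raw)%8 != 0 {
		return nil, fmt.Errorf("%d bytes is not a whole number of slots", len(raw))
	}
	le := binary.LittleEndian
	var out []Insn
	for i := 0; i < len(raw); i += 8 {
		b := raw[i : i+8]
		in := Insn{Slot: i / 8, Op: b[0], Dst: b[1] & 0x0f, Src: b[1] >> 4,
			Off: int16(le.Uint16(b[2:4])), Imm: int64(int32(le.Uint32(b[4:8])))}
		if in.Op == 0x18 { // 64-bit load: upper half of imm sits in the next slot
			if i+16 > len(raw) {
				return nil, fmt.Errorf("slot %d: truncated 64-bit load", in.Slot)
			}
			in.Imm = int64(uint64(le.Uint32(raw[i+12:i+16]))<<32 | uint64(le.Uint32(b[4:8])))
			i += 8 // never decode the second slot as an opcode
		}
		out = append(out, in)
	}
	return out, nil
}

// Constructed sample: four consecutive rows copied from the prog.txt listing.
const sample = "07 02 00 00 fc ff ff ff\n18 01 00 00 00 00 00 00\n00 00 00 00 00 00 00 00\n85 00 00 00 01 00 00 00\n"

func main() {
	fmt.Println(Decode(sample))
}
```

A decoder that treats the second half of a wide load as its own opcode goes out of sync with the slot indices that jump offsets are counted in, which is why the truncated-load case is rejected instead of guessed at.
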
## Contribute
Don't.