
Proposal: contrib/bpf_inspect.py: disas bpf prog with capstone #409

Draft: wants to merge 1 commit into base branch main from feature/bpf_inspect/disas

Conversation

@Asphaltt (Contributor) commented Jun 25, 2024

I've read "Add disassembler".

So, I tried to disassemble a bpf prog with capstone.

Here's an example.

```
$ sudo drgn ./contrib/bpf_inspect.py i
For help, type help(drgn).
>>> import drgn
>>> from drgn import NULL, Object, cast, container_of, execscript, offsetof, reinterpret, sizeof, stack_trace
>>> from drgn.helpers.common import *
>>> from drgn.helpers.linux import *
>>> list_bpf_progs()
     2: BPF_PROG_TYPE_TRACING            hid_tail_call
  2295: BPF_PROG_TYPE_EXT                entry                            tail_call_reachable
  2400: BPF_PROG_TYPE_EXT                entry                            tail_call_reachable
  3810: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_egress
  3811: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_ingress
  3812: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  3813: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  3814: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  3815: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  3816: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_egress
  3817: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_ingress
  3818: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  3819: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_egress
  3820: BPF_PROG_TYPE_CGROUP_SKB         sd_fw_ingress
  3821: BPF_PROG_TYPE_CGROUP_DEVICE      sd_devices
  4235: BPF_PROG_TYPE_SCHED_CLS          entry1
>>> p = get_bpf_prog_by_id(4235)
>>> subprog = p.get_subprog(2)
>>> print("\n".join(subprog.disas()))
/usr/local/lib/python3.12/dist-packages/capstone/__init__.py:380: UserWarning: Module _drgn was already imported from /usr/lib/python3/dist-packages/_drgn.cpython-312-x86_64-linux-gnu.so, but /root/shares/Projects/leonhwang/drgn-bpf is being added to sys.path
  import pkg_resources
/usr/local/lib/python3.12/dist-packages/capstone/__init__.py:380: UserWarning: Module drgn was already imported from /usr/lib/python3/dist-packages/drgn/__init__.py, but /root/shares/Projects/leonhwang/drgn-bpf is being added to sys.path
  import pkg_resources
0xffffffffc009ed48:	0f 1f 44 00 00     	nop	dword ptr [rax + rax]
0xffffffffc009ed4d:	66 90              	nop
0xffffffffc009ed4f:	55                 	push	rbp
0xffffffffc009ed50:	48 89 e5           	mov	rbp, rsp
0xffffffffc009ed53:	48 bf 22 79 bc 81 01 99 ff ff	movabs	rdi, 0xffff990181bc7922
0xffffffffc009ed5d:	be 12 00 00 00     	mov	esi, 0x12
0xffffffffc009ed62:	e8 89 90 44 c4     	call	0xffffffff844e7df0
0xffffffffc009ed67:	31 c0              	xor	eax, eax
0xffffffffc009ed69:	c9                 	leave
0xffffffffc009ed6a:	c3                 	ret
0xffffffffc009ed6b:	cc                 	int3
```

But if I import capstone directly, it warns about a cyclic import.

@Asphaltt Asphaltt changed the title contrib/bpf_inspect.py: show used maps of prog Proposal: contrib/bpf_inspect.py: disas bpf prog with capstone Jun 25, 2024
@Asphaltt Asphaltt force-pushed the feature/bpf_inspect/disas branch 3 times, most recently from 1c6aade to 85d02c6 Compare June 28, 2024 15:38
It is really useful to disassemble a bpf prog with drgn instead of gdb.

In this commit, it uses [capstone](https://github.com/capstone-engine/capstone)
to disassemble the bpf prog, as it can get the address from the bpf prog's ksym.

Meanwhile, it is able to disassemble the trampoline of a fentry/fexit bpf prog.

Signed-off-by: Leon Hwang <[email protected]>
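The commit message says the JIT image is fed to capstone starting at the address taken from the prog's ksym. The Python below is an added example, not code from this PR or from drgn, showing why that base address matters: it takes the 36 bytes of subprog 2 quoted in the description (constructed here from the listing), disassembles them with capstone's Python bindings, and resolves the rel32 `call` target by hand. The displacement is relative to the next instruction, so with a wrong ksym start every call target in the listing shifts by the same offset, and a reviewer checking that the prog only calls the helpers it is expected to would be checking the wrong addresses. `KSYM_END`, `resolve_rel32_call`, `classify_call_target` and `disas_jit_image` are the example's own names; the ksym end is assumed to coincide with the end of the quoted bytes.

```python
import struct
from typing import List

# Constructed sample input: the bytes of subprog 2 of prog id 4235 exactly as
# quoted in the PR description, placed at the ksym start address shown there.
KSYM_START = 0xFFFFFFFFC009ED48
JIT_IMAGE = bytes.fromhex(
    "0f1f440000"            # nop dword ptr [rax + rax]
    "6690"                  # nop
    "55"                    # push rbp
    "4889e5"                # mov rbp, rsp
    "48bf2279bc810199ffff"  # movabs rdi, 0xffff990181bc7922
    "be12000000"            # mov esi, 0x12
    "e8899044c4"            # call rel32
    "31c0"                  # xor eax, eax
    "c9"                    # leave
    "c3"                    # ret
    "cc"                    # int3
)
# Assumption made by this example: the ksym covers exactly the quoted bytes.
KSYM_END = KSYM_START + len(JIT_IMAGE)


def resolve_rel32_call(insn_addr: int, insn: bytes) -> int:
    """Return the absolute target of a near CALL rel32 (opcode 0xE8).

    The 32-bit displacement is signed and relative to the address of the
    *next* instruction (insn_addr + 5), which is why the disassembler needs
    the real ksym start: the bytes alone do not tell you where the call goes.
    """
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte CALL rel32")
    (disp,) = struct.unpack("<i", insn[1:5])
    return (insn_addr + 5 + disp) & 0xFFFFFFFFFFFFFFFF


def classify_call_target(target: int, ksym_start: int, ksym_end: int) -> str:
    """'intra-image' when the call stays inside the prog's own ksym range,
    'external' when it leaves it (a BPF helper or another kernel function)."""
    return "intra-image" if ksym_start <= target < ksym_end else "external"


def disas_jit_image(code: bytes, base: int, ksym_end: int) -> List[str]:
    """Disassemble an x86-64 JIT image with capstone, annotating every
    rel32 call with its resolved target and whether it leaves the image."""
    # Imported inside the function so a missing capstone only affects
    # callers of this function and its import-time side effects run after
    # the script's own imports.
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64

    md = Cs(CS_ARCH_X86, CS_MODE_64)
    lines = []
    for insn in md.disasm(code, base):
        raw = bytes(insn.bytes)
        text = f"0x{insn.address:x}:\t{raw.hex(' '):<30}\t{insn.mnemonic}\t{insn.op_str}"
        if insn.mnemonic == "call" and raw[0] == 0xE8:
            target = resolve_rel32_call(insn.address, raw)
            kind = classify_call_target(target, base, ksym_end)
            text += f"  ; -> 0x{target:x} ({kind})"
        lines.append(text)
    return lines


if __name__ == "__main__":
    print("\n".join(disas_jit_image(JIT_IMAGE, KSYM_START, KSYM_END)))
```

Run against the quoted bytes, the `call` at 0xffffffffc009ed62 resolves to 0xffffffff844e7df0, the same target capstone printed in the PR's session, and is classified as external because it lies outside the subprog's ksym range. Feeding the same bytes with a base of 0 would decode identically but resolve the call to 0x844e7df0, which is the failure mode the ksym lookup in the PR avoids.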
@Asphaltt Asphaltt force-pushed the feature/bpf_inspect/disas branch from 85d02c6 to ab9231d Compare July 13, 2024 03:51