jitted eBPF code
I added a disasm for jitted eBPF code yesterday. To put it mildly, this code is very poor. Every function has 7 bytes of nops in the prolog. The comment says that this is for the BPF trampoline - well, ok. Lots of code...

overhead of eBPF JIT
Let's try to estimate the overhead of the JIT compiler. I wrote a simple perl script - it just counts redundant bytes for several cases: a pair mov reg, rbp / add reg, imm (total length 7 bytes) can be replaced with lea...

plugin for Binary Ninja
Due to the sad fact that IDA Pro is moving to the cloud (just think about confidentiality) I decided to look at some alternatives - Binary Ninja. The first impression was terrible: totally unknown API, guys - why...

ida pro plugin for unpacking lzma compressed linux kernel
UOS linux for mips64 contains a strange linux kernel which cannot be unpacked with the famous extract-vmlinux. Let's see what happens: zimage_start = (unsigned long)(&__image_begin); zimage_size = (unsigned...

ida pro plugin to handle loongson elf relocs
It seems that you can't just go ahead and implement your own proc_def_t for a processor module - bcs the ida pro sdk doesn't include the needed symbols, you will just get something like 1>reg.obj : error...

reversing of sunway sw64 ISA
It seems that the Chinese are hiding information about another of their homemade processors, sw64 - try to find some technical details with google, baidu or gitee. At the same time they ported linux to this...

position independent sw64 code
Let's see how PIC looks for sw64 on the example of a function from libLLVM-7.so.1 (a huge shared library - size 45Mb): 1000ED0 ldih GP, PV, 0x1D3. PV almost always contains the address of the called...

ebpf maps
As you can see from the function bpf_map_alloc_id, all bpf maps are stored in the balanced tree map_idr and synced on the spinlock map_idr_lock. No surprise that you can't view them in user-mode - there is the bpf command...

ebpf opcodes patching
I made a disasm for eBPF opcodes today. Let's see how they look: 85 00 00 00 C0 10 02 00 call 0x210C0. In jitted code this is call 0xffffffffb4c14110. ffffffffb4c14110 - 210C0 = FFFFFFFFB4BF3050,...

pmu events
Some details: pmus are stored in the tree pmu_idr and synced with the mutex pmus_lock, and as usual can be used to blind eBPF. How? Let's see: generally speaking there are usually four steps involved to attach an eBPF...

verification of jitted ebpf code
There are some projects for ebpf in usermode, but for verification purposes you need the same code which was used in the kernel. So I ripped out some jit code to run it in...

size of ebpf jit code on different processors
It doesn't make much sense, but bcs I now have several jit compilers - why not compare how much size the jitted code has for different processors? I chose 3 ebpf programs: a simple BPF_PROG_TYPE_CGROUP_SKB with...

PoC to blind pamspy
Let's disasm the jit code from this spyware: [8] prog 0xffffb02dc0133000 id 160 len 46 jited_len 215 aux 0xffff8ccb58fab400 used_maps 1 used_btf 0 func_cnt 0 tag: 0F 86 19 76 BC 37 68 B3 stack_depth:...

dirty secrets of ld.so
As you may know, you can set the library path under linux in several ways: the envvar LD_LIBRARY_PATH, but it can be removed somewhere inside the program so /proc/pid/environ is useless (as usual they expose via...

BTI incompatible exported functions in kernel 5.15.0-53
"if BTI is enabled, the first instruction encountered after an indirect jump must be a special BTI instruction" (from here). I downloaded Ubuntu for arm64 (jammy-desktop-arm64.iso) and decided to check if...

linux drivers cross-compilation
Just a reminder for myself how to build a driver for arm64 having an x64 based machine with ubuntu. Install the right gcc: for arm64 we need gcc-aarch64-linux-gnu: sudo apt-get install gcc-aarch64-linux-gnu. Build...

timers in linux kernel
Timers are a very important artifact for forensics; for example Volatility even has a plugin to dump timers from the windows kernel. Unfortunately Volatility cannot dump timers from the linux kernel so I made such...

dwarfdump
I made a pale analog of the world famous pdbdump to dump types and functions from DWARF. Before introducing my tool I have several words about DWARF - it is excessive, compiler-specific, inconsistent and...

DWARF size overhead
I made a simple script today to estimate the size overhead due to type duplication. This is a hard task for C++ - bcs some types can have specialized (or partially specialized) template parameters and sure this...

custom dwarf attributes in golang
Finally I found them: 0x2900 DW_AT_go_kind, form DW_FORM_data1. Internal golang type kind. For example DW_TAG_structure_type can have kind Struct, Slice or String. I made a script to extract statistics...