drgn
drgn copied to clipboard
Published
20 hours ago •
osandov
osandov
Proposal: contrib/bpf_inspect.py: disas bpf prog with capstone
I've read Add disassembler.
So, I try to disas bpf prog with capstone.
Here's an example.
$ sudo drgn ./contrib/bpf_inspect.py i
For help, type help(drgn).
>>> import drgn
>>> from drgn import NULL, Object, cast, container_of, execscript, offsetof, reinterpret, sizeof, stack_trace
>>> from drgn.helpers.common import *
>>> from drgn.helpers.linux import *
>>> list_bpf_progs()
2: BPF_PROG_TYPE_TRACING hid_tail_call
2295: BPF_PROG_TYPE_EXT entry tail_call_reachable
2400: BPF_PROG_TYPE_EXT entry tail_call_reachable
3810: BPF_PROG_TYPE_CGROUP_SKB sd_fw_egress
3811: BPF_PROG_TYPE_CGROUP_SKB sd_fw_ingress
3812: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
3813: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
3814: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
3815: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
3816: BPF_PROG_TYPE_CGROUP_SKB sd_fw_egress
3817: BPF_PROG_TYPE_CGROUP_SKB sd_fw_ingress
3818: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
3819: BPF_PROG_TYPE_CGROUP_SKB sd_fw_egress
3820: BPF_PROG_TYPE_CGROUP_SKB sd_fw_ingress
3821: BPF_PROG_TYPE_CGROUP_DEVICE sd_devices
4235: BPF_PROG_TYPE_SCHED_CLS entry1
>>> p = get_bpf_prog_by_id(4235)
>>> subprog = p.get_subprog(2)
>>> print("\n".join(subprog.disas()))
/usr/local/lib/python3.12/dist-packages/capstone/__init__.py:380: UserWarning: Module _drgn was already imported from /usr/lib/python3/dist-packages/_drgn.cpython-312-x86_64-linux-gnu.so, but /root/shares/Projects/leonhwang/drgn-bpf is being added to sys.path
import pkg_resources
/usr/local/lib/python3.12/dist-packages/capstone/__init__.py:380: UserWarning: Module drgn was already imported from /usr/lib/python3/dist-packages/drgn/__init__.py, but /root/shares/Projects/leonhwang/drgn-bpf is being added to sys.path
import pkg_resources
0xffffffffc009ed48: 0f 1f 44 00 00 nop dword ptr [rax + rax]
0xffffffffc009ed4d: 66 90 nop
0xffffffffc009ed4f: 55 push rbp
0xffffffffc009ed50: 48 89 e5 mov rbp, rsp
0xffffffffc009ed53: 48 bf 22 79 bc 81 01 99 ff ff movabs rdi, 0xffff990181bc7922
0xffffffffc009ed5d: be 12 00 00 00 mov esi, 0x12
0xffffffffc009ed62: e8 89 90 44 c4 call 0xffffffff844e7df0
0xffffffffc009ed67: 31 c0 xor eax, eax
0xffffffffc009ed69: c9 leave
0xffffffffc009ed6a: c3 ret
0xffffffffc009ed6b: cc int3
But, if import capstone directly, it warns cyclic import.
