capstone-engine · aquynh · Feb 18, 2019 · Feb 13, 2019 · Feb 14, 2019 · Feb 14, 2019
diff --git a/.gitignore b/.gitignore
@@ -70,6 +70,7 @@ tests/test_m680x
 tests/test_evm
 tests/test_wasm
 tests/test_mos65xx
+tests/test_bpf
 
 # regress binaries
 suite/regress/invalid_read_in_print_operand

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -28,8 +28,8 @@ option(CAPSTONE_BUILD_TESTS "Build tests" ON)
 option(CAPSTONE_BUILD_CSTOOL "Build cstool" ON)
 option(CAPSTONE_USE_DEFAULT_ALLOC "Use default memory allocation functions" ON)
 
-set(SUPPORTED_ARCHITECTURES ARM ARM64 M68K MIPS PPC SPARC SYSZ XCORE X86 TMS320C64X M680X EVM MOS65XX WASM)
-set(SUPPORTED_ARCHITECTURE_LABELS ARM ARM64 M68K MIPS PowerPC Sparc SystemZ XCore x86 TMS320C64x M680x EVM MOS65XX WASM)
+set(SUPPORTED_ARCHITECTURES ARM ARM64 M68K MIPS PPC SPARC SYSZ XCORE X86 TMS320C64X M680X EVM MOS65XX WASM BPF)
+set(SUPPORTED_ARCHITECTURE_LABELS ARM ARM64 M68K MIPS PowerPC Sparc SystemZ XCore x86 TMS320C64x M680x EVM MOS65XX WASM BPF)
 
 list(LENGTH SUPPORTED_ARCHITECTURES count)
 math(EXPR count "${count}-1")
@@ -115,6 +115,7 @@ set(HEADERS_COMMON
     include/capstone/tms320c64x.h
     include/capstone/m680x.h
     include/capstone/mos65xx.h
+    include/capstone/bpf.h
     include/capstone/platform.h
     )
 
@@ -475,6 +476,24 @@ if (NOT CAPSTONE_X86_ONLY AND CAPSTONE_MOS65XX_SUPPORT)
     set(TEST_SOURCES ${TEST_SOURCES} test_mos65xx.c)
 endif ()
 
+if (NOT CAPSTONE_X86_ONLY AND CAPSTONE_BPF_SUPPORT)
+    add_definitions(-DCAPSTONE_HAS_BPF)
+    set(SOURCES_BPF
+        arch/BPF/BPFDisassembler.c
+        arch/BPF/BPFInstPrinter.c
+        arch/BPF/BPFMapping.c
+        arch/BPF/BPFModule.c
+	)
+    set(HEADERS_BPF
+        arch/BPF/BPFConstants.h
+        arch/BPF/BPFDisassembler.h
+        arch/BPF/BPFInstPrinter.h
+        arch/BPF/BPFMapping.h
+        arch/BPF/BPFModule.h
+    )
+    set(TEST_SOURCES ${TEST_SOURCES} test_bpf.c)
+endif ()
+
 if (CAPSTONE_OSXKERNEL_SUPPORT)
     add_definitions(-DCAPSTONE_HAS_OSXKERNEL)
 endif ()
@@ -495,6 +514,7 @@ set(ALL_SOURCES
     ${SOURCES_EVM}
     ${SOURCES_WASM}
     ${SOURCES_MOS65XX}
+    ${SOURCES_BPF}
     )
 
 set(ALL_HEADERS
@@ -514,6 +534,7 @@ set(ALL_HEADERS
     ${HEADERS_EVM}
     ${HEADERS_WASM}
     ${HEADERS_MOS65XX}
+    ${HEADERS_BPF}
     )
 
 include_directories("${PROJECT_SOURCE_DIR}/include")
@@ -596,6 +617,7 @@ source_group("Source\\M680X" FILES ${SOURCES_M680X})
 source_group("Source\\EVM" FILES ${SOURCES_EVM})
 source_group("Source\\WASM" FILES ${SOURCES_WASM})
 source_group("Source\\MOS65XX" FILES ${SOURCES_MOS65XX})
+source_group("Source\\BPF" FILES ${SOURCES_BPF})
 
 source_group("Include\\Common" FILES ${HEADERS_COMMON})
 source_group("Include\\Engine" FILES ${HEADERS_ENGINE})
@@ -613,6 +635,7 @@ source_group("Include\\M680X" FILES ${HEADERS_MC680X})
 source_group("Include\\EVM" FILES ${HEADERS_EVM})
 source_group("Include\\WASM" FILES ${HEADERS_WASM})
 source_group("Include\\MOS65XX" FILES ${HEADERS_MOS65XX})
+source_group("Include\\BPF" FILES ${HEADERS_BPF})
 
 ### test library 64bit routine:
 get_property(LIB64 GLOBAL PROPERTY FIND_LIBRARY_USE_LIB64_PATHS)

diff --git a/COMPILE.TXT b/COMPILE.TXT
@@ -96,6 +96,7 @@ Capstone requires no prerequisite packages, so it is easy to compile & install.
 	/usr/include/capstone/systemz.h
 	/usr/include/capstone/tms320c64x.h
 	/usr/include/capstone/xcore.h
+	/usr/include/capstone/bpf.h
 	/usr/include/capstone/platform.h
 	/usr/lib/libcapstone.so (for Linux/*nix), or /usr/lib/libcapstone.dylib (OSX)
 	/usr/lib/libcapstone.a

diff --git a/COMPILE_CMAKE.TXT b/COMPILE_CMAKE.TXT
@@ -34,6 +34,7 @@ Get CMake for free from http://www.cmake.org.
   - CAPSTONE_X86_M680X: support M680X. Run cmake with -DCAPSTONE_M680X_SUPPORT=0 to remove M680X.
   - CAPSTONE_X86_EVM: support EVM. Run cmake with -DCAPSTONE_EVM_SUPPORT=0 to remove EVM.
   - CAPSTONE_X86_WASM: support Web Assembly. Run cmake with -DCAPSTONE_WASM_SUPPORT=0 to remove WASM.
+  - CAPSTONE_BPF_SUPPORT: support BPF. Run cmake with -DCAPSTONE_BPF_SUPPORT=0 to remove BPF.
 
   By default, all architectures are compiled in.
 

diff --git a/CREDITS.TXT b/CREDITS.TXT
@@ -81,3 +81,4 @@ Tong Yu(Spike) & Kai Jern, Lau (xwings): WASM architecture.
 Sebastian Macke: MOS65XX architecture
 Ilya Leoshkevich: SystemZ architecture improvements.
 Do Minh Tuan: Regression testing tool (cstest)
+david942j: BPF (both classic and extended) architecture.
diff --git a/HACK.TXT b/HACK.TXT
@@ -7,6 +7,7 @@ Capstone source is organized as followings.
 ├── arch            <- code handling disasm engine for each arch
 │   ├── AArch64     <- ARM64 (aka ARMv8) engine
 │   ├── ARM         <- ARM engine
+│   ├── BPF         <- Berkeley Packet Filter engine
 │   ├── EVM         <- Ethereum engine
 │   ├── M680X       <- M680X engine
 │   ├── M68K        <- M68K engine

diff --git a/Makefile b/Makefile
@@ -271,10 +271,21 @@ ifneq (,$(findstring mos65xx,$(CAPSTONE_ARCHS)))
 endif
 
 
+DEP_BPF =
+DEP_BPF += $(wildcard arch/BPF/BPF*.inc)
+
+LIBOBJ_BPF =
+ifneq (,$(findstring bpf,$(CAPSTONE_ARCHS)))
+	CFLAGS += -DCAPSTONE_HAS_BPF
+	LIBSRC_BPF += $(wildcard arch/BPF/BPF*.c)
+	LIBOBJ_BPF += $(LIBSRC_BPF:%.c=$(OBJDIR)/%.o)
+endif
+
+
 LIBOBJ =
 LIBOBJ += $(OBJDIR)/cs.o $(OBJDIR)/utils.o $(OBJDIR)/SStream.o $(OBJDIR)/MCInstrDesc.o $(OBJDIR)/MCRegisterInfo.o
 LIBOBJ += $(LIBOBJ_ARM) $(LIBOBJ_ARM64) $(LIBOBJ_M68K) $(LIBOBJ_MIPS) $(LIBOBJ_PPC) $(LIBOBJ_SPARC) $(LIBOBJ_SYSZ)
-LIBOBJ += $(LIBOBJ_X86) $(LIBOBJ_XCORE) $(LIBOBJ_TMS320C64X) $(LIBOBJ_M680X) $(LIBOBJ_EVM) $(LIBOBJ_MOS65XX) $(LIBOBJ_WASM)
+LIBOBJ += $(LIBOBJ_X86) $(LIBOBJ_XCORE) $(LIBOBJ_TMS320C64X) $(LIBOBJ_M680X) $(LIBOBJ_EVM) $(LIBOBJ_MOS65XX) $(LIBOBJ_WASM) $(LIBOBJ_BPF)
 LIBOBJ += $(OBJDIR)/MCInst.o
 
 
@@ -405,6 +416,7 @@ $(LIBOBJ_M680X): $(DEP_M680X)
 $(LIBOBJ_EVM): $(DEP_EVM)
 $(LIBOBJ_WASM): $(DEP_WASM)
 $(LIBOBJ_MOS65XX): $(DEP_MOS65XX)
+$(LIBOBJ_BPF): $(DEP_BPF)
 
 ifeq ($(CAPSTONE_STATIC),yes)
 $(ARCHIVE): $(LIBOBJ)
@@ -480,12 +492,12 @@ dist:
 
 
 TESTS = test_basic test_detail test_arm test_arm64 test_m68k test_mips test_ppc test_sparc
-TESTS += test_systemz test_x86 test_xcore test_iter test_evm test_mos65xx test_wasm
+TESTS += test_systemz test_x86 test_xcore test_iter test_evm test_mos65xx test_wasm test_bpf
 TESTS += test_basic.static test_detail.static test_arm.static test_arm64.static
 TESTS += test_m68k.static test_mips.static test_ppc.static test_sparc.static
 TESTS += test_systemz.static test_x86.static test_xcore.static test_m680x.static
 TESTS += test_skipdata test_skipdata.static test_iter.static test_evm.static
-TESTS += test_mos65xx.static test_wasm.static
+TESTS += test_mos65xx.static test_wasm.static test_bpf.static
 check: $(TESTS) fuzztest fuzzallcorp
 test_%:
 	./tests/$@ > /dev/null && echo OK || echo FAILED

diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ disasm engine for binary analysis and reversing in the security community.
 Created by Nguyen Anh Quynh, then developed and maintained by a small community,
 Capstone offers some unparalleled features:
 
-- Support multiple hardware architectures: ARM, ARM64 (ARMv8), Ethereum VM, Webassembly, M68K,
+- Support multiple hardware architectures: ARM, ARM64 (ARMv8), BPF, Ethereum VM, Webassembly, M68K,
   Mips, MOS65XX, PPC, Sparc, SystemZ, TMS320C64X, M680X, XCore and X86 (including X86_64).
 
 - Having clean/simple/lightweight/intuitive architecture-neutral API.

diff --git a/arch/BPF/BPFConstants.h b/arch/BPF/BPFConstants.h
@@ -0,0 +1,88 @@
+/* Capstone Disassembly Engine */
+/* BPF Backend by david942j <david942j@gmail.com>, 2019 */
+
+/* This file defines constants and macros used for parsing a BPF instruction */
+
+#ifndef CS_BPF_CONSTANTS_H
+#define CS_BPF_CONSTANTS_H
+
+#define BPF_CLASS(code) ((code) & 0x7)
+
+///< Instruction classes
+#define BPF_CLASS_LD	0x00
+#define BPF_CLASS_LDX	0x01
+#define BPF_CLASS_ST	0x02
+#define BPF_CLASS_STX	0x03
+#define BPF_CLASS_ALU	0x04
+#define BPF_CLASS_JMP	0x05
+#define BPF_CLASS_RET	0x06	///< cBPF only
+#define BPF_CLASS_MISC	0x07	///< cBPF only
+#define BPF_CLASS_ALU64	0x07	///< eBPF only
+
+#define BPF_OP(code) ((code) & 0xf0)
+
+///< Types of ALU instruction
+#define BPF_ALU_ADD	0x00
+#define BPF_ALU_SUB	0x10
+#define BPF_ALU_MUL	0x20
+#define BPF_ALU_DIV	0x30
+#define BPF_ALU_OR	0x40
+#define BPF_ALU_AND	0x50
+#define BPF_ALU_LSH	0x60
+#define BPF_ALU_RSH	0x70
+#define BPF_ALU_NEG	0x80
+#define BPF_ALU_MOD	0x90
+#define BPF_ALU_XOR	0xa0
+#define BPF_ALU_MOV	0xb0  ///< eBPF only: mov reg to reg
+#define BPF_ALU_ARSH	0xc0  ///< eBPF only: sign extending shift right
+#define BPF_ALU_END	0xd0  ///< eBPF only: endianness conversion
+
+///< Types of jmp instruction
+#define BPF_JUMP_JA	0x00	///< goto
+#define BPF_JUMP_JEQ	0x10	///< '=='
+#define BPF_JUMP_JGT	0x20	///< unsigned '>'
+#define BPF_JUMP_JGE	0x30	///< unsigned '>='
+#define BPF_JUMP_JSET	0x40	///< '&'
+#define BPF_JUMP_JNE	0x50	///< eBPF only: '!=' */
+#define BPF_JUMP_JSGT	0x60	///< eBPF only: signed '>'
+#define BPF_JUMP_JSGE	0x70	///< eBPF only: signed '>='
+#define BPF_JUMP_CALL	0x80	///< eBPF only: function call
+#define BPF_JUMP_EXIT	0x90	///< eBPF only: exit
+#define BPF_JUMP_JLT	0xa0	///< eBPF only: unsigned '<'
+#define BPF_JUMP_JLE	0xb0	///< eBPF only: unsigned '<='
+#define BPF_JUMP_JSLT	0xc0	///< eBPF only: signed '<'
+#define BPF_JUMP_JSLE	0xd0	///< eBPF only: signed '<='
+
+#define BPF_SRC(code) ((code) & 0x08)
+#define BPF_RVAL(code) ((code) & 0x18) /* cBPF only: for return types */
+///< Source operand
+#define BPF_SRC_K	0x00
+#define BPF_SRC_X	0x08
+#define BPF_SRC_A	0x10 /* cBPF only */
+
+#define BPF_SRC_LITTLE	BPF_SRC_K
+#define BPF_SRC_BIG	BPF_SRC_X
+
+#define BPF_SIZE(code) ((code) & 0x18)
+///< Size modifier
+#define BPF_SIZE_W   0x00	///< word
+#define BPF_SIZE_H   0x08	///< half word
+#define BPF_SIZE_B   0x10	///< byte
+#define BPF_SIZE_DW  0x18	///< eBPF only: double word
+
+#define BPF_MODE(code) ((code) & 0xe0)
+///< Mode modifier
+#define BPF_MODE_IMM	0x00	///< used for 32-bit mov in cBPF and 64-bit in eBPF
+#define BPF_MODE_ABS	0x20
+#define BPF_MODE_IND	0x40
+#define BPF_MODE_MEM	0x60
+#define BPF_MODE_LEN	0x80	///< cBPF only, reserved in eBPF
+#define BPF_MODE_MSH	0xa0	///< cBPF only, reserved in eBPF
+#define BPF_MODE_XADD	0xc0	///< eBPF only: exclusive add
+
+#define BPF_MISCOP(code) ((code) & 0x80)
+///< Operation of misc
+#define BPF_MISCOP_TAX	0x00
+#define BPF_MISCOP_TXA	0x80
+
+#endif