gojue / ecapture

Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
https://ecapture.cc
Apache License 2.0

ecapture cannot work on linux with boringssl #552

Closed boost2020 closed 5 months ago

boost2020 commented 5 months ago

Describe the bug: nginx uses BoringSSL; with 0.76/0.82 neither version can capture the key. Looking at the code, it seems unsupported, so I made a simple change to the code, but it still doesn't work. Could you help look at where else the problem might be? [image]

To Reproduce: the changed code is as follows:

diff --git a/Makefile b/Makefile
index efa4629..4704c25 100644
--- a/Makefile
+++ b/Makefile
@@ -148,6 +148,7 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \
        $(CMD_CLANG) \
                        $(EXTRA_CFLAGS_NOCORE) \
                $(BPFHEADER) \
+                        -I /usr/local/lib/gcc/x86_64-redhat-linux/9.5.0/include \
                        -I $(KERN_SRC_PATH)/arch/$(LINUX_ARCH)/include \
                        -I $(KERN_BUILD_PATH)/arch/$(LINUX_ARCH)/include/generated \
                        -I $(KERN_SRC_PATH)/include \
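Review bot: the added `-I /usr/local/lib/gcc/x86_64-redhat-linux/9.5.0/include` hard-codes one host's GCC version and path, so this rule breaks on any other build machine; derive the directory instead, e.g. `-I $(shell gcc -print-file-name=include)`, or put it in a Makefile variable with a default so it can be overridden from the command line. The same applies to the identical line in the second Makefile hunk.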
@@ -163,6 +164,8 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \
        $(CMD_CLANG) \
                        $(EXTRA_CFLAGS_NOCORE) \
                        $(BPFHEADER) \
+                        -I /usr/local/lib/gcc/x86_64-redhat-linux/9.5.0/include \
+                       -I $(KERN_SRC_PATH)/arch/$(LINUX_ARCH)/include \
                        -I $(KERN_SRC_PATH)/arch/$(LINUX_ARCH)/include \
                        -I $(KERN_BUILD_PATH)/arch/$(LINUX_ARCH)/include/generated \
                        -I $(KERN_SRC_PATH)/include \
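Review bot: the added line `-I $(KERN_SRC_PATH)/arch/$(LINUX_ARCH)/include` duplicates the unchanged context line directly below it, so the same include directory is passed twice; drop the added line. The hard-coded GCC include path here has the same portability problem as in the first hunk.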
diff --git a/user/module/probe_openssl_lib.go b/user/module/probe_openssl_lib.go
index 1b1c717..6be1583 100644
--- a/user/module/probe_openssl_lib.go
+++ b/user/module/probe_openssl_lib.go
@@ -64,6 +64,7 @@ func (m *MOpenSSLProbe) initOpensslOffset() {

                // boringssl
                "boringssl 1.1.1":      "boringssl_a_13_kern.o",
+               "boringssl na":      "boringssl_na_kern.o",
                "boringssl_a_13":       "boringssl_a_13_kern.o",
                "boringssl_a_14":       "boringssl_a_14_kern.o",
                AndroidDefauleFilename: "boringssl_a_13_kern.o",
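Review bot: the new map key `"boringssl na"` contains a space, while every other BoringSSL key in this map uses underscores (`boringssl_a_13`, `boringssl_a_14`); because this exact string has to be typed as `--ssl_version` on the command line, a `boringssl_na` key is easier to get right, and the value should be aligned with the neighbouring entries. Since the key carries no version, a comment stating which BoringSSL revision `boringssl_na_kern.o` was generated from would let a user check it against the library actually deployed.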
diff --git a/utils/boringssl_non_android_offset.sh b/utils/boringssl_non_android_offset.sh
index 11294e5..b563e49 100755
--- a/utils/boringssl_non_android_offset.sh
@@ -2,6 +2,7 @@
 set -e

 # for non android boringssl , git repo : https://github.com/google/boringssl
+PROJECT_ROOT_DIR=$(pwd)
 BORINGSSL_REPO=https://github.com/google/boringssl.git
 BORINGSSL_DIR="${PROJECT_ROOT_DIR}/deps/boringssl_non_android"
 OUTPUT_DIR="${PROJECT_ROOT_DIR}/kern"
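Review bot: `PROJECT_ROOT_DIR=$(pwd)` makes the script correct only when it is run from the repository root; `BORINGSSL_DIR` and `OUTPUT_DIR` are derived from it, so running it from anywhere else clones into, and writes `kern/` under, the wrong directory. Derive the root from the script location instead, e.g. `PROJECT_ROOT_DIR=$(cd "$(dirname "$0")/.." && pwd)`.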
@@ -23,14 +24,16 @@ function run() {
   git fetch --tags
   cp -f ${PROJECT_ROOT_DIR}/utils/boringssl-offset.c ${BORINGSSL_DIR}/offset.c
   declare -A sslVerMap=()
-  sslVerMap["0"]="12" # android12-release
-  sslVerMap["1"]="13" # android13-release
-  sslVerMap["2"]="14" # android14-release
+  #sslVerMap["0"]="12" # android12-release
+  #sslVerMap["1"]="13" # android13-release
+  #sslVerMap["2"]="14" # android14-release
+  sslVerMap["master"]="master" # android14-release

   # shellcheck disable=SC2068
   # shellcheck disable=SC2034
   for ver in ${!sslVerMap[@]}; do
-    tag="android${ver}-release"
+    tag="master"
+    #tag="android${ver}-release"
     val=${sslVerMap[$ver]}

     header_file="${OUTPUT_DIR}/boringssl_na_kern.c"
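Review bot: checking out `master` (`tag="master"` and `sslVerMap["master"]="master"`) means the offsets written to `boringssl_na_kern.c` come from whatever commit BoringSSL's master points at on the day the script runs, so the output is not reproducible and is not tied to any recorded upstream revision; pin a specific commit hash and record it in the generated header so the struct offsets can be matched to the libssl actually in use. The commented-out `sslVerMap[...]` lines and the `#tag="android${ver}-release"` line should be deleted rather than left in, and the `# android14-release` comment on the `master` entry is now wrong.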
diff --git a/variables.mk b/variables.mk
index 6af1201..8f265c7 100644
--- a/variables.mk
+++ b/variables.mk
@@ -185,6 +185,7 @@ BPF_NOCORE_TAG = $(subst .,_,$(KERN_RELEASE)).$(subst .,_,$(VERSION_NUM))
 #
 TARGETS := kern/boringssl_a_13
 TARGETS += kern/boringssl_a_14
+TARGETS += kern/boringssl_na
 TARGETS += kern/openssl_1_1_1a
 TARGETS += kern/openssl_1_1_1b
 TARGETS += kern/openssl_1_1_1d
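Review bot: adding `kern/boringssl_na` to `TARGETS` assumes `kern/boringssl_na_kern.c` has already been produced by `utils/boringssl_non_android_offset.sh`; as that script is not run by the build, a fresh checkout fails on this target with a missing source file. Either have the Makefile generate the header or commit the generated file alongside the other `kern/boringssl_a_*` targets listed here, and say in the commit message which BoringSSL revision it was generated from.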

Expected behavior: the key is captured.

Screenshots

./ecapture-v0.7.6 tls  -m key   --libssl=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
tls_2024/05/25 21:05:18 ECAPTURE :: ecapture Version : linux_x86_64:v0.7.6:5.15.0-1059-azure
tls_2024/05/25 21:05:18 ECAPTURE :: Pid Info : 29987
tls_2024/05/25 21:05:18 ECAPTURE :: Kernel Info : 4.19.132
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        module initialization
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        master key keylogger: ecapture_openssl_key.og
tls_2024/05/25 21:05:18 ECAPTURE ::     Module.Run()
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        Keylog MODEL
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        origin version:OpenSSL 1.1.1d, as key:openssl 1.1.1d
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        HOOK type:2, binrayPath:/usr/lib/x86_64-linux-gnu/libssl.so.1.1
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        Hook masterKey function:[SSL_get_wbio SSL_in_before SSL_do_handshake]
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        BPF bytecode filename:user/bytecode/openssl_1_1_1d_kern_less52.o
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        perfEventReader created. mapSize:4 MB
tls_2024/05/25 21:05:18 EBPFProbeOPENSSL        module started successfully.
tls_2024/05/25 21:05:18 ECAPTURE ::     start 1 modules
./ecapture-v0.8.2 tls  -m key   --libssl=/usr/lib/x86_64-linux-gnu/libssl.so.1.1  -b 2
2024-05-25T21:07:39+08:00 INF AppName="eCapture(旁观者)"
2024-05-25T21:07:39+08:00 INF HomePage=https://ecapture.cc
2024-05-25T21:07:39+08:00 INF Repository=https://github.com/gojue/ecapture
2024-05-25T21:07:39+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-05-25T21:07:39+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-05-25T21:07:39+08:00 INF Version=linux_amd64:v0.8.2:6.5.0-1021-azure
2024-05-25T21:07:39+08:00 INF listen=localhost:28256
2024-05-25T21:07:39+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-05-25T21:07:39+08:00 WRN ========== module starting. ==========
2024-05-25T21:07:39+08:00 INF Kernel Info=4.19.132 Pid=33366
2024-05-25T21:07:39+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-05-25T21:07:39+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-05-25T21:07:39+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-05-25T21:07:39+08:00 INF Module.Run()
2024-05-25T21:07:39+08:00 INF OpenSSL/BoringSSL version found origin versionKey="OpenSSL 1.1.1d" versionKeyLower="openssl 1.1.1d"
2024-05-25T21:07:39+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1 masterHookFuncs=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"]
2024-05-25T21:07:39+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-05-25T21:07:39+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_noncore_less52.o
2024-05-25T21:07:39+08:00 INF perfEventReader created mapSize(MB)=4
2024-05-25T21:07:39+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
./ecapture-na-0525 tls --ssl_version="boringssl na" -m key -b 2 --libssl=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
2024-05-25T21:08:36+08:00 INF AppName="eCapture(旁观者)"
2024-05-25T21:08:36+08:00 INF HomePage=https://ecapture.cc
2024-05-25T21:08:36+08:00 INF Repository=https://github.com/gojue/ecapture
2024-05-25T21:08:36+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-05-25T21:08:36+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-05-25T21:08:36+08:00 INF Version=linux_amd64:0.8.2--43241a0:x86_64
2024-05-25T21:08:36+08:00 INF listen=localhost:28256
2024-05-25T21:08:36+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-05-25T21:08:36+08:00 WRN ========== module starting. ==========
2024-05-25T21:08:36+08:00 INF Kernel Info=4.19.132 Pid=33635
2024-05-25T21:08:36+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-05-25T21:08:36+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-05-25T21:08:36+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-05-25T21:08:36+08:00 INF Module.Run()
2024-05-25T21:08:36+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-05-25T21:08:36+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1 masterHookFuncs=["SSL_in_init"]
2024-05-25T21:08:36+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-05-25T21:08:36+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o
2024-05-25T21:08:36+08:00 INF perfEventReader created mapSize(MB)=4
2024-05-25T21:08:36+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

Shell output:

lsof -p 45484|grep lib
openresty 45484 root  mem       REG              254,1    113448    1707816 /usr/local/openresty/luajit/lib/lua/5.1/librestyradixtree.so
openresty 45484 root  mem       REG              254,1     37488    1310854 /usr/local/openresty/lualib/cjson.so
openresty 45484 root  mem       REG              254,1     28600    1707840 /usr/local/openresty/luajit/lib/lua/5.1/lfs.so
openresty 45484 root  mem       REG              254,1     93000     787088 /usr/lib/x86_64-linux-gnu/libresolv-2.28.so
openresty 45484 root  mem       REG              254,1     35808     787089 /usr/lib/x86_64-linux-gnu/librt-2.28.so
openresty 45484 root  mem       REG              254,1   3031904     790448 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
openresty 45484 root  mem       REG              254,1    121184     787435 /usr/lib/x86_64-linux-gnu/liblz4.so.1.8.3
openresty 45484 root  mem       REG              254,1    593696     790449 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
openresty 45484 root  mem       REG              254,1    113392     795927 /usr/lib/x86_64-linux-gnu/libsasl2.so.2.0.25
openresty 45484 root  mem       REG              254,1    100712     786453 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
openresty 45484 root  mem       REG              254,1   1824496     787069 /usr/lib/x86_64-linux-gnu/libc-2.28.so
openresty 45484 root  mem       REG              254,1   3233496     794040 /usr/lib/x86_64-linux-gnu/libperl.so.5.28.1
openresty 45484 root  mem       REG              254,1    113072    1706874 /usr/local/openresty/zlib/lib/libz.so.1.2.11
openresty 45484 root  mem       REG              254,1    469256    1706864 /usr/local/openresty/pcre/lib/libpcre.so.1.2.12
openresty 45484 root  mem       REG              254,1     55608     802878 /usr/lib/x86_64-linux-gnu/libjansson.so.4.11.1
openresty 45484 root  mem       REG              254,1    944960     802880 /usr/lib/x86_64-linux-gnu/librdkafka.so.1
openresty 45484 root  mem       REG              254,1   1579448     787072 /usr/lib/x86_64-linux-gnu/libm-2.28.so
openresty 45484 root  mem       REG              254,1    536216    1709003 /usr/local/openresty/luajit/lib/libluajit-5.1.so.2.1.0
openresty 45484 root  mem       REG              254,1     43328     787070 /usr/lib/x86_64-linux-gnu/libcrypt-2.28.so
openresty 45484 root  mem       REG              254,1    146968     787087 /usr/lib/x86_64-linux-gnu/libpthread-2.28.so
openresty 45484 root  mem       REG              254,1     14592     787071 /usr/lib/x86_64-linux-gnu/libdl-2.28.so
openresty 45484 root  mem       REG              254,1    165632     786455 /usr/lib/x86_64-linux-gnu/ld-2.28.so
root@al-h-001:~# nm -D /usr/lib/x86_64-linux-gnu/libssl.so.1.1|grep SSL_do_handshake
0000000000039ee0 T SSL_do_handshake
root@al-h-001:~# nm -D /usr/lib/x86_64-linux-gnu/libssl.so.1.1|grep SSL_init        
                 U OPENSSL_init_crypto
0000000000035950 T OPENSSL_init_ssl
root@al-h-001:~# nm -D /usr/lib/x86_64-linux-gnu/libssl.so.1.1|grep -i boring
root@al-h-001:~# nm -D /usr/lib/x86_64-linux-gnu/libssl.so.1.1|grep -i bor   
root@al-h-001:~# nm -D /usr/lib/x86_64-linux-gnu/libssl.so.1.1|grep SSL_is_init
000000000004d900 T SSL_is_init_finished

bpftool output:

1280: kprobe  name probe_ssl_maste  tag d52a1a4d6c8fd036  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 1784B  not jited  memlock 4096B  map_ids 1346,1344,1342
1281: kprobe  name probe_entry_SSL  tag c7e0c53d149e68a5  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 488B  not jited  memlock 4096B  map_ids 1350,1351
1282: sched_cls  name ingress_cls_fun  tag 1ea59d5eabc27d90  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 872B  not jited  memlock 4096B  map_ids 1349,1347
1283: kprobe  name probe_ret_SSL_w  tag 89d2790d574ac29d  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 656B  not jited  memlock 4096B  map_ids 1351,1348,1341
1284: kprobe  name probe_entry_SSL  tag 3f0c87fa022950b0  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 488B  not jited  memlock 4096B  map_ids 1350,1343
1285: kprobe  name tcp_sendmsg  tag 2d9d182fecec1caa  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 504B  not jited  memlock 4096B  map_ids 1349
1286: kprobe  name probe_ret_SSL_r  tag 175a0bc8acf0aec4  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 656B  not jited  memlock 4096B  map_ids 1343,1348,1341
1287: kprobe  name probe_SSL_set_f  tag fe19080fadcef7b0  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 136B  not jited  memlock 4096B  map_ids 1350
1288: sched_cls  name egress_cls_func  tag 1ea59d5eabc27d90  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 872B  not jited  memlock 4096B  map_ids 1349,1347
1289: kprobe  name probe_connect  tag a76fb94c499baed3  gpl
        loaded_at 2024-05-25T21:16:19+0800  uid 0
        xlated 432B  not jited  memlock 4096B  map_ids 1345


boost2020 commented 5 months ago

The code above looks messy, so here are some more screenshots:

Screenshot of running with my modified code: [image]

Using the official 0.82 version: [image]

Using the official 0.76 version: [image]

Libraries loaded by nginx: [image]

eBPF programs loaded by ecapture: [image]

The changed code:

[image]

[image] [image]

cfc4n commented 5 months ago

The patch is applied correctly and it runs correctly. It looks like the corresponding hook points are not being triggered? You can enable DEBUG mode to analyse it.

DEBUG=1 make nocore

sudo ecapture ...

Check the kernel trace log:

cat /sys/kernel/debug/tracing/trace_pipe

Also, I added logging for non-Android BoringSSL, see #555. However, BoringSSL's version management is chaotic: it is split into an Android version and a non-Android version, corresponding to two different code repositories. At the same time, every new release keeps the same version number; the content of OPENSSL_VERSION_TEXT has never been changed.

As a result, eCapture cannot read the symbol information in the shared library to look up this field and identify the corresponding version. So if you want eCapture to support non-Android BoringSSL better, you need to confirm the version match yourself. Where necessary, you will need to patch it yourself.

boost2020 commented 5 months ago

OK, I'll turn on debug later and see how it goes.

boost2020 commented 5 months ago

@boost2020 Turned on debug, but it seems not to work; I haven't found the cause.

Build environment

fatal: unknown date format format:%Y%m%d
---------------------------------------
eCapture Makefile Environment:
---------------------------------------
PARALLEL                 2
----------------[ from args ]---------------
CROSS_ARCH
ANDROID                  0
DEBUG                    1
SNAPSHOT_VERSION
---------------------------------------
HOST_ARCH                x86_64
UNAME_R                  4.19.91-27.7.al7.x86_64
CLANG_VERSION            10
GO_VERSION               1.22
---------------------------------------
CMD_CLANG                clang
CMD_GIT                  git
CMD_GO                   go
CMD_INSTALL              install
CMD_LLC                  llc
CMD_MD5                  md5sum
CMD_PKGCONFIG            pkg-config
CMD_STRIP                llvm-strip
CMD_CC_PREFIX
CMD_TAR                  tar
CMD_RPMBUILD             rpmbuild
CMD_RPM_SETUP_TREE       rpmdev-setuptree
---------------------------------------
VERSION_NUM              0.8.2--8e25629
LAST_GIT_TAG             0.8.2--8e25629
BPF_NOCORE_TAG           4_19_91-27_7_al7_x86_64.0_8_2--8e25629
KERN_RELEASE             4.19.91-27.7.al7.x86_64
KERN_BUILD_PATH          /lib/modules/4.19.91-27.7.al7.x86_64/build
KERN_SRC_PATH            /lib/modules/4.19.91-27.7.al7.x86_64/source
TARGET_ARCH              x86_64
GOARCH                   amd64
LINUX_ARCH               x86
LIBPCAP_ARCH             x86_64-pc-linux-gnu
AUTOGENCMD               test -f kern/bpf/x86/vmlinux.h || bpftool btf dump file /sys/kernel/btf/vmlinux format c > kern/bpf/x86/vmlinux.h                                   
PACKAGE_VERSION          0.0.0
OUT_DEB_FILE             ./bin/ecapture_v0.0.0_linux_amd64.deb

Runtime environment

2024-05-26T23:01:25+08:00 INF AppName="eCapture(旁观者)"
2024-05-26T23:01:25+08:00 INF HomePage=https://ecapture.cc
2024-05-26T23:01:25+08:00 INF Repository=https://github.com/gojue/ecapture
2024-05-26T23:01:25+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-05-26T23:01:25+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."             
2024-05-26T23:01:25+08:00 INF Version=linux_amd64:0.8.2--8e25629:x86_64
2024-05-26T23:01:25+08:00 INF listen=localhost:28256
2024-05-26T23:01:25+08:00 INF https server starting...You can update the configuration file via the HTTP interface.                                                          
2024-05-26T23:01:25+08:00 WRN ========== module starting. ==========
2024-05-26T23:01:25+08:00 INF Kernel Info=4.19.132 Pid=10485
2024-05-26T23:01:25+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-05-26T23:01:25+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og                                                    
2024-05-26T23:01:25+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL                                                                              
2024-05-26T23:01:25+08:00 INF Module.Run()
2024-05-26T23:01:25+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-05-26T23:01:25+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1 masterHookFuncs=["SSL_in_init"]                             
2024-05-26T23:01:25+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-05-26T23:01:25+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o                                                     
2024-05-26T23:01:25+08:00 INF perfEventReader created mapSize(MB)=4
2024-05-26T23:01:25+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL 

[image] [image]

cfc4n commented 5 months ago

What is the command strings ecapture-na-0526|grep -i "client_version" used for?

boost2020 commented 5 months ago

It extracts the literal values of all the variables in the binary.

Also, my problem may really be a different problem. I tried bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_write ...' and bpftrace -e 'uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_INIT ...' one by one, and none of them captured any output. The SSL used by this nginx feels a bit strange.

When I send a curl from the same host (as a client, any random https request), it can be hooked.

So it is indeed still possible that the hook point for this nginx is wrong; I'll look into it further.

boost2020 commented 5 months ago

Finally found the cause: openresty statically compiled SSL into nginx. Bad luck!

cfc4n commented 5 months ago

You can set the libssl parameter directly to the nginx path.

boost2020 commented 5 months ago

I think this issue can be closed for now, otherwise it will go on forever.

Specifying the nginx path directly gives the following error:

./ecapture-na-0526 tls -m key --ssl_version="boringssl na" -b 2 --libssl="/usr/local/openresty/openssl111/lib/libssl.a"
2024-05-29T21:31:48+08:00 INF AppName="eCapture(旁观者)"
2024-05-29T21:31:48+08:00 INF HomePage=https://ecapture.cc
2024-05-29T21:31:48+08:00 INF Repository=https://github.com/gojue/ecapture
2024-05-29T21:31:48+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-05-29T21:31:48+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-05-29T21:31:48+08:00 INF Version=linux_amd64:0.8.2--8e25629:x86_64
2024-05-29T21:31:48+08:00 WRN ========== module starting. ==========
2024-05-29T21:31:48+08:00 INF Kernel Info=4.19.132 Pid=61315
2024-05-29T21:31:48+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-05-29T21:31:48+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-05-29T21:31:48+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-05-29T21:31:48+08:00 INF Module.Run()
2024-05-29T21:31:48+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-05-29T21:31:48+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/openssl111/lib/libssl.a masterHookFuncs=["SSL_in_init"]
2024-05-29T21:31:48+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-05-29T21:31:48+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o
2024-05-29T21:31:48+08:00 INF listen=localhost:28256
2024-05-29T21:31:48+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-05-29T21:31:48+08:00 FTL module run failed, skip it. error="couldn't start bootstrap manager error:1 error occurred:\n\t* error:error:parse ELF file: bad magic number '[33 60 97 114]' in record at byte 0x0 , couldn't enable uprobe probe_ssl_master_key, {UID:uprobe_smk_SSL_in_init, EbpfFuncName:probe_ssl_master_key}\n\n, probes activation validation failed ." isReload=false
root@al-001:~# ./ecapture-na-0526 tls -m key --ssl_version="boringssl na" -b 2 --libssl="/usr/local/openresty/nginx/sbin/nginx"
2024-05-29T21:32:01+08:00 INF AppName="eCapture(旁观者)"
2024-05-29T21:32:01+08:00 INF HomePage=https://ecapture.cc
2024-05-29T21:32:01+08:00 INF Repository=https://github.com/gojue/ecapture
2024-05-29T21:32:01+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-05-29T21:32:01+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-05-29T21:32:01+08:00 INF Version=linux_amd64:0.8.2--8e25629:x86_64
2024-05-29T21:32:01+08:00 INF listen=localhost:28256
2024-05-29T21:32:01+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-05-29T21:32:01+08:00 WRN ========== module starting. ==========
2024-05-29T21:32:01+08:00 INF Kernel Info=4.19.132 Pid=61357
2024-05-29T21:32:01+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-05-29T21:32:01+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-05-29T21:32:01+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-05-29T21:32:01+08:00 INF Module.Run()
2024-05-29T21:32:01+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-05-29T21:32:01+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/nginx/sbin/nginx masterHookFuncs=["SSL_in_init"]
2024-05-29T21:32:01+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-05-29T21:32:01+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o
2024-05-29T21:32:01+08:00 FTL module run failed, skip it. error="couldn't start bootstrap manager error:1 error occurred:\n\t* error:opening uprobe: symbol SSL_in_init: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_in_init, EbpfFuncName:probe_ssl_master_key}\n\n, probes activation validation failed ." isReload=false

Evidence that openresty statically compiled ssl: [image]

bpftrace cannot hook a static library:

readelf -s /usr/local/openresty/openssl111/lib/libssl.a|grep SSL_do_handshake                      
    43: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND SSL_do_handshake
   306: 0000000000004630   218 FUNC    GLOBAL DEFAULT    1 SSL_do_handshake

bpftrace -e 'uprobe:/usr/local/openresty/openssl111/lib/libssl.a:SSL_do_handshake{printf("test is ok/n")}'
Attaching 1 probe...
Could not resolve symbol: /usr/local/openresty/openssl111/lib/libssl.a:SSL_do_handshake
root@al--001:~# bpftrace -e 'uprobe:/usr/local/openresty/nginx/sbin/nginx:SSL_do_handshake{printf("test is ok/n")}'
Attaching 1 probe...
Could not resolve symbol: /usr/local/openresty/nginx/sbin/nginx:SSL_do_handshake
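The thread ends on two separate failures that are worth being able to tell apart before starting eCapture: a `.a` archive is not an ELF object at all (the `bad magic number '[33 60 97 114]'` in the log is the bytes of `!<ar`, the start of an `ar` archive), and a statically linked nginx may carry the TLS functions only in its `.symtab`, or not at all if stripped, so a uprobe on `SSL_in_init` or `SSL_do_handshake` has nothing to attach to. The following is an added example, not code from the issue or from eCapture, that classifies a candidate `--libssl` target and reports whether the hook symbols eCapture logged in this thread are present and in which symbol table. It parses ELF64 little-endian files only (the amd64/arm64 targets the project supports), the hook-symbol lists are copied from the `masterHookFuncs` log lines above, and the sample ELF images it checks are constructed in-memory rather than read from disk.

```python
import struct

# Added example, not eCapture's own code. Assumptions: ELF64 little-endian input only;
# hook-symbol lists taken from the masterHookFuncs log lines in this thread.
ELF_MAGIC = b"\x7fELF"
AR_MAGIC = b"!<arch>\n"          # a static library (.a) produced by ar starts like this
SHT_SYMTAB, SHT_DYNSYM = 2, 11   # section types that hold symbol tables

HOOK_SYMBOLS = {
    "openssl 1.1.1d": ["SSL_get_wbio", "SSL_in_before", "SSL_do_handshake"],
    "boringssl na": ["SSL_in_init"],
}

def decode_magic(magic_bytes):
    """Turn the '[33 60 97 114]' list from the ELF parse error back into bytes."""
    return bytes(magic_bytes)

def classify(data):
    if data.startswith(AR_MAGIC):
        return "ar-archive"       # uprobes cannot attach to an archive member
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def symbol_tables(data):
    """Return {symbol_name: set of table kinds ('dynsym'/'symtab') it appears in}."""
    if classify(data) != "elf":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = {}
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        kind = "dynsym" if sh_type == SHT_DYNSYM else "symtab"
        str_off = shdrs[sh_link][4]          # sh_link points at the matching string table
        entsize = sh_entsize or 24
        for j in range(sh_size // entsize):
            (st_name,) = struct.unpack_from("<I", data, sh_offset + j * entsize)
            name = _cstr(data, str_off + st_name)
            if name:
                found.setdefault(name, set()).add(kind)
    return found

def check_hook_target(data, ssl_version):
    """Report file kind, which hook symbols are missing, and where the rest live."""
    needed = HOOK_SYMBOLS[ssl_version]
    kind = classify(data)
    if kind != "elf":
        return {"kind": kind, "missing": list(needed), "where": {}}
    syms = symbol_tables(data)
    where = {s: sorted(syms.get(s, ())) for s in needed}
    return {"kind": kind, "missing": [s for s in needed if not where[s]], "where": where}

def build_sample_elf(dynsym=(), symtab=()):
    """Construct a minimal ELF64 (sample input) with the given exported and local names."""
    def table(names):
        strs = b"\0" + b"".join(n.encode() + b"\0" for n in names)
        syms, off = b"\0" * 24, 1                     # entry 0 is the null symbol
        for n in names:
            syms += struct.pack("<IBBHQQ", off, 0x12, 0, 1, 0x1000, 16)  # GLOBAL FUNC
            off += len(n) + 1
        return strs, syms
    dstr, dsym = table(dynsym)
    sstr, ssym = table(symtab)
    blobs, offsets, pos = [dstr, dsym, sstr, ssym], [], 64
    for b in blobs:
        offsets.append(pos)
        pos += len(b)
    def shdr(t, off, size, link, ent):
        return struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, off, size, link, 0, 1, ent)
    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(3, offsets[0], len(dstr), 0, 0)             # 1: .dynstr
             + shdr(SHT_DYNSYM, offsets[1], len(dsym), 1, 24)   # 2: .dynsym -> 1
             + shdr(3, offsets[2], len(sstr), 0, 0)             # 3: .strtab
             + shdr(SHT_SYMTAB, offsets[3], len(ssym), 3, 24))  # 4: .symtab -> 3
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, pos, 0, 64, 0, 0, 64, 5, 0)
    return ehdr + b"".join(blobs) + shdrs

if __name__ == "__main__":
    shared = build_sample_elf(dynsym=["SSL_do_handshake", "SSL_in_before", "SSL_get_wbio"])
    static_nginx = build_sample_elf(dynsym=["main"], symtab=["SSL_do_handshake"])
    print(check_hook_target(shared, "boringssl na"))          # SSL_in_init missing
    print(check_hook_target(static_nginx, "openssl 1.1.1d"))  # only symtab hit
    print(check_hook_target(AR_MAGIC + b"libssl.a", "boringssl na"))
```

Run against a real file with `check_hook_target(open(path, "rb").read(), "boringssl na")`. A symbol reported only under `symtab` means the binary is statically linked and unstripped; a stripped static build reports it as missing, which is exactly the `symbol SSL_in_init: not found` situation in the last log, and no `--libssl` path will fix it without a symbol-bearing build.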