gojue / ecapture

Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
https://ecapture.cc
Apache License 2.0

Xiaomi tablet shows unexpected behaviour when capturing TLS packets in pcap and keylog modes #602

Closed xxxxxliil closed 2 weeks ago

xxxxxliil commented 3 weeks ago

Describe the bug

Specify a uid with -u, then use -m to choose keylog or pcap as the export format. If pcap is chosen, you get packets that have nothing to do with the target uid; if keylog is chosen, the keylog contains nothing at all. Even when the specified uid is not running any program, packets are still captured in pcap mode.

Strangely, only text mode produces output normally, though the error from #596 still shows up occasionally in between.

To Reproduce

Steps to reproduce the behavior:

  1. # ./ecapture --debug -b 1 -u 99999 tls -m pcap -w s.pcap
  2. wait...
  3. See error

Expected behavior

pcap and keylog modes should produce the expected output (records that match the target uid, and a keylog that is captured and correctly matched).

Screenshots

2024-08-24T12:53:11Z INF AppName="eCapture(旁观者)"
2024-08-24T12:53:11Z INF HomePage=https://ecapture.cc
2024-08-24T12:53:11Z INF Repository=https://github.com/gojue/ecapture
2024-08-24T12:53:11Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-08-24T12:53:11Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-08-24T12:53:11Z INF Version=androidgki_arm64:v0.8.4:6.5.0-1023-azure
2024-08-24T12:53:11Z INF listen=localhost:28256
2024-08-24T12:53:11Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-08-24T12:53:11Z WRN ========== module starting. ==========
2024-08-24T12:53:11Z INF Kernel Info=5.15.123 Pid=27718
2024-08-24T12:53:11Z INF BTF bytecode mode: CORE. btfMode=1
2024-08-24T12:53:11Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T12:53:11Z INF Module.Run()
2024-08-24T12:53:11Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-08-24T12:53:11Z INF HOOK type:Golang elf ElfType=2 IFindex=16 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-08-24T12:53:11Z INF Hook masterKey function Functions=["SSL_in_init"]
2024-08-24T12:53:11Z INF target all process.
2024-08-24T12:53:11Z INF target user. target UID=99999
2024-08-24T12:53:11Z INF setupManagers eBPFProgramType=PcapNG
2024-08-24T12:53:11Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/now.pcap
2024-08-24T12:53:11Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-08-24T12:53:12Z INF perfEventReader created mapSize(MB)=4
2024-08-24T12:53:12Z INF perfEventReader created mapSize(MB)=4
2024-08-24T12:53:12Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T12:53:19Z INF packets saved into pcapng file. count=2
...

or

2024-08-24T12:56:07Z INF AppName="eCapture(旁观者)"
2024-08-24T12:56:07Z INF HomePage=https://ecapture.cc
2024-08-24T12:56:07Z INF Repository=https://github.com/gojue/ecapture
2024-08-24T12:56:07Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-08-24T12:56:07Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-08-24T12:56:07Z INF Version=androidgki_arm64:v0.8.5:6.5.0-1025-azure
2024-08-24T12:56:07Z INF Listen=localhost:28256
2024-08-24T12:56:07Z INF eCapture running logs logger=
2024-08-24T12:56:07Z INF the file handler that receives the captured event eventCollector=
2024-08-24T12:56:07Z WRN ========== module starting. ==========
2024-08-24T12:56:07Z WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=5.15.123
2024-08-24T12:56:07Z INF Kernel Info=5.15.123 Pid=28200
2024-08-24T12:56:07Z INF BTF bytecode mode: CORE. btfMode=1
2024-08-24T12:56:07Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T12:56:07Z INF Module.Run()
2024-08-24T12:56:07Z INF listen=localhost:28256
2024-08-24T12:56:07Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-08-24T12:56:07Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-08-24T12:56:07Z INF HOOK type:Golang elf ElfType=2 IFindex=16 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-08-24T12:56:07Z INF Hook masterKey function Functions=["SSL_in_init"]
2024-08-24T12:56:07Z INF target all process.
2024-08-24T12:56:07Z INF target user. target UID=99999
2024-08-24T12:56:07Z INF setupManagers eBPFProgramType=PcapNG
2024-08-24T12:56:07Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-08-24T12:56:07Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/now.pcap
2024-08-24T12:56:08Z INF perfEventReader created mapSize(MB)=4
2024-08-24T12:56:08Z INF perfEventReader created mapSize(MB)=4
2024-08-24T12:56:08Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T12:56:09Z INF packets saved into pcapng file. count=81
2024-08-24T12:56:11Z INF packets saved into pcapng file. count=141
2024-08-24T12:56:13Z INF packets saved into pcapng file. count=116

Linux Server/Android (please complete the following information):
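The warning in the logs above reports kernel 5.15.123 as "less than 5.2" and disables pid/uid filtering on that basis, which is exactly the result a lexical string comparison gives ("5.15..." sorts before "5.2"). As an added illustration, not eCapture's own code and not a confirmed root cause of this issue, the Go snippet below compares kernel versions component-wise so that this case is decided correctly; the sample values are constructed from the warning line.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseKernelVersion turns "5.15.123" (or "5.2") into numeric components.
func parseKernelVersion(s string) ([3]int, error) {
	var v [3]int
	s, _, _ = strings.Cut(s, "-") // drop a build suffix such as "-android13"
	parts := strings.Split(s, ".")
	if len(parts) > 3 {
		return v, fmt.Errorf("unexpected kernel version format: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// KernelOlderThan reports whether kernel `have` is older than `need`,
// comparing major/minor/patch as integers rather than as strings.
func KernelOlderThan(have, need string) (bool, error) {
	h, err := parseKernelVersion(have)
	if err != nil {
		return false, err
	}
	n, err := parseKernelVersion(need)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != n[i] {
			return h[i] < n[i], nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: the values from the warning line in the issue logs.
	numeric, _ := KernelOlderThan("5.15.123", "5.2")
	fmt.Println(`lexical "5.15.123" < "5.2":`, "5.15.123" < "5.2") // true, misleading
	fmt.Println("numeric 5.15.123 older than 5.2:", numeric)       // false
}
```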

xxxxxliil commented 3 weeks ago
# ./ecapture.bugly --debug -b 1 -u 99999 tls -m pcap -w save.pcap
2024-08-24T13:31:27Z INF AppName="eCapture(旁观者)"
2024-08-24T13:31:27Z INF HomePage=https://ecapture.cc
2024-08-24T13:31:27Z INF Repository=https://github.com/gojue/ecapture
2024-08-24T13:31:27Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-08-24T13:31:27Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-08-24T13:31:27Z INF Version=androidgki_arm64:v0.8.5:6.5.0-1025-azure
2024-08-24T13:31:27Z INF Listen=localhost:28256
2024-08-24T13:31:27Z INF eCapture running logs logger=
2024-08-24T13:31:27Z INF the file handler that receives the captured event eventCollector=
2024-08-24T13:31:27Z WRN ========== module starting. ==========
2024-08-24T13:31:27Z WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=5.15.123
2024-08-24T13:31:27Z INF Kernel Info=5.15.123 Pid=1510
2024-08-24T13:31:27Z INF BTF bytecode mode: CORE. btfMode=1
2024-08-24T13:31:27Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T13:31:27Z INF Module.Run()
2024-08-24T13:31:27Z INF listen=localhost:28256
2024-08-24T13:31:27Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-08-24T13:31:27Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-08-24T13:31:27Z INF HOOK type:Golang elf ElfType=2 IFindex=16 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-08-24T13:31:27Z INF Hook masterKey function Functions=["SSL_in_init"]
2024-08-24T13:31:27Z INF target all process.
2024-08-24T13:31:27Z INF target user. target UID=99999
2024-08-24T13:31:27Z INF setupManagers eBPFProgramType=PcapNG
2024-08-24T13:31:27Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-08-24T13:31:27Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/save.pcap
2024-08-24T13:31:27Z INF perfEventReader created mapSize(MB)=4
2024-08-24T13:31:27Z INF perfEventReader created mapSize(MB)=4
2024-08-24T13:31:27Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T13:31:29Z INF packets saved into pcapng file. count=61
# ./ecapture.bugly --debug -b 1 -u 99999 tls -m keylog -k ecapture_openssl_key.og
2024-08-24T13:32:58Z INF AppName="eCapture(旁观者)"
2024-08-24T13:32:58Z INF HomePage=https://ecapture.cc
2024-08-24T13:32:58Z INF Repository=https://github.com/gojue/ecapture
2024-08-24T13:32:58Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-08-24T13:32:58Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-08-24T13:32:58Z INF Version=androidgki_arm64:v0.8.5:6.5.0-1025-azure
2024-08-24T13:32:58Z INF Listen=localhost:28256
2024-08-24T13:32:58Z INF eCapture running logs logger=
2024-08-24T13:32:58Z INF the file handler that receives the captured event eventCollector=
2024-08-24T13:32:58Z WRN ========== module starting. ==========
2024-08-24T13:32:58Z WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=5.15.123
2024-08-24T13:32:58Z INF Kernel Info=5.15.123 Pid=2304
2024-08-24T13:32:58Z INF BTF bytecode mode: CORE. btfMode=1
2024-08-24T13:32:58Z INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-08-24T13:32:58Z INF listen=localhost:28256
2024-08-24T13:32:58Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-08-24T13:32:58Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T13:32:58Z INF Module.Run()
2024-08-24T13:32:58Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-08-24T13:32:58Z INF HOOK type:Openssl elf ElfType=2 binrayPath=/apex/com.android.conscrypt/lib64/libssl.so masterHookFuncs=["SSL_in_init"]
2024-08-24T13:32:58Z INF target all process.
2024-08-24T13:32:58Z INF target user. target UID=99999
2024-08-24T13:32:58Z INF setupManagers eBPFProgramType=KeyLog
2024-08-24T13:32:58Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-08-24T13:32:58Z INF perfEventReader created mapSize(MB)=4
2024-08-24T13:32:58Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
# ./ecapture.bugly --debug -b 1 -u 99999 tls -m text
2024-08-24T13:36:51Z INF AppName="eCapture(旁观者)"
2024-08-24T13:36:51Z INF HomePage=https://ecapture.cc
2024-08-24T13:36:51Z INF Repository=https://github.com/gojue/ecapture
2024-08-24T13:36:51Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-08-24T13:36:51Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-08-24T13:36:51Z INF Version=androidgki_arm64:v0.8.5:6.5.0-1025-azure
2024-08-24T13:36:51Z INF Listen=localhost:28256
2024-08-24T13:36:51Z INF eCapture running logs logger=
2024-08-24T13:36:51Z INF the file handler that receives the captured event eventCollector=
2024-08-24T13:36:51Z WRN ========== module starting. ==========
2024-08-24T13:36:51Z WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=5.15.123
2024-08-24T13:36:51Z INF Kernel Info=5.15.123 Pid=3646
2024-08-24T13:36:51Z INF BTF bytecode mode: CORE. btfMode=1
2024-08-24T13:36:51Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-08-24T13:36:51Z INF listen=localhost:28256
2024-08-24T13:36:51Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-08-24T13:36:51Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T13:36:51Z INF Module.Run()
2024-08-24T13:36:51Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-08-24T13:36:51Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-08-24T13:36:51Z INF target all process.
2024-08-24T13:36:51Z INF target user. target UID=99999
2024-08-24T13:36:51Z INF setupManagers eBPFProgramType=Text
2024-08-24T13:36:51Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-08-24T13:36:52Z INF perfEventReader created mapSize(MB)=4
2024-08-24T13:36:52Z INF perfEventReader created mapSize(MB)=4
2024-08-24T13:36:52Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-08-24T13:37:30Z DBG AddConn success address=1.1.1.1:443 fd=5 pid=3771
2024-08-24T13:40:43Z DBG AddConn success address=1.1.1.1:443 fd=5 pid=4378

@cfc4n Do the three modes correspond to three hook types? Is that expected behaviour? Why did pcap mode pick the golang hook type?

cfc4n commented 2 weeks ago

What do you mean by "why did pcap mode pick the golang hook type"?

xxxxxliil commented 2 weeks ago

What do you mean by "why did pcap mode pick the golang hook type"?

2024-08-24T12:53:11Z INF HOOK type:Golang elf ElfType=2 IFindex=16 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so

HOOK type:Golang

cfc4n commented 2 weeks ago

OK, I understand. A variable must be displayed incorrectly somewhere; I'll look into it.