gojue / ecapture

Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
https://ecapture.cc
Apache License 2.0
12.4k stars 1.29k forks

Failed to capture HTTPS traffic #622

Closed. NPC2000 closed this 1 day ago.

NPC2000 commented 4 days ago

Describe the bug: after running `./ecapture tls`, only HTTP traffic is displayed; HTTPS traffic is not.

To Reproduce (steps to reproduce the behavior):

1. Run ecapture as su (root):
OP5CFBL1:/data/local/tmp # ./ecapture tls
2024-09-14T02:45:31Z INF AppName="eCapture(旁观者)"
2024-09-14T02:45:31Z INF HomePage=https://ecapture.cc
2024-09-14T02:45:31Z INF Repository=https://github.com/gojue/ecapture
2024-09-14T02:45:31Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-14T02:45:31Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-14T02:45:31Z INF Version=androidgki_arm64:v0.8.6:6.5.0-1025-azure
2024-09-14T02:45:31Z INF Listen=localhost:28256
2024-09-14T02:45:31Z INF eCapture running logs logger=
2024-09-14T02:45:31Z INF the file handler that receives the captured event eventCollector=
2024-09-14T02:45:31Z WRN ========== module starting. ==========
2024-09-14T02:45:31Z INF Kernel Info=6.1.57 Pid=29901
2024-09-14T02:45:31Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-14T02:45:31Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-14T02:45:31Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-14T02:45:31Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:45:31Z INF Module.Run()
2024-09-14T02:45:31Z INF listen=localhost:28256
2024-09-14T02:45:31Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-14T02:45:31Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-09-14T02:45:31Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-09-14T02:45:31Z INF target all process.
2024-09-14T02:45:31Z INF target all users.
2024-09-14T02:45:31Z INF setupManagers eBPFProgramType=Text
2024-09-14T02:45:31Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-09-14T02:45:33Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:45:33Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:45:33Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

3. Open any app (MT Manager, Coolapk, Yujian Browser, ...): nothing changes in the console.

4. Open an app (Xianyu): HTTP can be captured, but this error appears:

ERR SSLDataEvent's fd is 0 address= fd=0 pid=354

OP5CFBL1:/data/local/tmp # ./ecapture tls
2024-09-14T02:49:15Z INF AppName="eCapture(旁观者)"
2024-09-14T02:49:15Z INF HomePage=https://ecapture.cc
2024-09-14T02:49:15Z INF Repository=https://github.com/gojue/ecapture
2024-09-14T02:49:15Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-14T02:49:15Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-14T02:49:15Z INF Version=androidgki_arm64:v0.8.6:6.5.0-1025-azure
2024-09-14T02:49:15Z INF Listen=localhost:28256
2024-09-14T02:49:15Z INF eCapture running logs logger=
2024-09-14T02:49:15Z INF the file handler that receives the captured event eventCollector=
2024-09-14T02:49:15Z WRN ========== module starting. ==========
2024-09-14T02:49:15Z INF listen=localhost:28256
2024-09-14T02:49:15Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-14T02:49:15Z INF Kernel Info=6.1.57 Pid=32762
2024-09-14T02:49:15Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-14T02:49:15Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-14T02:49:15Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-14T02:49:15Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:49:15Z INF Module.Run()
2024-09-14T02:49:15Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-09-14T02:49:15Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-09-14T02:49:15Z INF target all process.
2024-09-14T02:49:15Z INF target all users.
2024-09-14T02:49:15Z INF setupManagers eBPFProgramType=Text
2024-09-14T02:49:15Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-09-14T02:49:16Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:49:16Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:49:16Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:49:17Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:17Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:17Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:17Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:17Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:18Z ??? UUID:354_662_nirvana_base_ex_0_1_0.0.0.0, Name:HTTPRequest, Type:1, Length:1408
POST / HTTP/1.1
Host: dypnsapi.aliyuncs.com
Accept: application/json
Accept-Encoding: gzip
Connection: Keep-Alive
Content-Length: 955
Content-Type: application/x-www-form-urlencoded
Traceparent: 865f2162-c3b2-4597-aa8f-196392914af0
User-Agent: AlibabaCloud (Linux; amd64) Java/1.8.0_152-b187 Core/4.5.26 HTTPClient/ApacheHttpClient
X-Acs-Action: QuerySdkConfig
X-Acs-Version: 2017-05-25
X-Sdk-Client: Java/2.0.0
X-Sdk-Invoke-Type: common

&AccessKeyId=STS.NTHz7JviJVajSxYAaf5sg3MWJ&Action=QuerySdkConfig&AppKey=25331768&Format=JSON&SecurityToken=AwjWFG7H1UdQa4UZwjgBUJU4y6My3Ppx3DV7UVbkrq8T&SignatureMethod=HMAC-SHA1&SignatureNonce=0592bbaa-c9a3-42f9-a143-ad4d6e05c932&SignatureVersion=1.0&TerminalInfo=%7B%22c%22%3A%22%7B%5C%22appVersion%5C%22%3A%5C%227.17.50%5C%22%2C%5C%22deviceBrand%5C%22%3A%5C%22Huawei%5C%22%2C%5C%22deviceName%5C%22%3A%5C%22PJF110%5C%22%2C%5C%22networkType%5C%22%3A%5C%22wifi%2Bmobile%5C%22%2C%5C%22operatorCode%5C%22%3A%5C%2246003%5C%22%2C%5C%22osType%5C%22%3A%5C%22Android%5C%22%2C%5C%22osVersion%5C%22%3A%5C%2214%5C%22%2C%5C%22packageName%5C%22%3A%5C%22com.taobao.idlefish%5C%22%2C%5C%22sdkVersion%5C%22%3A%5C%229.6.2.2%5C%22%2C%5C%22sign%5C%22%3A%5C%2297ec6f1007e71b11234488b2cd790638%5C%22%2C%5C%22vendorKey%5C%22%3A%5C%22ct_sjl%5C%22%7D%22%2C%22o%22%3A%22Android%22%7D&Timestamp=2024-09-14T02%3A49%3A17Z&Version=2017-05-25&Signature=0ZvbyWOW515Q1oKziHAvyYhbn%2Bw%3D
2024-09-14T02:49:18Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
2024-09-14T02:49:19Z ??? UUID:354_1163_IOLogThread#1_0_1_0.0.0.0, Name:HTTPRequest, Type:1, Length:248
GET /config/loggw/logConfig.do?productVersion=7.17.50&productId=alipaysdk_android&configVersion=2&templateId=2.0 HTTP/1.1
Host: gw.alipayobjects.com:443
Accept-Encoding: gzip
Connection: Keep-Alive
Content-Type: text/xml
User-Agent: alipay
5. Running `./ecapture tls -d` as su shows `DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511`:
OP5CFBL1:/data/local/tmp # ./ecapture tls -d
2024-09-14T02:51:36Z INF AppName="eCapture(旁观者)"
2024-09-14T02:51:36Z INF HomePage=https://ecapture.cc
2024-09-14T02:51:36Z INF Repository=https://github.com/gojue/ecapture
2024-09-14T02:51:36Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-14T02:51:36Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-14T02:51:36Z INF Version=androidgki_arm64:v0.8.6:6.5.0-1025-azure
2024-09-14T02:51:36Z INF Listen=localhost:28256
2024-09-14T02:51:36Z INF eCapture running logs logger=
2024-09-14T02:51:36Z INF the file handler that receives the captured event eventCollector=
2024-09-14T02:51:36Z WRN ========== module starting. ==========
2024-09-14T02:51:36Z INF listen=localhost:28256
2024-09-14T02:51:36Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-14T02:51:36Z INF Kernel Info=6.1.57 Pid=1641
2024-09-14T02:51:36Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-14T02:51:36Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-14T02:51:36Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-14T02:51:36Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:51:36Z INF Module.Run()
2024-09-14T02:51:36Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-09-14T02:51:36Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-09-14T02:51:36Z INF target all process.
2024-09-14T02:51:36Z INF target all users.
2024-09-14T02:51:36Z INF setupManagers eBPFProgramType=Text
2024-09-14T02:51:36Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-09-14T02:51:36Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:51:36Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:51:36Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:51:37Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=8.8.8.8:0 fd=70 pid=1511
2024-09-14T02:51:38Z DBG AddConn success address=192.168.1.1:53 fd=70 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=70 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=70 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=70 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=70 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=74 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=76 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=129 pid=4832
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=126 pid=4832
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=81 pid=4832
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=130 pid=4832
2024-09-14T02:51:39Z DBG AddConn success address=8.8.8.8:0 fd=5 pid=4832
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=79 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=80 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=82 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=81 pid=1511
2024-09-14T02:51:39Z DBG AddConn success address=192.168.1.1:53 fd=83 pid=1511
6. Check which libssl.so the app is using:
OP5CFBL1:/data/local/tmp # ps -e | grep "bin.mt.plus"
u0_a334       2802  1512    8259480 239816 __arm64_sys_epoll_pwait 0 S bin.mt.plus
OP5CFBL1:/data/local/tmp # cat proc/2802/maps | grep "libssl"
cat: proc/2802/maps: No such file or directory
1|OP5CFBL1:/data/local/tmp # cat /proc/2802/maps | grep "libssl"
79c2f40000-79c2f5f000 r--p 00000000 07:68 166                            /apex/com.android.conscrypt/lib64/libssl.so
79c2f5f000-79c2f9d000 r-xp 0001f000 07:68 166                            /apex/com.android.conscrypt/lib64/libssl.so
79c2f9d000-79c2fa0000 r--p 0005d000 07:68 166                            /apex/com.android.conscrypt/lib64/libssl.so
79c2fa0000-79c2fa1000 rw-p 0005f000 07:68 166                            /apex/com.android.conscrypt/lib64/libssl.so
OP5CFBL1:/data/local/tmp # lsof -p 2802 | grep ssl
bin.mt.plus  2802    u0_a334  mem       REG              7,104    401632        166 /apex/com.android.conscrypt/lib64/libssl.so

7. Specify libssl, then open any app (MT Manager, Coolapk, Yujian Browser, ...) again:

OP5CFBL1:/data/local/tmp # ./ecapture tls -d --libssl "/apex/com.android.conscrypt/lib64/libssl.so"
2024-09-14T02:57:58Z INF AppName="eCapture(旁观者)"
2024-09-14T02:57:58Z INF HomePage=https://ecapture.cc
2024-09-14T02:57:58Z INF Repository=https://github.com/gojue/ecapture
2024-09-14T02:57:58Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-14T02:57:58Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-14T02:57:58Z INF Version=androidgki_arm64:v0.8.6:6.5.0-1025-azure
2024-09-14T02:57:58Z INF Listen=localhost:28256
2024-09-14T02:57:58Z INF eCapture running logs logger=
2024-09-14T02:57:58Z INF the file handler that receives the captured event eventCollector=
2024-09-14T02:57:58Z WRN ========== module starting. ==========
2024-09-14T02:57:58Z INF listen=localhost:28256
2024-09-14T02:57:58Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-14T02:57:58Z INF Kernel Info=6.1.57 Pid=4472
2024-09-14T02:57:58Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-14T02:57:58Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-14T02:57:58Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-14T02:57:58Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:57:58Z INF Module.Run()
2024-09-14T02:57:58Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-09-14T02:57:58Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-09-14T02:57:58Z INF target all process.
2024-09-14T02:57:58Z INF target all users.
2024-09-14T02:57:58Z INF setupManagers eBPFProgramType=Text
2024-09-14T02:57:58Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-09-14T02:57:59Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:57:59Z INF perfEventReader created mapSize(MB)=4
2024-09-14T02:57:59Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-14T02:58:03Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:58:03Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=8.8.8.8:0 fd=67 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=192.168.1.1:53 fd=70 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=8.8.8.8:0 fd=67 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=192.168.1.1:53 fd=67 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=8.8.8.8:0 fd=73 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=192.168.1.1:53 fd=73 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=8.8.8.8:0 fd=49 pid=1511
2024-09-14T02:58:10Z DBG AddConn success address=192.168.1.1:53 fd=49 pid=1511

Expected behavior: HTTPS traffic is displayed.


cfc4n commented 3 days ago

> ERR SSLDataEvent's fd is 0 address= fd=0 pid=354

This error does not affect usage; it only means that the IP and port of the current network packet could not be matched.

Alternatively, you can use pcapng mode.

NPC2000 commented 3 days ago

> > ERR SSLDataEvent's fd is 0 address= fd=0 pid=354
>
> This error does not affect usage; it only means that the IP and port of the current network packet could not be matched.
>
> Alternatively, you can use pcapng mode.

So on newer kernels eCapture can no longer capture HTTPS?

cfc4n commented 3 days ago

Please provide an example where capture fails.

NPC2000 commented 3 days ago

> Please provide an example where capture fails.

On a OnePlus Ace 3V (kernel 6.1.57-android14-11-o-g1e5dcecb337f), running ./ecapture tls and then opening any app shows no HTTPS packets at all.

NPC2000 commented 3 days ago

> Please provide an example where capture fails.

It is the same situation as this issue, except that for me it happens with every app:

https://github.com/gojue/ecapture/issues/595

cfc4n commented 3 days ago

First confirm that the library being hooked is the one your app actually uses.

Once confirmed, specify it with the libssl parameter and try again.

NPC2000 commented 3 days ago

> First confirm that the library being hooked is the one your app actually uses.
>
> Once confirmed, specify it with the libssl parameter and try again.

I tried this and still get nothing:

OP5CFBL1:/data/local/tmp # ps -e | grep "bin.mt.plus"
u0_a334      32285  1540    7981764 311976 __arm64_sys_epoll_pwait 0 S bin.mt.plus
OP5CFBL1:/data/local/tmp # cat /proc/32285/maps | grep "libssl"
7461440000-746145f000 r--p 00000000 07:130 166                           /apex/com.android.conscrypt/lib64/libssl.so
746145f000-746149d000 r-xp 0001f000 07:130 166                           /apex/com.android.conscrypt/lib64/libssl.so
746149d000-74614a0000 r--p 0005d000 07:130 166                           /apex/com.android.conscrypt/lib64/libssl.so
74614a0000-74614a1000 rw-p 0005f000 07:130 166                           /apex/com.android.conscrypt/lib64/libssl.so
OP5CFBL1:/data/local/tmp # lsof -p 32285 | grep ssl
bin.mt.plus 32285    u0_a334  mem       REG              7,304    401632        166 /apex/com.android.conscrypt/lib64/libssl.so
OP5CFBL1:/data/local/tmp # ./ecapture tls -p 32285 --libssl /apex/com.android.conscrypt/lib64/libssl.so
2024-09-15T04:35:50Z INF AppName="eCapture(旁观者)"
2024-09-15T04:35:50Z INF HomePage=https://ecapture.cc
2024-09-15T04:35:50Z INF Repository=https://github.com/gojue/ecapture
2024-09-15T04:35:50Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-15T04:35:50Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-15T04:35:50Z INF Version=androidgki_arm64:v0.8.6:6.5.0-1025-azure
2024-09-15T04:35:50Z INF Listen=localhost:28256
2024-09-15T04:35:50Z INF eCapture running logs logger=
2024-09-15T04:35:50Z INF the file handler that receives the captured event eventCollector=
2024-09-15T04:35:50Z WRN ========== module starting. ==========
2024-09-15T04:35:50Z INF Kernel Info=6.1.57 Pid=1128
2024-09-15T04:35:50Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-09-15T04:35:50Z INF listen=localhost:28256
2024-09-15T04:35:50Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-15T04:35:50Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-15T04:35:50Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-15T04:35:50Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-15T04:35:50Z INF Module.Run()
2024-09-15T04:35:50Z INF OpenSSL/BoringSSL version found BoringSSL Version=14
2024-09-15T04:35:50Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-09-15T04:35:50Z INF target process. target PID=32285
2024-09-15T04:35:50Z INF target all users.
2024-09-15T04:35:50Z INF setupManagers eBPFProgramType=Text
2024-09-15T04:35:50Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2024-09-15T04:35:51Z INF perfEventReader created mapSize(MB)=4
2024-09-15T04:35:51Z INF perfEventReader created mapSize(MB)=4
2024-09-15T04:35:51Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL

No matter what I do in the app (check for updates, refresh the user, download plugins, etc.), no HTTPS traffic is displayed.

cfc4n commented 3 days ago

My guess is that these apps probably do not use the system .so for encryption; they merely load it, and there may be another library actually in use. Could you verify on a different phone? Ideally a different model with a different kernel version.

NPC2000 commented 3 days ago

> My guess is that these apps probably do not use the system .so for encryption; they merely load it, and there may be another library actually in use. Could you verify on a different phone? Ideally a different model with a different kernel version.

OK, thanks. I'll try another phone.

NPC2000 commented 1 day ago

> My guess is that these apps probably do not use the system .so for encryption; they merely load it, and there may be another library actually in use. Could you verify on a different phone? Ideally a different model with a different kernel version.

My friend can capture MT Manager's HTTPS on a Pixel 6; with ecapture running, every app can be captured. It may be something the OnePlus system or kernel has changed.

cfc4n commented 1 day ago

That is something you will need to investigate yourself; I cannot do bespoke troubleshooting for such a niche problem at the moment.

NPC2000 commented 1 day ago

> That is something you will need to investigate yourself; I cannot do bespoke troubleshooting for such a niche problem at the moment.

All right, thanks.