ecapture v0.7 releases: capture SSL/TLS text content without CA cert

ecapture

capture SSL/TLS text content without CA cert by eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.

uprobe HOOK

openssl hook

eCapture hookSSL_write \ SSL_read function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1. get text context, and send message to userspace by eBPM map.

Probes: []*manager.Probe{

    {

        Section:          "uprobe/SSL_write",

        EbpfFuncName:     "probe_entry_SSL_write",

        AttachToFuncName: "SSL_write",

        //UprobeOffset:     0x386B0,

        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",

    },

    {

        Section:          "uretprobe/SSL_write",

        EbpfFuncName:     "probe_ret_SSL_write",

        AttachToFuncName: "SSL_write",

        //UprobeOffset:     0x386B0,

        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",

    },

    {

        Section:          "uprobe/SSL_read",

        EbpfFuncName:     "probe_entry_SSL_read",

        AttachToFuncName: "SSL_read",

        //UprobeOffset:     0x38380,

        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",

    },

    {

        Section:          "uretprobe/SSL_read",

        EbpfFuncName:     "probe_ret_SSL_read",

        AttachToFuncName: "SSL_read",

        //UprobeOffset:     0x38380,

        BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",

    },

    /**/

},

bash readline.so hook

hook /bin/bash readline symbol name.

Changelog v0.7

🚀 Breaking Changes

• Split nss/gnutls/openssl into three separate submodules. Corresponding to the ./ecapture nss, ./ecapture gnutls, ecapture tls commands.
• Support keylog mode, equivalent to the functionality of the SSLKEYLOGFILE environment variable. Captures SSL/TLS communication keys directly without the need for changes in the target process.
• Refactor the mode parameters supported by the openssl(aka tls) module using the -mparameter, with values text, pcap,keylog.
  • pcap mode: Set with -m pcap or -m pcapng parameters. When using this mode, it is necessary to specify --pcapfile and -i parameters. The default value for the --pcapfile parameter is ecapture_openssl.pcapng.
  • keylog mode: Set with -m keylog or -m key parameters. When using this mode, it is necessary to specify --keylogfile, defaulting to ecapture_masterkey.log.
  • text mode: Default mode when -m parameter is unspecified. Outputs all plaintext packets in text form. (As of v0.7.0, no longer captures communication keys, please use keylog mode instead.)
• Refactor the mode parameters supported by the gotls module, similar to the openssl module, without further details.
• Optimize the memory size of eBPF Map, specify with the --mapsize parameter, defaulting to 5120 KB.
• Remove the -w parameter, use --pcapfile parameter instead.
• Change log-addr parameter to logaddr, with unchanged functionality.

How to compile

Linux Kernel: >= 4.18.

Tools

• golang 1.16
• gcc 10.3.0
• clang 12.0.0
• cmake 3.18.4
• clang backend: llvm 12.0.0
• pahole >= v1.13
• kernel config:CONFIG_DEBUG_INFO_BTF=y

Install

git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture

bash readline.so hook

hook /bin/bash readline symbol name.

Use

Copyright (C) 2022 cfc4n