ecapture v0.5 releases: capture SSL/TLS text content without CA cert

ecapture

Capture SSL/TLS plaintext without a CA certificate, using eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to the kernel source code or loading kernel modules.

uprobe HOOK

openssl hook

eCapture hooks the SSL_write and SSL_read functions of the shared library /lib/x86_64-linux-gnu/libssl.so.1.1, reads the plaintext buffer, and sends it to userspace through an eBPF map.

Probes: []*manager.Probe{
	{
		Section:          "uprobe/SSL_write",
		EbpfFuncName:     "probe_entry_SSL_write",
		AttachToFuncName: "SSL_write",
		//UprobeOffset:   0x386B0,
		BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
	},
	{
		Section:          "uretprobe/SSL_write",
		EbpfFuncName:     "probe_ret_SSL_write",
		AttachToFuncName: "SSL_write",
		//UprobeOffset:   0x386B0,
		BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
	},
	{
		Section:          "uprobe/SSL_read",
		EbpfFuncName:     "probe_entry_SSL_read",
		AttachToFuncName: "SSL_read",
		//UprobeOffset:   0x38380,
		BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
	},
	{
		Section:          "uretprobe/SSL_read",
		EbpfFuncName:     "probe_ret_SSL_read",
		AttachToFuncName: "SSL_read",
		//UprobeOffset:   0x38380,
		BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
	},
	/**/
},
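The probes above only deliver raw records through the eBPF map; the userspace half has to decode them safely. The following is an added example (not eCapture's own code) showing how such a record could be decoded: the struct layout, the field names and the 64-byte buffer size are assumptions made for this example. It handles the two failure modes a practitioner runs into: a negative return value from SSL_read/SSL_write (no plaintext exists) and a return value larger than the buffer the probe was able to copy (the payload was truncated and the length must be clamped).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// Constructed record layout, an assumption for this example rather than eCapture's real
// struct: the probes write one record per SSL call into the eBPF map, userspace decodes it.
const maxData = 64 // kept small for the example; the real buffer is far larger
type sslEvent struct {
	Pid     uint32
	Kind    uint32 // 0 = SSL_read (buffer is valid only at the uretprobe), 1 = SSL_write
	DataLen int32  // return value of the SSL call: bytes actually read or written
	Comm    [16]byte
	Data    [maxData]byte
}
type Plaintext struct {
	Pid       uint32
	Comm, Dir string
	Data      []byte
}

func decodeEvent(raw []byte) (Plaintext, error) {
	var ev sslEvent
	if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev); err != nil {
		return Plaintext{}, err
	}
	n := int(ev.DataLen)
	if n < 0 { // negative return value: the SSL call failed, there is no plaintext
		return Plaintext{}, errors.New("ssl call failed, no payload")
	}
	if n > maxData { // the probe copies at most maxData bytes; more means truncated,
		n = maxData //   so DataLen must never be used directly as a slice bound
	}
	dir := [...]string{"SSL_read", "SSL_write"}[ev.Kind&1]
	comm := string(bytes.TrimRight(ev.Comm[:], "\x00"))
	return Plaintext{Pid: ev.Pid, Comm: comm, Dir: dir, Data: append([]byte(nil), ev.Data[:n]...)}, nil
}

// encodeEvent builds a record the way the probe would; used here for constructed input.
func encodeEvent(pid, kind uint32, comm string, ret int32, payload []byte) []byte {
	ev := sslEvent{Pid: pid, Kind: kind, DataLen: ret}
	copy(ev.Comm[:], comm)
	copy(ev.Data[:], payload)
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, &ev) // fixed-size struct, cannot fail
	return buf.Bytes()
}
```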
bash readline.so hook

Hooks the readline symbol of /bin/bash.

How eCapture works

  • SSL/TLS plaintext capture, supporting the openssl, gnutls and nspr (nss) libraries.
  • bash audit: captures bash commands for host security auditing.
  • MySQL query (SQL) audit, supporting mysqld 5.6/5.7/8.0 and MariaDB.

eCapture Architecture

Changelog v0.5

Breaking Changes

  1. Support for capturing the plaintext of TLS/HTTPS traffic from programs written in Golang.
  2. Refactored the way parameters are obtained from the Golang ABI (supports both the register-based and the stack-based ABI).

Run ./ecapture gotls -h for details.

What’s Changed

  • fix: typo in the section name by @spacewander in #311
  • user : increase buffer size of ebpf map. (improve #291 , #314) by @cfc4n in #315
  • build(deps): bump golang.org/x/net from 0.0.0-20211112202133-69e39bad7dc2 to 0.7.0 by @dependabot in #320
  • refactor : rename Golang TLS module name to gotls from gossl . by @cfc4n in #319
  • refactor: Use camel case instead of snake case. by @cfc4n in #321
  • kern: fix typo in bpf_tracing.h by @eltociear in #323
  • Add JA readme by @eltociear in #324
  • Gotls crash : incorrect variable used. (fixes:#322) by @cfc4n in #325
  • kern: refactor golang ABI by register and stack. by @cfc4n in #326
  • feat: add Gotls master secrets module. by @cfc4n in #329

How to compile

Linux kernel: >= 4.18.

Tools

  • golang 1.16
  • gcc 10.3.0
  • clang 12.0.0
  • cmake 3.18.4
  • clang backend: llvm 12.0.0
  • pahole >= v1.13
  • kernel config: CONFIG_DEBUG_INFO_BTF=y

Install

git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture

Use

Copyright (C) 2022 cfc4n