Comments (11)
Yes, my test code also used this link.
from ecapture.
Please give more detailed error information.
from ecapture.
I'm using tls-client lib with Python (a wrapper around Go shared object)
tls-client library link (.so file)
Python code example here link
The above Python code loads the .so file compiled from the Go code into the memory and then is used to execute the requests at the Go side.
What I'm doing with ecapture is:
- Start capturing using the shared object file:
  `./ecapture gotls --elfpath="tls-client-x86.so" --hex`
- Start the Python script as normal (load tls-client-x86.so in memory).
- Make TLS/HTTPS requests through the compiled .so file; commands are passed from the Python code, but requests are made at the Go side.
After all the above processes there is no traffic being intercepted by ecapture. (I'm not sure if .so also needs linking with the Python or maybe some extra stuff is also required.)
from ecapture.
eCapture can correctly analyze this dynamic link library and correctly find the offset address of the symbol `crypto/tls.(*Conn).Read`.
However, it did not capture this communication. I am unable to determine where the issue lies, and I also do not have the time to analyze this library. I suggest you debug it yourself to confirm whether the `crypto/tls` functions are not being used.
```
sudo bin/ecapture gotls -m text --elfpath=/home/cfc4n/project/python-test/tls-client-linux-arm64-1.7.5.so
[sudo] password for cfc4n:
2024-05-22T14:44:45Z INF AppName="eCapture(旁观者)"
2024-05-22T14:44:45Z INF HomePage=https://ecapture.cc
2024-05-22T14:44:45Z INF Repository=https://github.com/gojue/ecapture
2024-05-22T14:44:45Z INF Author="CFC4N <[email protected]>"
2024-05-22T14:44:45Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-05-22T14:44:45Z INF Version=linux_arm64:0.7.7-20240303-bfb4a8c:5.15.0-105-generic
2024-05-22T14:44:45Z INF listen=localhost:28256
2024-05-22T14:44:45Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-05-22T14:44:45Z WRN ========== module starting. ==========
2024-05-22T14:44:45Z INF Kernel Info=5.15.148 Pid=231170
2024-05-22T14:44:45Z INF BTF bytecode mode: CORE. btfMode=0
2024-05-22T14:44:45Z INF GoTlsProbe init keylogFile= model=Text
2024-05-22T14:44:45Z INF module initialization. isReload=false moduleName=EBPFProbeGoTLS
2024-05-22T14:44:45Z INF Module.Run()
2024-05-22T14:44:45Z INF HOOK type:Golang elf GoVersion=go1.20 binrayPath=/home/cfc4n/project/python-test/tls-client-linux-arm64-1.7.5.so buildInfo=" -buildmode=c-shared -compiler=gc CGO_ENABLED=1 GOARCH=arm64 GOOS=linux vcs=git vcs.revision=a0890ed4f1cd67d5e33ffcb2985c7620c3432eb9 vcs.time=2024-05-01T17:59:26Z vcs.modified=true" isRegisterABI=true
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=286848
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=286870
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=2868D4
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=2869F0
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=286A20
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=286A80
2024-05-22T14:44:45Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=286A9C
2024-05-22T14:44:45Z INF target all process.
2024-05-22T14:44:45Z INF target all users.
2024-05-22T14:44:45Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/gotls_kern_core.o
2024-05-22T14:44:45Z INF perfEventReader created mapSize(MB)=4
2024-05-22T14:44:45Z INF module started successfully. isReload=false moduleName=EBPFProbeGoTLS
```
from ecapture.
Thanks for the update, I'll debug the library this weekend.
Can you also confirm if you tested the Python side of the code using this link? Or if there is any other example code you used, please refer me to the link.
Thanks
from ecapture.
I did debug the library and I can confirm that `crypto/tls` is being used in the lib.
There are multiple methods for `crypto/tls` being used when we submit a request to the client, but ecapture is not able to intercept any.
I'm also not sure why you marked this issue as completed and closed this, but the issue is probably somewhere with ecapture not being able to capture the communication.
from ecapture.
I think this may not be related to eCapture; if you need it, you can open it. Feel free to share your new findings.
from ecapture.
I tried all possible ways I could have thought of, but ecapture doesn't seem to hook into the dynamic lib properly, though it does find the offset addresses correctly. Something doesn't seem to be right while the shared lib is loaded into the memory and does perform all the `crypto/tls` operations.
I'm closing this for now because I have managed to directly hook into `crypto/tls` methods to fetch the `SSLKEYLOGFILE` from the dynamically loaded lib without ecapture. I will probably open it again if I find more on this in the future.
from ecapture.
In the source code of the library, it can be seen that it uses a custom TLS handshake packet, instead of the official implementation by golang.

```go
conn := tls.UClient(rawConn, tlsConfig, rt.clientHelloId, rt.withRandomTlsExtensionOrder, rt.forceHttp1)
if err = conn.HandshakeContext(ctx); err != nil {
	_ = conn.Close()
	return nil, err
}
err = rt.certificatePinner.Pin(conn, host)
if err != nil {
	return nil, err
}
```

About tls.UClient
`tls.UClient` uses the package bogdanfinn/utls. As the project introduction says:
> uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, low-level access to handshake, fake session tickets and some other features. Handshake is still performed by "crypto/tls", this library merely changes ClientHello part of it and provides low-level access.

So, this is not a flaw of eCapture; you need to study the project and find the appropriate HOOK symbol.
Solution
You can change the hook symbol `crypto/tls.(*Config).writeKeyLog` to `github.com/bogdanfinn/utls.(*Config).writeKeyLog`, which may solve your problem.
ecapture/user/config/config_gotls.go
Lines 31 to 35 in 8e25629
from ecapture.
Thanks for looking into it, this works :)
from ecapture.
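An added example, not part of the thread or of eCapture's code: a small Go program that lists which packages inside a Go ELF file define the methods named above, so the hook symbol can be matched to the TLS implementation the library actually calls (here the `github.com/bogdanfinn/utls` fork rather than `crypto/tls`). It assumes the file still carries a symbol table; the program name `hooksyms` and the function `hookCandidates` are made up for this example.

```go
package main

import (
	"debug/elf"
	"fmt"
	"log"
	"os"
	"strings"
)

// Methods named in the thread; only the package prefix differs in a fork.
var hookSuffixes = []string{".(*Config).writeKeyLog", ".(*Conn).Read"}

// hookCandidates groups symbol names by the method suffix they end with, so
// every TLS implementation linked into the binary shows up by package path.
func hookCandidates(symbols []string) map[string][]string {
	out := make(map[string][]string)
	for _, name := range symbols {
		for _, suf := range hookSuffixes {
			if strings.HasSuffix(name, suf) {
				out[suf] = append(out[suf], name)
			}
		}
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: hooksyms <go-elf-file>") // hypothetical tool name
	}
	f, err := elf.Open(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()
	syms, err := f.Symbols() // returns elf.ErrNoSymbols on a stripped file
	if err != nil {
		log.Fatal(err)
	}
	names := make([]string, 0, len(syms))
	for _, s := range syms {
		names = append(names, s.Name)
	}
	for suf, found := range hookCandidates(names) {
		fmt.Printf("%s:\n  %s\n", suf, strings.Join(found, "\n  "))
	}
}
```

When a method appears under more than one package path, probes on the `crypto/tls` copy attach without error but never fire if the application only calls the fork, which matches the symptom reported in this thread.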