Ecapture – Capture SSL/TLS Text Content Without CA Cert By eBPF
How eCapture works
- SSL/TLS text context capture, support opensslgnutlsnspr(nss) libraries.
- bash audit,
eCapture User Manual
Getting started
use ELF binary file
Download ELF zip file release , unzip and use by command
./ecapture --help
.- Linux kernel version >= 4.18
- Enable BTF BPF Type Format (BTF) (Optional, 2022-04-17)
check your server BTF config:
grep CONFIG_DEBUG_INFO_BTF CONFIG_DEBUG_INFO_BTF=y”>cfc4n@vm-server:~$# uname -r
4.18.0-305.3.1.el8.x86_64
cfc4n@vm-server:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=ytls command
capture tls text context. Step 1:
./ecapture tls --hex
Step 2:
curl https://github.com
bash command
capture bash command.
ps -ef | grep foo
What’s eBPF
eBPF
uprobe HOOK
openssl hook
eCapture hook
SSL_write
SSL_read
function of shared library/lib/x86_64-linux-gnu/libssl.so.1.1
. get text context, and send message to user space by eBPM map.Probes: []*manager.Probe{
{
Section: "uprobe/SSL_write",
EbpfFuncName: "probe_entry_SSL_write",
AttachToFuncName: "SSL_write",
//UprobeOffset: 0x386B0,
BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
},
{
Section: "uretprobe/SSL_write",
EbpfFuncName: "probe_ret_SSL_write",
AttachToFuncName: "SSL_write",
//UprobeOffset: 0x386B0,
BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
},
{
Section: "uprobe/SSL_read",
EbpfFuncName: "probe_entry_SSL_read",
AttachToFuncName: "SSL_read",
//UprobeOffset: 0x38380,
BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
},
{
Section: "uretprobe/SSL_read",
EbpfFuncName: "probe_ret_SSL_read",
AttachToFuncNa me: "SSL_read",
//UprobeOffset: 0x38380,
BinaryPath: "/lib/x86_64-linux-gnu/libssl.so.1.1",
},
/**/
},bash readline.so hook
hook
/bin/bash
readline
symbol name.How to compile
Linux Kernel: >= 4.18.
Tools
- golang 1.16
- gcc 10.3.0
- clang 9.0.0
- cmake 3.18.4
- clang backend: llvm 9.0.0
- pahole >= v1.13
- kernel config:CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)
command
git clone [email protected]:ehids/ecapture.git
cd ecapture
make
bin/ecapture --helpcompile without BTF
eCapture support NO BTF with command
make nocore
to compile on 2022/04/17.make nocore
bin/ecapture --helpContributing
See CONTRIBUTING for details on submitting patches and the contribution workflow.
Download Ecapture
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.