Download ELF zip file release , unzip and use by command ./ecapture --help
.
cfc4n@vm-server:~$# uname -r
4.18.0-305.3.1.el8.x86_64
cfc4n@vm-server:~$# cat /boot/config-uname -r
| grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=y
capture tls text context. Step 1:
./ecapture tls –hex
Step 2:
curl https://github.com
for installed libressl, libssl.so.52 is the dynamic ssl lib
vm@vm-server:~$ ldd /usr/local/bin/openssl
linux-vdso.so.1 (0x00007ffc82985000)
libssl.so.52 => /usr/local/lib/libssl.so.52 (0x00007f1730f9f000)
libcrypto.so.49 => /usr/local/lib/libcrypto.so.49 (0x00007f1730d8a000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1730b62000)
/lib64/ld-linux-x86-64.so.2 (0x00007f17310b2000)
use the libssl to config the libssl.so path
vm@vm-server:~$ sudo ./ecapture tls –libssl=”/usr/local/lib/libssl.so.52″ –hex
in another terminal, use the command, then type some string, watch the output of ecapture
vm@vm-server:~$ /usr/local/bin/openssl s_client -connect github.com:443
for installed boringssl, usage is the same
/path/to/bin/bssl s_client -connect github.com:443
capture bash command.
ps -ef | grep foo
eCapture hookSSL_write
\ SSL_read
function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1
. get text context, and send message to user space by eBPF maps.
Probes: []manager.Probe{ { Section: “uprobe/SSL_write”, EbpfFuncName: “probe_entry_SSL_write”, AttachToFuncName: “SSL_write”, //UprobeOffset: 0x386B0, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uretprobe/SSL_write”, EbpfFuncName: “probe_ret_SSL_write”, AttachToFuncName: “SSL_write”, //UprobeOffset: 0x386B0, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uprobe/SSL_read”, EbpfFuncName: “probe_entry_SSL_read”, AttachToFuncName: “SSL_read”, //UprobeOffset: 0x38380, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uretprobe/SSL_read”, EbpfFuncName: “probe_ret_SSL_read”, AttachToFuncName: “SSL_read”, //UprobeOffset: 0x38380, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, /*/
},
hook /bin/bash
symbol name readline
.
Linux Kernel: >= 4.18.
git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture –help
eCapture support NO BTF with command make nocore
to compile on 2022/04/17.
make nocore
bin/ecapture –help
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…