Download ELF zip file release , unzip and use by command ./ecapture --help
.
cfc4n@vm-server:~$# uname -r
4.18.0-305.3.1.el8.x86_64
cfc4n@vm-server:~$# cat /boot/config-uname -r
| grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=y
capture tls text context. Step 1:
./ecapture tls –hex
Step 2:
curl https://github.com
for installed libressl, libssl.so.52 is the dynamic ssl lib
vm@vm-server:~$ ldd /usr/local/bin/openssl
linux-vdso.so.1 (0x00007ffc82985000)
libssl.so.52 => /usr/local/lib/libssl.so.52 (0x00007f1730f9f000)
libcrypto.so.49 => /usr/local/lib/libcrypto.so.49 (0x00007f1730d8a000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1730b62000)
/lib64/ld-linux-x86-64.so.2 (0x00007f17310b2000)
use the libssl to config the libssl.so path
vm@vm-server:~$ sudo ./ecapture tls –libssl=”/usr/local/lib/libssl.so.52″ –hex
in another terminal, use the command, then type some string, watch the output of ecapture
vm@vm-server:~$ /usr/local/bin/openssl s_client -connect github.com:443
for installed boringssl, usage is the same
/path/to/bin/bssl s_client -connect github.com:443
capture bash command.
ps -ef | grep foo
eCapture hookSSL_write
\ SSL_read
function of shared library /lib/x86_64-linux-gnu/libssl.so.1.1
. get text context, and send message to user space by eBPF maps.
Probes: []manager.Probe{ { Section: “uprobe/SSL_write”, EbpfFuncName: “probe_entry_SSL_write”, AttachToFuncName: “SSL_write”, //UprobeOffset: 0x386B0, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uretprobe/SSL_write”, EbpfFuncName: “probe_ret_SSL_write”, AttachToFuncName: “SSL_write”, //UprobeOffset: 0x386B0, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uprobe/SSL_read”, EbpfFuncName: “probe_entry_SSL_read”, AttachToFuncName: “SSL_read”, //UprobeOffset: 0x38380, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, { Section: “uretprobe/SSL_read”, EbpfFuncName: “probe_ret_SSL_read”, AttachToFuncName: “SSL_read”, //UprobeOffset: 0x38380, BinaryPath: “/lib/x86_64-linux-gnu/libssl.so.1.1”, }, /*/
},
hook /bin/bash
symbol name readline
.
Linux Kernel: >= 4.18.
git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture –help
eCapture support NO BTF with command make nocore
to compile on 2022/04/17.
make nocore
bin/ecapture –help
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…