gojue / ecapture

Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.

Home Page:https://ecapture.cc


In v0.7.6, the gotls module works exceptionally in pie mode on x64 platform.

sancppp opened this issue

Describe the bug
In v0.7.6, the gotls module works exceptionally in pie mode on x64 platform.
In v0.7.5, gotls works fine with this example.

Screenshots
v0.7.6: (screenshot)

v0.7.5: (screenshot)

Linux Server/Android (please complete the following information):

  • Env:
---------------------------------------
eCapture Makefile Environment:
---------------------------------------
PARALLEL                 16
----------------[ from args ]---------------
CROSS_ARCH               
ANDROID                  0
DEBUG                    0
---------------------------------------
UNAME_M                  x86_64
UNAME_R                  6.5.0-26-generic
CLANG_VERSION            12
GO_VERSION               1.21
---------------------------------------
CMD_CLANG                clang
CMD_GIT                  git
CMD_GO                   go
CMD_INSTALL              install
CMD_LLC                  llc
CMD_MD5                  md5sum
CMD_PKGCONFIG            pkg-config
CMD_STRIP                llvm-strip
---------------------------------------
VERSION                  0.7.6-20240330-3486f5b
LAST_GIT_TAG             0.7.6-20240330-3486f5b
BPF_NOCORE_TAG           6_5_0-26-generic.0_7_6-20240330-3486f5b
CROSS_COMPILE            
KERN_RELEASE             6.5.0-26-generic
KERN_BUILD_PATH          /lib/modules/6.5.0-26-generic/build
KERN_SRC_PATH            /lib/modules/6.5.0-26-generic/build
TARGET_ARCH              x86_64
GOARCH                   amd64
LINUX_ARCH               x86
LIBPCAP_ARCH             x86_64-unknown-linux-gnu
AUTOGENCMD               test -f kern/bpf/x86/vmlinux.h || bpftool btf dump file /sys/kernel/btf/vmlinux format c > kern/bpf/x86/vmlinux.h
---------------------------------------
rpmdev-setuptree         rpmdev-setuptree
tar                      tar
rpmbuild                 rpmbuild
---------------------------------------
  • OS: Ubuntu 22.04
  • Arch: x86_64
  • Kernel Version: 6.5.0
  • Version: 0.7.6


fixed by #516

I did a simple test of v0.7.6 and PR#516 in an x64 Ubuntu 22.04 environment.

The test was to execute the command sudo ./bin/ecapture gotls --elfpath=/usr/bin/dockerd --hex while executing docker login in another terminal.

The result shows that eCapture was able to correctly find the crypto/tls.(*Conn).Read symbol entry, but was unable to locate the RET instruction:
(screenshot)

At the same time, docker login returns a connect error:
(screenshot)


I think the connect error issue probably has nothing to do with the hook position. The hook here is looking for the RET instruction to hook, so it shouldn't affect network communication. There must be another reason, maybe it's just a sporadic network failure.

It looks like eCapture is indeed affecting docker's network communication.

Normally docker login should return Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password, however eCapture intervenes and returns an EOF error, while docker pull also returns an EOF error.

The test is relatively simple. I'm not sure if eCapture hooking other golang projects (buildmode=pie) would cause the same thing.

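The test in the comments above hooks crypto/tls.(*Conn).Read in a -buildmode=pie dockerd at its entry and at its RET instructions (Go tools use plain uprobes on the RETs instead of kernel uretprobes because goroutine stacks can move, which makes return-address patching unsafe). The program below is an added example, not eCapture's code, showing the two things such a hooker has to get right on a PIE target: translating the symbol's link-time virtual address into a file offset through the containing PT_LOAD segment rather than assuming vaddr == offset (on an ET_DYN binary the two are unrelated to the load address), and refusing to arm a half-configured hook when the entry is found but no RET is. The default path, the uprobe group name gotls_demo and the event names are assumptions chosen for illustration; the RET search is a byte scan that a real tool must confirm with a disassembler, because a probe written mid-instruction corrupts the traced process instead of observing it.

```go
package main

import (
	"debug/elf"
	"errors"
	"fmt"
	"os"
)

// Added example, not eCapture code. Symbol name, default path and the
// uprobe group/event names are assumptions chosen for illustration.
const (
	goTLSReadSym = "crypto/tls.(*Conn).Read"
	defaultELF   = "/usr/bin/dockerd"
	probeGroup   = "gotls_demo" // hypothetical tracefs group name
)

// x86-64 near return opcode. Go emits plain 0xC3.
const opRET byte = 0xC3

// hookPlan is where a gotls-style hooker would arm its uprobes.
type hookPlan struct {
	PIE      bool     // ET_DYN (-buildmode=pie): load address != link address
	EntryOff uint64   // file offset of the function entry
	RetOffs  []uint64 // file offsets of candidate RET instructions
}

// loadSegment returns the PT_LOAD segment whose file-backed bytes contain vaddr.
// The zero-filled .bss tail (Memsz > Filesz) has no file bytes and is excluded.
func loadSegment(progs []*elf.Prog, vaddr uint64) (*elf.Prog, error) {
	for _, p := range progs {
		if p.Type == elf.PT_LOAD && vaddr >= p.Vaddr && vaddr < p.Vaddr+p.Filesz {
			return p, nil
		}
	}
	return nil, fmt.Errorf("vaddr 0x%x is not backed by any PT_LOAD segment", vaddr)
}

// vaddrToFileOffset is the translation uprobes need: they are keyed by file
// offset, while .symtab stores link-time virtual addresses. The segment table
// is the only correct source for both ET_EXEC and PIE (ET_DYN) binaries.
func vaddrToFileOffset(progs []*elf.Prog, vaddr uint64) (uint64, error) {
	p, err := loadSegment(progs, vaddr)
	if err != nil {
		return 0, err
	}
	return vaddr - p.Vaddr + p.Off, nil
}

// candidateRetOffsets returns file offsets of RET opcodes in a function body
// that starts at file offset funcOff. Byte scan only: 0xC3 can also be an
// operand or immediate byte, so each hit must be confirmed as an instruction
// boundary with a real decoder before a probe (int3) is written there.
func candidateRetOffsets(code []byte, funcOff uint64) []uint64 {
	var offs []uint64
	for i, b := range code {
		if b == opRET {
			offs = append(offs, funcOff+uint64(i))
		}
	}
	return offs
}

// planGoTLSHooks resolves symName in f and computes entry and RET offsets.
func planGoTLSHooks(f *elf.File, symName string) (*hookPlan, error) {
	syms, err := f.Symbols()
	if err != nil {
		return nil, fmt.Errorf("no .symtab (stripped binary?): %w", err)
	}
	var sym *elf.Symbol
	for i := range syms {
		if syms[i].Name == symName {
			sym = &syms[i]
			break
		}
	}
	if sym == nil {
		return nil, fmt.Errorf("symbol %q not found", symName)
	}
	if sym.Size == 0 {
		return nil, errors.New("symbol has size 0, cannot bound the RET scan")
	}
	seg, err := loadSegment(f.Progs, sym.Value)
	if err != nil {
		return nil, err
	}
	code := make([]byte, sym.Size) // read only the function body, not its neighbours
	if _, err := seg.ReadAt(code, int64(sym.Value-seg.Vaddr)); err != nil {
		return nil, fmt.Errorf("reading function body: %w", err)
	}
	entry := sym.Value - seg.Vaddr + seg.Off
	plan := &hookPlan{PIE: f.Type == elf.ET_DYN, EntryOff: entry, RetOffs: candidateRetOffsets(code, entry)}
	if len(plan.RetOffs) == 0 {
		// The failure mode seen in the thread: entry found, no RET. Refuse to arm
		// a half-configured hook instead of silently tracing entries only.
		return plan, fmt.Errorf("%s: entry at 0x%x but no RET found, refusing to arm", symName, entry)
	}
	return plan, nil
}

// uprobeEventLines renders the plan in tracefs uprobe_events syntax
// (p[:[GRP/]EVENT] PATH:OFFSET), the same file offsets the uprobe PMU takes.
func uprobeEventLines(path string, plan *hookPlan) []string {
	lines := []string{fmt.Sprintf("p:%s/tls_read_entry %s:0x%x", probeGroup, path, plan.EntryOff)}
	for i, off := range plan.RetOffs {
		lines = append(lines, fmt.Sprintf("p:%s/tls_read_ret%d %s:0x%x", probeGroup, i, path, off))
	}
	return lines
}

func main() {
	path := defaultELF
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	f, err := elf.Open(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer f.Close()
	plan, err := planGoTLSHooks(f, goTLSReadSym)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: PIE=%v\n", path, plan.PIE)
	for _, l := range uprobeEventLines(path, plan) {
		fmt.Println(l)
	}
}
```

Run it as `go run . /usr/bin/dockerd` (or any unstripped Go binary) and compare the printed offsets against `readelf -lS` and `go tool objdump -s 'crypto/tls.\(\*Conn\).Read'`; on a PIE build the entry offset will not equal the symbol value, which is exactly the case a hooker that assumes vaddr == offset gets wrong.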

fixed by #516 and #517