gojue/ecapture

Undecrypted traffic from the gotls module


ecapture_mess

Platform: x86_64
ecapture version: 0.8.6-20240906-a335b44
Kernel version: 4.18.0
Golang version: 1.22.0
Usage: ./ecapture gotls --elfpath /data1/test/gotls/main --hex

The HTTP request headers are all visible, so this is already unencrypted content. It is just that the body is zip-compressed at the HTTP layer. You can use the pcapng mode.

Also, when posting log output, it is best to include it as text as well; sometimes images do not load.
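To make the maintainer's point concrete, here is an added example (not code from the ecapture project) that takes one captured HTTP message, splits it at the end of the headers, and inflates the body when it begins with the gzip magic bytes 1f 8b. It assumes the compression the maintainer refers to is a gzip Content-Encoding; the sample response is constructed inline, not real captured traffic.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strconv"
)

// gzipMagic is the two-byte header every gzip stream starts with.
var gzipMagic = []byte{0x1f, 0x8b}

// splitHTTP splits a captured HTTP message at the first blank line.
func splitHTTP(msg []byte) (header, body []byte, ok bool) {
	i := bytes.Index(msg, []byte("\r\n\r\n"))
	if i < 0 {
		return msg, nil, false
	}
	return msg[:i+4], msg[i+4:], true
}

// isGzip reports whether the body starts with the gzip magic bytes. This is why
// a capture can look "still encrypted" after TLS has been stripped: the bytes
// are high-entropy compressed data, not ciphertext.
func isGzip(body []byte) bool {
	return bytes.HasPrefix(body, gzipMagic)
}

// inflateBody returns the body unchanged when it is not gzip, otherwise
// decompresses it. Output is capped at 1 MiB so a hostile or corrupt stream
// cannot exhaust memory.
func inflateBody(body []byte) ([]byte, error) {
	if !isGzip(body) {
		return body, nil
	}
	zr, err := gzip.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(io.LimitReader(zr, 1<<20))
}

// decodeCaptured takes one captured HTTP message and returns its header
// block and a readable body.
func decodeCaptured(msg []byte) (header, body string, err error) {
	h, b, ok := splitHTTP(msg)
	if !ok {
		return "", "", fmt.Errorf("no end of headers found")
	}
	plain, err := inflateBody(b)
	if err != nil {
		return string(h), "", err
	}
	return string(h), string(plain), nil
}

// buildSample constructs a gzip-encoded HTTP response. This is constructed
// test data for the example, not traffic captured by ecapture.
func buildSample() []byte {
	var z bytes.Buffer
	w := gzip.NewWriter(&z)
	w.Write([]byte("hello from gotls\n"))
	w.Close()
	hdr := "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Encoding: gzip\r\n" +
		"Content-Length: " + strconv.Itoa(z.Len()) + "\r\n\r\n"
	return append([]byte(hdr), z.Bytes()...)
}

func main() {
	msg := buildSample()
	_, raw, _ := splitHTTP(msg)
	h, b, err := decodeCaptured(msg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(h)
	fmt.Printf("raw body gzip=%v, inflated body: %q\n", isGzip(raw), b)
}
```

Run it on a real capture by replacing buildSample() with the bytes of one HTTP message from the --hex output; chunked transfer encoding would need to be de-chunked before inflating, which this example does not do.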

The first part is the HTTP header that was sent; the following part should start with the received header, but that part was not captured. I debugged it, and the problem appears to be in obtaining ret_len: my Go version passes return values through registers. I will submit a patch to fix it.

I tested locally and could not reproduce this issue. Is something wrong somewhere?

2024-09-28T01:30:15Z INF AppName="eCapture(旁观者)"
2024-09-28T01:30:15Z INF HomePage=https://ecapture.cc
2024-09-28T01:30:15Z INF Repository=https://github.com/gojue/ecapture
2024-09-28T01:30:15Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-09-28T01:30:15Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-28T01:30:15Z INF Version=linux_arm64:0.8.6-20240915-136069e:5.15.0-113-generic
2024-09-28T01:30:15Z INF Listen=localhost:28256
2024-09-28T01:30:15Z INF eCapture running logs logger=
2024-09-28T01:30:15Z INF the file handler that receives the captured event eventCollector=
2024-09-28T01:30:15Z INF listen=localhost:28256
2024-09-28T01:30:15Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-28T01:30:15Z INF Kernel Info=5.15.163 Pid=8756
2024-09-28T01:30:15Z INF BTF bytecode mode: CORE. btfMode=0
2024-09-28T01:30:15Z INF GoTlsProbe init keylogFile= model=Text
2024-09-28T01:30:15Z INF module initialization. isReload=false moduleName=EBPFProbeGoTLS
2024-09-28T01:30:15Z INF HOOK type:Golang elf GoVersion=go1.21.6 binrayPath=./tests/golang_https buildInfo=" -buildmode=exe -compiler=gc CGO_ENABLED=1 GOARCH=arm64 GOOS=linux" isRegisterABI=true
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164CD0
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164CF8
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164D5C
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164E78
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164EA8
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164F08
2024-09-28T01:30:15Z INF golang uretprobe added. function=crypto/tls.(*Conn).Read offset=164F24
2024-09-28T01:30:15Z INF target all process.
2024-09-28T01:30:15Z INF target all users.
2024-09-28T01:30:15Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/gotls_kern_core.o
2024-09-28T01:30:15Z INF perfEventReader created mapSize(MB)=4
2024-09-28T01:30:15Z INF module started successfully. isReload=false moduleName=EBPFProbeGoTLS
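The reporter's diagnosis (ret_len read wrongly for a register-ABI Go binary) and the isRegisterABI=true field in the log above both depend on knowing which calling convention a target binary uses. This added example (my own code, not ecapture's) reads a binary's build info with the standard library's debug/buildinfo package and decides whether the register-based internal ABI applies: amd64 since go1.17, arm64/ppc64/ppc64le since go1.18; other architectures are treated as stack-based, which is an assumption rather than a full table. The goabi command name is hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goMinor parses a toolchain version such as "go1.22.0", "go1.21.6" or
// "go1.22rc1" into its minor number. Only the 1.x line is handled.
func goMinor(goVersion string) (int, bool) {
	parts := strings.SplitN(strings.TrimPrefix(goVersion, "go"), ".", 3)
	if len(parts) < 2 || parts[0] != "1" {
		return 0, false
	}
	digits := parts[1]
	for i, c := range digits {
		if c < '0' || c > '9' {
			digits = digits[:i] // drop "rc1", "beta2" and similar suffixes
			break
		}
	}
	m, err := strconv.Atoi(digits)
	return m, err == nil
}

// usesRegisterABI reports whether binaries built by this toolchain for this
// GOARCH pass arguments and results in registers (ABIInternal):
// amd64 since go1.17, arm64/ppc64/ppc64le since go1.18. Any other
// architecture is assumed stack-based here (assumption, not a complete table).
func usesRegisterABI(goVersion, goarch string) bool {
	m, ok := goMinor(goVersion)
	if !ok {
		return false
	}
	switch goarch {
	case "amd64":
		return m >= 17
	case "arm64", "ppc64", "ppc64le":
		return m >= 18
	}
	return false
}

// retLenLocation describes where the first integer result, the n in
// (*Conn).Read's (n int, err error), lives when a uretprobe fires. A probe
// that reads the stack slot on a register-ABI binary gets garbage for ret_len,
// which is the failure mode discussed in this issue.
func retLenLocation(register bool, goarch string) string {
	if !register {
		return "on the stack after the arguments (ABI0)"
	}
	switch goarch {
	case "amd64":
		return "register RAX"
	case "arm64":
		return "register R0"
	}
	return "first integer result register of " + goarch
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("usage: goabi <go-binary>")
		os.Exit(2)
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	goarch := ""
	for _, s := range info.Settings {
		if s.Key == "GOARCH" {
			goarch = s.Value
		}
	}
	reg := usesRegisterABI(info.GoVersion, goarch)
	fmt.Printf("GoVersion=%s GOARCH=%s isRegisterABI=%v ret_len=%s\n",
		info.GoVersion, goarch, reg, retLenLocation(reg, goarch))
}
```

Applied to the two builds in this thread, go1.22.0 on x86_64 and go1.21.6 on arm64 both come out as register ABI, so a probe has to read n from RAX or R0 respectively rather than from the stack.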