Ecapture - Capture SSL/TLS Text Content Without CA Cert By eBPF


SSL/TLS plaintext capture, supporting the openssl, gnutls and nspr (nss) libraries. Bash audit: captures bash commands for host security auditing. MySQL query (SQL) audit: supports mysqld 5.6, 5.7 and 8.0, and MariaDB.

Use the ELF binary file

Download the ELF zip file release, unzip it, and run ./ecapture --help.

Linux kernel version >= 4.18. Enable BTF (BPF Type Format) support in the kernel (optional since 2022-04-17).

Check your server's BTF config:

[email protected]:~$# uname -r
4.18.0-305.3.1.el8.x86_64
[email protected]:~$# cat /boot/config-`uname -r` | grep CONFIG_DEBUG_INFO_BTF
CONFIG_DEBUG_INFO_BTF=y
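The two checks above (kernel release >= 4.18 and CONFIG_DEBUG_INFO_BTF=y in the running kernel's config) can be scripted as a preflight. The following Go program is an added example, not eCapture's own code: it parses the release string numerically (so 4.9 is correctly treated as older than 4.18), scans the kernel config for the BTF option, and picks between the default build and the `make nocore` fallback. The function names, the assumption that the default target is plain `make`, and the fallback to /sys/kernel/btf/vmlinux when no config file exists are this example's own choices.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strconv"
	"strings"
)

// kernelAtLeast reports whether a release string such as
// "4.18.0-305.3.1.el8.x86_64" is at least major.minor. Components are
// compared as integers, so "4.9" sorts below "4.18" and "5.4" above both.
func kernelAtLeast(release string, major, minor int) (bool, error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return false, fmt.Errorf("unrecognised kernel release %q", release)
	}
	maj, err := strconv.Atoi(parts[0])
	if err != nil {
		return false, fmt.Errorf("bad major version in %q: %v", release, err)
	}
	// Keep only the leading digits of the minor component ("18" from "18-rc1").
	minStr := parts[1]
	i := 0
	for i < len(minStr) && minStr[i] >= '0' && minStr[i] <= '9' {
		i++
	}
	min, err := strconv.Atoi(minStr[:i])
	if err != nil {
		return false, fmt.Errorf("bad minor version in %q: %v", release, err)
	}
	return maj > major || (maj == major && min >= minor), nil
}

// btfEnabled scans kernel config text (the content of /boot/config-$(uname -r))
// for CONFIG_DEBUG_INFO_BTF=y. A "# CONFIG_DEBUG_INFO_BTF is not set" line or a
// missing line both count as disabled.
func btfEnabled(config io.Reader) bool {
	sc := bufio.NewScanner(config)
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "CONFIG_DEBUG_INFO_BTF=y" {
			return true
		}
	}
	return false
}

// buildTarget chooses the make target for this host (assumption: the default
// build is "make" and the no-BTF build is "make nocore"). Kernels older than
// 4.18 are rejected because neither build is supported there.
func buildTarget(release string, config io.Reader) (string, error) {
	ok, err := kernelAtLeast(release, 4, 18)
	if err != nil {
		return "", err
	}
	if !ok {
		return "", fmt.Errorf("kernel %s is older than 4.18", release)
	}
	if btfEnabled(config) {
		return "make", nil
	}
	return "make nocore", nil
}

func main() {
	out, err := exec.Command("uname", "-r").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "uname -r failed:", err)
		os.Exit(1)
	}
	release := strings.TrimSpace(string(out))

	var config io.Reader = strings.NewReader("")
	if f, err := os.Open("/boot/config-" + release); err == nil {
		defer f.Close()
		config = f
	} else if _, err := os.Stat("/sys/kernel/btf/vmlinux"); err == nil {
		// No config file, but the kernel exposes its BTF: treat as enabled.
		config = strings.NewReader("CONFIG_DEBUG_INFO_BTF=y\n")
	}

	target, err := buildTarget(release, config)
	if err != nil {
		fmt.Fprintln(os.Stderr, "unsupported host:", err)
		os.Exit(1)
	}
	fmt.Printf("kernel %s: build eCapture with `%s`\n", release, target)
}
```

Run it on the build host before compiling; the exit status is non-zero when the kernel is too old, so it can gate a CI job.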

tls command

Capture TLS plaintext. Step 1:

Step 2:

bash command

Capture bash commands.

eBPF

uprobe hook

openssl hook

eCapture hooks the SSL_write and SSL_read functions of the shared library /lib/x86_64-linux-gnu/libssl.so.1.1, reads the plaintext buffer, and sends it to user space through an eBPF map.

	Probes: []*manager.Probe{
		// Entry probe: runs before SSL_write executes, when the plaintext
		// buffer argument is already filled.
		{
			Section:          "uprobe/SSL_write",
			EbpfFuncName:     "probe_entry_SSL_write",
			AttachToFuncName: "SSL_write",
			//UprobeOffset:     0x386B0,
			BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
		},
		// Return probe: runs when SSL_write returns, giving the byte count.
		{
			Section:          "uretprobe/SSL_write",
			EbpfFuncName:     "probe_ret_SSL_write",
			AttachToFuncName: "SSL_write",
			//UprobeOffset:     0x386B0,
			BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
		},
		// Entry probe for SSL_read: the buffer is still empty here, so only
		// its address is recorded for the return probe.
		{
			Section:          "uprobe/SSL_read",
			EbpfFuncName:     "probe_entry_SSL_read",
			AttachToFuncName: "SSL_read",
			//UprobeOffset:     0x38380,
			BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
		},
		// Return probe for SSL_read: the decrypted plaintext is now in the
		// buffer and the return value is its length.
		{
			Section:          "uretprobe/SSL_read",
			EbpfFuncName:     "probe_ret_SSL_read",
			AttachToFuncName: "SSL_read",
			//UprobeOffset:     0x38380,
			BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
		},
	},
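Each probe pair above ends with the kernel side pushing one record per SSL call into a map that user space reads. The following Go program is an added example, not eCapture's own code, showing the user-space half: it decodes such a record from the raw bytes, tags it with its direction, and handles the case where the hooked call moved more bytes than the record can hold. The record layout (type, pid, tid, data_len, timestamp, a 64-byte data buffer) and the helper names are this example's own assumptions; the constructed input is produced by encodeSSLEvent so the program runs without loading any BPF program.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// maxDataSize is the capture buffer per record (assumed; kept small so the
// truncation case is easy to exercise).
const maxDataSize = 64

const (
	eventTypeSSLWrite uint32 = 0 // plaintext handed to SSL_write, about to be encrypted
	eventTypeSSLRead  uint32 = 1 // plaintext returned by SSL_read, just decrypted
)

// sslDataEvent is the assumed record layout. Field order is chosen so the
// packed encoding used by encoding/binary matches natural C alignment.
type sslDataEvent struct {
	Type        uint32
	Pid         uint32
	Tid         uint32
	DataLen     int32 // return value of SSL_write/SSL_read, may exceed maxDataSize
	TimestampNs uint64
	Data        [maxDataSize]byte
}

// decodeSSLEvent parses one raw record in little-endian (x86_64) byte order.
// Short records are rejected; a negative DataLen means the SSL call failed
// and there is no plaintext to report.
func decodeSSLEvent(raw []byte) (sslDataEvent, error) {
	var ev sslDataEvent
	want := binary.Size(ev)
	if len(raw) < want {
		return ev, fmt.Errorf("short record: %d bytes, want %d", len(raw), want)
	}
	if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev); err != nil {
		return ev, err
	}
	if ev.DataLen < 0 {
		return ev, errors.New("negative data length (SSL call failed)")
	}
	return ev, nil
}

// payload returns the captured plaintext clamped to what the record holds,
// plus a flag telling the caller that the original call moved more bytes.
func (ev sslDataEvent) payload() ([]byte, bool) {
	n := int(ev.DataLen)
	truncated := n > maxDataSize
	if truncated {
		n = maxDataSize
	}
	return ev.Data[:n], truncated
}

// direction maps the probe that produced the record to a label.
func (ev sslDataEvent) direction() string {
	switch ev.Type {
	case eventTypeSSLWrite:
		return "send"
	case eventTypeSSLRead:
		return "recv"
	}
	return "unknown"
}

// encodeSSLEvent builds a record the way the kernel side would: it reports the
// full length but copies at most maxDataSize bytes, like a bounded probe read.
// It exists only to construct sample input for this example.
func encodeSSLEvent(typ, pid, tid uint32, data []byte) []byte {
	ev := sslDataEvent{Type: typ, Pid: pid, Tid: tid, DataLen: int32(len(data)), TimestampNs: 1}
	copy(ev.Data[:], data)
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, ev)
	return buf.Bytes()
}

func main() {
	// Constructed sample: an HTTP request captured at SSL_write.
	raw := encodeSSLEvent(eventTypeSSLWrite, 4242, 4242, []byte("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
	ev, err := decodeSSLEvent(raw)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	data, truncated := ev.payload()
	fmt.Printf("pid=%d tid=%d %s %d bytes (truncated=%v)\n%s", ev.Pid, ev.Tid, ev.direction(), ev.DataLen, truncated, data)
}
```

The truncation flag matters for audit use: a record that silently clamps DataLen would hide that part of a request or response was never captured.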

bash readline.so hook

Hooks the readline symbol of /bin/bash to capture each command line as it is entered.

Linux Kernel: >= 4.18.

Tools

golang 1.16
gcc 10.3.0
clang 9.0.0
cmake 3.18.4
clang backend: llvm 9.0.0
pahole >= v1.13
kernel config: CONFIG_DEBUG_INFO_BTF=y (Optional, 2022-04-17)

Command

Compile without BTF

Since 2022-04-17, eCapture can be compiled without BTF support using the make nocore target.

make nocore
bin/ecapture --help

See CONTRIBUTING for details on submitting patches and the contribution workflow.

Reviewed by Zion3R on 12:10 AM