- builder: fix typos (#285) by @cfc4n in gojue#286
- Tls 13 masterkey is taken wrong (fixes #283) by @cfc4n in gojue#284
- fix(gossl): invalid memory address or nil pointer by @luckymrwang in gojue#288
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.10...v0.4.11
- builder: add curl shell to install develop environment. by @cfc4n in gojue#272
- docs : update minimal kernel version as 4.18 (#274) by @cfc4n in gojue#275
- kern: capture https plaintext failed with boringssl TLS 1.3 on android #271 by @cfc4n in gojue#279
Full Changelog: https://github.com/gojue/ecapture/compare/v0.4.9...v0.4.10
- constant value has to be of type uint64 (#261) by @cfc4n in gojue#264
- builder: rename android non-core archive file name by @cfc4n in gojue#266
- chore(openssl/boringssl): remove redundant calculation by @blaisewang in gojue#267
- makefile : support make parallel (#265) by @cfc4n in gojue#268
- disable gnutls/nss modules on Android. by @cfc4n in gojue#269
Full Changelog: https://github.com/ehids/ecapture/compare/v0.4.8...v0.4.9
- Changed license to Apache License 2.0 from AGPL 3.0.
- Supported versions of openssl are 1.1.0* and 1.0.2*.
- Supported minimum version of Clang is 9.0.
- Added GitHub release action for Android x86_64 binaries (default: non-CORE version).
- user : Tolower openssl version strings. by @cfc4n in gojue#250
- cli : remove other modules on android. by @cfc4n in gojue#251
- utils: add eCapture lua script for wireshark plugin. by @cfc4n in gojue#248
- feat: updated new openssl version by @cfc4n in gojue#255
- feat : support openssl 1.1.0* and 1.0.2* by @cfc4n in gojue#257
- fix: Build failed on clang10 (#256) by @cfc4n in gojue#258
- docs : Change license to Apache License 2.0 by @cfc4n in gojue#259
- workflows : release Android x86_64 using the nocore mode. by @cfc4n in gojue#260
Full Changelog: https://github.com/ehids/ecapture/compare/v0.4.7...v0.4.8
- add --ssl_version flag to set the SSL library version
- supported SSL library versions:
  - openssl 1.1.1* (1.1.1a - 1.1.1r)
  - openssl 3.0.* (3.0.0 - 3.0.6)
  - boringssl 1.1.1
- usage examples:
  ecapture tls
  ecapture tls --hex --pid=3423
  ecapture tls -l save.log --pid=3423
  ecapture tls --libssl=/lib/x86_64-linux-gnu/libssl.so.1.1
  ecapture tls -w save_3_0_5.pcapng --ssl_version="openssl 3.0.5" --libssl=/lib/x86_64-linux-gnu/libssl.so.3
  ecapture tls -w save_android.pcapng -i wlan0 --libssl=/apex/com.android.conscrypt/lib64/libssl.so --ssl_version="boringssl 1.1.1" --port 443
- feat : support openssl 3.0 @cfc4n in gojue#244
- feat: automate openssl offset header file generation @blaisewang in gojue#241
- user/module : compatible with Linux kernels older or newer than 5.2 @cfc4n in gojue#238
- kern: capture master secrets for tls 1.3 @cfc4n in gojue#232
- feat: add support TLSv1.3 decryption by @blaisewang in gojue#209
- user/module : hex mode output. by @cfc4n in gojue#220
- user/module : use const for SSL masterKey function hook. by @cfc4n in gojue#217
- kern: rodata map not supported on kernel 4.19 or older by @cfc4n in gojue#223
- kern: http2 response packet decode failed. by @cfc4n in gojue#225
- fix: use cipher id to derive secret by @blaisewang in gojue#192
- kern: get ssl_session in the SSL_get_session() order. by @cfc4n in gojue#193
- refactor user package. by @cfc4n in gojue#183
- pkg/event_processor: DefaultParser init(). by @cfc4n in gojue#186
- Fix: correct ssl_st member offsets by @blaisewang in gojue#184
- Boringssl decrypt failed by @cfc4n in gojue#188
- kern : define variable target_port always. by @cfc4n in gojue#157
- workflows : build nocore version for Android default. by @cfc4n in gojue#159
- pkg : Ifname default value. by @cfc4n in gojue#161
- user : skip loopback network interface by @cfc4n in gojue#163
- user : tls models exit gracefully. by @cfc4n in gojue#165
- git: ignore .check* files by @blaisewang in gojue#168
- pkg : fix config file parse failed, when as gzip format. by @cfc4n in gojue#169
- fix gzip read err by @4ft35t in gojue#175
- pkg/util/ebpf : add unit testing for kernel CONFIG reader by @cfc4n in gojue#176
- user : fix incorrect TimeStamp by @cfc4n in gojue#179
- cli/cmd : print version info by @cfc4n in gojue#177
- kern : support boringssl offset for Android 12. by @cfc4n in gojue#181
Support: capture plaintext packets as pcapng files for OpenSSL TLS encryption.
Note:
- Wireshark can open the files directly; there is no need to set up a Master Secrets file.
- Raw packets are captured by a Traffic Control eBPF filter, and the Master Secrets are added into the pcapng as a Decryption Secrets Block (DSB).
Warning:
- The loggerFile flag changed from -w to -l, because -w is reserved for Wireshark output and stays consistent with -w for tcpdump. Use ecapture -h for help.
- The master secrets filename changed from ecapture_masterkey_[pid].log to ecapture_masterkey.log.
- new feature: capture TLS 1.3 master secret by @cfc4n in gojue#143
- user : echo String() or StringHex() by CLI argument. by @cfc4n in gojue#149
- cli/cmd : clean up all probe while process exit. (#150) by @cfc4n in gojue#151
- save as Pcapng files #145 by @cfc4n in gojue#148
- user : Support writing pcapng files with Decryption Secrets Block (DSB). by @cfc4n in gojue#153
Capture the TLS master_key and save it to a file. Supports openssl 1.1.1.X, TLS 1.2.
Quick Guide:
- use ecapture to capture the TLS master_key; the master secret is saved to ecapture_masterkey_[pid].log.
- use tcpdump to capture and save packets to an xxx.pcapng file.
- open the xxx.pcapng file with Wireshark.
- Setting: Wireshark --> Preferences --> Protocols --> TLS --> (Pre)-Master-Secret log filename, select ecapture_masterkey_[pid].log.
- Using: right click a packet item, select follow -> HTTP Stream / HTTP/2 Stream.
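The two release notes above describe the same workflow from two ends: the v0.3.0 flow hands Wireshark a separate ecapture_masterkey_[pid].log key log file, and the later release folds those secrets into the pcapng itself as a Decryption Secrets Block (DSB). The Python script below is an added example, not eCapture's own code, showing what that DSB contains: it validates key log lines (constructed sample values, not real secrets), wraps them into a minimal pcapng made of a Section Header Block, an Interface Description Block and a DSB, and reads the secrets back out to check the framing. The block type codes and the TLSK secrets type come from the pcapng specification; the file layout, the sample data and the output filename are assumptions of the example.

```python
import re
import struct

# Constructed sample in the NSS key log format that ecapture_masterkey.log uses.
# Every hex value is made up for this example; none is a real session secret.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,                    # TLS 1.2 master secret
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 48,  # TLS 1.3 secrets
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 48,
    "SERVER_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "77" * 48,
    "CLIENT_RANDOM notahexvalue " + "88" * 48,                         # malformed: dropped
]) + "\n"

KEYLOG_LABELS = {
    "CLIENT_RANDOM",                    # TLS 1.2 (and earlier) master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 traffic secrets
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

PCAPNG_SHB = 0x0A0D0D0A
PCAPNG_IDB = 0x00000001
PCAPNG_DSB = 0x0000000A
DSB_TLS_KEYLOG = 0x544C534B  # secrets type "TLSK": an NSS-format key log
LINKTYPE_ETHERNET = 1


def parse_keylog(text):
    """Return the well-formed key log lines; comments, blank and malformed lines are dropped."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            continue
        client_random, secret = parts[1], parts[2]
        # client_random is 32 bytes, so 64 hex digits; the secret just has to be whole bytes
        if len(client_random) != 64 or not HEX_RE.match(client_random):
            continue
        if len(secret) % 2 or not HEX_RE.match(secret):
            continue
        lines.append(line)
    return lines


def _block(block_type, body):
    """Frame a pcapng block: type, total length, body padded to 32 bits, total length again."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header_block():
    # byte-order magic, version 1.0, section length -1 (unknown); no options
    return _block(PCAPNG_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))


def interface_description_block(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    return _block(PCAPNG_IDB, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets_block(keylog_lines):
    """DSB body: secrets type, secrets length, then the key log text itself."""
    data = ("\n".join(keylog_lines) + "\n").encode()
    return _block(PCAPNG_DSB, struct.pack("<II", DSB_TLS_KEYLOG, len(data)) + data)


def build_pcapng(keylog_text):
    """Minimal little-endian pcapng: SHB, IDB, then the DSB; packet blocks would follow it."""
    secrets = parse_keylog(keylog_text)
    return section_header_block() + interface_description_block() + decryption_secrets_block(secrets)


def read_dsb_secrets(data):
    """Walk the blocks of a little-endian pcapng and return the key log lines of every TLSK DSB."""
    lines, off = [], 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block at offset %d" % off)
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        if block_type == PCAPNG_DSB:
            secrets_type, secrets_len = struct.unpack_from("<II", data, off + 8)
            if secrets_type == DSB_TLS_KEYLOG:
                payload = data[off + 16:off + 16 + secrets_len]
                lines.extend(payload.decode().splitlines())
        off += total
    return lines


if __name__ == "__main__":
    pcapng = build_pcapng(SAMPLE_KEYLOG)
    with open("sample_with_dsb.pcapng", "wb") as fh:  # assumed output name
        fh.write(pcapng)
    print("wrote %d bytes, %d secrets in DSB" % (len(pcapng), len(read_dsb_secrets(pcapng))))
```

Running the script writes sample_with_dsb.pcapng; it holds no packets, but a real capture would append its Enhanced Packet Blocks after the DSB, and Wireshark then applies the embedded secrets without the (Pre)-Master-Secret log filename preference from the Quick Guide. Because the DSB carries the session secrets themselves, a pcapng produced this way (like the key log file) decrypts the traffic for whoever holds it, so it should be stored and shared with the same care as the private keys it stands in for.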
- all : refactor event_processor EventType. by @cfc4n in gojue#134
- fixed #138 : You have an error in your yaml syntax on line 79 by @cfc4n in gojue#139
- New feature: capture openssl masterkey #27 by @cfc4n in gojue#140
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.2...v0.3.0
- workflows: build failed on aarch 64 ubuntu : 'linux/kconfig.h' file not found #125 by @cfc4n in gojue#126
- Makefile: shell running, with an unexpected result: lost DKERNEL_LESS_5_2 on kernel 4.15 #129 by @cfc4n in gojue#132
- ebpf: remove detection of BPF config when running at container #127 by @cfc4n in gojue#128
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.1...v0.2.2
- pkg : fix Kernel config read failed, error:Config not found #117 by @cfc4n in gojue#123
- user : Clean up unnecessary information. fix #122 by @cfc4n in gojue#124
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.0...v0.2.1
- Directly search the .so in the search path when /usr/bin/curl does not exist by @tiann in gojue#97
- Add GitHub Action :Golangci lint by @cfc4n in gojue#99
- Add Chinese name 旁观者. by @cfc4n in gojue#103
- build: change tar.gz file path in checksum.txt by @cfc4n in gojue#104
- Support Golang HTTPS introspection by @chenhengqi in gojue#100
- New Feature: support Android without GKI (kernel version > 4.18) by @cfc4n in gojue#107
- fixed #108: tls module cannot capture payload on Aarch64 kernel 4.18 by @huzai9527 in gojue#109
- fixed #108: ip address lost on aarch64 kernel 4.18 by @cfc4n in gojue#111
- New feature: add payload parser. by @cfc4n in gojue#113
- document: message friendly by @cfc4n in gojue#119
- @tiann made their first contribution in gojue#97
- @chenhengqi made their first contribution in gojue#100
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.10...v0.2.0
- user : fixed bug. #76 libpthread.so not found. by @cfc4n in gojue#77
- Support for ARM64 architecture by @cfc4n in gojue#75
- fixed: outputting blank text on linux 4.18 #81 by @cfc4n in gojue#82
- New feature: update ebpfmanager package to 0.3.0 by @cfc4n in gojue#83
- New feature: #80 event filter by uid by @cfc4n in gojue#84
- New feature: #85 event filter by uid for module tls by @cfc4n in gojue#86
- New feature: #87 support Android GKI by @cfc4n in gojue#88
- fixed: #92 github checkout error while a PR sent. by @cfc4n in gojue#93
- New Feature: #79 Auto release for android gki by @cfc4n in gojue#94
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.9...v0.1.10
- code refactoring: event dispatcher (PR: #58)
- add notes for how to use ecapture in other libs (PR: #60)
- add TLS/SSL Version info (openssl). (PR: #62)
- Add nosearch argument to skip auto search lib path (PR: #70)
- code refactoring: event dispatcher by @cfc4n in gojue#58
- add notes for how to use ecapture in other libs by @xjas in gojue#60
- add TLS/SSL Version info (openssl). by @cfc4n in gojue#62
- Update README.md by @nfsec in gojue#63
- fix some typos by @cuishuang in gojue#68
- Add nosearch argument to skip auto search lib path by @vincentmli in gojue#70
- @xjas made their first contribution in gojue#60
- @nfsec made their first contribution in gojue#63
- @cuishuang made their first contribution in gojue#68
- @vincentmli made their first contribution in gojue#70
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.8...v0.1.9
- ADD mysqld dispatch_command return value. by @cfc4n in gojue#44
- autogen vmlinux header file to compatible current OS by @cfc4n in gojue#50
- feat: support postgres query hook by @yihong0618 in gojue#51
- added return value of bash module. by @huzai9527 in gojue#52
- change bash line size to 256 bytes by @yindex in gojue#55
- add errnumber flag for command bash by @huzai9527 in gojue#56
- @huzai9527 made their first contribution in gojue#52
- @yindex made their first contribution in gojue#55
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.7...v0.1.8
- user: fix #29 ubuntu21.10 error :connect symbol cant found by @cfc4n in gojue#30
- support no co-re version on linux kernel >= 5.2 by @cfc4n in gojue#32
- merge two Makefile files. by @cfc4n in gojue#33
- images : fix #34 Inaccurate/Confusing Diagrams by @cfc4n in gojue#36
- Fix #37 Shared object dependence by @cfc4n in gojue#38
- README grammar fix by @chriskaliX in gojue#35
- Fix #39 .rodata: map create: read- and write-only maps not supported (requires >= v5.2) by @cfc4n in gojue#40
- set clang version lower to 9 from 12 by @cfc4n in gojue#41
- @cfc4n made their first contribution in gojue#30
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.6...v0.1.7
- Updated the mysqld database audit module
  - Support query auditing for mysqld databases: MySQL 5.7/8.0 and MariaDB 10.5+.
  - Automatically detect the mysqld version.
  - Automatically locate the SQL query function to hook.
- Updated the tls network capture module
  - Support associating IP addresses with openssl traffic.
  - Support storing network IP addresses and associating them with the network data.
  - Support specifying a custom libpthread.so path (used to locate the connect function).
- Added the mysqld database audit module
  - Support query auditing for the MariaDB database (MySQL 5.6).
  - The default path is /usr/sbin/mariadb.
  - Support customizing two parameters: function name and offset.
- Adjusted the runtime environment detection
  - The BTF support check now looks first for the /sys/kernel/btf/vmlinux file, and then for other BTF indicators such as vmlinux-* directories.
  - Added a diagram of how eCapture works.
- Support data capture for the gnutls and nspr libraries
- Renamed the subcommand from openssl to tls
- Added runtime environment detection
  - Check that the Linux kernel version is greater than 4.18.
  - Check that CONFIG_DEBUG_INFO_BTF is present in the kernel config and set to y.
- Removed build-generated files (./bin/, ./assets/, ./user/bytecode/)
- Tidied the go mod dependency files
- Split into modules and enabled subcommand mode
- Added a global optional PID parameter to capture data for a specific PID only
- Added a hexdump print mode
- Support a custom openssl .so path.
- Support hex data output
- Support a custom bash path parameter
- Support a custom readline.so path parameter
- Support hex data output
- Added SSL/TLS packet capture for openssl's libssl.so.
- Automatically select the libssl.so path based on the wget path.
- Automatically find bash from the ENV
- Automatically find readline.so based on bash and capture bash commands