From c6fda4ddaa0a33beef0fcada091575b398486876 Mon Sep 17 00:00:00 2001 From: CFC4N Date: Sat, 1 Jun 2024 00:08:58 +0800 Subject: [PATCH] kern: use `kprobe/__sys_connect` instead `user/connect`. Signed-off-by: CFC4N --- cli/cmd/tls.go | 1 - user/config/config_openssl.go | 1 - user/config/config_openssl_androidgki.go | 9 --- user/config/config_openssl_linux.go | 87 ++---------------------- user/event/event_openssl.go | 2 +- user/module/probe_openssl_text.go | 25 +------ 6 files changed, 7 insertions(+), 118 deletions(-) diff --git a/cli/cmd/tls.go b/cli/cmd/tls.go index 4bb12a319..7c9f5ae6d 100644 --- a/cli/cmd/tls.go +++ b/cli/cmd/tls.go @@ -49,7 +49,6 @@ func init() { // opensslCmd.PersistentFlags().StringVar(&oc.Curlpath, "curl", "", "curl or wget file path, use to dectet openssl.so path, default:/usr/bin/curl. (Deprecated)") opensslCmd.PersistentFlags().StringVar(&oc.Openssl, "libssl", "", "libssl.so file path, will automatically find it from curl default.") opensslCmd.PersistentFlags().StringVar(&oc.CGroupPath, "cgroup_path", "/sys/fs/cgroup", "cgroup path, default: /sys/fs/cgroup.") - opensslCmd.PersistentFlags().StringVar(&oc.Pthread, "pthread", "", "libpthread.so file path, use to hook connect to capture socket FD.will automatically find it from curl.") opensslCmd.PersistentFlags().StringVarP(&oc.Model, "model", "m", "text", "capture model, such as : text, pcap/pcapng, key/keylog") opensslCmd.PersistentFlags().StringVarP(&oc.KeylogFile, "keylogfile", "k", "ecapture_openssl_key.og", "The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.") opensslCmd.PersistentFlags().StringVarP(&oc.PcapFile, "pcapfile", "w", "save.pcapng", "write the raw packets to file as pcapng format.") diff --git a/user/config/config_openssl.go b/user/config/config_openssl.go index 1a6be3943..9bea58ad4 100644 --- a/user/config/config_openssl.go +++ b/user/config/config_openssl.go 
@@ -40,7 +40,6 @@ type OpensslConfig struct { BaseConfig // Curlpath string `json:"curlPath"` //curl的文件路径 Openssl string `json:"openssl"` - Pthread string `json:"pthread"` // /lib/x86_64-linux-gnu/libpthread.so.0 Model string `json:"model"` // eCapture Openssl capture model. text:pcap:keylog PcapFile string `json:"pcapfile"` // pcapFile the raw packets to file rather than parsing and printing them out. KeylogFile string `json:"keylog"` // Keylog The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file. diff --git a/user/config/config_openssl_androidgki.go b/user/config/config_openssl_androidgki.go index dae1db014..a385eeb90 100644 --- a/user/config/config_openssl_androidgki.go +++ b/user/config/config_openssl_androidgki.go @@ -46,15 +46,6 @@ func (oc *OpensslConfig) Check() error { oc.Openssl = DefaultOpensslPath } - if oc.Pthread != "" || len(strings.TrimSpace(oc.Pthread)) > 0 { - _, e := os.Stat(oc.Pthread) - if e != nil { - return e - } - } else { - oc.Pthread = DefaultLibcPath - } - if oc.Ifname == "" || len(strings.TrimSpace(oc.Ifname)) == 0 { oc.Ifname = DefaultIfname } diff --git a/user/config/config_openssl_linux.go b/user/config/config_openssl_linux.go index aece9afa8..dd6128b2b 100644 --- a/user/config/config_openssl_linux.go +++ b/user/config/config_openssl_linux.go @@ -18,9 +18,7 @@ package config import ( - "debug/elf" "errors" - "fmt" "os" "path/filepath" "strings" @@ -35,11 +33,6 @@ var ( "libssl.so.3", // ubuntu server 22.04 "libssl.so.1.1", // ubuntu server 21.04 } - connectSharedObjects = []string{ - "libpthread.so.0", // ubuntu 21.04 server - "libc.so.6", // ubuntu 21.10 server - "libc.so", // Android - } ) func (oc *OpensslConfig) checkOpenssl() error { 
@@ -73,73 +66,9 @@ func (oc *OpensslConfig) checkOpenssl() error { return nil } -func (oc *OpensslConfig) checkConnect() error { - - var funcName = "" - var found bool - var e error - for _, so := range connectSharedObjects { - var prefix string - var soLoadPaths = GetDynLibDirs() - for _, soPath := range soLoadPaths { - - _, e = os.Stat(soPath) - if e != nil { - continue - } - prefix = soPath - break - } - if prefix == "" { - continue - } - oc.Pthread = filepath.Join(prefix, so) - _, e = os.Stat(oc.Pthread) - if e != nil { - // search all of connectSharedObjects - //return e - continue - } - - _elf, e := elf.Open(oc.Pthread) - if e != nil { - //return e - continue - } - - dynamicSymbols, err := _elf.DynamicSymbols() - if err != nil { - //return err - continue - } - - // - for _, sym := range dynamicSymbols { - if sym.Name != "connect" { - continue - } - funcName = sym.Name - found = true - break - } - - // if found - if found && funcName != "" { - break - } - } - - //如果没找到,则报错。 - if !found || funcName == "" { - oc.Pthread = "" - return errors.New(fmt.Sprintf("cant found 'connect' function to hook in files::%v", connectSharedObjects)) - } - return nil -} - func (oc *OpensslConfig) Check() error { oc.IsAndroid = false - var checkedOpenssl, checkedConnect bool + var checkedOpenssl bool // 如果readline 配置,且存在,则直接返回。 if oc.Openssl != "" || len(strings.TrimSpace(oc.Openssl)) > 0 { _, e := os.Stat(oc.Openssl) @@ -154,21 +83,15 @@ func (oc *OpensslConfig) Check() error { oc.Ifname = DefaultIfname } - if checkedConnect && checkedOpenssl { + if checkedOpenssl { return nil } - if !checkedOpenssl { - e := oc.checkOpenssl() - if e != nil { - return e - } + e := oc.checkOpenssl() + if e != nil { + return e } - if !checkedConnect { - // Optional check - _ = oc.checkConnect() - } s, e := checkCgroupPath(oc.CGroupPath) if e != nil { return e diff --git a/user/event/event_openssl.go b/user/event/event_openssl.go index 14bb31e61..f6c898bb0 100644 --- a/user/event/event_openssl.go 
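Review bot: In `Check()`, the new `if checkedOpenssl { return nil }` returns before `checkCgroupPath(oc.CGroupPath)` runs, so a user-supplied `--libssl` path skips validation of the cgroup path. The old guard was `checkedConnect && checkedOpenssl`, and nothing visible in this diff ever sets `checkedConnect`, so that early return appears to have been unreachable and the cgroup check always ran. This looks like an unintended behaviour change rather than part of the probe swap. I would drop the early return and wrap the `e := oc.checkOpenssl()` call in `if !checkedOpenssl {` instead, so both paths fall through to `checkCgroupPath`. The rest of `Check()` after the final `return e` is outside the hunk, so whatever it does with `s` is skipped on this path as well.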
+++ b/user/event/event_openssl.go @@ -178,7 +178,7 @@ func (se *SSLDataEvent) String() string { func (se *SSLDataEvent) Clone() IEventStruct { event := new(SSLDataEvent) - event.eventType = EventTypeEventProcessor + event.eventType = EventTypeEventProcessor //EventTypeEventProcessor return event } diff --git a/user/module/probe_openssl_text.go b/user/module/probe_openssl_text.go index 3af3391d7..f13ee6e8f 100644 --- a/user/module/probe_openssl_text.go +++ b/user/module/probe_openssl_text.go @@ -14,7 +14,7 @@ import ( ) func (m *MOpenSSLProbe) setupManagersText() error { - var libPthread, binaryPath, sslVersion string + var binaryPath, sslVersion string sslVersion = m.conf.(*config.OpensslConfig).SslVersion sslVersion = strings.ToLower(sslVersion) switch m.conf.(*config.OpensslConfig).ElfType { @@ -35,12 +35,6 @@ func (m *MOpenSSLProbe) setupManagersText() error { } } - libPthread = m.conf.(*config.OpensslConfig).Pthread - if libPthread == "" { - //libPthread = "/lib/x86_64-linux-gnu/libpthread.so.0" - m.logger.Warn().Msg("libPthread path not found, IP info lost.") - } - _, err := os.Stat(binaryPath) if err != nil { return err @@ -137,23 +131,6 @@ func (m *MOpenSSLProbe) setupManagersText() error { }, } - // TODO disable - libPthread = "" - if libPthread != "" { - // detect libpthread.so path - _, err = os.Stat(libPthread) - if err == nil { - m.logger.Info().Str("libPthread", libPthread).Msg("libPthread path found") - m.bpfManager.Probes = append(m.bpfManager.Probes, &manager.Probe{ - Section: "uprobe/connect", - EbpfFuncName: "probe_connect", - AttachToFuncName: "connect", - BinaryPath: libPthread, - UID: "uprobe_connect", - }) - } - } - m.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512,
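Review bot: The trailing comment added in `SSLDataEvent.Clone()`, `//EventTypeEventProcessor`, only repeats the constant assigned on the same line and tells a reader nothing. It is also unrelated to the connect-probe change in the commit subject. If it is a leftover from switching between event types, I would either drop it or replace it with a short reason, for example `// cloned events go to the event processor, not straight to output`, once that intent is confirmed.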