gojue · cfc4n · Jun 1, 2024 · May 31, 2024 · Jun 1, 2024
diff --git a/cli/cmd/tls.go b/cli/cmd/tls.go
@@ -49,7 +49,6 @@ func init() {
 	// opensslCmd.PersistentFlags().StringVar(&oc.Curlpath, "curl", "", "curl or wget file path, use to dectet openssl.so path, default:/usr/bin/curl. (Deprecated)")
 	opensslCmd.PersistentFlags().StringVar(&oc.Openssl, "libssl", "", "libssl.so file path, will automatically find it from curl default.")
 	opensslCmd.PersistentFlags().StringVar(&oc.CGroupPath, "cgroup_path", "/sys/fs/cgroup", "cgroup path, default: /sys/fs/cgroup.")
-	opensslCmd.PersistentFlags().StringVar(&oc.Pthread, "pthread", "", "libpthread.so file path, use to hook connect to capture socket FD.will automatically find it from curl.")
 	opensslCmd.PersistentFlags().StringVarP(&oc.Model, "model", "m", "text", "capture model, such as : text, pcap/pcapng, key/keylog")
 	opensslCmd.PersistentFlags().StringVarP(&oc.KeylogFile, "keylogfile", "k", "ecapture_openssl_key.og", "The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.")
 	opensslCmd.PersistentFlags().StringVarP(&oc.PcapFile, "pcapfile", "w", "save.pcapng", "write the raw packets to file as pcapng format.")

diff --git a/kern/openssl.h b/kern/openssl.h
@@ -391,9 +391,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     return 0;
 }
 
-// https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/socket/connect.c
-// int __connect (int fd, __CONST_SOCKADDR_ARG addr, socklen_t len)
-SEC("uprobe/connect")
+// libc : int __connect (int fd, __CONST_SOCKADDR_ARG addr, socklen_t len)
+// kernel : int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
+SEC("kprobe/sys_connect")
 int probe_connect(struct pt_regs* ctx) {
     u64 current_pid_tgid = bpf_get_current_pid_tgid();
     u32 pid = current_pid_tgid >> 32;

diff --git a/kern/tc.h b/kern/tc.h
@@ -281,10 +281,7 @@ int tcp_sendmsg(struct pt_regs *ctx){
     struct net_ctx_t net_ctx;
     net_ctx.pid = pid;
     bpf_get_current_comm(&net_ctx.comm, sizeof(net_ctx.comm));
-    //
-//    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
-//    get_proc_cmdline(task, net_ctx.cmdline, sizeof(net_ctx.cmdline));
-//
+
     debug_bpf_printk("tcp_sendmsg pid : %d, comm :%s\n", net_ctx.pid, net_ctx.comm);
     bpf_map_update_elem(&network_map, &conn_id, &net_ctx, BPF_ANY);
     return 0;

diff --git a/user/config/config_openssl.go b/user/config/config_openssl.go
@@ -40,7 +40,6 @@ type OpensslConfig struct {
 	BaseConfig
 	// Curlpath   string `json:"curlPath"` //curl的文件路径
 	Openssl    string `json:"openssl"`
-	Pthread    string `json:"pthread"`    // /lib/x86_64-linux-gnu/libpthread.so.0
 	Model      string `json:"model"`      // eCapture Openssl capture model. text:pcap:keylog
 	PcapFile   string `json:"pcapfile"`   // pcapFile  the  raw  packets  to file rather than parsing and printing them out.
 	KeylogFile string `json:"keylog"`     // Keylog  The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.

diff --git a/user/config/config_openssl_androidgki.go b/user/config/config_openssl_androidgki.go
@@ -46,15 +46,6 @@ func (oc *OpensslConfig) Check() error {
 		oc.Openssl = DefaultOpensslPath
 	}
 
-	if oc.Pthread != "" || len(strings.TrimSpace(oc.Pthread)) > 0 {
-		_, e := os.Stat(oc.Pthread)
-		if e != nil {
-			return e
-		}
-	} else {
-		oc.Pthread = DefaultLibcPath
-	}
-
 	if oc.Ifname == "" || len(strings.TrimSpace(oc.Ifname)) == 0 {
 		oc.Ifname = DefaultIfname
 	}

diff --git a/user/config/config_openssl_linux.go b/user/config/config_openssl_linux.go
@@ -18,9 +18,7 @@
 package config
 
 import (
-	"debug/elf"
 	"errors"
-	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -35,11 +33,6 @@ var (
 		"libssl.so.3",   // ubuntu server 22.04
 		"libssl.so.1.1", // ubuntu server 21.04
 	}
-	connectSharedObjects = []string{
-		"libpthread.so.0", // ubuntu 21.04 server
-		"libc.so.6",       // ubuntu 21.10 server
-		"libc.so",         // Android
-	}
 )
 
 func (oc *OpensslConfig) checkOpenssl() error {
@@ -73,73 +66,9 @@ func (oc *OpensslConfig) checkOpenssl() error {
 	return nil
 }
 
-func (oc *OpensslConfig) checkConnect() error {
-
-	var funcName = ""
-	var found bool
-	var e error
-	for _, so := range connectSharedObjects {
-		var prefix string
-		var soLoadPaths = GetDynLibDirs()
-		for _, soPath := range soLoadPaths {
-
-			_, e = os.Stat(soPath)
-			if e != nil {
-				continue
-			}
-			prefix = soPath
-			break
-		}
-		if prefix == "" {
-			continue
-		}
-		oc.Pthread = filepath.Join(prefix, so)
-		_, e = os.Stat(oc.Pthread)
-		if e != nil {
-			// search all of connectSharedObjects
-			//return e
-			continue
-		}
-
-		_elf, e := elf.Open(oc.Pthread)
-		if e != nil {
-			//return e
-			continue
-		}
-
-		dynamicSymbols, err := _elf.DynamicSymbols()
-		if err != nil {
-			//return err
-			continue
-		}
-
-		//
-		for _, sym := range dynamicSymbols {
-			if sym.Name != "connect" {
-				continue
-			}
-			funcName = sym.Name
-			found = true
-			break
-		}
-
-		// if found
-		if found && funcName != "" {
-			break
-		}
-	}
-
-	//如果没找到，则报错。
-	if !found || funcName == "" {
-		oc.Pthread = ""
-		return errors.New(fmt.Sprintf("cant found 'connect' function to hook in files::%v", connectSharedObjects))
-	}
-	return nil
-}
-
 func (oc *OpensslConfig) Check() error {
 	oc.IsAndroid = false
-	var checkedOpenssl, checkedConnect bool
+	var checkedOpenssl bool
 	// 如果readline 配置，且存在，则直接返回。
 	if oc.Openssl != "" || len(strings.TrimSpace(oc.Openssl)) > 0 {
 		_, e := os.Stat(oc.Openssl)
@@ -154,21 +83,15 @@ func (oc *OpensslConfig) Check() error {
 		oc.Ifname = DefaultIfname
 	}
 
-	if checkedConnect && checkedOpenssl {
+	if checkedOpenssl {
 		return nil
 	}
 
-	if !checkedOpenssl {
-		e := oc.checkOpenssl()
-		if e != nil {
-			return e
-		}
+	e := oc.checkOpenssl()
+	if e != nil {
+		return e
 	}
 
-	if !checkedConnect {
-		// Optional check
-		_ = oc.checkConnect()
-	}
 	s, e := checkCgroupPath(oc.CGroupPath)
 	if e != nil {
 		return e

diff --git a/user/event/event_openssl.go b/user/event/event_openssl.go
@@ -120,7 +120,7 @@ func (se *SSLDataEvent) Decode(payload []byte) (err error) {
 }
 
 func (se *SSLDataEvent) GetUUID() string {
-	return fmt.Sprintf("%d_%d_%s_%d_%d", se.Pid, se.Tid, CToGoString(se.Comm[:]), se.Fd, se.DataType)
+	return fmt.Sprintf("%d_%d_%s_%d_%d_%s", se.Pid, se.Tid, CToGoString(se.Comm[:]), se.Fd, se.DataType, se.Addr)
 }
 
 func (se *SSLDataEvent) Payload() []byte {
@@ -178,7 +178,7 @@ func (se *SSLDataEvent) String() string {
 
 func (se *SSLDataEvent) Clone() IEventStruct {
 	event := new(SSLDataEvent)
-	event.eventType = EventTypeEventProcessor
+	event.eventType = EventTypeModuleData //EventTypeEventProcessor
 	return event
 }
 

diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go
@@ -656,11 +656,12 @@ func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) {
 		eventStruct.Addr = addr
 	}
 	// m.processor.PcapFile(eventStruct)
-	if m.conf.GetHex() {
-		m.logger.Println(eventStruct.StringHex())
-	} else {
-		m.logger.Println(eventStruct.String())
-	}
+	//if m.conf.GetHex() {
+	//	m.logger.Println(eventStruct.StringHex())
+	//} else {
+	//	m.logger.Println(eventStruct.String())
+	//}
+	m.processor.Write(eventStruct)
 }
 
 func init() {

diff --git a/user/module/probe_openssl_text.go b/user/module/probe_openssl_text.go
@@ -14,7 +14,7 @@ import (
 )
 
 func (m *MOpenSSLProbe) setupManagersText() error {
-	var libPthread, binaryPath, sslVersion string
+	var binaryPath, sslVersion string
 	sslVersion = m.conf.(*config.OpensslConfig).SslVersion
 	sslVersion = strings.ToLower(sslVersion)
 	switch m.conf.(*config.OpensslConfig).ElfType {
@@ -35,12 +35,6 @@ func (m *MOpenSSLProbe) setupManagersText() error {
 		}
 	}
 
-	libPthread = m.conf.(*config.OpensslConfig).Pthread
-	if libPthread == "" {
-		//libPthread = "/lib/x86_64-linux-gnu/libpthread.so.0"
-		m.logger.Warn().Msg("libPthread path not found, IP info lost.")
-	}
-
 	_, err := os.Stat(binaryPath)
 	if err != nil {
 		return err
@@ -76,12 +70,18 @@ func (m *MOpenSSLProbe) setupManagersText() error {
 			},
 
 			// --------------------------------------------------
-			//{
-			//	Section:          "uprobe/connect",
-			//	EbpfFuncName:     "probe_connect",
-			//	AttachToFuncName: "connect",
-			//	BinaryPath:       libPthread,
-			//},
+			{
+				Section:          "kprobe/sys_connect",
+				EbpfFuncName:     "probe_connect",
+				AttachToFuncName: "__sys_connect",
+				UID:              "kprobe_sys_connect",
+			},
+			{
+				Section:          "kprobe/sys_connect",
+				EbpfFuncName:     "probe_connect",
+				AttachToFuncName: "__sys_accept4",
+				UID:              "kprobe_sys_accept4",
+			},
 
 			// --------------------------------------------------
 
@@ -131,21 +131,6 @@ func (m *MOpenSSLProbe) setupManagersText() error {
 		},
 	}
 
-	if libPthread != "" {
-		// detect libpthread.so path
-		_, err = os.Stat(libPthread)
-		if err == nil {
-			m.logger.Info().Str("libPthread", libPthread).Msg("libPthread path found")
-			m.bpfManager.Probes = append(m.bpfManager.Probes, &manager.Probe{
-				Section:          "uprobe/connect",
-				EbpfFuncName:     "probe_connect",
-				AttachToFuncName: "connect",
-				BinaryPath:       libPthread,
-				UID:              "uprobe_connect",
-			})
-		}
-	}
-
 	m.bpfManagerOptions = manager.Options{
 		DefaultKProbeMaxActive: 512,