ecapture: capture SSL/TLS text content without CA cert

ecapture

Capture SSL/TLS plaintext without a CA certificate, using eBPF. Because the hooks read the cleartext buffers that the application hands to (and receives from) its TLS library, nothing has to be intercepted on the wire and no certificate has to be installed or trusted. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without changing kernel source code or loading kernel modules.

uprobe HOOK

openssl hook

eCapture hooks the SSL_write and SSL_read functions of the shared library /lib/x86_64-linux-gnu/libssl.so.1.1 with uprobes, reads the plaintext from the buffer argument, and sends it to userspace through an eBPF map. Each function gets an entry probe and a return probe: the entry probe sees the arguments, including the buffer pointer, while the return probe sees the return value, which is the number of bytes actually written or read. For SSL_read the buffer only holds decrypted data after the call returns, so its content is read at the return probe using the pointer saved at entry.

Probes: []*manager.Probe{
    {
        // entry of SSL_write: the plaintext buffer pointer and length are in the arguments
        Section:          "uprobe/SSL_write",
        EbpfFuncName:     "probe_entry_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset: 0x386B0,
        BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        // return of SSL_write: the return value is the number of bytes written
        Section:          "uretprobe/SSL_write",
        EbpfFuncName:     "probe_ret_SSL_write",
        AttachToFuncName: "SSL_write",
        //UprobeOffset: 0x386B0,
        BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        // entry of SSL_read: the buffer pointer is saved here, but the buffer is not filled yet
        Section:          "uprobe/SSL_read",
        EbpfFuncName:     "probe_entry_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset: 0x38380,
        BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
    {
        // return of SSL_read: the buffer now holds decrypted data, the return value is its length
        Section:          "uretprobe/SSL_read",
        EbpfFuncName:     "probe_ret_SSL_read",
        AttachToFuncName: "SSL_read",
        //UprobeOffset: 0x38380,
        BinaryPath:       "/lib/x86_64-linux-gnu/libssl.so.1.1",
    },
},
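The probe pairs above give the kernel side a buffer pointer (from the entry probe) and a byte count (from the return value), which it copies into a fixed-size record and pushes to userspace through a perf event map. The following Go program is an added example, not eCapture's own code, of the userspace half: decoding such records into events. The record layout, field names and the 64-byte payload limit are assumptions made for the example; the sample records are constructed inline so it runs offline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed record layout written by the eBPF side (little-endian, fixed size;
// hypothetical, not eCapture's actual struct):
//   u64 timestamp_ns, u32 pid, u32 tid, u32 dir, u32 data_len,
//   u8 comm[16], u8 data[maxDataSize]
const (
	maxDataSize = 64 // plaintext bytes copied per record (assumed limit)
	commSize    = 16 // TASK_COMM_LEN
	headerSize  = 8 + 4 + 4 + 4 + 4 + commSize
	recordSize  = headerSize + maxDataSize
)

// direction says which hooked function produced the record.
type direction uint32

const (
	dirRead  direction = 0 // SSL_read: decrypted data the application received
	dirWrite direction = 1 // SSL_write: plaintext the application sent
)

func (d direction) String() string {
	switch d {
	case dirRead:
		return "SSL_read"
	case dirWrite:
		return "SSL_write"
	}
	return fmt.Sprintf("unknown(%d)", uint32(d))
}

// rawHeader mirrors the assumed C header in front of the payload.
type rawHeader struct {
	TimestampNS uint64
	PID, TID    uint32
	Dir         uint32
	DataLen     uint32 // return value of SSL_read/SSL_write seen by the uretprobe
	Comm        [commSize]byte
}

// sslEvent is the decoded, userspace-friendly form of one record.
type sslEvent struct {
	TimestampNS uint64
	PID, TID    uint32
	Dir         direction
	Comm        string
	Data        []byte
}

var errShortRecord = errors.New("record shorter than expected layout")

// decodeRecord parses one perf record. DataLen is the hooked function's return
// value, which can exceed what the eBPF program was able to copy, so it is
// clamped to the payload actually present instead of being used for slicing.
func decodeRecord(raw []byte) (sslEvent, error) {
	if len(raw) < recordSize {
		return sslEvent{}, errShortRecord
	}
	var h rawHeader
	if err := binary.Read(bytes.NewReader(raw[:headerSize]), binary.LittleEndian, &h); err != nil {
		return sslEvent{}, err
	}
	dir := direction(h.Dir)
	if dir != dirRead && dir != dirWrite {
		return sslEvent{}, fmt.Errorf("unknown direction %d", h.Dir)
	}
	n := int(h.DataLen)
	if n > maxDataSize {
		n = maxDataSize
	}
	comm := string(bytes.TrimRight(h.Comm[:], "\x00"))
	data := append([]byte(nil), raw[headerSize:headerSize+n]...)
	return sslEvent{h.TimestampNS, h.PID, h.TID, dir, comm, data}, nil
}

// encodeRecord builds a record the way the kernel side would; it exists only so
// the example can run on constructed input.
func encodeRecord(ev sslEvent) []byte {
	var h rawHeader
	h.TimestampNS, h.PID, h.TID, h.Dir = ev.TimestampNS, ev.PID, ev.TID, uint32(ev.Dir)
	h.DataLen = uint32(len(ev.Data)) // full return value, even if payload is truncated
	copy(h.Comm[:], ev.Comm)
	buf := new(bytes.Buffer)
	_ = binary.Write(buf, binary.LittleEndian, &h)
	payload := make([]byte, maxDataSize)
	copy(payload, ev.Data) // truncated like a bounded bpf_probe_read would be
	buf.Write(payload)
	return buf.Bytes()
}

func main() {
	// Constructed sample: one outbound HTTP request and one inbound response.
	records := [][]byte{
		encodeRecord(sslEvent{1, 4242, 4242, dirWrite, "curl", []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")}),
		encodeRecord(sslEvent{2, 4242, 4242, dirRead, "curl", []byte("HTTP/1.1 200 OK\r\n")}),
	}
	for _, r := range records {
		ev, err := decodeRecord(r)
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Printf("[%s pid=%d comm=%s] %q\n", ev.Dir, ev.PID, ev.Comm, ev.Data)
	}
}
```

The clamp in decodeRecord is the part worth copying: a large SSL_read return value is normal for bulk transfers, and a decoder that slices by it without checking against the copied payload size reads past the record.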

bash readline.so hook

Hooks the readline symbol of /bin/bash. readline returns the line the user entered, so the command line is captured before bash executes it.

How eCapture works

  • SSL/TLS plaintext capture; supports the openssl, gnutls and nspr (nss) libraries.
  • bash audit: captures bash command lines for host security auditing.
  • MySQL query audit: supports mysqld 5.6, 5.7 and 8.0, and MariaDB.

eCapture Architecture


How to compile

Linux Kernel: >= 4.18.

Tools

  • golang 1.16
  • gcc 10.3.0
  • clang 12.0.0
  • cmake 3.18.4
  • clang backend: llvm 12.0.0
  • pahole >= v1.13
  • kernel config: CONFIG_DEBUG_INFO_BTF=y (the eBPF programs rely on kernel BTF; the running kernel must be built with it)

Install

git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture


Use

Copyright (C) 2022 cfc4n