ecapture: capture SSL/TLS text content without CA cert
ecapture
Capture SSL/TLS plaintext without a CA certificate, using eBPF. eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules.
uprobe HOOK
openssl hook
eCapture hooks the SSL_write and SSL_read functions of the shared library /lib/x86_64-linux-gnu/libssl.so.1.1, reads the plaintext buffer in the hooked process, and sends it to userspace through an eBPF map. Because the hook is placed on the library by path, it only sees processes that dynamically link that libssl; the path and version differ between distributions.
bash readline.so hook
Hooks the readline symbol of /bin/bash to capture each command line as it is entered.
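The two uprobe hooks described above, written as an added bpftrace script for illustration; this is not eCapture's own code and it assumes bpftrace is installed, the script runs as root, and the library path matches the one named above (adjust it for your distribution). On SSL_write the plaintext is in the buffer on entry, while on SSL_read it is only filled when the call returns, so the buffer pointer is saved on entry and read on return in both cases:

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not eCapture's code. Assumes: bpftrace installed, run as root,
// libssl at /lib/x86_64-linux-gnu/libssl.so.1.1 and bash at /bin/bash.

// SSL_write(SSL *ssl, const void *buf, int num): plaintext is in buf on entry.
uprobe:/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_write
{
    @wbuf[tid] = arg1;
}

uretprobe:/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_write
/@wbuf[tid] != 0 && retval > 0/
{
    // retval is the number of plaintext bytes written; str() truncates at BPFTRACE_STRLEN.
    printf("pid=%d comm=%s SSL_write %d bytes: %s\n", pid, comm, retval, str(@wbuf[tid], retval));
    delete(@wbuf[tid]);
}

// SSL_read(SSL *ssl, void *buf, int num): buf is filled only when the call returns,
// so the pointer is saved on entry and the data is read in the uretprobe.
uprobe:/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_read
{
    @rbuf[tid] = arg1;
}

uretprobe:/lib/x86_64-linux-gnu/libssl.so.1.1:SSL_read
/@rbuf[tid] != 0 && retval > 0/
{
    printf("pid=%d comm=%s SSL_read %d bytes: %s\n", pid, comm, retval, str(@rbuf[tid], retval));
    delete(@rbuf[tid]);
}

// readline() returns the entered command line as a char*, so a uretprobe is enough.
uretprobe:/bin/bash:readline
{
    printf("pid=%d comm=%s bash: %s\n", pid, comm, str(retval));
}

// Clear the scratch maps so bpftrace does not dump them on exit.
END
{
    clear(@wbuf);
    clear(@rbuf);
}
```

Run it with `bpftrace ./hooks.bt` and generate traffic with `curl https://example.com` in another shell. Strings are truncated at the bpftrace string limit (raise it with the BPFTRACE_STRLEN environment variable); a full tool like eCapture copies the whole buffer through a map instead of formatting it in the probe.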
How eCapture works
- SSL/TLS plaintext capture, supporting the openssl, gnutls and nspr (nss) libraries.
- bash audit: capture bash commands for host security auditing.
- MySQL query (SQL) audit, supporting mysqld 5.6, 5.7 and 8.0, and MariaDB.
eCapture Architecture
How to compile
Linux Kernel: >= 4.18.
Tools
- golang 1.16
- gcc 10.3.0
- clang 12.0.0
- cmake 3.18.4
- clang backend: llvm 12.0.0
- pahole >= v1.13
- kernel config: CONFIG_DEBUG_INFO_BTF=y
Install
git clone git@github.com:ehids/ecapture.git
cd ecapture
make
bin/ecapture
Use
Copyright (C) 2022 cfc4n