eCapture 一個(gè)神奇的開(kāi)源工具

一 前言

前段時(shí)間,一直對(duì)eBPF感興趣,也寫(xiě)了一些eBPF的入門介紹文章,朋友就發(fā)來(lái)個(gè)連接說(shuō)這是一個(gè)好東西,我看,是利用eBPF來(lái)實(shí)現(xiàn)的,剛好最近在研究,所以就有了這篇的介紹文章。

二 eCapture 是什么

官方介紹如下:

eBPF HOOK uprobe實(shí)現(xiàn)的各種用戶態(tài)進(jìn)程的數(shù)據(jù)捕獲,無(wú)需改動(dòng)原程序。
SSL/HTTPS數(shù)據(jù)導(dǎo)出功能,針對(duì)HTTPS的數(shù)據(jù)包抓取,不需要導(dǎo)入CA證書(shū)。
bash的命令捕獲,HIDS的bash命令監(jiān)控解決方案。
mysql query等數(shù)據(jù)庫(kù)的數(shù)據(jù)庫(kù)審計(jì)解決方案。

地址:ecapture/README_CN.md at master · ehids/ecapture (github.com)

eBPF程序可以對(duì)內(nèi)核的靜態(tài)跟蹤點(diǎn),動(dòng)態(tài)跟蹤點(diǎn),設(shè)置鉤子,然后當(dāng)內(nèi)核執(zhí)行到這些點(diǎn)的時(shí)候,會(huì)自動(dòng)調(diào)用我們?cè)O(shè)置好的鉤子,這樣我們就可以對(duì)一些數(shù)據(jù)進(jìn)行監(jiān)控,網(wǎng)絡(luò)流量也可以進(jìn)行轉(zhuǎn)發(fā),甚至對(duì)數(shù)據(jù)包進(jìn)行修改,簡(jiǎn)直是黑魔法;不光可以對(duì)內(nèi)核的進(jìn)行動(dòng)態(tài)追蹤,對(duì)用戶態(tài)進(jìn)程也可以,我記得我上篇文章就介紹對(duì)簡(jiǎn)單的c程序的代碼的hook。

eCapture就是這個(gè)原理,對(duì)用戶態(tài)程序的具體追蹤,具體原理如下:

eCapture系統(tǒng)用戶態(tài)程序使用Golang語(yǔ)言開(kāi)發(fā),具有良好的系統(tǒng)兼容性,無(wú)依賴快速部署,更適合云原生場(chǎng)景。 內(nèi)核態(tài)代碼使用C編寫(xiě),使用clang/llvm編譯,生產(chǎn)bpf字節(jié)碼后,采用go-bindata轉(zhuǎn)化為golang語(yǔ)法文件,之后采用ehids/ebpfmanager類庫(kù),調(diào)用bpf syscall進(jìn)行加載、HOOK、map讀取。 golang編譯后,無(wú)其他任何依賴即可運(yùn)行,兼容linux kernel 4.18以上所有版本。

架構(gòu)圖如下:


ecapture架構(gòu)圖

三 安裝和使用

我曾經(jīng)想在centos 8.x 上嘗試,發(fā)現(xiàn)充滿了挫折,真不建議用這個(gè)系統(tǒng)作為ebpf的實(shí)驗(yàn)環(huán)境,又發(fā)現(xiàn)不少朋友采用 ubuntu服務(wù)器,遂下載 ubuntu-21.10-live-server-amd64.iso安裝體驗(yàn)了一把,可以說(shuō)是非常順利,幾乎使用到的安裝命令都是一把過(guò),強(qiáng)烈推薦,而且沒(méi)有的命令,會(huì)直接提供安裝命令,非常的人性化;
當(dāng)然如果你就喜歡挑戰(zhàn)困難,可以試試centos 8.x上編譯內(nèi)核,打開(kāi)一些選項(xiàng)后,編譯起來(lái)常常報(bào)錯(cuò),安裝相關(guān)依賴又困難重重,我遇到錯(cuò)誤如下,如果有大神對(duì)這方便比較精通可以指點(diǎn)下:

vim .config
# 添加: CONFIG_DEBUG_INFO_BTF=y

# 編譯
make  -j4
LD [M]  kernel/bpf/preload/bpf_preload.o
ld: kernel/bpf/preload/bpf_preload_kern.o: unable to initialize decompress status for section .debug_addr
ld: kernel/bpf/preload/bpf_preload_kern.o: unable to initialize decompress status for section .debug_addr
ld: kernel/bpf/preload/bpf_preload_kern.o: unable to initialize decompress status for section .debug_addr
ld: kernel/bpf/preload/bpf_preload_kern.o: unable to initialize decompress status for section .debug_addr
kernel/bpf/preload/bpf_preload_kern.o: file not recognized: 不可識(shí)別的文件格式
make[3]: *** [scripts/Makefile.build:483:kernel/bpf/preload/bpf_preload.o] 錯(cuò)誤 1
make[2]: *** [scripts/Makefile.build:549:kernel/bpf/preload] 錯(cuò)誤 2
make[1]: *** [scripts/Makefile.build:549:kernel/bpf] 錯(cuò)誤 2
make: *** [Makefile:1846:kernel] 錯(cuò)誤 2
make: *** 正在等待未完成的任務(wù)....

3.1 ubuntu下環(huán)境準(zhǔn)備

3.1.1 安裝編譯和依賴頭文件工具等

sudo apt-get install -y  make clang llvm libelf-dev libbpf-dev bpfcc-tools libbpfcc-dev linux-tools-$(uname -r) linux-headers-$(uname -r)

3.1.2 安裝git和golang

sudo apt-get git
sudo apt-get golang

指定golang使用代理,不然下載不了github上的庫(kù):

go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.io,direct

3.1.3 編譯eCapture

非常順利的一氣呵成的編譯:

git clone https://github.com/ehids/ecapture.git
cd ecapture
make

3.2 運(yùn)行使用

root@ubuntu-lab:/home/miao/ecapture-master# ./bin/ecapture 
NAME:
    ecapture - capture text SSL content without CA cert by ebpf hook.

USAGE:
    ecapture [flags]

VERSION:
    --

COMMANDS:
    bash    capture bash command
    help    Help about any command
    mysqld  capture sql queries from mysqld 5.6/5.7/8.0 .
    tls alias name:openssl , use to capture tls/ssl text content without CA cert.

DESCRIPTION:
    eCapture is a tool that can capture plaintext packets 
    such as HTTPS and TLS without installing a CA certificate.
    It can also capture bash commands, which is suitable for 
    security auditing scenarios, such as database auditing of mysqld, etc.
    
    Repository: https://github.com/ehids/ecapture

OPTIONS:
  -d, --debug[=false]   enable debug logging
  -h, --help[=false]    help for ecapture
      --hex[=false] print byte strings as hex encoded strings
  -p, --pid=0       if target_pid is 0 then we target all pids

通過(guò)命令來(lái)看,核心的三個(gè)功能,一個(gè)是bash的輸入內(nèi)容的記錄,一個(gè)是對(duì)mysql的sql命令的記錄,一個(gè)是對(duì)tls 明文數(shù)據(jù)捕獲。

  1. bash記錄,可以用在入侵檢測(cè),或者我們打開(kāi)功能后可以監(jiān)看黑客的入侵過(guò)程;
  2. mysql的sql命令記錄,可以用在數(shù)據(jù)庫(kù)審計(jì),數(shù)據(jù)防泄露等場(chǎng)景;
  3. tls明文數(shù)據(jù)捕獲,可以用在比較機(jī)器被入侵了,通信是加密的,我們可以通過(guò)這些命令查看傳遞的是什么內(nèi)容,這點(diǎn)真的很酷。

好了,下面進(jìn)入演示環(huán)節(jié):

3.2.1 bash命令記錄

root@ubuntu-lab:/home/miao/ecapture-master# ./bin/ecapture  bash
2022/04/09 04:45:48 start to run EBPFProbeBash module
2022/04/09 04:45:48 pid info :8130
2022/04/09 04:45:48 HOOK binrayPath:/bin/bash, FunctionName:readline
2022/04/09 04:45:48 target all process. 
2022/04/09 04:45:54  PID:3687,  Comm:bash,  Line: pwd
2022/04/09 04:46:03  PID:3687,  Comm:bash,  Line: cat /etc/passwd

如上,我們可以在記錄中查看到命令執(zhí)行的時(shí)間,命令名為bash,命令id為3687,具體命令行為pwd,第二個(gè)命令為cat /etc/passwd.

3.2.2 mysql命令記錄

# 安裝server 注意這個(gè)程序不支持mysql,所以只能安裝mariadb
miao@ubuntu-lab:~/ehids-agent-master$ sudo apt-get  install mariadb-server 

# mysql命令執(zhí)行:
sudo mysql -u root
[sudo] password for miao: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.5.15-MariaDB-0ubuntu0.21.10.1 Ubuntu 21.10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.001 sec)

MariaDB [(none)]> create database test;
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> use test;
Database changed
MariaDB [test]> CREATE TABLE user(
    ->            id int(10) unsigned not null auto_increment,
    ->            name varchar(25),
    ->            sex varchar(5),
    ->            age int(10),
    ->            password varchar(25),
    ->            primary key(id))engine=Innodb;
Query OK, 0 rows affected (0.013 sec)

MariaDB [test]> create table test(id  int(10),name varchar(64),aget int(10));
Query OK, 0 rows affected (0.010 sec)
MariaDB [test]> insert test values(1,'abc',14);
Query OK, 1 row affected (0.003 sec)
MariaDB [test]> insert test values(2,'edf',14);
Query OK, 1 row affected (0.001 sec)
MariaDB [test]> insert test values(3,'dfg',18);
Query OK, 1 row affected (0.001 sec)
MariaDB [test]> select * from test;
+------+------+------+
| id   | name | aget |
+------+------+------+
|    1 | abc  |   14 |
|    2 | edf  |   14 |
|    3 | dfg  |   18 |
+------+------+------+
3 rows in set (0.000 sec)

MariaDB [test]> delete from test where id=3;
Query OK, 1 row affected (0.001 sec)
MariaDB [test]> commit;
Query OK, 0 rows affected (0.000 sec)
MariaDB [test]> drop table user;
Query OK, 0 rows affected (0.003 sec)
MariaDB [test]> quit
Bye

演示了增刪改查和創(chuàng)建刪除表等命令,我們來(lái)看看審計(jì)的情況:

root@ubuntu-lab:/home/miao/ecapture-master# ./bin/ecapture mysqld
2022/04/09 04:57:32 start to run EBPFProbeMysqld module
2022/04/09 04:57:32 pid info :11307
2022/04/09 04:57:32 Mysql Version:mysqld-5.6, binrayPath:/usr/sbin/mariadbd, FunctionName:_Z16dispatch_command19enum_server_commandP3THDPcjbb ,UprobeOffset:0
2022/04/09 04:57:48  PID:10185, Comm:mariadbd, Time:3827419930458,  length:(32/32),  Line:select @@version_comment limit 1
2022/04/09 04:58:06  PID:10185, Comm:mariadbd, Time:3845780980800,  length:(14/14),  Line:show databases
2022/04/09 04:58:16  PID:10185, Comm:mariadbd, Time:3855625666790,  length:(20/20),  Line:create database test
2022/04/09 04:58:20  PID:10185, Comm:mariadbd, Time:3859549915643,  length:(17/17),  Line:SELECT DATABASE()
2022/04/09 04:58:20  PID:10185, Comm:mariadbd, Time:3859551387926,  length:(14/14),  Line:show databases
2022/04/09 04:58:20  PID:10185, Comm:mariadbd, Time:3859551716349,  length:(11/11),  Line:show tables
2022/04/09 05:00:39  PID:10185, Comm:mariadbd, Time:3998880500344,  length:(228/228),  Line:CREATE TABLE user(
           id int(10) unsigned not null auto_increment,
           name varchar(25),
           sex varchar(5),
           age int(10),
           password varchar(25),
           primary key(id))engine=Innodb
2022/04/09 05:02:51  PID:10185, Comm:mariadbd, Time:4131399810197,  length:(60/60),  Line:create table test(id  int(10),name varchar(64),aget int(10))
2022/04/09 05:03:09  PID:10185, Comm:mariadbd, Time:4148536516108,  length:(30/30),  Line:insert test values(1,'abc',14)
2022/04/09 05:03:16  PID:10185, Comm:mariadbd, Time:4156272316044,  length:(30/30),  Line:insert test values(2,'edf',14)
2022/04/09 05:03:25  PID:10185, Comm:mariadbd, Time:4165122488367,  length:(30/30),  Line:insert test values(3,'dfg',18)
2022/04/09 05:03:32  PID:10185, Comm:mariadbd, Time:4172032070611,  length:(18/18),  Line:select * from test
2022/04/09 05:04:00  PID:10185, Comm:mariadbd, Time:4199712261102,  length:(27/27),  Line:delete from test where id=3
2022/04/09 05:04:02  PID:10185, Comm:mariadbd, Time:4202319566537,  length:(6/6),  Line:commit
2022/04/09 05:04:17  PID:10185, Comm:mariadbd, Time:4217159993175,  length:(15/15),  Line:drop table user

審計(jì)記錄的內(nèi)容包括:時(shí)間、進(jìn)程id、進(jìn)程名、命令長(zhǎng)度、命令行;
注意:沒(méi)有執(zhí)行結(jié)果的展示,也沒(méi)有命令的返回值,如果能做到輸入的命令和返回的內(nèi)容就好了,不過(guò)這個(gè)改造起來(lái)難度應(yīng)該也不大,如果返回的select的內(nèi)容很多,可能map記錄不一定存的下,但是我覺(jué)得執(zhí)行成功失敗還是要有的,有興趣的同學(xué)可以繼續(xù)完善下。

3.2.2 tls 通信明文還原

本來(lái)我是用編譯的程序來(lái)還原的,發(fā)現(xiàn)不能用,原因是:

root@ubuntu-lab:/home/miao/ecapture-master/bin# ./ecapture  tls
2022/04/09 07:33:55 pid info :17222
2022/04/09 07:33:55 start to run EBPFProbeOPENSSL module
2022/04/09 07:33:55 start to run EBPFProbeGNUTLS module
2022/04/09 07:33:55 start to run EBPFProbeNSPR module
2022/04/09 07:33:55 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libnspr4.so
2022/04/09 07:33:55 target all process. 
2022/04/09 07:33:55 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libssl.so.1.1
2022/04/09 07:33:55 libPthread so Path:/lib/x86_64-linux-gnu/libpthread.so.0
2022/04/09 07:33:55 target all process. 
2022/04/09 07:33:55 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libgnutls.so.30
2022/04/09 07:33:55 target all process. 
2022/04/09 07:33:55 couldn't start bootstrap manager: error:1 error occurred:
    * error:opening uprobe: symbol connect: not found , isRet:%!d(bool=false), {UID:, EbpfFuncName:probe_connect}

, probes activation validation failed

看樣子是ebpf的函數(shù)名竟然找不到,可能是我裝的ebpf版本太新了??催€有一個(gè)編譯好的版本,所以嘗試下:

wget https://github.do/https://github.com/ehids/ecapture/releases/download/v0.1.5/ecapture_v0.1.5.zip

解壓后運(yùn)行,果然沒(méi)報(bào)錯(cuò):

root@ubuntu-lab:/home/miao# ./ecapture tls
2022/04/09 07:39:15 pid info :17414
2022/04/09 07:39:15 start to run EBPFProbeOPENSSL module
2022/04/09 07:39:15 start to run EBPFProbeGNUTLS module
2022/04/09 07:39:15 start to run EBPFProbeNSPR module
2022/04/09 07:39:15 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libssl.so.1.1
2022/04/09 07:39:15 target all process. 
2022/04/09 07:39:15 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libgnutls.so.30
2022/04/09 07:39:15 target all process. 
2022/04/09 07:39:15 HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libnspr4.so
2022/04/09 07:39:15 target all process. 
2022/04/09 07:40:38  PID:17458, Comm:wget, TID:17458, TYPE:Send, DataLen:126 bytes, Payload:
GET / HTTP/1.1
User-Agent: Wget/1.21
Accept: */*
Accept-Encoding: identity
Host: www.baidu.com
Connection: Keep-Alive


2022/04/09 07:40:38  PID:17458, Comm:wget, TID:17458, TYPE:Recived, DataLen:116 bytes, Payload:
HTTP/1.1 200 OK
Content-Length: 2443
Content-Type: text/html
Server: bfe
Date: Sat, 09 Apr 2022 07:40:38 GMT


2022/04/09 07:40:38  PID:17458, Comm:wget, TID:17458, TYPE:Recived, DataLen:1063 bytes, Payload:
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度
2022/04/09 07:40:38  PID:17458, Comm:wget, TID:17458, TYPE:Recived, DataLen:1380 bytes, Payload:
下 class="bg s_btn" autofocus></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新聞</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地圖</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>視頻</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>貼吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登錄</a> </noscript> <script>document.write('<a + encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登錄</a>');
                </script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多產(chǎn)品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>關(guān)于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必讀</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意見(jiàn)反饋</a>&nbsp;京ICP證030173號(hào)&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>

這是我在另外一個(gè)終端運(yùn)行,抓獲的結(jié)果。

wget https://www.baidu.com

同時(shí)發(fā)現(xiàn)個(gè)問(wèn)題,我在服務(wù)器上部署一個(gè)https的服務(wù)器,通過(guò)windows下的瀏覽器訪問(wèn)這個(gè)地址,沒(méi)有看到抓獲的明文內(nèi)容,所以我猜應(yīng)該是只處理了客戶端命令,回頭看下原理驗(yàn)證下。

四 原理分析

原理比較簡(jiǎn)單,其實(shí)就是去找用戶空間的運(yùn)行程序或庫(kù)的特定函數(shù)的地址信息,然后在這個(gè)函數(shù)地址安裝hook,這樣就可以在程序進(jìn)入到這個(gè)函數(shù)的時(shí)候,執(zhí)行我們的代碼,就可以把得到的報(bào)文信息簡(jiǎn)單打印出來(lái)。

這些函數(shù)位置如何找那,參考官網(wǎng)的文章,以tls模塊為例子說(shuō)明下。

4.1 tls 明文抓包的原理

ecapture tls 命令啟動(dòng)tls/ssl 模塊,支持三個(gè)常用的tls庫(kù),分別是:

  1. openssl ,動(dòng)態(tài)鏈接庫(kù)名字為libssl.so
  2. gnutls ,動(dòng)態(tài)鏈接庫(kù)名字為libgnutls.so

  3. nss/nspr ,動(dòng)態(tài)鏈接庫(kù)名字為libnspr4.so


    圖來(lái)自官網(wǎng),侵權(quán)刪除

比如我們測(cè)試用的是wget,我們先查看wget使用什么tls庫(kù),如下命令:

root@ubuntu-lab:/home/miao/apache-tomcat-9.0.0.M20/bin# ldd `which wget` |grep -E "tls|ssl|nspr|nss"
    libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f9099d0a000)

我們可以看到依賴的libssl庫(kù)是ecapture 可以hook的,所以我們可以使用wget進(jìn)行https請(qǐng)求,同時(shí)進(jìn)行明文抓包。這樣看來(lái),只要程序進(jìn)行通信的時(shí)候使用了這三類tls庫(kù),就可以進(jìn)行明文抓包。

下一步就是定位函數(shù)了,定位函數(shù)需要對(duì)libssl庫(kù)有所了解,知道哪個(gè)是解密出明文的,然后通過(guò):

objdump -T /lib/x86_64-linux-gnu/libssl.so.1.1

這個(gè)命令查看符號(hào)的地址,做hook即可,這是我猜測(cè)的,看了下代碼:

func (this *MOpenSSLProbe) setupManagers() error {
    var binaryPath, libPthread string
    switch this.conf.(*OpensslConfig).elfType {
    case ELF_TYPE_BIN:
        binaryPath = this.conf.(*OpensslConfig).Curlpath
    case ELF_TYPE_SO:
        binaryPath = this.conf.(*OpensslConfig).Openssl
    default:
        //如果沒(méi)找到
        binaryPath = "/lib/x86_64-linux-gnu/libssl.so.1.1"
    }

    libPthread = this.conf.(*OpensslConfig).Pthread
    if libPthread == "" {
        libPthread = "/lib/x86_64-linux-gnu/libpthread.so.0"
    }
    _, err := os.Stat(binaryPath)
    if err != nil {
        return err
    }

    this.logger.Printf("HOOK type:%d, binrayPath:%s\n", this.conf.(*OpensslConfig).elfType, binaryPath)
    this.logger.Printf("libPthread so Path:%s\n", libPthread)

    this.bpfManager = &manager.Manager{
        Probes: []*manager.Probe{
            {
                Section:          "uprobe/SSL_write",
                EbpfFuncName:     "probe_entry_SSL_write",
                AttachToFuncName: "SSL_write",
                BinaryPath:       binaryPath,
            },
            {
                Section:          "uretprobe/SSL_write",
                EbpfFuncName:     "probe_ret_SSL_write",
                AttachToFuncName: "SSL_write",
                BinaryPath:       binaryPath,
            },
            {
                Section:          "uprobe/SSL_read",
                EbpfFuncName:     "probe_entry_SSL_read",
                AttachToFuncName: "SSL_read",
                BinaryPath:       binaryPath,
            },
            {
                Section:          "uretprobe/SSL_read",
                EbpfFuncName:     "probe_ret_SSL_read",
                AttachToFuncName: "SSL_read",
                BinaryPath:       binaryPath,
            },
            {
                Section:          "uprobe/connect",
                EbpfFuncName:     "probe_connect",
                AttachToFuncName: "connect",
                BinaryPath:       libPthread,
            },
        },

        Maps: []*manager.Map{
            {
                Name: "tls_events",
            },
            {
                Name: "connect_events",
            },
        },
    }

    this.bpfManagerOptions = manager.Options{
        DefaultKProbeMaxActive: 512,

        VerifierOptions: ebpf.CollectionOptions{
            Programs: ebpf.ProgramOptions{
                LogSize: 2097152,
            },
        },

        RLimit: &unix.Rlimit{
            Cur: math.MaxUint64,
            Max: math.MaxUint64,
        },
        // 填充 RewriteContants 對(duì)應(yīng)map
        ConstantEditors: this.constantEditor(),
    }
    return nil
}

可以看到就是在SSL_read和SSL_write的函數(shù)上建立hook,hook函數(shù)看樣子是probe_ret_SSL_read和probe_ret_SSL_write,我們繼續(xù)看下這兩個(gè)函數(shù)是干嘛的。

我們只看openssl的代碼,這部分是通過(guò)c代碼來(lái)實(shí)現(xiàn)的,結(jié)構(gòu)很清晰:

SEC("uprobe/SSL_write")
int probe_entry_SSL_write(struct pt_regs* ctx) {
    uint64_t current_pid_tgid = bpf_get_current_pid_tgid();
    uint32_t pid = current_pid_tgid >> 32;

    // if target_ppid is 0 then we target all pids
    if (target_pid != 0 && target_pid != pid) {
        return 0;
    }

    void * ssl = (void *) PT_REGS_PARM1(ctx);
    // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
    struct ssl_st  ssl_info;
    bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);

    struct BIO  bio_w;
    bpf_probe_read_user(&bio_w, sizeof(bio_w), ssl_info.wbio);

    // get fd ssl->wbio->num
    u32 fd = bio_w.num;
    debug_bpf_printk("uprobe SSL_write FD:%d\n", fd);

    const char* buf = (const char*)PT_REGS_PARM2(ctx);
    struct active_ssl_buf active_ssl_buf_t;
    __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
    active_ssl_buf_t.fd = fd;
    active_ssl_buf_t.buf = buf;
    bpf_map_update_elem(&active_ssl_write_args_map, &current_pid_tgid, &active_ssl_buf_t, BPF_ANY);

    return 0;
}

SEC("uretprobe/SSL_write")
int probe_ret_SSL_write(struct pt_regs* ctx) {
    uint64_t current_pid_tgid = bpf_get_current_pid_tgid();
    uint32_t pid = current_pid_tgid >> 32;

    // if target_ppid is 0 then we target all pids
    if (target_pid != 0 && target_pid != pid) {
        return 0;
    }

    struct active_ssl_buf* active_ssl_buf_t = bpf_map_lookup_elem(&active_ssl_write_args_map, &current_pid_tgid);
    if (active_ssl_buf_t != NULL) {
        const char* buf;
        u32 fd = active_ssl_buf_t->fd;
        bpf_probe_read(&buf, sizeof(const char *), &active_ssl_buf_t->buf);
        process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd);
    }
    bpf_map_delete_elem(&active_ssl_write_args_map, &current_pid_tgid);
    return 0;
}

// Function signature being probed:
// int SSL_read(SSL *s, void *buf, int num)
SEC("uprobe/SSL_read")
int probe_entry_SSL_read(struct pt_regs* ctx) {
    uint64_t current_pid_tgid = bpf_get_current_pid_tgid();
    uint32_t pid = current_pid_tgid >> 32;

    // if target_ppid is 0 then we target all pids
    if (target_pid != 0 && target_pid != pid) {
        return 0;
    }

    void * ssl = (void *) PT_REGS_PARM1(ctx);
    // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
    struct ssl_st  ssl_info;
    bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);

    struct BIO  bio_r;
    bpf_probe_read_user(&bio_r, sizeof(bio_r), ssl_info.rbio);

    // get fd ssl->rbio->num
    u32 fd = bio_r.num;
    debug_bpf_printk("uprobe SSL_read FD:%d\n", fd);

    const char* buf = (const char*)PT_REGS_PARM2(ctx);
    struct active_ssl_buf active_ssl_buf_t;
    __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
    active_ssl_buf_t.fd = fd;
    active_ssl_buf_t.buf = buf;
    bpf_map_update_elem(&active_ssl_read_args_map, &current_pid_tgid, &active_ssl_buf_t, BPF_ANY);
    return 0;
}

SEC("uretprobe/SSL_read")
int probe_ret_SSL_read(struct pt_regs* ctx) {
    uint64_t current_pid_tgid = bpf_get_current_pid_tgid();
    uint32_t pid = current_pid_tgid >> 32;

    // if target_ppid is 0 then we target all pids
    if (target_pid != 0 && target_pid != pid) {
        return 0;
    }

    struct active_ssl_buf* active_ssl_buf_t = bpf_map_lookup_elem(&active_ssl_read_args_map, &current_pid_tgid);
    if (active_ssl_buf_t != NULL) {
        const char* buf;
        u32 fd = active_ssl_buf_t->fd;
        bpf_probe_read(&buf, sizeof(const char *), &active_ssl_buf_t->buf);
        process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd);
    }
    bpf_map_delete_elem(&active_ssl_read_args_map, &current_pid_tgid);
    return 0;
}

最終都調(diào)用process_SSL_data來(lái)處理的,代碼如下:

static int process_SSL_data(struct pt_regs* ctx, uint64_t id, enum ssl_data_event_type type,
                            const char* buf, u32 fd) {
    int len = (int)PT_REGS_RC(ctx);
    if (len < 0) {
        return 0;
    }

    struct ssl_data_event_t* event = create_ssl_data_event(id);
    if (event == NULL) {
        return 0;
    }

    event->type = type;
    event->fd = fd;
    // This is a max function, but it is written in such a way to keep older BPF verifiers happy.
    event->data_len = (len < MAX_DATA_SIZE_OPENSSL ? (len & (MAX_DATA_SIZE_OPENSSL - 1)) : MAX_DATA_SIZE_OPENSSL);
    bpf_probe_read(event->data, event->data_len, buf);
    bpf_get_current_comm(&event->comm, sizeof(event->comm));
    bpf_perf_event_output(ctx, &tls_events, BPF_F_CURRENT_CPU, event,sizeof(struct ssl_data_event_t));
    return 0;
}

通過(guò)bpf的函數(shù)讀取解密后的數(shù)據(jù),進(jìn)程命令,然后通過(guò)事件的形式輸出。
整體邏輯沒(méi)細(xì)看,大差不差吧,下次有空好好分析下代碼吸收下。

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容