EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section #377

Closed
qqq-1123 opened this issue Jul 7, 2023 · 10 comments
Labels
🐞 bug Something isn't working question Further information is requested


@qqq-1123

qqq-1123 commented Jul 7, 2023

./ecapture gotls --elfpath=/usr/local/piggo --pid=46196
tls_2023/07/07 15:20:01 ECAPTURE :: ecapture Version : linux_x86_64:0.6.0-20230702-44d2d47:5.15.0-1040-azure
tls_2023/07/07 15:20:01 ECAPTURE :: Pid Info : 46196
tls_2023/07/07 15:20:01 ECAPTURE :: Kernel Info : 5.15.99
tls_2023/07/07 15:20:01 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section

@cfc4n
Member

cfc4n commented Jul 7, 2023

> When I use the bash command “ecapture gotls” on Ubuntu 22.04 LTS, it shows the error EBPFProbeGoTLS module [disabled].

Please upload more detail.

@cfc4n cfc4n added the question Further information is requested label Jul 7, 2023
@qqq-1123 qqq-1123 changed the title EBPFProbeGoTLS module [disabled]. EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section Jul 9, 2023
@cfc4n
Member

cfc4n commented Jul 10, 2023

When compiling a Go program, please preserve the symbol table debug information, for example, remove -ldflags="-s -w".

@qqq-1123
Author

> When compiling a Go program, please preserve the symbol table debug information, for example, remove -ldflags="-s -w".

root@localhost:/tmp/ecapture-v0.6.0-linux-x86_64# ./ecapture gotls --elfpath=/usr/local/piggo --pid=6085
tls_2023/07/15 09:07:49 ECAPTURE :: ecapture Version : linux_x86_64:0.6.0-20230702-44d2d47:5.15.0-1040-azure
tls_2023/07/15 09:07:49 ECAPTURE :: Pid Info : 6134
tls_2023/07/15 09:07:49 ECAPTURE :: Kernel Info : 5.15.99
tls_2023/07/15 09:07:49 EBPFProbeGoTLS module initialization
tls_2023/07/15 09:07:49 EBPFProbeGoTLS master key keylogger: ecapture_masterkey.log
tls_2023/07/15 09:07:49 ECAPTURE :: Module.Run()
tls_2023/07/15 09:07:49 EBPFProbeGoTLS UPROBE MODEL
tls_2023/07/15 09:07:49 EBPFProbeGoTLS eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x104
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x131
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x1B2
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x2FD
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x330
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3AD
tls_2023/07/15 09:07:49 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3CB
tls_2023/07/15 09:07:49 EBPFProbeGoTLS target PID:6085
tls_2023/07/15 09:07:49 EBPFProbeGoTLS target all users.
tls_2023/07/15 09:07:49 EBPFProbeGoTLS BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2023/07/15 09:07:49 EBPFProbeGoTLS module run failed, [skip it]. error:couldn't init manager error:unknown EbpfFuncName , couldn't find program at gotls_write_register

@cfc4n
Member

cfc4n commented Jul 16, 2023

I tested it, and the program is working fine. What is your environment like? Can you please upload the file for elfpath?

root@vm-server:/home/cfc4n/project/ecapture# bin/ecapture gotls -e /home/cfc4n/project/ecapture/tests/golang_https
tls_2023/07/16 10:17:43 ECAPTURE :: ecapture Version : linux_x86_64:--:[CORE]
tls_2023/07/16 10:17:43 ECAPTURE :: Pid Info : 21608
tls_2023/07/16 10:17:43 ECAPTURE :: Kernel Info : 5.15.108
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	module initialization
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	master key keylogger: ecapture_masterkey.log
tls_2023/07/16 10:17:43 ECAPTURE ::	Module.Run()
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	UPROBE MODEL
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x104
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x131
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x1B2
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x2FD
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x330
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3AD
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3CB
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	target all process.
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	target all users.
tls_2023/07/16 10:17:43 EBPFProbeGoTLS	BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2023/07/16 10:17:44 EBPFProbeGoTLS	module started successfully.
^Ctls_2023/07/16 10:17:52 EBPFProbeGoTLS	close.
tls_2023/07/16 10:17:52 EBPFProbeGoTLS	close

@cfc4n
Member

cfc4n commented Jul 16, 2023

It's probably the same issue as #378. In non-CO-RE mode, there was a compilation error, but it will be fixed later by PR #379.

@cfc4n cfc4n added the 🐞 bug Something isn't working label Jul 16, 2023
@cfc4n
Member

cfc4n commented Jul 16, 2023

@qqq-1123 Please try the new version, v0.6.1.

@qqq-1123
Author

qqq-1123 commented Jul 16, 2023

> @qqq-1123 Please try the new version. v0.6.1

It works on v0.61 when I remove -ldflags "-w -s", like this:
root@localhost:~/ecapture-v0.6.1-linux-x86_64# ./ecapture gotls --elfpath=/usr/local/piggo
tls_2023/07/16 14:04:15 ECAPTURE :: ecapture Version : linux_x86_64:0.6.1-20230716-e1cd6c7:5.15.0-1041-azure
tls_2023/07/16 14:04:15 ECAPTURE :: Pid Info : 4874
tls_2023/07/16 14:04:15 ECAPTURE :: Kernel Info : 5.15.98
tls_2023/07/16 14:04:15 EBPFProbeGoTLS module initialization
tls_2023/07/16 14:04:15 EBPFProbeGoTLS master key keylogger: ecapture_masterkey.log
tls_2023/07/16 14:04:15 ECAPTURE :: Module.Run()
tls_2023/07/16 14:04:15 EBPFProbeGoTLS UPROBE MODEL
tls_2023/07/16 14:04:15 EBPFProbeGoTLS eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x104
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x131
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x1B2
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x2FD
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x330
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3AD
tls_2023/07/16 14:04:15 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3CB
tls_2023/07/16 14:04:15 EBPFProbeGoTLS target all process.
tls_2023/07/16 14:04:15 EBPFProbeGoTLS target all users.
tls_2023/07/16 14:04:15 EBPFProbeGoTLS BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2023/07/16 14:04:16 EBPFProbeGoTLS module started successfully.
^Ctls_2023/07/16 14:04:21 EBPFProbeGoTLS close.
tls_2023/07/16 14:04:21 EBPFProbeGoTLS close

But it still does not work when I use -ldflags "-w -s".
When I use -ldflags "-w -s", the error is still like this:
root@localhost:~/ecapture-v0.6.1-linux-x86_64# ./ecapture gotls --elfpath=/usr/local/piggo
tls_2023/07/16 14:08:42 ECAPTURE :: ecapture Version : linux_x86_64:0.6.1-20230716-e1cd6c7:5.15.0-1041-azure
tls_2023/07/16 14:08:42 ECAPTURE :: Pid Info : 5134
tls_2023/07/16 14:08:42 ECAPTURE :: Kernel Info : 5.15.98
tls_2023/07/16 14:08:42 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section

@cfc4n
Member

cfc4n commented Jul 17, 2023

Can you test the official 'golang tls' client? https://github.com/gojue/ecapture/blob/master/tests/golang_https.go

cd ecapture/tests/
go build golang_https.go
cd ../
./bin/ecapture gotls -e "tests/golang_https"

@qqq-1123
Author

It works!
root@localhost:~/ecapture-v0.6.1-linux-x86_64# ./ecapture gotls -e "/root/ecapture/tests/golang_https"
tls_2023/07/17 14:16:52 ECAPTURE :: ecapture Version : linux_x86_64:0.6.1-20230716-e1cd6c7:5.15.0-1041-azure
tls_2023/07/17 14:16:52 ECAPTURE :: Pid Info : 1996
tls_2023/07/17 14:16:52 ECAPTURE :: Kernel Info : 5.15.98
tls_2023/07/17 14:16:52 EBPFProbeGoTLS module initialization
tls_2023/07/17 14:16:52 EBPFProbeGoTLS master key keylogger: ecapture_masterkey.log
tls_2023/07/17 14:16:52 ECAPTURE :: Module.Run()
tls_2023/07/17 14:16:52 EBPFProbeGoTLS UPROBE MODEL
tls_2023/07/17 14:16:52 EBPFProbeGoTLS eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x104
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x131
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x1B2
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x2FD
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x330
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3AD
tls_2023/07/17 14:16:52 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x3CB
tls_2023/07/17 14:16:52 EBPFProbeGoTLS target all process.
tls_2023/07/17 14:16:52 EBPFProbeGoTLS target all users.
tls_2023/07/17 14:16:52 EBPFProbeGoTLS BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2023/07/17 14:16:53 EBPFProbeGoTLS module started successfully.

@cfc4n
Member

cfc4n commented Aug 8, 2023

eCapture does not support ELF files without a symbol section.

You can manually search for the offset of the tls.(*Conn).Read function in the ELF file, and hardcode it into the code. Then compile eCapture yourself.
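
Added example (not part of the thread and not eCapture's code): "no symbol section" is the message of Go's debug/elf ErrNoSymbols, which Symbols() returns when a binary built with -ldflags="-s -w" has no .symtab. The program below looks for crypto/tls.(*Conn).Read in .symtab and, when that table is stripped, in .gopclntab, which the Go linker keeps, then converts the address to a file offset; the names Locate and FileOffset are this example's own.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
)

// FileOffset maps a virtual address to the file offset at which a uprobe is placed.
func FileOffset(progs []*elf.Prog, addr uint64) (uint64, error) {
	for _, p := range progs {
		if p.Type == elf.PT_LOAD && addr >= p.Vaddr && addr < p.Vaddr+p.Filesz {
			return addr - p.Vaddr + p.Off, nil
		}
	}
	return 0, fmt.Errorf("address %#x is not in any loadable segment", addr)
}

// Locate resolves fn via .symtab, else via .gopclntab (kept by -ldflags="-s -w").
func Locate(path, fn string) (off uint64, source string, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return 0, "", err
	}
	defer f.Close()
	syms, _ := f.Symbols() // elf.ErrNoSymbols ("no symbol section") when stripped
	for _, s := range syms {
		if s.Name == fn {
			off, source = s.Value, ".symtab" // off holds the virtual address for now
		}
	}
	pcln, text := f.Section(".gopclntab"), f.Section(".text")
	if source == "" && pcln != nil && text != nil {
		data, _ := pcln.Data()
		tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
		if err == nil && tab.LookupFunc(fn) != nil {
			off, source = tab.LookupFunc(fn).Entry, ".gopclntab"
		}
	}
	if source == "" {
		return 0, "", fmt.Errorf("%s: %s not in .symtab or .gopclntab", path, fn)
	}
	off, err = FileOffset(f.Progs, off)
	return off, source, err
}

func main() {
	fmt.Println(Locate(os.Args[len(os.Args)-1], "crypto/tls.(*Conn).Read"))
}
```

Pass the path of the Go binary as the only argument. It reports only the function's entry offset; the further offsets inside the function that eCapture lists in its "add uretprobe function" log lines are not computed here.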

@cfc4n cfc4n closed this as completed Aug 13, 2023