feat: support keylog and pcap mode in gnutls #654

Merged: 12 commits, Nov 11, 2024
Changes from 5 commits
11 changes: 11 additions & 0 deletions cli/cmd/gnutls.go
@@ -18,6 +18,8 @@
package cmd

import (
"strings"

"github.com/gojue/ecapture/user/config"
"github.com/gojue/ecapture/user/module"
"github.com/spf13/cobra"
@@ -35,17 +37,26 @@ ecapture gnutls
ecapture gnutls --hex --pid=3423
ecapture gnutls -l save.log --pid=3423
ecapture gnutls --gnutls=/lib/x86_64-linux-gnu/libgnutls.so
ecapture gnutls -m keylog -k ecapture_gnutls_key.og
Member:

Why use the file suffix og?

Contributor:

https://github.com/gojue/ecapture/pull/436/files#diff-e8e66257f925faa6708802f4512557ebaab2558cd841f914c7f83897421adc48

This is probably a typo introduced almost a year ago. Most of what I found when searching for the keyword ".og file" relates to the .ogg format, and from the surrounding context it should be .log rather than .og. If I were picking a suitable suffix, I would try .keylog.txt

Contributor Author:

.log should be enough.

ecapture gnutls -m pcap --pcapfile save.pcapng -i eth0 --gnutls=/lib/x86_64-linux-gnu/libgnutls.so tcp port 443
`,
Run: gnuTlsCommandFunc,
}

func init() {
//opensslCmd.PersistentFlags().StringVar(&gc.Curlpath, "wget", "", "wget file path, default: /usr/bin/wget. (Deprecated)")
gnutlsCmd.PersistentFlags().StringVar(&gc.Gnutls, "gnutls", "", "libgnutls.so file path, will automatically find it from curl default.")
gnutlsCmd.PersistentFlags().StringVarP(&gc.Model, "model", "m", "text", "capture model, such as : text, pcap/pcapng, key/keylog")
gnutlsCmd.PersistentFlags().StringVarP(&gc.KeylogFile, "keylogfile", "k", "ecapture_gnutls_key.og", "The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.")
gnutlsCmd.PersistentFlags().StringVarP(&gc.PcapFile, "pcapfile", "w", "save.pcapng", "write the raw packets to file as pcapng format.")
gnutlsCmd.PersistentFlags().StringVarP(&gc.Ifname, "ifname", "i", "", "(TC Classifier) Interface name on which the probe will be attached.")
rootCmd.AddCommand(gnutlsCmd)
}

// gnuTlsCommandFunc executes the "bash" command.
func gnuTlsCommandFunc(command *cobra.Command, args []string) {
if gc.PcapFilter == "" && len(args) != 0 {
gc.PcapFilter = strings.Join(args, " ")
}
runModule(module.ModuleNameGnutls, gc)
}
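Review bot: the doc comment on gnuTlsCommandFunc still says it executes the "bash" command, which is a copy-paste leftover from another subcommand file; it should describe this command, e.g. `// gnuTlsCommandFunc executes the "gnutls" command.` Two smaller points in the same hunk: the default for --keylogfile, `ecapture_gnutls_key.og`, carries the same `.og` suffix as the usage example above, so once the thread's agreed `.log` is applied both places need to change together; and the flag help strings would read better as "capture mode, such as: text, pcap/pcapng, key/keylog" (the current "capture model" is a typo), while "will automatically find it from curl default" should say what the fallback actually does when the path is empty.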
3 changes: 3 additions & 0 deletions kern/gnutls_kern.c
@@ -13,6 +13,7 @@
// limitations under the License.

#include "ecapture.h"
#include "tc.h"

enum ssl_data_event_type { kSSLRead, kSSLWrite };

@@ -217,3 +218,5 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
bpf_map_delete_elem(&active_ssl_read_args_map, &current_pid_tgid);
return 0;
}

#include "gnutls_masterkey.h"
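Review bot: `#include "gnutls_masterkey.h"` placed at the very end of the translation unit, after the last probe, is surprising to a reader who expects includes at the top of the file, and it only works if that header contains code that depends on what is defined above it (the `ssl_data_event_type` enum, the maps, and the `ecapture.h`/`tc.h` includes). Add a one-line comment saying that the include must stay last and why, or give the file a name that signals it is a code fragment rather than a declarations header, so the next person does not "fix" the ordering and break the build.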