ecapture starts successfully, but errors are reported on standard output #222

Closed
boost2020 opened this issue Sep 26, 2022 · 3 comments · Fixed by #223
Labels
bug Something isn't working

Comments

@boost2020

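Environment:
Kernel version: Linux 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
Build: make nocore (the Alibaba image does not have BTF enabled by default, so the default make build cannot be used)
ecapture version: eCapture version: linux_x86_64:0.4.3-20220916-d82a347:4.19.0-10-amd64
openssl: OpenSSL 1.1.1n 15 Mar 2022

Problem description:
Starting with the following command reports errors:
./ecapture tls

The output is as follows: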
image

@cfc4n cfc4n added the bug Something isn't working label Sep 27, 2022
cfc4n added a commit that referenced this issue Sep 28, 2022
fixes : #222

.rodata: map create: read- and write-only maps not supported

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
@cfc4n cfc4n linked a pull request Sep 28, 2022 that will close this issue
@cfc4n
Member

cfc4n commented Sep 28, 2022

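There is a bug; however, version 4.19 does not support parameter filtering. Version 5.2 or later is required for that.

So this PR will fix the error reported on 4.19.

You can try PR #223.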
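
The kernel gate described in the comment above, as an added example that is not part of the original thread or of eCapture's code: it reads `major.minor` from a `uname -r` string and pairs the 5.2 threshold with the loader error quoted in the commit message. The function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Error text quoted in the commit message on this page.
const rodataErr = "read- and write-only maps not supported"

// parseKernelRelease reads major.minor from a `uname -r` string such as
// "4.19.0-10-amd64"; the patch level and distribution suffix stay unread.
// Hypothetical helper for this example, not eCapture code.
func parseKernelRelease(release string) (major, minor int, err error) {
	_, err = fmt.Sscanf(strings.TrimSpace(release), "%d.%d", &major, &minor)
	if err != nil {
		return 0, 0, fmt.Errorf("unexpected kernel release %q: %w", release, err)
	}
	return major, minor, nil
}

// supportsParamFilter applies the 5.2 threshold from the comment above.
// A version compare is a heuristic: vendor kernels may backport features.
func supportsParamFilter(release string) (bool, error) {
	major, minor, err := parseKernelRelease(release)
	if err != nil {
		return false, err
	}
	return major > 5 || (major == 5 && minor >= 2), nil
}

// diagnose pairs a loader error with the kernel release to name the cause.
func diagnose(release, loaderErr string) string {
	ok, err := supportsParamFilter(release)
	switch {
	case err != nil:
		return "unknown kernel: " + err.Error()
	case !ok && strings.Contains(loaderErr, rodataErr):
		return "kernel below 5.2: .rodata map rejected, parameter filtering unavailable"
	case !ok:
		return "kernel below 5.2: parameter filtering unavailable"
	default:
		return "kernel meets the 5.2 threshold"
	}
}

func main() {
	// Release and error text from this thread, then a constructed 5.x release.
	fmt.Println(diagnose("4.19.0-10-amd64", ".rodata: map create: "+rodataErr))
	fmt.Println(diagnose("5.10.0-18-amd64", ""))
}
```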

@boost2020
Author

go run github.com/shuLhan/go-bindata/cmd/go-bindata -pkg assets -o "assets/ebpf_probe.go" ./user/bytecode/gossl_kern.o ./user/bytecode/gnutls_kern.o ./user/bytecode/mysqld_kern.o ./user/bytecode/bash_kern.o ./user/bytecode/postgres_kern.o ./user/bytecode/nspr_kern.o
CGO_ENABLED=0 go build -tags linux -ldflags "-w -s -X 'ecapture/cli/cmd.GitVersion=linux_x86_64:0.4.3-20220916-d82a347:4.19.0-10-amd64' -X 'main.enableCORE=false'" -o bin/ecapture .
Thu Sep 29 10:04:23 CST 2022
root@al-wave-test-336-001:/ecapture# ls
CHANGELOG.md CONTRIBUTING.md Makefile README_CN.md bin cli go.mod images main.go user
CODE_OF_CONDUCT.md LICENSE README.md assets builder configuration.json go.sum kern pkg
root@al-wave-test-336-001:/ecapture# ls -lrht bin/
total 8.6M
-rw------- 1 root root 0 Sep 23 17:41 ecapture_masterkey.log
-rw-r--r-- 1 root root 424 Sep 23 18:33 pcapng
-rwxr-xr-x 1 root root 8.6M Sep 29 10:04 ecapture
root@al-wave-test-336-001:~/ecapture# bin/ecapture tls
tls_2022/09/29 10:05:03 ECAPTURE :: version :linux_x86_64:0.4.3-20220916-d82a347:4.19.0-10-amd64
tls_2022/09/29 10:05:03 ECAPTURE :: pid info :13539
tls_2022/09/29 10:05:03 EBPFProbeOPENSSL module initialization
tls_2022/09/29 10:05:03 EBPFProbeOPENSSL master key keylogger: ecapture_masterkey.log
tls_2022/09/29 10:05:03 EBPFProbeOPENSSL Module.Run()
tls_2022/09/29 10:05:03 EBPFProbeOPENSSL module run failed, [skip it]. error:EBPFProbeOPENSSL couldn't find asset open user/bytecode/openssl_kern.o: file does not exist .
tls_2022/09/29 10:05:03 EBPFProbeGNUTLS module initialization
tls_2022/09/29 10:05:03 EBPFProbeGNUTLS Module.Run()
tls_2022/09/29 10:05:03 EBPFProbeGNUTLS HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libgnutls.so.30
tls_2022/09/29 10:05:03 EBPFProbeGNUTLS module started successfully.
tls_2022/09/29 10:05:03 EBPFProbeNSPR module initialization
tls_2022/09/29 10:05:03 EBPFProbeNSPR Module.Run()
tls_2022/09/29 10:05:03 EBPFProbeNSPR HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libnspr4.so
tls_2022/09/29 10:05:03 EBPFProbeNSPR module started successfully.
tls_2022/09/29 10:05:03 EBPFProbeGoSSL module [disabled].
tls_2022/09/29 10:05:03 ECAPTURE :: start 2 modules

Still not working; a file is missing.

@cfc4n
Member

cfc4n commented Sep 29, 2022

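Make sure your build had no errors. Judging from this message, the missing openssl_kern.o file is more likely the result of a build error.
Also, you should provide your complete environment information: which Debian release is it?

I tried for a long time on Alibaba Cloud and could not find the release matching your kernel. In the end I used Debian 10, with kernel 4.19.0-16-amd64.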

root@iZj6:/lib/modules/4.19.0-16-amd64# uname -r
4.19.0-16-amd64
root@iZj6:/lib/modules/4.19.0-19-amd64# apt search linux-headers-$(uname -r)
Sorting... Done
Full Text Search... Done   # no headers for this version
root@iZj6:/lib/modules/4.19.0-16-amd64# apt install linux-headers-4.19.0-19-amd64 # had to install the adjacent version instead.
root@iZj6:/lib/modules/4.19.0-16-amd64# ln -s /usr/src/linux-headers-4.19.0-19-common/ source
root@iZj6:/lib/modules/4.19.0-16-amd64# ln -s /usr/src/linux-headers-4.19.0-19-amd64/ build

Tested PR #223; no problems.

root@iZj6:~/ecapture# bin/ecapture tls
tls_2022/09/29 16:32:31 ECAPTURE :: version :linux_x86_64:0.4.3-20220928-2936b80:4.19.0-16-amd64
tls_2022/09/29 16:32:31 ECAPTURE :: pid info :5388
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	module initialization
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	master key keylogger: ecapture_masterkey.log
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	Module.Run()
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	UPROBE MODEL
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libssl.so.1.1
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	libPthread so Path:/lib/x86_64-linux-gnu/libpthread.so.0
tls_2022/09/29 16:32:31 EBPFProbeOPENSSL	module started successfully.
tls_2022/09/29 16:32:31 EBPFProbeGNUTLS	module initialization
tls_2022/09/29 16:32:31 EBPFProbeGNUTLS	Module.Run()
tls_2022/09/29 16:32:31 EBPFProbeGNUTLS	HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libgnutls.so.30
tls_2022/09/29 16:32:31 EBPFProbeGNUTLS	module started successfully.
tls_2022/09/29 16:32:31 EBPFProbeNSPR	module initialization
tls_2022/09/29 16:32:31 EBPFProbeNSPR	Module.Run()
tls_2022/09/29 16:32:31 EBPFProbeNSPR	HOOK type:2, binrayPath:/lib/x86_64-linux-gnu/libnspr4.so
tls_2022/09/29 16:32:31 EBPFProbeNSPR	module started successfully.
tls_2022/09/29 16:32:31 EBPFProbeGoSSL	module [disabled].
tls_2022/09/29 16:32:31 ECAPTURE :: 	start 3 modules
tls_2022/09/29 16:32:42 TLS1_2_VERSION: save CLIENT_RANDOM 259bc97f4ec54cf2591d1e6b624cab2b1415a78596e093ec0e78730d2992d3b1 to file success, 176 bytes
tls_2022/09/29 16:32:43 UUID:5399_5399_curl_3_1, Name:HTTPRequest, Type:1, Length:77
tls_2022/09/29 16:32:43
GET / HTTP/1.1
Host: www.baidu.com
Accept: */*
User-Agent: curl/7.64.0


tls_2022/09/29 16:32:43 UUID:5399_5399_curl_3_0, Name:HTTPResponse, Type:2, Length:2843
tls_2022/09/29 16:32:43
HTTP/1.1 200 OK
Content-Length: 2443
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Type: text/html
Date: Thu, 29 Sep 2022 08:32:42 GMT
Etag: "58860410-98b"
Last-Modified: Mon, 23 Jan 2017 13:24:32 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;ch
...
^Ctls_2022/09/29 16:32:44 EBPFProbeOPENSSL	close.
tls_2022/09/29 16:32:44 EBPFProbeOPENSSL	close
tls_2022/09/29 16:32:44 EBPFProbeGNUTLS	close
tls_2022/09/29 16:32:44 EBPFProbeNSPR	close
root@iZj6:~/ecapture# git log -n1
commit 2936b80f7c64b73fadfc5a66a670527f62257c3c (HEAD -> 222-rodata-write-only-maps, origin/222-rodata-write-only-maps)
Author: CFC4N <cfc4n.cs@gmail.com>
Date:   Wed Sep 28 21:19:49 2022 +0800

    kern: rodata map not supported on kernel 4.19 or older
    fixes : #222

    .rodata: map create: read- and write-only maps not supported

    Signed-off-by: CFC4N <cfc4n.cs@gmail.com>

cfc4n added a commit that referenced this issue Sep 29, 2022
fixes : #222

.rodata: map create: read- and write-only maps not supported

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>