Capture TLS master_key ,save to file. Support openssl 1.1.1.X . TLS 1.2 .
Quick Guide:
- use
ecaptureto capture TLS master_key, will save master secret toecapture_masterkey_[pid].log. - use
tcpdumpto capture and save packets toxxx.pcapngfile. - open
xxx.pcapngfile withwireshark. - Setting :
Wireshark-->Preferences-->Protocols-->TLS-->(Pre)-Master-Secret log filename, selectecapture_masterkey_[pid].log. - Using : right click packet item, select
follow->HTTP Stream/HTTP/2 Stream
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.2...v0.3.0
- workflows: build failed on aarch 64 ubuntu : 'linux/kconfig.h' file not found #125 by @cfc4n in gojue#126
- Makefile: shell running,with a unexcepted result: lost DKERNEL_LESS_5_2 on kernel 4.15 #129 by @cfc4n in gojue#132
- ebpf: remove detection of BPF config when running at container #127 by @cfc4n in gojue#128
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.1...v0.2.2
- pkg : fix Kernel config read failed, error:Config not found #117 by @cfc4n in gojue#123
- user : Clean up unnecessary information. fix #122 by @cfc4n in gojue#124
Full Changelog: https://github.com/ehids/ecapture/compare/v0.2.0...v0.2.1
- Directly search so in search path when /usr/bin/curl is not exist by @tiann in gojue#97
- Add GitHub Action :Golangci lint by @cfc4n in gojue#99
- Add Chinese name 旁观者. by @cfc4n in gojue#103
- build: change tar.gz file path in checksum.txt by @cfc4n in gojue#104
- Support Golang HTTPS introspection by @chenhengqi in gojue#100
- New Feature: support Android without GKI (kernel version > 4.18) by @cfc4n in gojue#107
- fixed :#108 tls module cannot to capture payload on Aarch64 kernel 4.18 by @huzai9527 in gojue#109
- fixed #108: ip address lost on aarch64 kernel 4.18 by @cfc4n in gojue#111
- New feature: add payload parser. by @cfc4n in gojue#113
- document: message friendly by @cfc4n in gojue#119
- @tiann made their first contribution in gojue#97
- @chenhengqi made their first contribution in gojue#100
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.10...v0.2.0
- user : fixed bug. #76 libpthread.so not found. by @cfc4n in gojue#77
- Support for ARM64 architecture by @cfc4n in gojue#75
- fixed: outputing blank text on linux 4.18 #81 by @cfc4n in gojue#82
- New feature: update ebpfmanager package to 0.3.0 by @cfc4n in gojue#83
- New feature: #80 event filter by uid by @cfc4n in gojue#84
- New feature: #85 event filter by uid for module tls by @cfc4n in gojue#86
- New feature: #87 support Android GKI by @cfc4n in gojue#88
- fixed: #92 github checkout error while a PR sent. by @cfc4n in gojue#93
- New Feature: #79 Auto release for android gki by @cfc4n in gojue#94
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.9...v0.1.10
-
code refactoring: event dispatcher
- PR: #58
-
add notes for how to use ecapture in other libs
- PR: #60
-
- : add TLS/SSL Version info (openssl).
- PR: #62
- Add nosearch argument to skip auto search lib path
- PR: #70
- code refactoring: event dispatcher by @cfc4n in gojue#58
- add notes for how to use ecapture in other libs by @xjas in gojue#60
- add TLS/SSL Version info (openssl). by @cfc4n in gojue#62
- Update README.md by @nfsec in gojue#63
- fix some typos by @cuishuang in gojue#68
- Add nosearch argument to skip auto search lib path by @vincentmli in gojue#70
- @xjas made their first contribution in gojue#60
- @nfsec made their first contribution in gojue#63
- @cuishuang made their first contribution in gojue#68
- @vincentmli made their first contribution in gojue#70
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.8...v0.1.9
- ADD mysqld dispatch_command return value. by @cfc4n in gojue#44
- autogen vmlinux header file to compatible current OS by @cfc4n in gojue#50
- feat: support postgres query hook by @yihong0618 in gojue#51
- added return value of bash module. by @huzai9527 in gojue#52
- change bash line size to 256 bytes by @yindex in gojue#55
- add errnumber flag for command bash by @huzai9527 in gojue#56
- @huzai9527 made their first contribution in gojue#52
- @yindex made their first contribution in gojue#55
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.7...v0.1.8
- user: fix #29 ubuntu21.10 error :connect symbol cant found by @cfc4n in gojue#30
- support no co-re version on linux kernel >= 5.2 by @cfc4n in gojue#32
- merge two Makefile files. by @cfc4n in gojue#33
- images : fix #34 Inaccurate/Confusing Diagrams by @cfc4n in gojue#36
- Fix #37 Shared object dependence by @cfc4n in gojue#38
- README grammar fix by @chriskaliX in gojue#35
- Fix #39 .rodata: map create: read- and write-only maps not supported (requires >= v5.2) by @cfc4n in gojue#40
- set clang version lower to 9 from 12 by @cfc4n in gojue#41
- @cfc4n made their first contribution in gojue#30
Full Changelog: https://github.com/ehids/ecapture/compare/v0.1.6...v0.1.7
- 更新mysqld数据库审计模块
- 更新tls网络捕获模块
- 支持mysql5.7/8.0, MariadDB 10.5+的Mysqld数据库的查询审计。
- 自动识别mysqld版本 。
- 自动查找hook的sql 查询函数。
- 支持openssl的IP地址关联
- 支持网络IP地址的存储、关联到网络数据中。
- 支持自定义libpthread.so路径指定(定位connect函数)。
- 增加mysqld数据库审计模块
- 支持mysql5.6的mariaDB数据库的查询审计
- 默认path目录为/usr/sbin/mariadb 。
- 支持function name、offset两个参数自定义。
- 调整运行环境检测方式
- 判断BTF支持的方法,改为优先判断
/sys/kernel/btf/vmlinux文件,以及其他BTF特征的vmlinux-*目录等 。 - 增加运行原理图。
- 判断BTF支持的方法,改为优先判断
- 支持gnutls 、 nspr 两个类库的数据捕获
- 重命名子命令,由
openssl改为tls
- 增加运行环境检测
- 检测linux kernel必须大于4.18 。
- 检测kernel config中CONFIG_DEBUG_INFO_BTF必须有,且值为y。
- 去除编译生成的文件(./bin/、./assets/、./user/bytecode/)
- 整理go mod依赖文件
- 模块拆分,启用子命令模式
- 增加全局可选PID参数,针对特定PID进行数据捕获
- 增加hexdump打印模式
- 支持自定义openssl的so路径。
- 支持hex进制的数据输出
- 支持自定义bash路径参数
- 支持自定义readline.so路径参数
- 支持hex进制的数据输出
- 增加openssl的libssl.so的SSL/TLS数据抓包功能。
- 根据wget路径,自动选择libssl.so路径。
- 自动根据ENV查找bash
- 根据bash自动查找
readline.so,并进行bash命令捕获