如何捕获由python程序发出的HTTPS请求？ #336

Your7Maxx · 2023-03-23T09:46:28Z

Your7Maxx
Mar 23, 2023

我在使用LD_DEBUG信息跟踪某发送HTTPS请求的python程序时，输出了该python程序引用到的链接库，如下所示：

所以我使用bpftrace简单地hook了该链接库的SSL_write函数，在执行该python测试程序后并没有捕获到相关信息：

这是一个有趣的现象，同样地我对curl进行了测试，发现curl也同样引用了该链接库，但是不同地是可以捕获到调用信息：

这个测试来源于我在实现自研的进程级别的流量监控程序的过程中，同样我借鉴了ecapture项目的实现思路，但针对上述这个具体的问题，ecapture的结果也不尽如人意，所以想跟大家讨论下~

cfc4n · 2023-03-23T10:03:20Z

cfc4n
Mar 23, 2023
Maintainer

plese upload test.py here.

5 replies

Your7Maxx Mar 23, 2023
Author

hi！test.py是一个简单的使用requests库发送https请求的例子，在图2中cat出来了：

#!/usr/bin/python3
import requests

url = "https://www.baidu.com"
while 1:
    r = requests.get(url)
    print(r.status_code)`

我对这个问题的理解是：Python在2.7.9及以上版本中引入了标准库ssl，它是完全基于OpenSSL实现，并且提供了Python程序和OpenSSL之间的接口，在上述的LD_DEBUG中也可以看到相关线索，但实验现象表示并没有通过eBPF捕获到HTTPS请求。我目前认为该python程序引用了libssl.so链接库但是并没有调用SSL_write函数。希望得到您对这个具体问题的分享~

Your7Maxx Mar 23, 2023
Author

下面的这个截图证实了我的想法，该python程序引用了libssl.so链接库但是并没有调用SSL_write函数，而是其他一些uprobe，如下所示：

Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_new
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_new_ex
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_COMP_get_compression_methods
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_ex_data_X509_STORE_CTX_idx
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_ciphersuites
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_COMP_get_compression_methods
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_CTX_new
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_CTX_set_ssl_ctx
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_CTX_set_flags
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_cmd
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_cipher_list
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_CTX_finish
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CONF_CTX_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_callback
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_verify
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_options
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_cipher_list
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_ctrl
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_ctrl
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_session_id_context
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get0_param
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_post_handshake_auth
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_cipher_list
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_options
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_options
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_options
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_callback
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_verify
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_callback
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_verify
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_load_verify_locations
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_load_verify_file
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_alpn_protos
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_set_alpn_select_cb
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_new
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_up_ref
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_up_ref
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_clear
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_ct_validation_callback
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get0_param
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_ex_data
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_fd
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_bio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set0_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set0_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_ctrl
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_post_handshake_auth
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_ctrl
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_set_connect_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_do_handshake
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_before
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_clear
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_before
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_new
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_ciphers
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get1_supported_ciphers
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_ciphers
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get1_supported_ciphers
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_ciphers
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_srtp_profiles
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get0_CA_list
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_version
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_version
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_options
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_ex_data_X509_STORE_CTX_idx
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_security_level
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_is_init_finished
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_version
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_mode
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_is_init_finished
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get1_peer_certificate
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get0_peer_certificate
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_SSL_CTX
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_mode
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_get_verify_mode
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_write_ex
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_state
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_read_ex
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_read_ex
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_rbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_get_wbio
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_read_ex
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_init
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_in_before
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_remove_session
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_SESSION_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_free
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_CTX_flush_sessions
Get!uprobe:/lib/x86_64-linux-gnu/libssl.so.3:TLS_client_method

Your7Maxx Mar 23, 2023
Author

wow，我发现了一个有趣的uprobe也被调用了：uprobe:/lib/x86_64-linux-gnu/libssl.so.3:SSL_write_ex，这仿佛可以解决我的需求了！

cfc4n Mar 24, 2023
Maintainer

你可以手动更改eCapture的hook函数，指定为SSL_write_ex ，或者参考被删除的代码：

https://github.com/gojue/ecapture/blob/v0.5.0/user/module/probe_openssl.go#L330-L360

// for SSL_write_ex \ SSL_read_ex
			/*
				{
					Section:          "uprobe/SSL_write",
					EbpfFuncName:     "probe_entry_SSL_write",
					AttachToFuncName: "SSL_write_ex",
					BinaryPath:       binaryPath,
					UID:              "uprobe_SSL_write_ex",
				},
				{
					Section:          "uretprobe/SSL_write",
					EbpfFuncName:     "probe_ret_SSL_write",
					AttachToFuncName: "SSL_write_ex",
					BinaryPath:       binaryPath,
					UID:              "uretprobe_SSL_write_ex",
				},
				{
					Section:          "uprobe/SSL_read",
					EbpfFuncName:     "probe_entry_SSL_read",
					AttachToFuncName: "SSL_read_ex",
					BinaryPath:       binaryPath,
					UID:              "uprobe_SSL_read_ex",
				},
				{
					Section:          "uretprobe/SSL_read",
					EbpfFuncName:     "probe_ret_SSL_read",
					AttachToFuncName: "SSL_read_ex",
					BinaryPath:       binaryPath,
					UID:              "uretprobe_SSL_read_ex",
				},
			*/

Your7Maxx Mar 24, 2023
Author

nice！谢谢您的分享～

Your7Maxx · 2023-03-24T02:43:47Z

Your7Maxx
Mar 24, 2023
Author

update下昨晚实现的demo截图，希望能给遇到同样场景或问题的朋友提供解决思路：

0 replies

Your7Maxx · 2023-03-25T15:08:05Z

Your7Maxx
Mar 25, 2023
Author

更新一下在该场景下的一些引申的问题：
在之前的讨论中已经探索出可以通过SSL_write_ex 函数来hook由py程序发出的HTTPS请求，但是我在测试demo的时候遇到了新的问题：

这是由test.py程序发出的POST类似的HTTPS请求，由左侧bcc程序的输出可以看到，bcc程序hook了两次SSL_write_ex 函数，分别捕捉了请求头和请求体，通过bpftrace工具也可以证实这一现象：

这应该是py程序对于libssl.so的封装使用方式所造成的，这样的输出结果当然不尽如人意，我希望能够通过一种类似session的机制将两次SSL_write_ex 关联到一起，毕竟这本来就是同一个请求。所以我想到利用SSL_write_ex 的参数SSL * s也就是ssl结构体指针做关联，但是我目前遇到的问题有两个：
（1）如果不引入<openssl/ssl.h>库，我是无法通过SSL结构体指针访问SSL * s的成员字段变量的，因为SSL结构体总是未定义，但是在eBPF程序中引入<openssl/ssl.h>库仿佛是不被允许的（我的系统已经安装了openssl-dev相关依赖）。
（2）如果尝试将SSL * s强制转化为void *类型，并赋值给自定义的变量，那么我将可能访问错误的内存地址。
所以想和大家讨论下，在这样的场景下有什么解决办法或思路呢？

0 replies

cfc4n · 2023-03-26T11:43:07Z

cfc4n
Mar 26, 2023
Maintainer

简体中文

关于回话合并

这并不是py程序对libssl.so封装使用方式造成的，而是本身这种HOOK机制导致的。应用层调用函数进行加密解密，本身与TCP通讯的回话没有直接关系。现在你看到的只是request、response无法直接关联，其实，当payload较大时，会调用多次SSL_write_ex ，导致一个payload会被HOOK触发多次。同时，如果有多线程的话，会带来更大的消息顺序混乱，确实是很难解决的。

不过，你可以在eBPF的函数里，HOOK的地方，针对每个hook事件，取当时的CPU时钟，用户空间程序收到事件后，再进行消息顺序排序。可以很好的减缓这类问题。但仍无法完美解决。

在eCapture的代码中，pkg/event_processor也做了类似的实现，虽然目前还不完美，也够用了。另外，你可以使用eCapture的pcapng模式，跟wireshark抓的包是一样的，可以很好的串联TCP回话的消息，而且是解密后的。

关于SSL结构体访问

也不需要完全引入openssl/ssl.h，可以根据SSL结构体的偏移量来获取内存地址，这个方式，在 eCapture中是主要的实现机制，你可以参考

ecapture/kern/openssl_1_1_1d_kern.c

Lines 7 to 44 in fe4a76d

    
           // ssl_st->version 
        
           #define SSL_ST_VERSION 0x0 
        
           // ssl_st->session 
        
           #define SSL_ST_SESSION 0x510 
        
           // ssl_st->s3 
        
           #define SSL_ST_S3 0xa8 
        
           // ssl_session_st->master_key 
        
           #define SSL_SESSION_ST_MASTER_KEY 0x50 
        
           // ssl3_state_st->client_random 
        
           #define SSL3_STATE_ST_CLIENT_RANDOM 0xb8 
        
           // ssl_session_st->cipher 
        
           #define SSL_SESSION_ST_CIPHER 0x1f8 
        
           // ssl_session_st->cipher_id 
        
           #define SSL_SESSION_ST_CIPHER_ID 0x200 
        
           // ssl_cipher_st->id 
        
           #define SSL_CIPHER_ST_ID 0x18 
        
           // ssl_st->handshake_secret 
        
           #define SSL_ST_HANDSHAKE_SECRET 0x17c 
        
           // ssl_st->handshake_traffic_hash 
        
           #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0x2fc 
        
           // ssl_st->client_app_traffic_secret 
        
           #define SSL_ST_CLIENT_APP_TRAFFIC_SECRET 0x33c 
        
           // ssl_st->server_app_traffic_secret 
        
           #define SSL_ST_SERVER_APP_TRAFFIC_SECRET 0x37c 
        
           // ssl_st->exporter_master_secret 
        
           #define SSL_ST_EXPORTER_MASTER_SECRET 0x3bc

English

About conversation merging

This is not caused by the py program encapsulating libssl.so usage method, but rather by the HOOK mechanism itself. The function called by the application layer for encryption and decryption is not directly related to the TCP communication session. What you see now is that request and response cannot be directly associated. In fact, when the payload is large, SSL_write_ex will be called multiple times, causing a payload to be triggered multiple times by HOOK. At the same time, if there are multiple threads, it will bring greater message disorder and it is indeed difficult to solve.

However, in eBPF functions where HOOK occurs, you can take the CPU clock at that time for each hook event and sort messages in order after receiving events in user space programs. This can greatly alleviate such problems. But still cannot solve perfectly.

In eCapture's code, pkg/event_processor has also implemented similar implementations although they are not perfect yet but enough to use. In addition, you can use eCapture's pcapng mode which captures packets like Wireshark does and can well connect TCP conversation messages after decryption.

About SSL structure access

You don't need to fully introduce openssl/ssl.h. You can obtain memory addresses based on the offset of SSL structures. This approach is mainly used in eCapture implementation mechanism as shown here:

ecapture/kern/openssl_1_1_1d_kern.c

Lines 7 to 44 in fe4a76d

    
           // ssl_st->version 
        
           #define SSL_ST_VERSION 0x0 
        
           // ssl_st->session 
        
           #define SSL_ST_SESSION 0x510 
        
           // ssl_st->s3 
        
           #define SSL_ST_S3 0xa8 
        
           // ssl_session_st->master_key 
        
           #define SSL_SESSION_ST_MASTER_KEY 0x50 
        
           // ssl3_state_st->client_random 
        
           #define SSL3_STATE_ST_CLIENT_RANDOM 0xb8 
        
           // ssl_session_st->cipher 
        
           #define SSL_SESSION_ST_CIPHER 0x1f8 
        
           // ssl_session_st->cipher_id 
        
           #define SSL_SESSION_ST_CIPHER_ID 0x200 
        
           // ssl_cipher_st->id 
        
           #define SSL_CIPHER_ST_ID 0x18 
        
           // ssl_st->handshake_secret 
        
           #define SSL_ST_HANDSHAKE_SECRET 0x17c 
        
           // ssl_st->handshake_traffic_hash 
        
           #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0x2fc 
        
           // ssl_st->client_app_traffic_secret 
        
           #define SSL_ST_CLIENT_APP_TRAFFIC_SECRET 0x33c 
        
           // ssl_st->server_app_traffic_secret 
        
           #define SSL_ST_SERVER_APP_TRAFFIC_SECRET 0x37c 
        
           // ssl_st->exporter_master_secret 
        
           #define SSL_ST_EXPORTER_MASTER_SECRET 0x3bc

1 reply

Your7Maxx Mar 26, 2023
Author

wow，学到了！感谢您的耐心分享！

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

如何捕获由python程序发出的HTTPS请求？ #336

{{title}}

Replies: 4 comments 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

如何捕获由python程序发出的HTTPS请求？ #336

Your7Maxx Mar 23, 2023

Replies: 4 comments · 6 replies

cfc4n Mar 23, 2023 Maintainer

Your7Maxx Mar 23, 2023 Author

Your7Maxx Mar 23, 2023 Author

Your7Maxx Mar 23, 2023 Author

cfc4n Mar 24, 2023 Maintainer

Your7Maxx Mar 24, 2023 Author

Your7Maxx Mar 24, 2023 Author

Your7Maxx Mar 25, 2023 Author

cfc4n Mar 26, 2023 Maintainer

简体中文

关于回话合并

关于SSL结构体访问

English

About conversation merging

About SSL structure access

Your7Maxx Mar 26, 2023 Author

Your7Maxx
Mar 23, 2023

Replies: 4 comments 6 replies

cfc4n
Mar 23, 2023
Maintainer

Your7Maxx Mar 23, 2023
Author

Your7Maxx Mar 23, 2023
Author

Your7Maxx Mar 23, 2023
Author

cfc4n Mar 24, 2023
Maintainer

Your7Maxx Mar 24, 2023
Author

Your7Maxx
Mar 24, 2023
Author

Your7Maxx
Mar 25, 2023
Author

cfc4n
Mar 26, 2023
Maintainer

Your7Maxx Mar 26, 2023
Author