Trace TLS in container - Specify offset of functions

[x1mus]

I am trying to hook an HTTPS communication from a docker container (the server is in the container and clients are connecting to it). I followed the wiki page: https://github.com/gojue/ecapture/wiki/trace-TLS-in-container
This gives me two libraries:

• /var/lib/docker/overlay2/29e24959ba4c313d1e9a5b1b249849b4ed37c21a4de0cbc0f3f9d336bd4b4d06/merged/usr/lib/x86_64-linux-gnu/libssl.so.3
• /var/lib/docker/overlay2/29e24959ba4c313d1e9a5b1b249849b4ed37c21a4de0cbc0f3f9d336bd4b4d06/merged/usr/lib/python3.10/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so

The first one can correctly be hooked but no traffic is being captured so I suppose the traffic is actually going through the second one. However, no symbols are available on the binary but I can get the offset of the functions through gdb.

How would I specify the offset of these functions (SSL_get_wbio, ...) when invoking the program (or directly in the source code).

[cfc4n]

add UprobeOffset into manager.Probe

like this:

ecapture/user/module/probe_openssl_text.go

Line 50 in b73a099

AttachToFuncName: "SSL_write",

refer:

ecapture/user/module/probe_mysqld.go

Lines 131 to 137 in b73a099

	{
	Section: "uprobe/dispatch_command_57",
	EbpfFuncName: "mysql57_query",
	AttachToFuncName: attachFunc,
	UprobeOffset: offset,
	BinaryPath: binaryPath,
	},

[x1mus]

I made the modification but still getting the same error:

2024-07-28T03:53:55-04:00 FTL module run failed, skip it. error="couldn't start bootstrap manager error:3 errors occurred:
    * error:opening uprobe: cannot resolve /var/lib/docker/overlay2/2444f60a41a1bb66184b321ea773e1b9273552affc435818f1e3e7a74d99ecb4/merged/usr/lib/python3.10/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so library call 'SSL_get_wbio': not supported (consider providing UprobeOptions.Address) , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_get_wbio, EbpfFuncName:probe_ssl_master_key}
    * error:opening uprobe: symbol SSL_in_before: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_in_before, EbpfFuncName:probe_ssl_master_key}
    * error:opening uprobe: cannot resolve /var/lib/docker/overlay2/2444f60a41a1bb66184b321ea773e1b9273552affc435818f1e3e7a74d99ecb4/merged/usr/lib/python3.10/lib-dynload/_ssl.cpython-310-x86_64-linux-gnu.so library call 'SSL_do_handshake': not supported (consider providing UprobeOptions.Address) , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_do_handshake, EbpfFuncName:probe_ssl_master_key}
, probes activation validation failed ." isReload=false

I also specified the offset of SSL_do_handshake without success. (And SSL_in_before is not available in the binary)

[cfc4n]

Similarly, a clear offset for SSL_get_wbio needs to be provided. That is to say, the current ssl.so has its symbol table stripped, and you need to set the offsets for all hook functions.