// Copyright 2022 CFC4N <cfc4n.cs@gmail.com>. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Copyright © 2022 Hengqi Chen
package config
import (
"bytes"
"debug/buildinfo"
"debug/elf"
"debug/gosym"
"encoding/binary"
"errors"
"fmt"
"os"
"runtime"
"strings"
)
// Fully qualified crypto/tls symbol names that Check resolves in the target
// binary. Lookups compare these strings for exact equality.
const (
	// GoTlsReadFunc is the function whose RET instructions are located by
	// findRetOffsets / findRetOffsetsPie and stored in ReadTlsAddrs.
	GoTlsReadFunc = "crypto/tls.(*Conn).Read"
	// GoTlsWriteFunc is resolved into GoTlsWriteAddr when the target is a PIE build.
	GoTlsWriteFunc = "crypto/tls.(*Conn).writeRecordLocked"
	// GoTlsMasterSecretFunc is resolved into GoTlsMasterSecretAddr when the
	// target is a PIE build.
	// NOTE(review): presumably the hook that yields the secrets written to
	// KeylogFile — confirm against the probe code.
	GoTlsMasterSecretFunc = "crypto/tls.(*Config).writeKeyLog"
)

// Sentinel errors returned while validating and inspecting the target binary.
var (
	// ErrorGoBINNotFound is returned by Check when Path is empty.
	ErrorGoBINNotFound = errors.New("The executable program (compiled by Golang) was not found")
	// ErrorSymbolEmpty is returned by findRetOffsets when the ELF file yields
	// neither static nor dynamic symbols.
	ErrorSymbolEmpty = errors.New("symbol is empty")
	// ErrorSymbolNotFound is returned by findRetOffsets when no symbol has the requested name.
	ErrorSymbolNotFound = errors.New("symbol not found")
	// ErrorSymbolNotFoundFromTable is returned by ReadTable when gosym.NewTable fails.
	ErrorSymbolNotFoundFromTable = errors.New("symbol not found from table")
	// ErrorNoRetFound is returned by findRetOffsets when decoding produced no RET offsets.
	ErrorNoRetFound = errors.New("no RET instructions found")
	// ErrorNoFuncFoundFromSymTabFun is returned by findPieSymbolAddr when the
	// Go symbol table has no function with the requested name.
	ErrorNoFuncFoundFromSymTabFun = errors.New("no function found from golang symbol table with Func Name")
)
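// pclntab header magic values, from go/src/debug/gosym/pclntab.go.
const (
	go12magic  = 0xfffffffb
	go116magic = 0xfffffffa
	go118magic = 0xfffffff0
	go120magic = 0xfffffff1
)

// magicNumber returns the 4-byte little-endian pclntab magic that corresponds
// to the toolchain version string goVersion (for example "go1.21.3").
//
// The major and minor components are compared numerically. A plain string
// comparison would order "go1.9" after "go1.20" and select the wrong magic
// for binaries built with a single-digit minor release.
func magicNumber(goVersion string) []byte {
	var major, minor int
	// Sscanf stops after the minor component, so patch and pre-release
	// suffixes ("go1.21.3", "go1.21rc1") do not affect the result.
	parsed, _ := fmt.Sscanf(goVersion, "go%d.%d", &major, &minor)

	atLeast := func(wantMinor int, legacy string) bool {
		if parsed == 2 {
			return major > 1 || (major == 1 && minor >= wantMinor)
		}
		// Version strings that do not look like "goX.Y" keep the
		// lexicographic ordering so their result is unchanged.
		return strings.Compare(goVersion, legacy) >= 0
	}

	var magic uint32
	switch {
	case atLeast(20, "go1.20"):
		magic = go120magic
	case atLeast(18, "go1.18"):
		magic = go118magic
	case atLeast(16, "go1.16"):
		magic = go116magic
	default:
		magic = go12magic
	}

	bs := make([]byte, 4)
	binary.LittleEndian.PutUint32(bs, magic)
	return bs
}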
// FuncOffsets groups one Start value with a list of Returns values.
// NOTE(review): the type is not referenced elsewhere in this file; presumably
// Start is a function entry and Returns its return-instruction locations, but
// whether they are file offsets or virtual addresses is not established here.
type FuncOffsets struct {
	Start uint64
	Returns []uint64
}
// GoTLSConfig represents configuration for the Go SSL probe: the options
// supplied by the user plus the values Check derives from the target binary.
type GoTLSConfig struct {
	eConfig
	Path string `json:"path"` // Path of the target executable built with the Go toolchain.
	PcapFile string `json:"pcapFile"` // File that receives the raw packets instead of parsing and printing them.
	// KeylogFile is the file in which eCapture saves the SSL/TLS keys it
	// captures during encrypted communication. Those keys allow the recorded
	// sessions to be decrypted, so the file should be readable only by the
	// operator running the capture.
	KeylogFile string `json:"keylogFile"`
	Model string `json:"model"` // Capture mode, such as: text, pcapng/pcap, key/keylog.
	Ifname string `json:"ifName"` // (TC Classifier) Interface name on which the probe will be attached.
	PcapFilter string `json:"pcapFilter"` // pcap filter
	goElfArch string // Architecture of the target ELF ("amd64" or "arm64"), set by Check.
	goElf *elf.File // ELF handle opened by Check from Path.
	Buildinfo *buildinfo.BuildInfo // Build information read by Check with buildinfo.ReadFile.
	// ReadTlsAddrs holds the locations of the RET instructions of GoTlsReadFunc.
	// NOTE(review): findRetOffsets translates to file offsets while
	// findRetOffsetsPie adds to the symbol's value directly — confirm what
	// the consumer expects.
	ReadTlsAddrs []int
	GoTlsWriteAddr uint64 // Address of GoTlsWriteFunc; Check sets it only for PIE builds.
	GoTlsMasterSecretAddr uint64 // Address of GoTlsMasterSecretFunc; Check sets it only for PIE builds.
	IsPieBuildMode bool // True when the build settings contain -buildmode=pie.
	goSymTab *gosym.Table // Go symbol table built by ReadTable; populated only for PIE builds.
}
// NewGoTLSConfig returns a GoTLSConfig whose per-CPU map size is preset to
// DefaultMapSizePerCpu; every other field keeps its zero value.
func NewGoTLSConfig() *GoTLSConfig {
	cfg := new(GoTLSConfig)
	cfg.PerCpuMapSize = DefaultMapSizePerCpu
	return cfg
}
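// Check validates the configuration and inspects the Go binary at gc.Path.
//
// It verifies the capture model, reads the build information, opens the file
// as ELF, requires its architecture to match the host (amd64 or arm64), and
// then resolves the crypto/tls locations the probe attaches to. For PIE
// builds the addresses come from the Go symbol table (ReadTable); otherwise
// only the RET offsets of GoTlsReadFunc are computed here.
//
// On success the opened ELF handle stays in gc.goElf. If any step fails after
// the file has been opened, the handle is closed so the descriptor is not
// leaked.
//
// The file is opened by path three times (Stat, buildinfo.ReadFile, elf.Open),
// so Path should not be replaceable by another user between those calls.
func (gc *GoTLSConfig) Check() error {
	if gc.Path == "" {
		return ErrorGoBINNotFound
	}
	if _, err := gc.checkModel(); err != nil {
		return err
	}
	if _, err := os.Stat(gc.Path); err != nil {
		return err
	}

	// Read the build information of the Go application.
	var err error
	gc.Buildinfo, err = buildinfo.ReadFile(gc.Path)
	if err != nil {
		return err
	}

	goElf, err := elf.Open(gc.Path)
	if err != nil {
		return err
	}
	ok := false
	defer func() {
		if ok {
			return
		}
		// Validation failed: release the descriptor and do not keep a
		// reference to the closed file.
		_ = goElf.Close()
		if gc.goElf == goElf {
			gc.goElf = nil
		}
	}()

	var goElfArch string
	switch goElf.FileHeader.Machine {
	case elf.EM_AARCH64:
		goElfArch = "arm64"
	case elf.EM_X86_64:
		goElfArch = "amd64"
	default:
		goElfArch = "unsupport_arch"
	}
	// runtime.GOARCH never equals the "unsupport_arch" placeholder, so this
	// single comparison also rejects every architecture other than
	// amd64/arm64.
	if goElfArch != runtime.GOARCH {
		return fmt.Errorf("Go Application not match, want:%s, have:%s", runtime.GOARCH, goElfArch)
	}
	gc.goElfArch = goElfArch
	gc.goElf = goElf

	// If built with PIE and stripped, gopclntab is
	// unlabeled and nested under .data.rel.ro.
	for _, bs := range gc.Buildinfo.Settings {
		if bs.Key == "-buildmode" {
			if bs.Value == "pie" {
				gc.IsPieBuildMode = true
			}
			break
		}
	}

	if !gc.IsPieBuildMode {
		gc.ReadTlsAddrs, err = gc.findRetOffsets(GoTlsReadFunc)
		if err != nil {
			return err
		}
		ok = true
		return nil
	}

	gc.goSymTab, err = gc.ReadTable()
	if err != nil {
		return err
	}

	addr, err := gc.findPieSymbolAddr(GoTlsWriteFunc)
	if err != nil {
		// %w renders the same text as before and keeps the sentinel
		// reachable through errors.Is.
		return fmt.Errorf("%s symbol address error:%w", GoTlsWriteFunc, err)
	}
	gc.GoTlsWriteAddr = addr

	addr, err = gc.findPieSymbolAddr(GoTlsMasterSecretFunc)
	if err != nil {
		return fmt.Errorf("%s symbol address error:%w", GoTlsMasterSecretFunc, err)
	}
	gc.GoTlsMasterSecretAddr = addr

	gc.ReadTlsAddrs, err = gc.findRetOffsetsPie(GoTlsReadFunc)
	if err != nil {
		return err
	}
	ok = true
	return nil
}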
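// findRetOffsets searches for the addresses of all RET instructions within
// the instruction set associated with the specified symbol in an ELF program.
// It is used for mounting uretprobe programs for Golang programs,
// which are actually mounted via uprobe on these addresses.
//
// The symbol is looked up by exact name in the static and dynamic symbol
// tables. The returned values are the decoded RET positions added to the
// symbol's file offset when the symbol lies inside an executable PT_LOAD
// segment, and to its raw value otherwise.
//
// Section index, symbol value and symbol size are read from the file and are
// validated before use, so a malformed binary produces an error instead of an
// out-of-range panic.
func (gc *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) {
	// Either table can be missing, so lookup errors are ignored and
	// emptiness is checked once on the merged list.
	var allSymbs []elf.Symbol
	if syms, _ := gc.goElf.Symbols(); len(syms) > 0 {
		allSymbs = append(allSymbs, syms...)
	}
	if dynSyms, _ := gc.goElf.DynamicSymbols(); len(dynSyms) > 0 {
		allSymbs = append(allSymbs, dynSyms...)
	}
	if len(allSymbs) == 0 {
		return nil, ErrorSymbolEmpty
	}

	var symbol elf.Symbol
	found := false
	for _, s := range allSymbs {
		if s.Name == symbolName {
			symbol = s
			found = true
			break
		}
	}
	if !found {
		return nil, ErrorSymbolNotFound
	}

	// Reserved or corrupt section indices do not refer to an entry of Sections.
	idx := int(symbol.Section)
	if idx < 0 || idx >= len(gc.goElf.Sections) {
		return nil, fmt.Errorf("symbol %s: section index %d out of range", symbolName, idx)
	}
	section := gc.goElf.Sections[idx]
	elfText, err := section.Data()
	if err != nil {
		return nil, err
	}

	// The symbol's byte range must lie inside the section data.
	if symbol.Value < section.Addr {
		return nil, fmt.Errorf("symbol %s: value below start of section %s", symbolName, section.Name)
	}
	start := symbol.Value - section.Addr
	dataLen := uint64(len(elfText))
	if start > dataLen || symbol.Size > dataLen-start {
		return nil, fmt.Errorf("symbol %s: range exceeds section %s", symbolName, section.Name)
	}
	end := start + symbol.Size

	// A decode error is not reported on its own; it surfaces as
	// ErrorNoRetFound when no offsets were produced.
	offsets, _ := gc.decodeInstruction(elfText[start:end])
	if len(offsets) == 0 {
		return offsets, ErrorNoRetFound
	}

	address := symbol.Value
	for _, prog := range gc.goElf.Progs {
		// Skip uninteresting segments.
		if prog.Type != elf.PT_LOAD || (prog.Flags&elf.PF_X) == 0 {
			continue
		}

		if prog.Vaddr <= symbol.Value && symbol.Value < (prog.Vaddr+prog.Memsz) {
			// Translate the virtual address into a file offset.
			// stackoverflow.com/a/40249502
			address = symbol.Value - prog.Vaddr + prog.Off
			break
		}
	}
	for i, offset := range offsets {
		offsets[i] = int(address) + offset
	}
	return offsets, nil
}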
// checkModel maps gc.Model onto one of the canonical capture models.
//
// Key and keylog both map to TlsCaptureModelKey; pcap and pcapng both map to
// TlsCaptureModelPcap and additionally require gc.Ifname to be set. Any other
// value selects TlsCaptureModelText.
func (gc *GoTLSConfig) checkModel() (string, error) {
	switch gc.Model {
	case TlsCaptureModelKeylog, TlsCaptureModelKey:
		return TlsCaptureModelKey, nil
	case TlsCaptureModelPcap, TlsCaptureModelPcapng:
		if gc.Ifname == "" {
			return "", errors.New("'pcap' model used, please used -i flag to set ifname value.")
		}
		// Print the selected interface name on standard output.
		fmt.Println(gc.Ifname)
		return TlsCaptureModelPcap, nil
	}
	return TlsCaptureModelText, nil
}
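// ReadTable builds a Go symbol table from the pclntab of the target binary.
//
// The table is looked for in .gopclntab, then .data.rel.ro.gopclntab, then
// .data.rel.ro. Inside the chosen section the pclntab is located by searching
// for the magic number that matches gc.Buildinfo.GoVersion, which also works
// when the table has no section label of its own. The value read from the
// header is passed to gosym.NewLineTable as the text start address.
//
// Section contents come from the inspected file, so the header is
// length-checked before any field is read.
func (gc *GoTLSConfig) ReadTable() (*gosym.Table, error) {
	sectionLabel := ".gopclntab"
	section := gc.goElf.Section(sectionLabel)
	// binary may be built with -pie
	for _, alt := range []string{".data.rel.ro.gopclntab", ".data.rel.ro"} {
		if section != nil {
			break
		}
		sectionLabel = alt
		section = gc.goElf.Section(alt)
	}
	if section == nil {
		return nil, fmt.Errorf("could not read section %s from %s ", sectionLabel, gc.Path)
	}

	tableData, err := section.Data()
	if err != nil {
		return nil, fmt.Errorf("found section but could not read %s from %s ", sectionLabel, gc.Path)
	}

	// Find .gopclntab by magic number even if there is no section label
	magic := magicNumber(gc.Buildinfo.GoVersion)
	pclntabIndex := bytes.Index(tableData, magic)
	if pclntabIndex < 0 {
		return nil, fmt.Errorf("could not find magic number in %s ", gc.Path)
	}
	tableData = tableData[pclntabIndex:]

	// get textStart from pclntable
	// please see https://go-review.googlesource.com/c/go/+/366695
	// NOTE(review): the field at this offset is textStart in the header
	// layout introduced by that change; for older magics it may hold a
	// different field — confirm before relying on addr for such binaries.
	const ptrSizeOff = 7 // byte 7 of the header is the pointer size
	if len(tableData) <= ptrSizeOff {
		return nil, fmt.Errorf("pclntab header truncated in %s", gc.Path)
	}
	ptrSize := int(tableData[ptrSizeOff])
	fieldOff := 8 + 2*ptrSize
	width := 8
	if ptrSize == 4 {
		width = 4
	}
	// The magic can match close to the end of the section; make sure the
	// field is fully present before decoding it.
	if len(tableData) < fieldOff+width {
		return nil, fmt.Errorf("pclntab header truncated in %s", gc.Path)
	}
	var addr uint64
	if ptrSize == 4 {
		addr = uint64(binary.LittleEndian.Uint32(tableData[fieldOff:]))
	} else {
		addr = binary.LittleEndian.Uint64(tableData[fieldOff:])
	}

	lineTable := gosym.NewLineTable(tableData, addr)
	symTable, err := gosym.NewTable([]byte{}, lineTable)
	if err != nil {
		return nil, ErrorSymbolNotFoundFromTable
	}
	return symTable, nil
}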
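// findRetOffsetsPie returns the locations of the RET instructions of the
// function lfunc in a PIE binary, using the Go symbol table in gc.goSymTab.
//
// The function body is read from the executable PT_LOAD segment that contains
// it. Function bounds come from the inspected file's pclntab, so they are
// checked against the segment's file size before a buffer of that length is
// allocated.
//
// NOTE(review): the returned values are the symbol's value plus each decoded
// position; unlike findRetOffsets no translation through prog.Off is applied
// — confirm that is what the consumer expects.
func (gc *GoTLSConfig) findRetOffsetsPie(lfunc string) ([]int, error) {
	var offsets []int
	address, err := gc.findPieSymbolAddr(lfunc)
	if err != nil {
		return offsets, err
	}

	// Non-nil here: findPieSymbolAddr succeeded with the same lookup.
	f := gc.goSymTab.LookupFunc(lfunc)
	if f.End < f.Entry {
		return offsets, fmt.Errorf("finding function return: invalid bounds for %s", lfunc)
	}
	funcLen := f.End - f.Entry

	for _, prog := range gc.goElf.Progs {
		if prog.Type != elf.PT_LOAD || (prog.Flags&elf.PF_X) == 0 {
			continue
		}
		// Use only the segment whose file-backed range holds the whole
		// function; this also bounds the allocation below.
		if address < prog.Vaddr {
			continue
		}
		rel := address - prog.Vaddr
		if rel >= prog.Filesz || funcLen > prog.Filesz-rel {
			continue
		}

		// via https://github.com/golang/go/blob/a65a2bbd8e58cd77dbff8a751dbd6079424beb05/src/cmd/internal/objfile/elf.go#L174
		data := make([]byte, funcLen)
		if _, err = prog.ReadAt(data, int64(rel)); err != nil {
			return offsets, fmt.Errorf("finding function return: %w", err)
		}

		offsets, err = gc.decodeInstruction(data)
		if err != nil {
			return offsets, fmt.Errorf("finding function return: %w", err)
		}
		for i, offset := range offsets {
			offsets[i] = int(address) + offset
		}
		return offsets, nil
	}
	return offsets, errors.New("cant found gotls symbol offsets.")
}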
// findPieSymbolAddr looks lfunc up in the Go symbol table and returns the
// Value of the matching function, or ErrorNoFuncFoundFromSymTabFun when the
// table has no function with that name.
func (gc *GoTLSConfig) findPieSymbolAddr(lfunc string) (uint64, error) {
	if fn := gc.goSymTab.LookupFunc(lfunc); fn != nil {
		return fn.Value, nil
	}
	return 0, ErrorNoFuncFoundFromSymTabFun
}