ecapture 0.7.6 still cannot capture the full URL of docker pull #502

Closed
189er opened this issue Mar 4, 2024 · 8 comments
Labels
bug Something isn't working

Comments


189er commented Mar 4, 2024

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Linux Server/Android (please complete the following information):

  • Env: [run make env to get the environment variables]
  • OS: [e.g. Ubuntu 21.04]
  • Arch: [e.g. arm_aarch64]
  • Kernel Version: [e.g. 5.10]
  • Version: [e.g. 0.1.3-20220313-69c1e0]

Additional context
Add any other context about the problem here.

ecapture gotls --elfpath=/usr/bin/docker --hex;

docker pull redis ;

@cfc4n cfc4n added the bug Something isn't working label Mar 5, 2024
Member

cfc4n commented Mar 5, 2024

@ruitianzhong can you take a look at this issue?

Contributor

ruitianzhong commented Mar 5, 2024

On my Ubuntu 22.04:

sudo ../bin/ecapture gotls --elfpath=/usr/bin/docker --hex
tls_2024/03/05 15:34:46 ECAPTURE :: ecapture Version : linux_x86_64:0.7.5-20240303-bfb4a8c:[CORE]
tls_2024/03/05 15:34:46 ECAPTURE :: Pid Info : 97130
tls_2024/03/05 15:34:46 ECAPTURE :: Kernel Info : 6.5.8
tls_2024/03/05 15:34:46 EBPFProbeGoTLS	module initialization failed. [skip it]. error:symbol not found

some context information:

file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped

eCapture hooks crypto/tls.(*Conn).Read() and looks for it at startup. But /usr/bin/docker seems to not contain this symbol, so the error is returned.

Is that the case? Can you provide more detailed information? @189er

Contributor

sancppp commented Mar 5, 2024

Docker uses /usr/bin/dockerd to pull images and log in.

Try to use:
ecapture gotls --elfpath=/usr/bin/dockerd --hex

Contributor

sancppp commented Mar 9, 2024

Docker uses /usr/bin/dockerd to pull images and log in.

Try to use: ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello?

cfc4n added a commit that referenced this issue Mar 24, 2024
Fix the issue of not being able to fetch the function RET offset in the gotls model when building a Golang binary with pie mode.

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
Author

189er commented Mar 28, 2024

Docker uses /usr/bin/dockerd to pull images and log in.
Try to use: ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello?

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex;
tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure
tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788
tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16
tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd
/usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a
Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

Author

189er commented Mar 28, 2024

On my Ubuntu 22.04:

sudo ../bin/ecapture gotls --elfpath=/usr/bin/docker --hex
tls_2024/03/05 15:34:46 ECAPTURE :: ecapture Version : linux_x86_64:0.7.5-20240303-bfb4a8c:[CORE]
tls_2024/03/05 15:34:46 ECAPTURE :: Pid Info : 97130
tls_2024/03/05 15:34:46 ECAPTURE :: Kernel Info : 6.5.8
tls_2024/03/05 15:34:46 EBPFProbeGoTLS	module initialization failed. [skip it]. error:symbol not found

some context information:

file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped

eCapture hooks crypto/tls.(*Conn).Read() and looks for it at startup. But /usr/bin/docker seems to not contain this symbol, so the error is returned.

Is that the case? Can you provide more detailed information? @189er

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex;
tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure
tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788
tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16
tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd
/usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a
Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

Contributor

sancppp commented Mar 28, 2024

Docker uses /usr/bin/dockerd to pull images and log in.
Try to use: ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello?

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex;
tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure
tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788
tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16
tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd
/usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a
Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

In my test environment, version 0.6.3 does return the no symbol section error, but the latest 0.7.5 version works fine.

[Screenshot: CleanShot_2024-03-28_at_22 14 05@2x]

So, please try again with version 0.7.5
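
Added example, not part of the thread and not eCapture's code: a pre-flight check with Go's debug/elf that separates the two situations discussed above, a stripped binary with no static symbol table at all versus a binary whose symbol table lacks crypto/tls.(*Conn).Read. The function names, verdict strings and the constructed 64-byte sample are assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"errors"
	"fmt"
	"io"
)

// Hook target named in the thread; the verdict strings are this example's own.
const goTLSRead = "crypto/tls.(*Conn).Read"

// CheckGoTLS classifies an ELF image by what its static symbol table offers.
func CheckGoTLS(r io.ReaderAt) (string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return "", fmt.Errorf("not a readable ELF: %w", err)
	}
	syms, err := f.Symbols() // reads .symtab only
	if errors.Is(err, elf.ErrNoSymbols) {
		return "stripped: no symbol section", nil
	} else if err != nil {
		return "", err
	}
	for _, s := range syms {
		if s.Name == goTLSRead && elf.ST_TYPE(s.Info) == elf.STT_FUNC {
			return "hook target present", nil
		}
	}
	return "symbol table present, hook target absent", nil
}

// constructedStrippedELF: constructed 64-byte ELF64 header with no sections,
// standing in for a stripped binary so the example runs offline.
func constructedStrippedELF() []byte {
	b := make([]byte, 64)
	copy(b, "\x7fELF\x02\x01\x01") // magic, ELFCLASS64, little-endian, EI_VERSION
	b[20] = 1                      // e_version = EV_CURRENT
	return b
}

func main() {
	// For a real target, pass an *os.File opened on e.g. /usr/bin/dockerd.
	fmt.Println(CheckGoTLS(bytes.NewReader(constructedStrippedELF())))
}
```
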

@cfc4n cfc4n closed this as completed in cb9e205 Mar 30, 2024
Member

cfc4n commented Mar 30, 2024

When you filed this issue, ecapture 0.7.6 had not been released yet; the latest version was 0.7.5. 0.7.6 has just been released, so you can try again.
