Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

libnss3 hook failed #662

Open
cfc4n opened this issue Nov 8, 2024 · 1 comment
Open

libnss3 hook failed #662

cfc4n opened this issue Nov 8, 2024 · 1 comment
Labels
🐞 bug Something isn't working help wanted Extra attention is needed

Comments

@cfc4n
Copy link
Member

cfc4n commented Nov 8, 2024

Describe the bug
On Ubuntu 24.04, the encrypted communication of nss3 cannot be successfully captured, and the PR_Write symbol cannot be found.

To Reproduce
Steps to reproduce the behavior:
cmd: sudo bin/ecapture nss --nspr=/lib/x86_64-linux-gnu/libnss3.so

ecapture@gojue:~/project/ecapture$ sudo bin/ecapture nss --nspr=/lib/x86_64-linux-gnu/libnss3.so
2024-11-07T23:47:58-08:00 INF AppName="eCapture(旁观者)"
2024-11-07T23:47:58-08:00 INF HomePage=https://ecapture.cc
2024-11-07T23:47:58-08:00 INF Repository=https://github.com/gojue/ecapture
2024-11-07T23:47:58-08:00 INF Author="CFC4N <[email protected]>"
2024-11-07T23:47:58-08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-11-07T23:47:58-08:00 INF Version=linux_amd64:0.8.6-20240916-d50ee78:6.8.0-45-generic
2024-11-07T23:47:58-08:00 INF Listen=localhost:28256
2024-11-07T23:47:58-08:00 INF eCapture running logs logger=
2024-11-07T23:47:58-08:00 INF the file handler that receives the captured event eventCollector=
2024-11-07T23:47:58-08:00 WRN ========== module starting. ==========
2024-11-07T23:47:58-08:00 INF Kernel Info=6.8.12 Pid=23125
2024-11-07T23:47:58-08:00 INF BTF bytecode mode: CORE. btfMode=0
2024-11-07T23:47:58-08:00 INF module initialization. isReload=false moduleName=EBPFProbeNSPR
2024-11-07T23:47:58-08:00 INF listen=localhost:28256
2024-11-07T23:47:58-08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-11-07T23:47:58-08:00 INF Module.Run()
2024-11-07T23:47:58-08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/nspr_kern_core.o
2024-11-07T23:47:58-08:00 INF HOOK type:nspr elf ElfType=2 binrayPath=/lib/x86_64-linux-gnu/libnss3.so
2024-11-07T23:47:58-08:00 INF target all process.
2024-11-07T23:47:58-08:00 INF target all users.
2024-11-07T23:47:58-08:00 FTL module run failed, skip it. error="couldn't start bootstrap manager error:8 errors occurred:\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Write': not supported (consider providing UprobeOptions.Address) , isRet:false, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_entry_SSL_write}\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Write': not supported (consider providing UprobeOptions.Address) , isRet:true, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_ret_SSL_write}\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Send': not supported (consider providing UprobeOptions.Address) , isRet:false, opts:&{0 0 0 0 0 }, {UID:PR_Write-PR_Send, EbpfFuncName:probe_entry_SSL_write}\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Send': not supported (consider providing UprobeOptions.Address) , isRet:true, opts:&{0 0 0 0 0 }, {UID:PR_Write-PR_Send, EbpfFuncName:probe_ret_SSL_write}\n\t* error:opening uprobe: symbol PR_Read: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_entry_SSL_read}\n\t* error:opening uprobe: symbol PR_Read: not found , isRet:true, opts:&{0 0 0 0 0 }, {UID:, EbpfFuncName:probe_ret_SSL_read}\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Recv': not supported (consider providing UprobeOptions.Address) , isRet:false, opts:&{0 0 0 0 0 }, {UID:PR_Read-PR_Recv, EbpfFuncName:probe_entry_SSL_read}\n\t* error:opening uprobe: cannot resolve /lib/x86_64-linux-gnu/libnss3.so library call 'PR_Recv': not supported (consider providing UprobeOptions.Address) , isRet:true, opts:&{0 0 0 0 0 }, {UID:PR_Read-PR_Recv, EbpfFuncName:probe_ret_SSL_read}\n\n, probes activation validation failed " isReload=false

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Linux Server/Android (please complete the following information):

  • OS: Ubuntu 24.04 ,
  • Kernel: 6.8.0-45
  • Arch : x86_64
  • Version: v0.8.8
@cfc4n cfc4n added 🐞 bug Something isn't working help wanted Extra attention is needed labels Nov 8, 2024
@yuweizzz
Copy link
Contributor

maybe the function placed in libnspr4.so?

# ldd /lib/x86_64-linux-gnu/libnss3.so 
	linux-vdso.so.1 (0x00007ffcb5f83000)
	libnssutil3.so => /lib/x86_64-linux-gnu/libnssutil3.so (0x00007f95449b4000)
	libplc4.so => /lib/x86_64-linux-gnu/libplc4.so (0x00007f95449ad000)
	libplds4.so => /lib/x86_64-linux-gnu/libplds4.so (0x00007f95449a8000)
	libnspr4.so => /lib/x86_64-linux-gnu/libnspr4.so (0x00007f9544967000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9544793000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9544771000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9544769000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f9544b4a000)

try to use sudo bin/ecapture nss --nspr=/lib/x86_64-linux-gnu/libnspr4.so instead of?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🐞 bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

2 participants