
Comments (7)

cfc4n commented on June 15, 2024 1

Thanks, I'll test later.

from ecapture.

cfc4n commented on June 15, 2024 1

I conducted a test and found that it seems impossible to locate the corresponding symbol in the dynamic section of a stripped ELF program.

go build  -ldflags "-w -s" -o bin/golang_https_stripped tests/golang_https.go

file bin/golang_https_stripped
bin/golang_https_stripped: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=sqrYKmrhQDUowmtWyL9D/QZZ4Amu_0aTi1rk9fNyL/o6zsX0d8iRYaKffA936L/rIsFquuJSakoPGQ89xP5, stripped


readelf -Ws bin/golang_https_stripped

Symbol table '.dynsym' contains 42 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 000000000053a420    99 FUNC    GLOBAL DEFAULT    1 crosscall2
     2: 000000000053a3c0    45 FUNC    GLOBAL DEFAULT    1 _cgo_panic
     3: 0000000000467de0    25 FUNC    GLOBAL DEFAULT    1 _cgo_topofstack
     4: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND __errno_location@GLIBC_2.2.5 (6)
     5: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND getaddrinfo@GLIBC_2.2.5 (6)
     6: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND free@GLIBC_2.2.5 (6)
     7: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND freeaddrinfo@GLIBC_2.2.5 (6)
     8: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND gai_strerror@GLIBC_2.2.5 (6)
     9: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND stderr@GLIBC_2.2.5 (6)
    10: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND fwrite@GLIBC_2.2.5 (6)
    11: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND __vfprintf_chk@GLIBC_2.3.4 (5)
    12: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND fputc@GLIBC_2.2.5 (6)
    13: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND abort@GLIBC_2.2.5 (6)
    14: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_mutex_lock@GLIBC_2.2.5 (6)
    15: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_cond_wait@GLIBC_2.3.2 (4)
    16: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_mutex_unlock@GLIBC_2.2.5 (6)
    17: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_key_create@GLIBC_2.34 (2)
    18: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_setspecific@GLIBC_2.34 (2)
    19: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_cond_broadcast@GLIBC_2.3.2 (4)
    20: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_create@GLIBC_2.34 (2)
    21: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND nanosleep@GLIBC_2.2.5 (6)
    22: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_detach@GLIBC_2.34 (2)
    23: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND strerror@GLIBC_2.2.5 (6)
    24: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND __fprintf_chk@GLIBC_2.3.4 (5)
    25: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (6)
    26: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_attr_init@GLIBC_2.2.5 (6)
    27: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_attr_getstacksize@GLIBC_2.34 (2)
    28: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_attr_destroy@GLIBC_2.2.5 (6)
    29: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND sigfillset@GLIBC_2.2.5 (6)
    30: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_sigmask@GLIBC_2.32 (3)
    31: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND mmap@GLIBC_2.2.5 (6)
    32: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND munmap@GLIBC_2.2.5 (6)
    33: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND setenv@GLIBC_2.2.5 (6)
    34: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND unsetenv@GLIBC_2.2.5 (6)
    35: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND sigemptyset@GLIBC_2.2.5 (6)
    36: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND sigaddset@GLIBC_2.2.5 (6)
    37: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND sigaction@GLIBC_2.2.5 (6)
    38: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND sigismember@GLIBC_2.2.5 (6)
    39: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_self@GLIBC_2.2.5 (6)
    40: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_getattr_np@GLIBC_2.32 (3)
    41: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  UND pthread_attr_getstack@GLIBC_2.34 (2)

Are you sure? If you are sure, could you provide a complete testing demo?

from ecapture.

cfc4n commented on June 15, 2024 1

Yep, indeed it is running normally, but I haven't figured out the reason. Just wait a moment while I find some information.

from ecapture.

cfc4n commented on June 15, 2024 1

build flags of containerd:

#19 [target 3/4] RUN 	--mount=type=bind,from=go,source=/usr/local/go,target=/usr/local/go 	--mount=type=cache,target=/root/.cache/go-build 	--mount=type=cache,target=/go/pkg 	export CC=$(xx-info)-gcc && xx-go --wrap && 	make release static-release && 	for f in $(find bin -executable -type f); do xx-verify $f; done
#19 0.091 ++ xx-info
#19 0.093 + export CC=x86_64-linux-gnu-gcc
#19 0.093 + CC=x86_64-linux-gnu-gcc
#19 0.093 + xx-go --wrap
#19 0.099 + make release static-release
#19 0.649 + bin/ctr
#19 0.649 go build  -gcflags=-trimpath=/go/src -buildmode=pie  -o bin/ctr -ldflags '-X github.com/containerd/containerd/v2/version.Version= -X github.com/containerd/containerd/v2/version.Revision=1564ffbe8002d2aebecae2d89ae925974c981727 -X github.com/containerd/containerd/v2/version.Package=github.com/containerd/containerd -s -w ' -tags "urfave_cli_no_docs"  ./cmd/ctr
#19 22.21 + bin/containerd
#19 22.21 go build  -gcflags=-trimpath=/go/src -buildmode=pie  -o bin/containerd -ldflags '-X github.com/containerd/containerd/v2/version.Version= -X github.com/containerd/containerd/v2/version.Revision=1564ffbe8002d2aebecae2d89ae925974c981727 -X github.com/containerd/containerd/v2/version.Package=github.com/containerd/containerd -s -w ' -tags "urfave_cli_no_docs"  ./cmd/containerd

from ecapture.

cfc4n commented on June 15, 2024 1

Eh... I still haven't found the reason. Why does file containerd show stripped, while the symbol table can still be read?

And why can't this case run properly?

go build  -ldflags "-w -s" -o bin/golang_https_stripped tests/golang_https.go
sudo bin/ecapture gotls --elfpath=bin/golang_https_stripped

why?


But it works. Merged, thanks. In the future I will continue to investigate the cause of this issue. Thank you.

from ecapture.

cfc4n commented on June 15, 2024 1

@h0x0er If you know the reason, please remember to tell me. Thank you very much.

refer: https://stevens.netmeister.org/631/elf.html

from ecapture.

h0x0er commented on June 15, 2024

@cfc4n, sorry for responding late.

For my use-case I had to intercept traffic from containerd. For some reason containerd is stripped, but contains dynamic symbols that are of interest.

You can perform the steps below to confirm it.

  1. Grab the latest version of containerd from here
  2. Extract it & cd to bin folder
  3. Checkout the version.
./containerd --version

containerd github.com/containerd/containerd v1.7.9 4f03e100cb967922bec7459a78d16ccbac9bb81d

  4. Checkout stripping info
file ./containerd

./containerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=eca0b140b47f1f3b0da63b6ae246f76b9b9ea52c, for GNU/Linux 3.2.0, stripped

  5. Checkout symbols
readelf -Ws ./containerd | grep -iE "crypto/tls\.\(\*Conn\)\.Read"

20848: 00000000010f10c0 76 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).Read.func1
31683: 00000000010eee80 2374 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readHandshake
46385: 0000000001111d40 1915 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readClientHello
63314: 00000000010f0cc0 1022 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).Read
93336: 00000000010ed960 337 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readFromUntil
113208: 00000000010eade0 57 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readChangeCipherSpec
114551: 00000000010eae20 10315 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readRecordOrCCS
131381: 00000000010eada0 54 FUNC GLOBAL DEFAULT 15 crypto/tls.(*Conn).readRecord

I noticed these symbols are from the .dynsym section, so I decided to add dynamic symbols to ecapture as in the PR.

from ecapture.
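
The lookup order discussed in this thread (try .symtab, then fall back to .dynsym when the binary is stripped), as an added example using Go's standard debug/elf package; it is not code from the thread or from ecapture. The names findFunc and loader are hypothetical, and the sample table is constructed from the readelf line for crypto/tls.(*Conn).Read quoted above.

```go
package main

import (
	"debug/elf"
	"errors"
	"fmt"
)

// loader has the signature of (*elf.File).Symbols and (*elf.File).DynamicSymbols.
type loader func() ([]elf.Symbol, error)

// findFunc looks for a defined function symbol in .symtab, then in .dynsym,
// and reports which table it came from.
func findFunc(name string, symtab, dynsym loader) (elf.Symbol, string, error) {
	for i, load := range []loader{symtab, dynsym} {
		section := []string{".symtab", ".dynsym"}[i]
		syms, err := load()
		// ErrNoSymbols only means this table is absent (e.g. stripped); try the next.
		if err != nil && !errors.Is(err, elf.ErrNoSymbols) {
			return elf.Symbol{}, "", fmt.Errorf("%s: %w", section, err)
		}
		for _, s := range syms {
			// Undefined imports (SHN_UNDEF) have no address in this file.
			if s.Name == name && s.Section != elf.SHN_UNDEF && elf.ST_TYPE(s.Info) == elf.STT_FUNC {
				return s, section, nil
			}
		}
	}
	return elf.Symbol{}, "", fmt.Errorf("%q not found in .symtab or .dynsym", name)
}

// Constructed sample: no .symtab, and a .dynsym with one import plus the Read entry.
func strippedSymtab() ([]elf.Symbol, error) { return nil, elf.ErrNoSymbols }
func sampleDynsym() ([]elf.Symbol, error) {
	fn := elf.ST_INFO(elf.STB_GLOBAL, elf.STT_FUNC)
	return []elf.Symbol{
		{Name: "malloc", Info: fn, Section: elf.SHN_UNDEF},
		{Name: "crypto/tls.(*Conn).Read", Info: fn, Section: 15, Value: 0x10f0cc0, Size: 1022},
	}, nil
}

func main() {
	// On a real binary: f, err := elf.Open(path), then pass f.Symbols and f.DynamicSymbols.
	s, section, err := findFunc("crypto/tls.(*Conn).Read", strippedSymtab, sampleDynsym)
	fmt.Printf("%s %#x size=%d err=%v\n", section, s.Value, s.Size, err)
}
```
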
