Alexey Ivanov | cc01a9c | 2019-01-16 09:50:46 -0800 | [diff] [blame] | 1 | #!/usr/bin/python |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 2 | # |
jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 3 | # sslsniff Captures data on read/recv or write/send functions of OpenSSL, |
| 4 | # GnuTLS and NSS |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 5 | # For Linux, uses BCC, eBPF. |
| 6 | # |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 7 | # USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d] |
| 8 | # |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 9 | # Licensed under the Apache License, Version 2.0 (the "License") |
| 10 | # |
| 11 | # 12-Aug-2016 Adrian Lopez Created this. |
| 12 | # 13-Aug-2016 Mark Drayton Fix SSL_Read |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 13 | # 17-Aug-2016 Adrian Lopez Capture GnuTLS and add options |
| 14 | # |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 15 | |
| 16 | from __future__ import print_function |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 17 | from bcc import BPF |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 18 | import argparse |
Matthias Hörmann | 1b7aab1 | 2020-07-03 13:54:24 +0200 | [diff] [blame] | 19 | import binascii |
| 20 | import textwrap |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 21 | |
| 22 | # arguments |
| 23 | examples = """examples: |
| 24 | ./sslsniff # sniff OpenSSL and GnuTLS functions |
| 25 | ./sslsniff -p 181 # sniff PID 181 only |
| 26 | ./sslsniff -c curl # sniff curl command only |
| 27 | ./sslsniff --no-openssl # don't show OpenSSL calls |
| 28 | ./sslsniff --no-gnutls # don't show GnuTLS calls |
jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 29 | ./sslsniff --no-nss # don't show NSS calls |
Matthias Hörmann | d40c3a7 | 2020-07-03 14:31:32 +0200 | [diff] [blame] | 30 | ./sslsniff --hexdump # show data as hex instead of trying to decode it as UTF-8 |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 31 | """ |
| 32 | parser = argparse.ArgumentParser( |
| 33 | description="Sniff SSL data", |
| 34 | formatter_class=argparse.RawDescriptionHelpFormatter, |
| 35 | epilog=examples) |
htbegin | 5ac5d6e | 2017-05-24 22:53:17 +0800 | [diff] [blame] | 36 | parser.add_argument("-p", "--pid", type=int, help="sniff this PID only.") |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 37 | parser.add_argument("-c", "--comm", |
| 38 | help="sniff only commands matching string.") |
| 39 | parser.add_argument("-o", "--no-openssl", action="store_false", dest="openssl", |
| 40 | help="do not show OpenSSL calls.") |
| 41 | parser.add_argument("-g", "--no-gnutls", action="store_false", dest="gnutls", |
| 42 | help="do not show GnuTLS calls.") |
jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 43 | parser.add_argument("-n", "--no-nss", action="store_false", dest="nss", |
| 44 | help="do not show NSS calls.") |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 45 | parser.add_argument('-d', '--debug', dest='debug', action='count', default=0, |
| 46 | help='debug mode.') |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 47 | parser.add_argument("--ebpf", action="store_true", |
| 48 | help=argparse.SUPPRESS) |
Matthias Hörmann | d91b31a | 2020-07-06 09:38:39 +0200 | [diff] [blame] | 49 | parser.add_argument("--hexdump", action="store_true", dest="hexdump", |
| 50 | help="show data as hexdump instead of trying to decode it as UTF-8") |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 51 | args = parser.parse_args() |
| 52 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 53 | |
| 54 | prog = """ |
| 55 | #include <linux/ptrace.h> |
| 56 | #include <linux/sched.h> /* For TASK_COMM_LEN */ |
| 57 | |
| 58 | struct probe_SSL_data_t { |
| 59 | u64 timestamp_ns; |
| 60 | u32 pid; |
| 61 | char comm[TASK_COMM_LEN]; |
Brenden Blanco | 71eb177 | 2017-04-20 09:47:28 -0700 | [diff] [blame] | 62 | char v0[464]; |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 63 | u32 len; |
| 64 | }; |
| 65 | |
| 66 | BPF_PERF_OUTPUT(perf_SSL_write); |
| 67 | |
| 68 | int probe_SSL_write(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 69 | u64 pid_tgid = bpf_get_current_pid_tgid(); |
| 70 | u32 pid = pid_tgid >> 32; |
| 71 | |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 72 | FILTER |
| 73 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 74 | struct probe_SSL_data_t __data = {0}; |
| 75 | __data.timestamp_ns = bpf_ktime_get_ns(); |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 76 | __data.pid = pid; |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 77 | __data.len = num; |
| 78 | |
| 79 | bpf_get_current_comm(&__data.comm, sizeof(__data.comm)); |
| 80 | |
| 81 | if ( buf != 0) { |
Sumanth Korikkar | 023154c | 2020-04-20 05:54:57 -0500 | [diff] [blame] | 82 | bpf_probe_read_user(&__data.v0, sizeof(__data.v0), buf); |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 83 | } |
| 84 | |
| 85 | perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data)); |
| 86 | return 0; |
| 87 | } |
| 88 | |
| 89 | BPF_PERF_OUTPUT(perf_SSL_read); |
| 90 | |
| 91 | BPF_HASH(bufs, u32, u64); |
| 92 | |
| 93 | int probe_SSL_read_enter(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 94 | u64 pid_tgid = bpf_get_current_pid_tgid(); |
| 95 | u32 pid = pid_tgid >> 32; |
| 96 | u32 tid = (u32)pid_tgid; |
| 97 | |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 98 | FILTER |
| 99 | |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 100 | bufs.update(&tid, (u64*)&buf); |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 101 | return 0; |
| 102 | } |
| 103 | |
| 104 | int probe_SSL_read_exit(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 105 | u64 pid_tgid = bpf_get_current_pid_tgid(); |
| 106 | u32 pid = pid_tgid >> 32; |
| 107 | u32 tid = (u32)pid_tgid; |
| 108 | |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 109 | FILTER |
| 110 | |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 111 | u64 *bufp = bufs.lookup(&tid); |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 112 | if (bufp == 0) { |
| 113 | return 0; |
| 114 | } |
| 115 | |
| 116 | struct probe_SSL_data_t __data = {0}; |
| 117 | __data.timestamp_ns = bpf_ktime_get_ns(); |
| 118 | __data.pid = pid; |
| 119 | __data.len = PT_REGS_RC(ctx); |
| 120 | |
| 121 | bpf_get_current_comm(&__data.comm, sizeof(__data.comm)); |
| 122 | |
| 123 | if (bufp != 0) { |
Sumanth Korikkar | 023154c | 2020-04-20 05:54:57 -0500 | [diff] [blame] | 124 | bpf_probe_read_user(&__data.v0, sizeof(__data.v0), (char *)*bufp); |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 125 | } |
| 126 | |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 127 | bufs.delete(&tid); |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 128 | |
| 129 | perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data)); |
| 130 | return 0; |
| 131 | } |
| 132 | """ |
| 133 | |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 134 | if args.pid: |
htbegin | 5ac5d6e | 2017-05-24 22:53:17 +0800 | [diff] [blame] | 135 | prog = prog.replace('FILTER', 'if (pid != %d) { return 0; }' % args.pid) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 136 | else: |
| 137 | prog = prog.replace('FILTER', '') |
| 138 | |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 139 | if args.debug or args.ebpf: |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 140 | print(prog) |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 141 | if args.ebpf: |
| 142 | exit() |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 143 | |
| 144 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 145 | b = BPF(text=prog) |
| 146 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 147 | # It looks like SSL_read's arguments aren't available in a return probe so you |
| 148 | # need to stash the buffer address in a map on the function entry and read it |
| 149 | # on its exit (Mark Drayton) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 150 | # |
| 151 | if args.openssl: |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 152 | b.attach_uprobe(name="ssl", sym="SSL_write", fn_name="probe_SSL_write", |
| 153 | pid=args.pid or -1) |
| 154 | b.attach_uprobe(name="ssl", sym="SSL_read", fn_name="probe_SSL_read_enter", |
| 155 | pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 156 | b.attach_uretprobe(name="ssl", sym="SSL_read", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 157 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 158 | |
| 159 | if args.gnutls: |
| 160 | b.attach_uprobe(name="gnutls", sym="gnutls_record_send", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 161 | fn_name="probe_SSL_write", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 162 | b.attach_uprobe(name="gnutls", sym="gnutls_record_recv", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 163 | fn_name="probe_SSL_read_enter", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 164 | b.attach_uretprobe(name="gnutls", sym="gnutls_record_recv", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 165 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 166 | |
jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 167 | if args.nss: |
| 168 | b.attach_uprobe(name="nspr4", sym="PR_Write", fn_name="probe_SSL_write", |
| 169 | pid=args.pid or -1) |
| 170 | b.attach_uprobe(name="nspr4", sym="PR_Send", fn_name="probe_SSL_write", |
| 171 | pid=args.pid or -1) |
| 172 | b.attach_uprobe(name="nspr4", sym="PR_Read", fn_name="probe_SSL_read_enter", |
| 173 | pid=args.pid or -1) |
| 174 | b.attach_uretprobe(name="nspr4", sym="PR_Read", |
| 175 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
| 176 | b.attach_uprobe(name="nspr4", sym="PR_Recv", fn_name="probe_SSL_read_enter", |
| 177 | pid=args.pid or -1) |
| 178 | b.attach_uretprobe(name="nspr4", sym="PR_Recv", |
| 179 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
| 180 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 181 | # define output data structure in Python |
| 182 | TASK_COMM_LEN = 16 # linux/sched.h |
Brenden Blanco | 71eb177 | 2017-04-20 09:47:28 -0700 | [diff] [blame] | 183 | MAX_BUF_SIZE = 464 # Limited by the BPF stack |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 184 | |
| 185 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 186 | # header |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 187 | print("%-12s %-18s %-16s %-7s %-6s" % ("FUNC", "TIME(s)", "COMM", "PID", |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 188 | "LEN")) |
| 189 | |
| 190 | # process event |
| 191 | start = 0 |
| 192 | |
| 193 | |
| 194 | def print_event_write(cpu, data, size): |
Xiaozhou Liu | 51d62d3 | 2019-02-15 13:03:05 +0800 | [diff] [blame] | 195 | print_event(cpu, data, size, "WRITE/SEND", "perf_SSL_write") |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 196 | |
| 197 | |
| 198 | def print_event_read(cpu, data, size): |
Xiaozhou Liu | 51d62d3 | 2019-02-15 13:03:05 +0800 | [diff] [blame] | 199 | print_event(cpu, data, size, "READ/RECV", "perf_SSL_read") |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 200 | |
| 201 | |
Xiaozhou Liu | 51d62d3 | 2019-02-15 13:03:05 +0800 | [diff] [blame] | 202 | def print_event(cpu, data, size, rw, evt): |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 203 | global start |
Xiaozhou Liu | 51d62d3 | 2019-02-15 13:03:05 +0800 | [diff] [blame] | 204 | event = b[evt].event(data) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 205 | |
| 206 | # Filter events by command |
| 207 | if args.comm: |
keyolk | 49fdec6 | 2020-10-08 05:45:00 +0000 | [diff] [blame] | 208 | if not args.comm == event.comm.decode('utf-8', 'replace'): |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 209 | return |
| 210 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 211 | if start == 0: |
| 212 | start = event.timestamp_ns |
| 213 | time_s = (float(event.timestamp_ns - start)) / 1000000000 |
| 214 | |
| 215 | s_mark = "-" * 5 + " DATA " + "-" * 5 |
| 216 | |
| 217 | e_mark = "-" * 5 + " END DATA " + "-" * 5 |
| 218 | |
| 219 | truncated_bytes = event.len - MAX_BUF_SIZE |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 220 | if truncated_bytes > 0: |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 221 | e_mark = "-" * 5 + " END DATA (TRUNCATED, " + str(truncated_bytes) + \ |
| 222 | " bytes lost) " + "-" * 5 |
| 223 | |
Hengqi Chen | 151fe19 | 2021-05-16 17:18:27 +0800 | [diff] [blame^] | 224 | fmt = "%-12s %-18.9f %-16s %-7d %-6d\n%s\n%s\n%s\n\n" |
Matthias Hörmann | d91b31a | 2020-07-06 09:38:39 +0200 | [diff] [blame] | 225 | if args.hexdump: |
| 226 | unwrapped_data = binascii.hexlify(event.v0) |
| 227 | data = textwrap.fill(unwrapped_data.decode('utf-8', 'replace'),width=32) |
| 228 | else: |
| 229 | data = event.v0.decode('utf-8', 'replace') |
jeromemarchand | b96ebcd | 2018-10-10 01:58:15 +0200 | [diff] [blame] | 230 | print(fmt % (rw, time_s, event.comm.decode('utf-8', 'replace'), |
Matthias Hörmann | d91b31a | 2020-07-06 09:38:39 +0200 | [diff] [blame] | 231 | event.pid, event.len, s_mark, data, e_mark)) |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 232 | |
| 233 | b["perf_SSL_write"].open_perf_buffer(print_event_write) |
| 234 | b["perf_SSL_read"].open_perf_buffer(print_event_read) |
| 235 | while 1: |
Jerome Marchand | 5167127 | 2018-12-19 01:57:24 +0100 | [diff] [blame] | 236 | try: |
| 237 | b.perf_buffer_poll() |
| 238 | except KeyboardInterrupt: |
| 239 | exit() |