Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 1 | #!/usr/bin/python |
| 2 | # |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 3 | # sslsniff Captures data on read/recv or write/send functions of OpenSSL and |
| 4 | # GnuTLS |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 5 | # For Linux, uses BCC, eBPF. |
| 6 | # |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 7 | # USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d] |
| 8 | # |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 9 | # Licensed under the Apache License, Version 2.0 (the "License") |
| 10 | # |
| 11 | # 12-Aug-2016 Adrian Lopez Created this. |
| 12 | # 13-Aug-2016 Mark Drayton Fix SSL_Read |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 13 | # 17-Aug-2016 Adrian Lopez Capture GnuTLS and add options |
| 14 | # |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 15 | |
| 16 | from __future__ import print_function |
| 17 | import ctypes as ct |
| 18 | from bcc import BPF |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 19 | import argparse |
| 20 | |
| 21 | # arguments |
| 22 | examples = """examples: |
| 23 | ./sslsniff # sniff OpenSSL and GnuTLS functions |
| 24 | ./sslsniff -p 181 # sniff PID 181 only |
| 25 | ./sslsniff -c curl # sniff curl command only |
| 26 | ./sslsniff --no-openssl # don't show OpenSSL calls |
| 27 | ./sslsniff --no-gnutls # don't show GnuTLS calls |
| 28 | """ |
| 29 | parser = argparse.ArgumentParser( |
| 30 | description="Sniff SSL data", |
| 31 | formatter_class=argparse.RawDescriptionHelpFormatter, |
| 32 | epilog=examples) |
htbegin | 5ac5d6e | 2017-05-24 22:53:17 +0800 | [diff] [blame] | 33 | parser.add_argument("-p", "--pid", type=int, help="sniff this PID only.") |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 34 | parser.add_argument("-c", "--comm", |
| 35 | help="sniff only commands matching string.") |
| 36 | parser.add_argument("-o", "--no-openssl", action="store_false", dest="openssl", |
| 37 | help="do not show OpenSSL calls.") |
| 38 | parser.add_argument("-g", "--no-gnutls", action="store_false", dest="gnutls", |
| 39 | help="do not show GnuTLS calls.") |
| 40 | parser.add_argument('-d', '--debug', dest='debug', action='count', default=0, |
| 41 | help='debug mode.') |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 42 | parser.add_argument("--ebpf", action="store_true", |
| 43 | help=argparse.SUPPRESS) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 44 | args = parser.parse_args() |
| 45 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 46 | |
| 47 | prog = """ |
| 48 | #include <linux/ptrace.h> |
| 49 | #include <linux/sched.h> /* For TASK_COMM_LEN */ |
| 50 | |
| 51 | struct probe_SSL_data_t { |
| 52 | u64 timestamp_ns; |
| 53 | u32 pid; |
| 54 | char comm[TASK_COMM_LEN]; |
Brenden Blanco | 71eb177 | 2017-04-20 09:47:28 -0700 | [diff] [blame] | 55 | char v0[464]; |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 56 | u32 len; |
| 57 | }; |
| 58 | |
| 59 | BPF_PERF_OUTPUT(perf_SSL_write); |
| 60 | |
| 61 | int probe_SSL_write(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 62 | u32 pid = bpf_get_current_pid_tgid(); |
| 63 | FILTER |
| 64 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 65 | struct probe_SSL_data_t __data = {0}; |
| 66 | __data.timestamp_ns = bpf_ktime_get_ns(); |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 67 | __data.pid = pid; |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 68 | __data.len = num; |
| 69 | |
| 70 | bpf_get_current_comm(&__data.comm, sizeof(__data.comm)); |
| 71 | |
| 72 | if ( buf != 0) { |
| 73 | bpf_probe_read(&__data.v0, sizeof(__data.v0), buf); |
| 74 | } |
| 75 | |
| 76 | perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data)); |
| 77 | return 0; |
| 78 | } |
| 79 | |
| 80 | BPF_PERF_OUTPUT(perf_SSL_read); |
| 81 | |
| 82 | BPF_HASH(bufs, u32, u64); |
| 83 | |
| 84 | int probe_SSL_read_enter(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
| 85 | u32 pid = bpf_get_current_pid_tgid(); |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 86 | FILTER |
| 87 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 88 | bufs.update(&pid, (u64*)&buf); |
| 89 | return 0; |
| 90 | } |
| 91 | |
| 92 | int probe_SSL_read_exit(struct pt_regs *ctx, void *ssl, void *buf, int num) { |
| 93 | u32 pid = bpf_get_current_pid_tgid(); |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 94 | FILTER |
| 95 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 96 | u64 *bufp = bufs.lookup(&pid); |
| 97 | if (bufp == 0) { |
| 98 | return 0; |
| 99 | } |
| 100 | |
| 101 | struct probe_SSL_data_t __data = {0}; |
| 102 | __data.timestamp_ns = bpf_ktime_get_ns(); |
| 103 | __data.pid = pid; |
| 104 | __data.len = PT_REGS_RC(ctx); |
| 105 | |
| 106 | bpf_get_current_comm(&__data.comm, sizeof(__data.comm)); |
| 107 | |
| 108 | if (bufp != 0) { |
| 109 | bpf_probe_read(&__data.v0, sizeof(__data.v0), (char *)*bufp); |
| 110 | } |
| 111 | |
| 112 | bufs.delete(&pid); |
| 113 | |
| 114 | perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data)); |
| 115 | return 0; |
| 116 | } |
| 117 | """ |
| 118 | |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 119 | if args.pid: |
htbegin | 5ac5d6e | 2017-05-24 22:53:17 +0800 | [diff] [blame] | 120 | prog = prog.replace('FILTER', 'if (pid != %d) { return 0; }' % args.pid) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 121 | else: |
| 122 | prog = prog.replace('FILTER', '') |
| 123 | |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 124 | if args.debug or args.ebpf: |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 125 | print(prog) |
Nathan Scott | cf0792f | 2018-02-02 16:56:50 +1100 | [diff] [blame] | 126 | if args.ebpf: |
| 127 | exit() |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 128 | |
| 129 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 130 | b = BPF(text=prog) |
| 131 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 132 | # It looks like SSL_read's arguments aren't available in a return probe so you |
| 133 | # need to stash the buffer address in a map on the function entry and read it |
| 134 | # on its exit (Mark Drayton) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 135 | # |
| 136 | if args.openssl: |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 137 | b.attach_uprobe(name="ssl", sym="SSL_write", fn_name="probe_SSL_write", |
| 138 | pid=args.pid or -1) |
| 139 | b.attach_uprobe(name="ssl", sym="SSL_read", fn_name="probe_SSL_read_enter", |
| 140 | pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 141 | b.attach_uretprobe(name="ssl", sym="SSL_read", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 142 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 143 | |
| 144 | if args.gnutls: |
| 145 | b.attach_uprobe(name="gnutls", sym="gnutls_record_send", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 146 | fn_name="probe_SSL_write", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 147 | b.attach_uprobe(name="gnutls", sym="gnutls_record_recv", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 148 | fn_name="probe_SSL_read_enter", pid=args.pid or -1) |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 149 | b.attach_uretprobe(name="gnutls", sym="gnutls_record_recv", |
Paul Chaignon | d73c58f | 2017-01-21 14:25:41 +0100 | [diff] [blame] | 150 | fn_name="probe_SSL_read_exit", pid=args.pid or -1) |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 151 | |
| 152 | # define output data structure in Python |
| 153 | TASK_COMM_LEN = 16 # linux/sched.h |
Brenden Blanco | 71eb177 | 2017-04-20 09:47:28 -0700 | [diff] [blame] | 154 | MAX_BUF_SIZE = 464 # Limited by the BPF stack |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 155 | |
| 156 | |
| 157 | # Max size of the whole struct: 512 bytes |
| 158 | class Data(ct.Structure): |
| 159 | _fields_ = [ |
| 160 | ("timestamp_ns", ct.c_ulonglong), |
| 161 | ("pid", ct.c_uint), |
| 162 | ("comm", ct.c_char * TASK_COMM_LEN), |
| 163 | ("v0", ct.c_char * MAX_BUF_SIZE), |
| 164 | ("len", ct.c_uint) |
| 165 | ] |
| 166 | |
| 167 | |
| 168 | # header |
| 169 | print("%-12s %-18s %-16s %-6s %-6s" % ("FUNC", "TIME(s)", "COMM", "PID", |
| 170 | "LEN")) |
| 171 | |
| 172 | # process event |
| 173 | start = 0 |
| 174 | |
| 175 | |
| 176 | def print_event_write(cpu, data, size): |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 177 | print_event(cpu, data, size, "WRITE/SEND") |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 178 | |
| 179 | |
| 180 | def print_event_read(cpu, data, size): |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 181 | print_event(cpu, data, size, "READ/RECV") |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 182 | |
| 183 | |
| 184 | def print_event(cpu, data, size, rw): |
| 185 | global start |
| 186 | event = ct.cast(data, ct.POINTER(Data)).contents |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 187 | |
| 188 | # Filter events by command |
| 189 | if args.comm: |
| 190 | if not args.comm == event.comm: |
| 191 | return |
| 192 | |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 193 | if start == 0: |
| 194 | start = event.timestamp_ns |
| 195 | time_s = (float(event.timestamp_ns - start)) / 1000000000 |
| 196 | |
| 197 | s_mark = "-" * 5 + " DATA " + "-" * 5 |
| 198 | |
| 199 | e_mark = "-" * 5 + " END DATA " + "-" * 5 |
| 200 | |
| 201 | truncated_bytes = event.len - MAX_BUF_SIZE |
Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 202 | if truncated_bytes > 0: |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 203 | e_mark = "-" * 5 + " END DATA (TRUNCATED, " + str(truncated_bytes) + \ |
| 204 | " bytes lost) " + "-" * 5 |
| 205 | |
Paul Chaignon | 7b911b5 | 2017-10-07 11:52:17 +0200 | [diff] [blame] | 206 | fmt = "%-12s %-18.9f %-16s %-6d %-6d\n%s\n%s\n%s\n\n" |
| 207 | print(fmt % (rw, time_s, event.comm.decode(), event.pid, event.len, s_mark, |
| 208 | event.v0.decode(), e_mark)) |
Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 209 | |
| 210 | b["perf_SSL_write"].open_perf_buffer(print_event_write) |
| 211 | b["perf_SSL_read"].open_perf_buffer(print_event_read) |
| 212 | while 1: |
Teng Qin | dbf0029 | 2018-02-28 21:47:50 -0800 | [diff] [blame] | 213 | b.perf_buffer_poll() |