github.com/gojue/ecapture@v0.8.2/tests/issue_463/readme.md (about)

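## Background
Issue 463 in the eCapture community, [Performance impact on the monitored program in TLS mode](https://github.com/gojue/ecapture/issues/463), reports that enabling eCapture has a significant performance impact on the monitored program.


## Approach
Hook only functions that are called infrequently, are exported in the symbol table, and from which the key can be obtained.
See [PR 471](https://github.com/gojue/ecapture/pull/471).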
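
One way to check the "exported in the symbol table" criterion for a candidate hook, as an added example that is not part of the eCapture repository: it parses `nm -D --defined-only` output and reports which names are not exported. The function names and library path are the ones printed in the eCapture log in this README; the helper names and the sample `nm` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the eCapture repository).
# Function names and library path are the ones printed in this README's log;
# the helper names below are hypothetical.

# Print exported function symbols from `nm -D --defined-only` output on stdin.
# Keeps types T (text), W (weak) and i (ifunc); strips "@@VERSION" suffixes.
exported_funcs() {
    awk '$2 ~ /^[TWi]$/ { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# missing_hooks NM_FILE NAME...
# Prints every NAME that is not exported; returns 0 only if all are exported.
missing_hooks() {
    nm_file=$1; shift
    exported=$(exported_funcs < "$nm_file")
    rc=0
    for fn in "$@"; do
        if ! printf '%s\n' "$exported" | grep -qxF -- "$fn"; then
            echo "$fn"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of nm output (addresses are made up).
sample_nm() {
    cat <<'EOF'
0000000000034560 T SSL_get_wbio@@OPENSSL_3.0.0
0000000000035a10 T SSL_in_before@@OPENSSL_3.0.0
0000000000036b20 T SSL_write@@OPENSSL_3.0.0
0000000000000000 A OPENSSL_3.0.0
EOF
}

# On a real host, replace sample_nm with:
#   nm -D --defined-only /usr/lib/aarch64-linux-gnu/libssl.so.3
syms=$(mktemp)
sample_nm > "$syms"
if missing_hooks "$syms" SSL_get_wbio SSL_in_before; then
    echo "all hook candidates are exported"
fi
rm -f "$syms"
```

This covers only the export criterion; call frequency still has to be measured against the running workload.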

## Environment Setup

### TLS Server
1. On Ubuntu 22.04, run `sudo apt install nginx`.
2. Enable the SSL service on port 443 (here I use my blog's domain as an example).
3. In this directory, run `make` to build the test client.

## Running the Tests

### Baseline test
```shell
time ./openssl_client

real	0m5.677s
user	0m3.088s
sys	0m2.565s
```

### Test with eCapture enabled
**Run eCapture**
Open a new terminal and start eCapture in `keylog` mode:
```shell
sudo bin/ecapture tls -m keylog
[sudo] password for cfc4n:
tls_2024/01/27 13:42:55 ECAPTURE :: ecapture Version : linux_aarch64:0.7.2-20240104-f368e82:[CORE]
tls_2024/01/27 13:42:55 ECAPTURE :: Pid Info : 124787
tls_2024/01/27 13:42:55 ECAPTURE :: Kernel Info : 5.15.131
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	module initialization
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	master key keylogger: ecapture_openssl_key.og
tls_2024/01/27 13:42:55 ECAPTURE ::	Module.Run()
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	Keylog MODEL
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	OpenSSL/BoringSSL version not found from shared library file, used default version:linux_default_3_0
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	HOOK type:2, binrayPath:/usr/lib/aarch64-linux-gnu/libssl.so.3
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	Hook masterKey function:[SSL_get_wbio SSL_in_before]
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	target all process.
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	target all users.
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	BPF bytecode filename:user/bytecode/openssl_3_0_0_kern.o
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	perfEventReader created. mapSize:4 MB
tls_2024/01/27 13:42:55 EBPFProbeOPENSSL	module started successfully.
tls_2024/01/27 13:42:55 ECAPTURE :: 	start 1 modules
tls_2024/01/27 13:42:59 EBPFProbeOPENSSL	TLS1_2_VERSION: save CLIENT_RANDOM 8516901707503cfcfb0b63d02adc5deba9f7bc3e64418212f4a9c7b0c4007cca to file success, 176 bytes
^Ctls_2024/01/27 13:43:15 EBPFProbeOPENSSL	close.
tls_2024/01/27 13:43:15 EBPFProbeOPENSSL	close
```

**Run the test program**
```shell
time ./openssl_client

real	0m7.133s
user	0m4.735s
sys	0m2.394s
```

### Result
As you can see, with `keylog` mode in use, the elapsed time dropped from 30 seconds to 7 seconds.