Fix cant found RET offset in gotls mode. fix #502.

Fix the issue of not being able to fetch the function RET offset in the gotls model when building a Golang binary with pie mode.

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>

Author: cfc4n

builder/Makefile.release

@@ -50,7 +50,9 @@ endif
 
 OUTPUT_DIR = ./bin
 TAR_DIR = ecapture-$(SNAPSHOT_VERSION)-linux-$(UNAME_M)
+TAR_DIR_NOCORE = ecapture-$(SNAPSHOT_VERSION)-linux-nocore
 TAR_DIR_ANDROID = ecapture-$(SNAPSHOT_VERSION)-android-$(UNAME_M)
+TAR_DIR_ANDROID_NOCORE = ecapture-$(SNAPSHOT_VERSION)-android-$(UNAME_M)-nocore
 
 # from CLI args.
 RELEASE_NOTES ?= $(OUTPUT_DIR)/release_notes.txt
@@ -71,7 +73,9 @@ BUILD_DIR = build
 #
 
 OUT_ARCHIVE := $(OUTPUT_DIR)/$(TAR_DIR).tar.gz
-OUT_ARCHIVE_ANDROID := $(OUTPUT_DIR)/$(TAR_DIR_ANDROID)-nocore.tar.gz
+OUT_ARCHIVE_NOCORE := $(OUTPUT_DIR)/$(TAR_DIR_NOCORE).tar.gz
+OUT_ARCHIVE_ANDROID := $(OUTPUT_DIR)/$(TAR_DIR_ANDROID).tar.gz
+OUT_ARCHIVE_ANDROID_NOCORE := $(OUTPUT_DIR)/$(TAR_DIR_ANDROID_NOCORE).tar.gz
 OUT_CHECKSUMS := $(OUTPUT_DIR)/checksum-$(SNAPSHOT_VERSION).txt
 
 
@@ -183,7 +187,7 @@ snapshot: \
 	$(CMD_CP) $(OUTPUT_DIR)/ecapture $(TAR_DIR)/ecapture
 	$(CMD_TAR)  -czf $(OUT_ARCHIVE) $(TAR_DIR)
 	cd $(OUTPUT_DIR)
-	$(CMD_CHECKSUM) $(TAR_DIR).tar.gz > ./../$(OUT_CHECKSUMS)
+	$(CMD_CHECKSUM) $(OUT_ARCHIVE_ANDROID) > ./../$(OUT_CHECKSUMS)
 	cd ../
 
 .PHONY: snapshot_android
@@ -198,29 +202,29 @@ snapshot_android: \
 	$(MAKE) clean
 	ANDROID=1 $(MAKE) nocore RELEASE_TAG=$(SNAPSHOT_VERSION)
 	# create the tar ball and checksum files
-	$(CMD_MKDIR) -p $(TAR_DIR_ANDROID)
-	$(CMD_CP) LICENSE $(TAR_DIR_ANDROID)/LICENSE
-	$(CMD_CP) CHANGELOG.md $(TAR_DIR_ANDROID)/CHANGELOG.md
-	$(CMD_CP) README.md $(TAR_DIR_ANDROID)/README.md
-	$(CMD_CP) README_CN.md $(TAR_DIR_ANDROID)/README_CN.md
-	$(CMD_CP) $(OUTPUT_DIR)/ecapture $(TAR_DIR_ANDROID)/ecapture
-	$(CMD_TAR)  -czf $(OUT_ARCHIVE_ANDROID) $(TAR_DIR_ANDROID)
+	$(CMD_MKDIR) -p $(TAR_DIR_ANDROID_NOCORE)
+	$(CMD_CP) LICENSE $(TAR_DIR_ANDROID_NOCORE)/LICENSE
+	$(CMD_CP) CHANGELOG.md $(TAR_DIR_ANDROID_NOCORE)/CHANGELOG.md
+	$(CMD_CP) README.md $(TAR_DIR_ANDROID_NOCORE)/README.md
+	$(CMD_CP) README_CN.md $(TAR_DIR_ANDROID_NOCORE)/README_CN.md
+	$(CMD_CP) $(OUTPUT_DIR)/ecapture $(TAR_DIR_ANDROID_NOCORE)/ecapture
+	$(CMD_TAR)  -czf $(OUT_ARCHIVE_ANDROID_NOCORE) $(TAR_DIR_ANDROID_NOCORE)
 	cd $(OUTPUT_DIR)
-	$(CMD_CHECKSUM) $(TAR_DIR_ANDROID).tar.gz >> ./../$(OUT_CHECKSUMS)
+	$(CMD_CHECKSUM) $(OUT_ARCHIVE_ANDROID_NOCORE) >> ./../$(OUT_CHECKSUMS)
 	cd ../
 
 .PHONY: publish
 publish: \
 	$(OUTPUT_DIR) \
 	$(OUT_ARCHIVE) \
-	$(OUT_ARCHIVE_ANDROID) \
+	$(OUT_ARCHIVE_ANDROID_NOCORE) \
 	$(OUT_CHECKSUMS) \
 	$(OUT_DEB_FILE) \
 	| .check_tree \
 	.check_$(CMD_GITHUB)
 #
 	# release it!
-	$(CMD_GITHUB) release create $(SNAPSHOT_VERSION) $(OUT_ARCHIVE) $(OUT_ARCHIVE_ANDROID) $(OUT_DEB_FILE) $(OUT_CHECKSUMS) --title "eCapture $(SNAPSHOT_VERSION)"  --notes-file $(RELEASE_NOTES)
+	$(CMD_GITHUB) release create $(SNAPSHOT_VERSION) $(OUT_ARCHIVE) $(OUT_ARCHIVE_ANDROID_NOCORE) $(OUT_DEB_FILE) $(OUT_CHECKSUMS) --title "eCapture $(SNAPSHOT_VERSION)"  --notes-file $(RELEASE_NOTES)
 
 .PHONY: clean
 clean:

user/config/config_gotls.go

@@ -15,41 +15,85 @@
 package config
 
 import (
+	"bytes"
+	"debug/buildinfo"
 	"debug/elf"
+	"debug/gosym"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"os"
 	"runtime"
-
-	"golang.org/x/arch/arm64/arm64asm"
-	"golang.org/x/arch/x86/x86asm"
+	"strings"
 )
 
 const (
-	// Arm64armInstSize via :  arm64/arm64asm/decode.go:Decode() size = 4
-	Arm64armInstSize = 4
-
+	// 46EE50 - 46EDB0
+	//
 	GoTlsReadFunc = "crypto/tls.(*Conn).Read"
+
+	GoTlsWriteFunc        = "crypto/tls.(*Conn).writeRecordLocked"
+	GoTlsMasterSecretFunc = "crypto/tls.(*Config).writeKeyLog"
+	// crypto_tls._ptr_Conn.Read
+	GoTlsReadFuncArm64 = "crypto_tls._ptr_Conn.Read"
 )
 
 var (
-	ErrorGoBINNotFound  = errors.New("The executable program (compiled by Golang) was not found")
-	ErrorSymbolNotFound = errors.New("symbol not found")
-	ErrorNoRetFound     = errors.New("no RET instructions found")
+	ErrorGoBINNotFound           = errors.New("The executable program (compiled by Golang) was not found")
+	ErrorSymbolEmpty             = errors.New("symbol is empty")
+	ErrorSymbolNotFound          = errors.New("symbol not found")
+	ErrorSymbolNotFoundFromTable = errors.New("symbol not found from table")
+	ErrorNoRetFound              = errors.New("no RET instructions found")
+	ErrorNoRetFoundFromSymTabFun = errors.New("no RET instructions found from golang symbol table with Fun")
 )
 
+// From go/src/debug/gosym/pclntab.go
+const (
+	go12magic  = 0xfffffffb
+	go116magic = 0xfffffffa
+	go118magic = 0xfffffff0
+	go120magic = 0xfffffff1
+)
+
+// Select the magic number based on the Go version
+func magicNumber(goVersion string) []byte {
+	bs := make([]byte, 4)
+	var magic uint32
+	if strings.Compare(goVersion, "go1.20") >= 0 {
+		magic = go120magic
+	} else if strings.Compare(goVersion, "go1.18") >= 0 {
+		magic = go118magic
+	} else if strings.Compare(goVersion, "go1.16") >= 0 {
+		magic = go116magic
+	} else {
+		magic = go12magic
+	}
+	binary.LittleEndian.PutUint32(bs, magic)
+	return bs
+}
+
+type FuncOffsets struct {
+	Start   uint64
+	Returns []uint64
+}
+
 // GoTLSConfig represents configuration for Go SSL probe
 type GoTLSConfig struct {
 	eConfig
-	Path         string    `json:"path"`       // golang application path to binary built with Go toolchain.
-	PcapFile     string    `json:"pcapFile"`   // pcapFile  the  raw  packets  to file rather than parsing and printing them out.
-	KeylogFile   string    `json:"keylogFile"` // keylogFile  The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.
-	Model        string    `json:"model"`      // model  such as : text, pcapng/pcap, key/keylog.
-	Ifname       string    `json:"ifName"`     // (TC Classifier) Interface name on which the probe will be attached.
-	PcapFilter   string    `json:"pcapFilter"` // pcap filter
-	goElfArch    string    //
-	goElf        *elf.File //
-	ReadTlsAddrs []int
+	Path                  string    `json:"path"`       // golang application path to binary built with Go toolchain.
+	PcapFile              string    `json:"pcapFile"`   // pcapFile  the  raw  packets  to file rather than parsing and printing them out.
+	KeylogFile            string    `json:"keylogFile"` // keylogFile  The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.
+	Model                 string    `json:"model"`      // model  such as : text, pcapng/pcap, key/keylog.
+	Ifname                string    `json:"ifName"`     // (TC Classifier) Interface name on which the probe will be attached.
+	PcapFilter            string    `json:"pcapFilter"` // pcap filter
+	goElfArch             string    //
+	goElf                 *elf.File //
+	buildinfo             *buildinfo.BuildInfo
+	ReadTlsAddrs          []int
+	GoTlsWriteAddr        uint64
+	GoTlsMasterSecretAddr uint64
+	IsPieBuildMode        bool
+	goSymTab              *gosym.Table
 }
 
 // NewGoTLSConfig creates a new config for Go SSL
@@ -74,6 +118,12 @@ func (gc *GoTLSConfig) Check() error {
 		return err
 	}
 
+	// Read the build information of the Go application
+	gc.buildinfo, err = buildinfo.ReadFile(gc.Path)
+	if err != nil {
+		return err
+	}
+
 	var goElf *elf.File
 	goElf, err = elf.Open(gc.Path)
 	if err != nil {
@@ -102,10 +152,56 @@ func (gc *GoTLSConfig) Check() error {
 	}
 	gc.goElfArch = goElfArch
 	gc.goElf = goElf
-	gc.ReadTlsAddrs, err = gc.findRetOffsets(GoTlsReadFunc)
+	// If built with PIE and stripped, gopclntab is
+	// unlabeled and nested under .data.rel.ro.
+	for _, bs := range gc.buildinfo.Settings {
+		if bs.Key == "-buildmode" {
+			if bs.Value == "pie" {
+				gc.IsPieBuildMode = true
+			}
+			break
+		}
+	}
+	if gc.IsPieBuildMode {
+		gc.goSymTab, err = gc.ReadTable()
+		if err != nil {
+			return err
+		}
+		fun := gc.goSymTab.LookupFunc(GoTlsWriteFunc)
+		if fun != nil {
+			gc.GoTlsWriteAddr = fun.Entry
+		}
+		fun = gc.goSymTab.LookupFunc(GoTlsMasterSecretFunc)
+		if fun != nil {
+			gc.GoTlsMasterSecretAddr = fun.Entry
+		}
+		gc.ReadTlsAddrs, err = gc.findRetOffsetsPie(GoTlsReadFunc)
+		if err != nil {
+			return err
+		}
+	} else {
+		gc.ReadTlsAddrs, err = gc.findRetOffsets(GoTlsReadFunc)
+		if err != nil {
+			return err
+		}
+	}
 	return err
 }
 
+func (gc *GoTLSConfig) findRetOffsetsPie(symbolName string) ([]int, error) {
+	var offsets []int
+	var err error
+
+	fun := gc.goSymTab.LookupFunc(symbolName)
+	if fun == nil {
+		return nil, ErrorSymbolNotFoundFromTable
+	}
+
+	//fmt.Printf("found in %s, entry:%x, end:%x , end-entry:%x\n", fun.Name, fun.Entry, fun.End, fun.End-fun.Entry)
+	offsets, err = gc.findFuncOffsetBySymfun(fun, gc.goElf)
+	return offsets, err
+}
+
 // FindRetOffsets searches for the addresses of all RET instructions within
 // the instruction set associated with the specified symbol in an ELF program.
 // It is used for mounting uretprobe programs for Golang programs,
@@ -125,7 +221,7 @@ func (gc *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) {
 	}
 
 	if len(allSymbs) == 0 {
-		return nil, fmt.Errorf("no symbols found")
+		return nil, ErrorSymbolEmpty
 	}
 
 	var found bool
@@ -163,30 +259,6 @@ func (gc *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) {
 	return offsets, nil
 }
 
-// decodeInstruction Decode into assembly instructions and identify the RET instruction to return the offset.
-func (gc *GoTLSConfig) decodeInstruction(instHex []byte) ([]int, error) {
-	var offsets []int
-	for i := 0; i < len(instHex); {
-		if gc.goElfArch == "amd64" {
-			inst, err := x86asm.Decode(instHex[i:], 64)
-			if err != nil {
-				return nil, err
-			}
-			if inst.Op == x86asm.RET {
-				offsets = append(offsets, i)
-			}
-			i += inst.Len
-		} else {
-			inst, _ := arm64asm.Decode(instHex[i:]) // Why ignore error: https://github.com/gojue/ecapture/pull/506
-			if inst.Op == arm64asm.RET {
-				offsets = append(offsets, i)
-			}
-			i += Arm64armInstSize
-		}
-	}
-	return offsets, nil
-}
-
 func (gc *GoTLSConfig) checkModel() (string, error) {
 	var m string
 	var e error
@@ -204,3 +276,72 @@ func (gc *GoTLSConfig) checkModel() (string, error) {
 	}
 	return m, e
 }
+
+func (gc *GoTLSConfig) ReadTable() (*gosym.Table, error) {
+	sectionLabel := ".data.rel.ro"
+	section := gc.goElf.Section(sectionLabel)
+	if section == nil {
+		// binary may be built with -pie
+		sectionLabel = ".gopclntab"
+		section = gc.goElf.Section(sectionLabel)
+		if section == nil {
+			return nil, fmt.Errorf("could not read section %s from %s ", sectionLabel, gc.Path)
+		}
+	}
+	tableData, err := section.Data()
+	if err != nil {
+		return nil, fmt.Errorf("found section but could not read %s from %s ", sectionLabel, gc.Path)
+	}
+
+	// Find .gopclntab by magic number even if there is no section label
+	magic := magicNumber(gc.buildinfo.GoVersion)
+	pclntabIndex := bytes.Index(tableData, magic)
+	//fmt.Printf("buildinfo :%v, magic:%x, pclntabIndex:%d offset:%x , section:%v \n", gc.buildinfo, magic, pclntabIndex, section.Offset, section)
+	if pclntabIndex < 0 {
+		return nil, fmt.Errorf("could not find magic number in %s ", gc.Path)
+	}
+	tableData = tableData[pclntabIndex:]
+	addr := gc.goElf.Section(".text").Addr
+	lineTable := gosym.NewLineTable(tableData, addr)
+	symTable, err := gosym.NewTable([]byte{}, lineTable)
+	if err != nil {
+		return nil, ErrorSymbolNotFoundFromTable
+	}
+	return symTable, nil
+}
+
+func (gc *GoTLSConfig) findFuncOffsetBySymfun(f *gosym.Func, elfF *elf.File) ([]int, error) {
+	var offsets []int
+	var err error
+
+	for _, prog := range elfF.Progs {
+		if prog.Type != elf.PT_LOAD || (prog.Flags&elf.PF_X) == 0 {
+			continue
+		}
+		// For more info on this calculation: stackoverflow.com/a/40249502
+		/*
+		 ida :  		 start : 46EE50, end : 46F258   , len :0x408
+		 elf info:       start : 46ed30, end :         ,  len: 0x3B0,  0x58
+
+		*/
+		if prog.Vaddr <= f.Value && f.Value < (prog.Vaddr+prog.Memsz) {
+			funcLen := f.End - f.Entry
+			fmt.Printf("name :%s, f.Value:%x, f.Entry:%x, f.End:%x, funcLen:%X \n ", f.Name, f.Value, f.Entry, f.End, funcLen)
+			data := make([]byte, funcLen)
+			_, err = prog.ReadAt(data, int64(f.Value-prog.Vaddr))
+			if err != nil {
+				return offsets, fmt.Errorf("finding function return: %w", err)
+			}
+
+			offsets, err = gc.decodeInstruction(data)
+			if err != nil {
+				return offsets, fmt.Errorf("finding function return: %w", err)
+			}
+			for i, offset := range offsets {
+				offsets[i] = int(f.Entry) + offset
+			}
+			return offsets, nil
+		}
+	}
+	return offsets, ErrorNoRetFoundFromSymTabFun
+}

user/config/go_instructions_amd64.go

@@ -0,0 +1,21 @@
+package config
+
+import (
+	"golang.org/x/arch/x86/x86asm"
+)
+
+// decodeInstruction Decode into assembly instructions and identify the RET instruction to return the offset.
+func (gc *GoTLSConfig) decodeInstruction(instHex []byte) ([]int, error) {
+	var offsets []int
+	for i := 0; i < len(instHex); {
+		inst, err := x86asm.Decode(instHex[i:], 64)
+		if err != nil {
+			return nil, err
+		}
+		if inst.Op == x86asm.RET {
+			offsets = append(offsets, i)
+		}
+		i += inst.Len
+	}
+	return offsets, nil
+}