
not work in avd #727

Open
niuhuan opened this issue Feb 6, 2025 · 4 comments
Labels
help wanted Extra attention is needed

Comments


niuhuan commented Feb 6, 2025

My Android environment: an AVD virtual machine running Android 13 with Google services.

Linux localhost 5.15.41-android13-8-00055-g4f5025129fe8-ab8949913 #1 SMP PREEMPT Mon Aug 15 18:33:14 UTC 2022 aarch64 Toybox
  1. Problem encountered: packets cannot be captured.

  2. Steps and logs

1). Start the AVD and switch to root mode

$ANDROID_HOME/emulator/emulator @A33 -writable-system
adb -s emulator-5554 root
adb -s emulator-5554 remount
adb -s emulator-5554 shell

2). Upload to /data/local/tmp and run ./ecapture tls

130|emu64a:/data/local/tmp # ./ecapture tls
2025-02-06T09:58:18Z INF AppName="eCapture(旁观者)"
2025-02-06T09:58:18Z INF HomePage=https://ecapture.cc
2025-02-06T09:58:18Z INF Repository=https://github.com/gojue/ecapture
2025-02-06T09:58:18Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-02-06T09:58:18Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-06T09:58:18Z INF Version=androidgki_arm64:v0.9.3:6.5.0-1025-azure
2025-02-06T09:58:18Z INF Listen=localhost:28256
2025-02-06T09:58:18Z INF eCapture running logs logger=
2025-02-06T09:58:18Z INF the file handler that receives the captured event eventCollector=
2025-02-06T09:58:18Z INF Kernel Info=5.15.41 Pid=7742
2025-02-06T09:58:18Z INF listen=localhost:28256
2025-02-06T09:58:18Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-06T09:58:18Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-02-06T09:58:18Z INF BTF bytecode mode: CORE. btfMode=0
2025-02-06T09:58:18Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-02-06T09:58:18Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-06T09:58:18Z INF Module.Run()
2025-02-06T09:58:18Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2025-02-06T09:58:18Z ERR bpfFile=boringssl_a_13_kern.o sslVersion=android_default
2025-02-06T09:58:18Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-02-06T09:58:18Z INF target all process.
2025-02-06T09:58:18Z INF target all users.
2025-02-06T09:58:18Z INF setupManagers eBPFProgramType=Text
2025-02-06T09:58:18Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o
2025-02-06T09:58:19Z INF perfEventReader created mapSize(MB)=4
2025-02-06T09:58:19Z INF perfEventReader created mapSize(MB)=4
2025-02-06T09:58:19Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
^C2025-02-06T09:58:21Z INF module close.
2025-02-06T09:58:21Z INF Module closed,message recived from Context
2025-02-06T09:58:22Z INF iModule module close
2025-02-06T09:58:22Z INF bye bye.

At this point only HTTP could be captured, not HTTPS.

I noticed:
WRN Your environment is like a container. We won't be able to detect the BTF configuration. If eCapture fails to run, try specifying the BTF mode. use -b 2 to specify non-CORE mode.
ERR OpenSSL/BoringSSL version not found
INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o

so I changed the command:

3). /ecapture tls --ssl_version='boringssl_a_13' -b 2 -w /local/data/tmp/save.pcapng

/ecapture tls --ssl_version='boringssl_a_13' -b 2 -w /local/data/tmp/save.pcapng
2025-02-06T10:00:05Z INF AppName="eCapture(旁观者)"
2025-02-06T10:00:05Z INF HomePage=https://ecapture.cc
2025-02-06T10:00:05Z INF Repository=https://github.com/gojue/ecapture
2025-02-06T10:00:05Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-02-06T10:00:05Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-06T10:00:05Z INF Version=androidgki_arm64:v0.9.3:6.5.0-1025-azure
2025-02-06T10:00:05Z INF Listen=localhost:28256
2025-02-06T10:00:05Z INF eCapture running logs logger=
2025-02-06T10:00:05Z INF the file handler that receives the captured event eventCollector=
2025-02-06T10:00:05Z INF Kernel Info=5.15.41 Pid=7788
2025-02-06T10:00:05Z INF BTF bytecode mode: non-CORE. btfMode=2
2025-02-06T10:00:05Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-02-06T10:00:05Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-06T10:00:05Z INF Module.Run()
2025-02-06T10:00:05Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_13
2025-02-06T10:00:05Z INF listen=localhost:28256
2025-02-06T10:00:05Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-06T10:00:05Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-02-06T10:00:05Z INF target all process.
2025-02-06T10:00:05Z INF target all users.
2025-02-06T10:00:05Z INF setupManagers eBPFProgramType=Text
2025-02-06T10:00:05Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_noncore.o
2025-02-06T10:00:05Z INF perfEventReader created mapSize(MB)=4
2025-02-06T10:00:05Z INF perfEventReader created mapSize(MB)=4
2025-02-06T10:00:05Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
^C2025-02-06T10:00:15Z INF module close.
2025-02-06T10:00:15Z INF Module closed,message recived from Context
2025-02-06T10:00:15Z INF perfEventReader received close signal from context.Done().
2025-02-06T10:00:15Z INF iModule module close
2025-02-06T10:00:15Z INF bye bye.
emu64a:/data/local/tmp #659 

No WRN or ERR is reported, but the browser in the virtual machine no longer responds at all. I would like to know whether packet capture is possible with an AVD, and what I am doing wrong. Also, no save.pcapng was generated.

@dosubot dosubot bot added the 🐞 bug Something isn't working label Feb 6, 2025

dosubot bot commented Feb 6, 2025

@niuhuan Hello! I'm Dosu, a bot that can help you solve problems, answer questions, and become a contributor. I'll help you here while you wait for a human maintainer.

I found a similar discussion regarding issues with eCapture in environments like containers, which might be relevant to your situation. The warning message you encountered, "Your environment is like a container. We won't be able to detect the BTF configuration," suggests that eCapture is detecting the AVD environment as container-like, which can affect its ability to function correctly [1].

Here are some steps you can try to resolve the issue:

  1. Specify the BTF Mode: You've already tried using -b 2 to specify non-CORE mode, which is a good step. This can help when the environment is detected as container-like.

  2. SSL Version Parameter: Ensure that you are specifying the correct SSL version with --ssl_version='boringssl_a_13', as you did in your second attempt. This helps eCapture hook into the correct SSL/TLS library version [2].

  3. Output File Path: Double-check the path where you are trying to save the output file (save.pcapng). Ensure that the directory /local/data/tmp/ exists and is writable by the process running eCapture.

  4. Network Interface: Make sure you are capturing on the correct network interface. You might need to specify the interface using the -i option if it's different from the default.

  5. Check Logs for Errors: Since you mentioned there are no errors, ensure that the logs are being checked thoroughly for any subtle warnings or issues that might not be immediately obvious.

If these steps do not resolve the issue, it might be worth considering any specific limitations or dependencies related to running eCapture on Android Virtual Devices, which might not be fully documented.


Member

cfc4n commented Feb 6, 2025

Capturing HTTPS plaintext traffic inside an AVD should be supported.

There are two problems in your usage:

  1. For the capture failure in text mode: note that by default the hooked TLS library is binrayPath=/apex/com.android.conscrypt/lib64/libssl.so; you need to confirm that the target program actually uses this library. If it does not, you need to use the --libssl parameter to specify the path of the SO file.
  2. The -w /local/data/tmp/save.pcapng parameter only takes effect in pcap mode, i.e. ecapture -m pcapng -i ens0 -w xxx.pcapng

@cfc4n cfc4n added help wanted Extra attention is needed and removed 🐞 bug Something isn't working labels Feb 6, 2025
Author

niuhuan commented Feb 7, 2025

I confirmed that /apex/com.android.conscrypt/lib64/libssl.so exists, and changed the command line to

./ecapture tls -m pcapng -i wlan0 -w xxx.pcapng -b 2 --ssl_version='boringssl_a_13'

I successfully got xxx.pcapng, but when I drag it into Wireshark I do not get the decrypted content; it seems I only got the raw data.

This is the case whether or not I add the parameters -b 2 --ssl_version='boringssl_a_13'.

[Image attachment]

emu64a:/data/local/tmp # ./ecapture tls -m pcapng -i wlan0 -w xxx.pcapng -b 2 --ssl_version='boringssl_a_13' --keylogfile="ecapture_openssl_key.log"
2025-02-07T02:08:44Z INF AppName="eCapture(旁观者)"
2025-02-07T02:08:44Z INF HomePage=https://ecapture.cc
2025-02-07T02:08:44Z INF Repository=https://github.com/gojue/ecapture
2025-02-07T02:08:44Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-02-07T02:08:44Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-07T02:08:44Z INF Version=androidgki_arm64:v0.9.3:6.5.0-1025-azure
2025-02-07T02:08:44Z INF Listen=localhost:28256
2025-02-07T02:08:44Z INF eCapture running logs logger=
2025-02-07T02:08:44Z INF the file handler that receives the captured event eventCollector=
2025-02-07T02:08:44Z INF listen=localhost:28256
2025-02-07T02:08:44Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-07T02:08:44Z INF Kernel Info=5.15.41 Pid=27399
2025-02-07T02:08:44Z INF BTF bytecode mode: non-CORE. btfMode=2
2025-02-07T02:08:44Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-07T02:08:44Z INF Module.Run()
2025-02-07T02:08:44Z INF OpenSSL/BoringSSL version found sslVersion=boringssl_a_13
2025-02-07T02:08:44Z INF HOOK type:Openssl elf ElfType=2 IFindex=16 IFname=wlan0 PcapFilter= binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-02-07T02:08:44Z INF Hook masterKey function Functions=["SSL_in_init"]
2025-02-07T02:08:44Z INF target all process.
2025-02-07T02:08:44Z INF target all users.
2025-02-07T02:08:44Z INF setupManagers eBPFProgramType=PcapNG
2025-02-07T02:08:44Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_noncore.o
2025-02-07T02:08:44Z INF packets saved into pcapng file. pcapng path=/data/local/tmp/xxx.pcapng
2025-02-07T02:08:44Z INF perfEventReader created mapSize(MB)=4
2025-02-07T02:08:44Z INF perfEventReader created mapSize(MB)=4
2025-02-07T02:08:44Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-07T02:08:46Z INF packets saved into pcapng file. count=30
2025-02-07T02:08:50Z INF packets saved into pcapng file. count=4
2025-02-07T02:08:52Z INF packets saved into pcapng file. count=3
2025-02-07T02:08:54Z INF packets saved into pcapng file. count=114
2025-02-07T02:08:56Z INF packets saved into pcapng file. count=1211
^C2025-02-07T02:08:56Z INF module close.
2025-02-07T02:08:56Z INF Module closed,message recived from Context
2025-02-07T02:08:56Z INF packets saved into pcapng file. count=124
2025-02-07T02:08:56Z INF packets saved into pcapng file. count=1486
2025-02-07T02:08:56Z INF iModule module close
2025-02-07T02:08:56Z INF bye bye.

I also tried adding --keylogfile="ecapture_openssl_key.log", but no additional file was produced. Maybe I should try a physical device or a different Android version. I don't know much about packet capture or SSL; thank you for your patient replies. If I make progress I will follow up in this issue so that it can be found by search.
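A capture that opens in Wireshark as ciphertext only is worth checking for embedded keys before anything else: eCapture's pcapng mode stores the captured TLS secrets inside the file as a pcapng Decryption Secrets Block, which is what lets Wireshark decrypt without a separate key log. The following is an added example, not eCapture project code; it parses the pcapng block structure, reports the key-log lines found in TLS secrets blocks, and builds a constructed sample file (with a placeholder key line that is not a real secret) to exercise itself offline.

```python
"""Added example (not eCapture project code): check whether a pcapng file
carries TLS key-log data in a Decryption Secrets Block (DSB, block type
0x0000000A, secrets type 0x544C534B "TLSK"); without it Wireshark sees ciphertext."""
import struct

SHB = 0x0A0D0D0A   # Section Header Block (type reads the same in both byte orders)
DSB = 0x0000000A   # Decryption Secrets Block
TLSK = 0x544C534B  # DSB secrets type: TLS key log (NSS key-log format)

def iter_blocks(data: bytes):
    """Yield (type, body, endian); byte order comes from the latest SHB's magic."""
    endian, off = "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"corrupt pcapng block at offset {off}")
        yield btype, data[off + 8:off + blen - 4], endian
        off += blen

def tls_keylog_from_pcapng(data: bytes) -> list[str]:
    """Key-log lines found in TLS DSBs; an empty list means Wireshark has no keys."""
    lines = []
    for btype, body, endian in iter_blocks(data):
        if btype != DSB:
            continue
        stype, slen = struct.unpack_from(endian + "II", body, 0)
        if stype == TLSK:
            lines += body[8:8 + slen].decode("ascii", "replace").splitlines()
    return lines

def build_block(btype: int, body: bytes) -> bytes:
    """Little-endian pcapng block: type, length, body padded to 4 bytes, length."""
    body += b"\x00" * (-len(body) % 4)
    blen = 12 + len(body)
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)

def sample_capture(with_secrets: bool) -> bytes:
    """Constructed pcapng (no packets): an SHB plus, optionally, one TLS DSB."""
    data = build_block(SHB, b"\x4d\x3c\x2b\x1a" + struct.pack("<HHq", 1, 0, -1))
    if with_secrets:
        keylog = b"CLIENT_RANDOM 0011223344 aabbccddeeff\n"  # placeholder, not a real secret
        data += build_block(DSB, struct.pack("<II", TLSK, len(keylog)) + keylog)
    return data
```

On a real file, `tls_keylog_from_pcapng(open("xxx.pcapng", "rb").read())` returning an empty list explains ciphertext-only output in Wireshark; a non-empty list means the keys are present and the problem lies elsewhere (for example, the hooked library is not the one the app uses).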

Member

cfc4n commented Feb 7, 2025

> I confirmed that /apex/com.android.conscrypt/lib64/libssl.so exists, and changed the command line to

I did not mean "check whether this file exists", but "confirm that the target program you are capturing really uses this SO file". It is quite possible that it packaged its own copy, or statically compiled one in.
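The check the maintainer is asking for, in both comments above, is which libssl.so the target process has actually mapped, not whether the APEX file exists on disk. The following is an added example, not eCapture project code: it parses /proc/<pid>/maps text (obtainable with `adb shell cat /proc/<pid>/maps` on the rooted emulator), lists every mapped libssl*.so, and tells you whether the default hook path applies, whether `--libssl <path>` is needed, or whether no shared libssl is mapped at all. The sample maps excerpt is constructed, not taken from a real device.

```python
"""Added example (not eCapture project code): find which libssl.so a running
process has mapped. The default hook target is
/apex/com.android.conscrypt/lib64/libssl.so; an app that bundles its own
BoringSSL build maps a different file and needs --libssl <path>."""
import re

DEFAULT_LIBSSL = "/apex/com.android.conscrypt/lib64/libssl.so"
LIBSSL_RE = re.compile(r"/libssl[^/\s]*\.so$")

def mapped_libssl(maps_text: str) -> list[str]:
    """Unique mapped file paths whose basename looks like libssl*.so, in map order."""
    seen: list[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) == 6 and LIBSSL_RE.search(parts[5]) and parts[5] not in seen:
            seen.append(parts[5])
    return seen

def libssl_hint(maps_text: str) -> str:
    """Return "" when the default target applies, "--libssl <path>" for a private
    copy, or a note when no libssl.so is mapped at all (a TLS stack statically
    linked into another object has no separate libssl.so for the default
    probes to attach to, so eCapture sees nothing)."""
    libs = mapped_libssl(maps_text)
    if not libs:
        return "no libssl.so mapped: TLS is probably statically linked into the app"
    if DEFAULT_LIBSSL in libs:
        return ""
    return f"--libssl {libs[0]}"

# Constructed /proc/<pid>/maps excerpt (not from a real device): an app shipping
# its own libssl.so under its APK directory instead of using the APEX copy.
SAMPLE_MAPS = """\
7b1c000000-7b1c2a0000 r-xp 00000000 fe:00 1234   /data/app/com.example.app-1/lib/arm64/libssl.so
7b1c2a0000-7b1c2b0000 r--p 002a0000 fe:00 1234   /data/app/com.example.app-1/lib/arm64/libssl.so
7b1d000000-7b1d100000 r-xp 00000000 fe:00 5678   /apex/com.android.runtime/lib64/bionic/libc.so
7b1e000000-7b1e020000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 this_script.py maps.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    print(libssl_hint(text) or f"default target {DEFAULT_LIBSSL} applies")
```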
