eBPF phone environment configuration

Checking the px6 device environment (kernel probe support)
calleng@hw:~/p9/Mikrom2.0/kanxue/custome2025$ px6 shell zcat /proc/config.gz | grep PROBE
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_ARCH_SUPPORTS_UPROBES=y
CONFIG_KPROBES=y
CONFIG_UPROBES=y
CONFIG_KRETPROBES=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
CONFIG_GENERIC_CPU_AUTOPROBE=y
CONFIG_TIMER_PROBE=y
CONFIG_KPROBE_EVENTS=y
CONFIG_UPROBE_EVENTS=y
CONFIG_PROBE_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_KPROBE_EVENT_GEN_TEST is not set
calleng@hw:~/p9/Mikrom2.0/kanxue/custome2025$
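As an added example (not part of these notes), a POSIX sh script that turns the manual grep above into a pass/fail check of the kernel options that uprobe/kprobe-based eBPF tools such as eCapture and estrace depend on; the required/optional option lists and the sample config are my assumptions, and `px6` is the device shell wrapper used above.

```shell
#!/bin/sh
# Added example, not from the original notes: check a kernel config dump
# (the output of `px6 shell zcat /proc/config.gz`) for the options that
# uprobe/kprobe-based eBPF tools such as eCapture and estrace depend on.

# Assumed option lists. The probe names match the grep output above;
# CONFIG_DEBUG_INFO_BTF is only needed for CO-RE mode (eCapture -b 0/1);
# without it eCapture must be run with `-b 2` (non-CO-RE bytecode).
REQUIRED="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_KPROBES CONFIG_UPROBES CONFIG_KPROBE_EVENTS CONFIG_UPROBE_EVENTS"
OPTIONAL="CONFIG_DEBUG_INFO_BTF"

# option_state CONFIG_TEXT OPTION -> prints "set", "unset" or "absent"
option_state() {
    if printf '%s\n' "$1" | grep -q "^$2=[ym]\$"; then
        echo set
    elif printf '%s\n' "$1" | grep -q "^# $2 is not set\$"; then
        echo unset
    else
        echo absent
    fi
}

# check_ebpf_config CONFIG_TEXT -> prints a report; returns 1 if any
# required option is missing, 0 otherwise.
check_ebpf_config() {
    rc=0
    for opt in $REQUIRED; do
        state=$(option_state "$1" "$opt")
        [ "$state" = set ] || rc=1
        echo "required  $opt: $state"
    done
    for opt in $OPTIONAL; do
        state=$(option_state "$1" "$opt")
        [ "$state" = set ] || echo "note: $opt is $state; run ecapture with '-b 2' (non-CO-RE mode)"
    done
    return $rc
}

# Constructed sample dump (not from a real device): probes on, BTF off.
SAMPLE_CONFIG="CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_KPROBES=y
CONFIG_UPROBES=y
CONFIG_KPROBE_EVENTS=y
CONFIG_UPROBE_EVENTS=y
# CONFIG_DEBUG_INFO_BTF is not set"

# On a real device: check_ebpf_config "$(px6 shell zcat /proc/config.gz)"
check_ebpf_config "$SAMPLE_CONFIG"
```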
eCapture manual

.../local/tmp # ./ecapture100 --help
NAME:
eCapture - Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
USAGE:
eCapture [flags]
VERSION:
androidgki_arm64:v1.0.0:6.8.0-1021-azure
COMMANDS:
bash capture bash command
gotls Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
help Help about any command
tls Used to capture TLS/SSL text content without the need for a CA certificate. (Supports OpenSSL 1.0.x/1.1.x/3.x or newer).
DESCRIPTION:
eCapture(旁观者) is a tool that can capture plaintext packets
such as HTTPS and TLS without installing a CA certificate.
It can also capture bash commands, which is suitable for
security auditing scenarios, such as database auditing of mysqld, etc (disabled on Android).
Support Linux(Android) X86_64 4.18/aarch64 5.5 or newer.
Repository: https://github.com/gojue/ecapture
HomePage: https://ecapture.cc
Usage:
ecapture tls -h
ecapture bash -h
Docker usage:
docker pull gojue/ecapture:latest
docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture -h
OPTIONS:
-b, --btf=0 enable BTF mode.(0:auto; 1:core; 2:non-core)
-d, --debug[=false] enable debug logging
--eventaddr="" the server address that receives the captured event. --eventaddr tcp://127.0.0.1:8090, default: same as logaddr
-h, --help[=false] help for eCapture
--hex[=false] print byte strings as hex encoded strings
--listen="localhost:28256" listen on this address for http server, default: 127.0.0.1:28256
-l, --logaddr="" send logs to this server. -l /tmp/ecapture.log or -l tcp://127.0.0.1:8080
--mapsize=1024 eBPF map size per CPU,for events buffer. default:1024 * PAGESIZE. (KB)
-p, --pid=0 if pid is 0 then we target all pids
-t, --tsize=0 the truncate size in text mode, default: 0 (B), no truncate
-u, --uid=0 if uid is 0 then we target all users
-v, --version[=false] version for eCapture
Find the target process PID, then capture its TLS traffic
(f1613) calleng@hw:~/p9/Mikrom2.0/kanxue/custome2025$ frida-ps -D 1A041FDF6S00EP
PID Name
----- -------------------------------------------------------------------------------------------------------------------------------------
9363
9384
9361 com.genymobile.scrcpy.Server 3.1 video_bit_rate=2000000 log_level=info max_size=1080 capture_orientation=0 audio=false scid=000003e6
25728 .ShannonImsService
3573 frida-2289375d-037a-4d7a-92b5-43d2e5a48d29
4864 frida-37257e61-51cc-4913-876a-c76f985ec589
10463 frida-4a16913b-79dc-4a2f-abb1-b377cdb2f885
6391 frida-4c2200d3-6d74-43c1-83d0-379c11c848d3
30936 frida-5ccc717d-e776-44fa-8e96-a913d8906e0c
23811 frida-670f0ab8-7ff2-42cf-901d-415de5a24ec9
2368 frida-899bbb64-d483-462d-94e1-a9cd92794274
15924 frida-9d5c9b70-0c78-4b2e-9564-5fc682ddd5f2
7765 frida-b043ec06-d4eb-4c12-985b-78d3b9b7d7dc
10128 frida-bfcd21c0-0677-4d8b-8c1d-eb82c1b24a5e
10914 frida-c798b789-18eb-4417-821b-96a62a4fe721
4727 frida-e3cc5b4d-2f20-44ae-acbc-5e5e693fa359
1521 gatekeeper
11126 zygiskd32-zygisk_shamiko
1152 zygiskd64
13757 zygiskd64-playintegrityfix
10797 zygiskd64-zygisk_shamiko
10637 zygote
10655 zygote64
12059 中国移动
16510 夸克
8682 豌豆荚
.../local/tmp # ps -ef | grep 10086
u0_a273 12059 10655 99 14:26 ? 00:02:53 com.greenpoint.android.mc10086.activity
u0_a273 12429 10655 1 14:26 ? 00:00:03 com.greenpoint.android.mc10086.activity:tools
u0_a273 13038 10655 7 14:26 ? 00:00:11 com.greenpoint.android.mc10086.activity:jsengine
root 13904 10893 0 14:29 pts/10 00:00:00 grep 10086
.../local/tmp # ./ecapture100 tls -p 12059 --hex
2025-03-30T14:33:49Z INF AppName="eCapture(旁观者)"
2025-03-30T14:33:49Z INF HomePage=https://ecapture.cc
2025-03-30T14:33:49Z INF Repository=https://github.com/gojue/ecapture
2025-03-30T14:33:49Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2025-03-30T14:33:49Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-03-30T14:33:49Z INF Version=androidgki_arm64:v1.0.0:6.8.0-1021-azure
2025-03-30T14:33:49Z INF Listen=localhost:28256
2025-03-30T14:33:49Z INF eCapture running logs logger=
2025-03-30T14:33:49Z INF the file handler that receives the captured event eventCollector=
2025-03-30T14:33:49Z INF Kernel Info=5.10.198 Pid=14316
2025-03-30T14:33:49Z INF listen=localhost:28256
2025-03-30T14:33:49Z INF TruncateSize=0 Unit=bytes
2025-03-30T14:33:49Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-03-30T14:33:49Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2025-03-30T14:33:49Z INF BTF bytecode mode: CORE. btfMode=0
2025-03-30T14:33:49Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-03-30T14:33:49Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-03-30T14:33:49Z INF Module.Run()
2025-03-30T14:33:49Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2025-03-30T14:33:49Z ERR bpfFile=boringssl_a_14_kern.o sslVersion=android_default
2025-03-30T14:33:49Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2025-03-30T14:33:49Z INF target process. target PID=12059
2025-03-30T14:33:49Z INF target all users.
2025-03-30T14:33:49Z INF setupManagers eBPFProgramType=Text
2025-03-30T14:33:49Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_14_kern_core.o
2025-03-30T14:33:50Z INF perfEventReader created mapSize(MB)=4
2025-03-30T14:33:50Z INF perfEventReader created mapSize(MB)=4
2025-03-30T14:33:50Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-03-30T14:34:10Z ??? UUID:12059_14552_oc.10086.cn/..._9_1_0.0.0.0:0-0.0.0.0:0, Name:HTTPRequest, Type:1, Length:7728
estrace: an eBPF-based syscall tracing tool for the Android platform
.../local/tmp # ./estrace160 --help
syscall调用追踪
Usage:
estrace [flags]
Flags:
-a, --after read arg str after syscall
--bypass try bypass root check
-d, --debug enable debug logging
--getlr try get lr info
--getpc try get pc info
-h, --help help for estrace
-n, --name string must set uid or package name
--no-syscall string add syscall name to blacklist filter
--no-tid string add tid to blacklist filter
--no-uid-filter ignore uid filter
-o, --out string save the log to file
-p, --pid uint add pid to filter
-q, --quiet wont logging to terminal when used
-s, --syscall string add syscall name to whitelist filter
-u, --uid uint must set uid or package name

