nowsecure / fsmon
monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux
Home Page: https://www.nowsecure.com
License: MIT License
When trying to build on iOS, it uses the macOS method by default:
iPhone:~/proj mobile$ cd fsmon/
iPhone:~/proj/fsmon mobile$ make
cc -I. -Wall -DFSMON_VERSION=\"1.8.4\" -g -ggdb -mmacosx-version-min=10.12 -DTARGET_OSX=1 -o fsmon-macos main.c util.c backend/*.c -framework CoreServices
When passing "-mmacosx-version-min" to clang on iOS, it builds for macOS but links for iOS, which results in a binary that cannot be executed, or in a build failure.
But when attempting make ios to compile, it gives errors saying that xcrun does not exist:
iPhone:~/proj/fsmon mobile$ make ios
make: xcrun: Command not found
make: xcrun: Command not found
arch armv7 -arch arm64 -isysroot -fembed-bitcode -flto -target arm64-apple-ios10.0 -miphoneos-version-min=10.0 -O3 -Wall -fembed-bitcode -I. -Wall -DFSMON_VERSION=\"1.8.4\" -g -ggdb -DTARGET_IOS=1 -o fsmon-ios main.c util.c backend/*.c \
-framework CoreFoundation \
-weak_framework MobileCoreServices \
-weak_framework CoreServices
arch: Can't find armv7 in PATH
make: [Makefile:80: ios] Error 1 (ignored)
xcrun --sdk iphoneos strip fsmon-ios
make: xcrun: Command not found
make: *** [Makefile:81: ios] Error 127
Unless we can simulate xcrun's behavior, we should swap the sysroot to / (or some specific path that stores the iphoneos SDK; I put it into my system paths so I do not need to specify the sysroot path when compiling other source code) and use the native toolchain.
> sudo fsmon
fanotify_mark: Bad file descriptor
What's wrong? How can I use it?
Hi!
First of all I think that fsmon is a great tool.
I compiled it on an iPad Mini 2 with iOS 12.5.5, jailbroken with odysseyra1n. I tested fsmon with Telegram: sudo fsmon -P Telegram /. However, if I add a new contact from Telegram I can't capture the write to the Contacts app, because fsmon monitors only Telegram and not the ABDatabaseDoctor process. To work around this problem I can use sudo fsmon /. However, with this command I capture noise from other processes.
I know that apps on iOS can communicate with IPC. So can I use fsmon or other tool/project (e.g. Frida) to monitor an app (e.g. Telegram) and its IPC?
Thanks in advance.
Kind regards, Lorenzo.
Does this monitor all files & directories recursively or only the one given directory or file?
In the latest checkout of fsmon.h, #include <signal.h> is missing, which yields compilation errors in the Linux build.
Hi,
I wanted to use fsmon-osx to monitor a long Finder file move operation, something I estimated would take about 20 minutes. In case it matters, I was copying between two mounted .dmg "Case-sensitive HFS+" filesystems. Let's call these /Volumes/Source and /Volumes/Target.
In Finder, I selected the files to copy in /Volumes/Source, then did a paste operation into /Volumes/Target.
Meanwhile, because of issue #44 I downloaded and compiled fsmon-osx from source. No errors during make. I then launched it with:
$ sudo ./fsmon-osx /Volumes/Target
Unfortunately, in the time it took me to download, compile and launch fsmon-osx, the Finder paste operation completed sooner than I expected; fsmon-osx didn't show any activity. Not a big deal, as I had more files to move, so I just left fsmon-osx running.
With the Finder paste operation successfully completed, I made the Finder window for /Volumes/Source active. It still had the files selected, so I proceeded to have Finder move them to Trash.
This is where it gets weird. Even though fsmon-osx was pointed at /Volumes/Target, as soon as Finder started moving files to Trash, fsmon-osx started showing hundreds of lines like this:
Invalid length in fsevents data packet (14, 14)
Invalid length in fsevents data packet (14, 14)
Invalid length in fsevents data packet (14, 142)
ERROR unknown type 12147
ERROR unknown type 11825
ERROR unknown type 2304
ERROR unknown type 64768
ERROR unknown type 2048
ERROR unknown type 5120
ERROR unknown type 30060
ERROR unknown type 29268
ERROR unknown type 25454
ERROR unknown type 28461
ERROR unknown type 41343
Overflow detected and corrected (310, 306)
Invalid length in fsevents data packet (14, 14)
Invalid length in fsevents data packet (14, 281)
ERROR unknown type 12147
ERROR unknown type 11825
ERROR unknown type 2304
ERROR unknown type 26368
ERROR unknown type 2048
ERROR unknown type 5120
ERROR unknown type 30060
ERROR unknown type 29268
ERROR unknown type 25454
(snip)
My questions:
Why would fsmon-osx start showing activity for the move-to-Trash action on /Volumes/Source, when I told it to monitor /Volumes/Target?
What do the errors above mean? "Error unknown type...", "Invalid length..." and "Overflow detected..." ?
Some letters are a bit confusing; let's rethink them:
Usage: fsmon [-jc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
-a [sec] stop monitoring after N seconds (alarm)
-b [dir] backup files to DIR folder (EXPERIMENTAL)
-B [name] specify an alternative backend
-c follow children of -p PID
-f show only filename (no path)
-h show this help
-j output in JSON format
-L list all filemonitor backends
-p [pid] only show events from this pid
-P [proc] events only from process name
-v show version
[path] only get events from this path
Interesting to find files created with rwxrwxrwx perms and such
The idea behind this backend is that it should check all the time for changes in a specific directory and launch events when it detects a new file, a changed file or deleted ones.
This will be very CPU intensive, but it will work everywhere. We can tune the usleep between probes with an env var to avoid abusing the filesystem.
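What such a polling backend looks like in practice, as an added example rather than fsmon's own code: one directory level is re-scanned every FSMON_POLL_US microseconds (an assumed env var name), two name-sorted snapshots are merge-walked to produce CREATED / MODIFIED / DELETED events, and each reported entry is flagged when its mode is rwxrwxrwx, which covers the "files created with rwxrwxrwx perms" idea raised just above. The type and function names (Snapshot, snapshot_dir, diff_snapshots, demo_poll_cycle) are mine, and the self-check works in a temporary directory it creates itself. Linux/glibc field names are used for the timestamps.

```c
/* Polling backend sketch (added example, not fsmon's own code). */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 1024   /* assumption: enough for the demo; a real backend would grow this */
#define NAME_LEN 256

typedef struct {
    char name[NAME_LEN];
    ino_t ino; off_t size; mode_t mode;
    struct timespec mtim;  /* glibc: st_mtim; macOS calls it st_mtimespec */
} Entry;
typedef struct { Entry e[MAX_ENTRIES]; int n; } Snapshot;
typedef enum { EV_CREATED, EV_MODIFIED, EV_DELETED } EvType;
typedef struct { EvType type; char name[NAME_LEN]; int world_rwx; } Event;

static int cmp_name(const void *a, const void *b) {
    return strcmp(((const Entry *)a)->name, ((const Entry *)b)->name);
}
/* Scan one level of dir into s, sorted by name. Returns the entry count, or -1. */
int snapshot_dir(const char *dir, Snapshot *s) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    s->n = 0;
    for (struct dirent *de; (de = readdir(d)) != NULL && s->n < MAX_ENTRIES; ) {
        if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
        char path[4096]; struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (lstat(path, &st) < 0) continue;  /* entry vanished between readdir and lstat */
        Entry *e = &s->e[s->n++];
        snprintf(e->name, sizeof e->name, "%s", de->d_name);
        e->ino = st.st_ino; e->size = st.st_size; e->mode = st.st_mode; e->mtim = st.st_mtim;
    }
    closedir(d);
    qsort(s->e, (size_t)s->n, sizeof(Entry), cmp_name);
    return s->n;
}
static int entry_changed(const Entry *a, const Entry *b) {
    return a->ino != b->ino || a->size != b->size || a->mode != b->mode ||
           a->mtim.tv_sec != b->mtim.tv_sec || a->mtim.tv_nsec != b->mtim.tv_nsec;
}
static void emit(Event *ev, EvType t, const Entry *e) {
    ev->type = t;
    snprintf(ev->name, sizeof ev->name, "%s", e->name);
    ev->world_rwx = t != EV_DELETED && (e->mode & 0777) == 0777;  /* rwxrwxrwx */
}
/* Merge-walk two name-sorted snapshots; returns the number of events written to out. */
int diff_snapshots(const Snapshot *old, const Snapshot *cur, Event *out, int max) {
    int i = 0, j = 0, n = 0;
    while ((i < old->n || j < cur->n) && n < max) {
        int c = i >= old->n ? 1 : j >= cur->n ? -1 : strcmp(old->e[i].name, cur->e[j].name);
        if (c < 0)      emit(&out[n++], EV_DELETED, &old->e[i++]);
        else if (c > 0) emit(&out[n++], EV_CREATED, &cur->e[j++]);
        else { if (entry_changed(&old->e[i], &cur->e[j])) emit(&out[n++], EV_MODIFIED, &cur->e[j]); i++; j++; }
    }
    return n;
}
/* Sleep between probes, tunable from the environment (assumed variable FSMON_POLL_US); default 500 ms. */
useconds_t poll_interval_us(void) {
    const char *v = getenv("FSMON_POLL_US");
    long us = v ? strtol(v, NULL, 10) : 500000;
    return (useconds_t)(us > 0 ? us : 500000);
}
static void write_file(const char *path, const char *mode, const char *data) {
    FILE *f = fopen(path, mode);
    if (f) { fputs(data, f); fclose(f); }
}
/* Self-check in a fresh temp dir: create (as 0777), modify and delete one file, expecting
 * exactly one event of the right type per transition. Returns 3 when all three matched. */
int demo_poll_cycle(void) {
    char dir[] = "/tmp/fsmon-poll-XXXXXX", path[4200];
    if (!mkdtemp(dir)) return -1;
    Snapshot *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    Event ev[8]; int ok = 0;
    snprintf(path, sizeof path, "%s/probe", dir);
    snapshot_dir(dir, a);
    write_file(path, "w", "x"); chmod(path, 0777);
    snapshot_dir(dir, b);
    ok += diff_snapshots(a, b, ev, 8) == 1 && ev[0].type == EV_CREATED && ev[0].world_rwx;
    write_file(path, "a", "yy");  /* size grows, so detection does not depend on mtime granularity */
    snapshot_dir(dir, a);
    ok += diff_snapshots(b, a, ev, 8) == 1 && ev[0].type == EV_MODIFIED;
    unlink(path);
    snapshot_dir(dir, b);
    ok += diff_snapshots(a, b, ev, 8) == 1 && ev[0].type == EV_DELETED;
    rmdir(dir); free(a); free(b);
    return ok;
}
int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";
    static const char *label[] = { "CREATED", "MODIFIED", "DELETED" };
    Snapshot *prev = calloc(1, sizeof *prev), *cur = calloc(1, sizeof *cur);
    if (snapshot_dir(dir, prev) < 0) { perror(dir); return 1; }
    for (;;) {  /* the probe loop: sleep, rescan, diff, swap */
        Event ev[256];
        usleep(poll_interval_us());
        if (snapshot_dir(dir, cur) < 0) { perror(dir); return 1; }
        for (int n = diff_snapshots(prev, cur, ev, 256), k = 0; k < n; k++)
            printf("%s %s%s\n", label[ev[k].type], ev[k].name, ev[k].world_rwx ? "  [rwxrwxrwx]" : "");
        Snapshot *t = prev; prev = cur; cur = t;
    }
}
```

Two things the snapshot diff cannot give you that the kernel backends can: the pid of the writer, and any change that is undone between two probes (a file created and deleted inside one interval is invisible). Comparing inode number as well as size and mtime catches the common "replace by rename" pattern, where the name survives but the object behind it does not.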
While running the latest version 1.8.2 on iOS 12.5.1 (iPhone 5s), this error appears:
iPhone: ~ root# ./fsmon-ios_1.8.2
dyld: Symbol not found: ___chkstk_darwin
Referenced from: /private/var/root/./fsmon-ios_1.8.2 (which was built for iOS 14.1)
Expected in: dyld shared cache
in /private/var/root/./fsmon-ios_1.8.2
Abort trap: 6
Reviewing #43, I checked that an earlier version, 1.6.1, runs fine with the adjustments mentioned there:
iPhone: ~ root# ldid -e `which bash` > ent.xml
iPhone: ~ root# ldid -Sent.xml ./fsmon-ios_1.6.1
iPhone: ~ root# ./fsmon-ios_1.6.1 -h
Usage: ./fsmon-ios_1.6.1 [-Jjc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
(...)
Hi,
I was trying to compile the code on my Linux machine in order to check the FS of my Android emulator. So I ran make and this is the problem I got:
mex@hope fsmon]$ make android NDK_ARCH=x86 ANDROID_API=25
for a in x86 ; do
make aagt21compile ANDROID_API=25 NDK_ARCH=$a ;
done
make[1]: Entering directory '/home/mex/prj/simAndroidUser/fsmon'
./ndk-gcc 25 -DHAVE_FANOTIFY=1 -DHAVE_SYS_FANOTIFY=0 -I. -Wall -o fsmon-and25-x86 main.c util.c backend/*.c
Using /home/mex/Downloads/android-ndk-r10e as NDK path.
Invalid path in NDK environment, please change me.
make[1]: *** [Makefile:141: aagt21compile] Error 1
make[1]: Leaving directory '/home/mex/prj/simAndroidUser/fsmon'
make: *** [Makefile:136: android] Error 2
How can I fix it, please?
M
cc @trufae
Hi,
I downloaded v1.7.0 from https://github.com/nowsecure/fsmon/releases but when I run it I get:
$ sudo ./fsmon-osx
dyld: lazy symbol binding failed: Symbol not found: ____chkstk_darwin
Referenced from: /Users/taa/./fsmon-osx
Expected in: /usr/lib/libSystem.B.dylib
dyld: Symbol not found: ____chkstk_darwin
Referenced from: /Users/taa/./fsmon-osx
Expected in: /usr/lib/libSystem.B.dylib
I would like to point out that identifiers like "_FSMON_H_" and "_INCLUDE_UTIL_H_" might not fit the naming convention expected by the C++ language standard.
Would you like to adjust your selection of unique names?
https://msdn.microsoft.com/en-us/library/aa365261%28VS.85%29.aspx
FindFirstChangeNotification, FindNextChangeNotification and ReadDirectoryChangesW can do the required tasks.
Both on arm and x86, the Android version does not seem to work. It just outputs this:
FSE_CONTENT_MODIFIED 0 "" 0
FSE_CONTENT_MODIFIED 0 "" 0
FSE_CONTENT_MODIFIED 0 "" 0
FSE_CONTENT_MODIFIED 0 "" 0
(the same line repeats; terminal colour escapes stripped)
The make commands I used:
make android NDK_ARCH=x86 ANDROID_API=21
make android NDK_ARCH=arm ANDROID_API=21
Hey,
I downloaded and installed 'fsmon_1.4_iphoneos-arm.deb' on my iPhone with iOS 11.1.2.
However, no matter what I try, I always get the same error:
root# fsmon -h
Killed: 9
Is there any way to get this tool working on iOS 11 or any replacement for it?
I would like to monitor the FS on my Galaxy S8 phone. I am using Ubuntu 18.04.2 LTS with adb to connect to my Samsung. In my Ubuntu environment, I entered the following command:
make android NDK_ARCH=arm64 ANDROID_API=26
I then received the following response:
for a in arm84; do \
if [ -z ""]; then \
./android-shell.sh $a \
make aagt21compile ANDROID_API=26 NDK_ARCH=$a ; \
else \
make aagt21compile ANDROID_API=26 NDK_ARCH=$a ; \
fi ; \
done
Building android locally with NDK instead of dockcross......
Invalid path in NDK environment, please change me.
Makefile:166: recipe for target 'android' failed
make: *** [android] Error 1
I am unable to take a screenshot of the error as my ubuntu computer doesn't have internet and I am quite restricted at my workplace in terms of transferring stuff from development to internet laptop.
Please help!
This is: root JSON objects for each event, not waiting for the ^C to print the whole JSON array.
Looks like the current implementation doesn't work on all Android devices.
The new release fails to build for me on Arch, 4.5.1-1 kernel. It fails on:
util.c:106:19: error: 'PATH_MAX' undeclared (first use in this function)
static char path[PATH_MAX] = {0};
^
If I set it to 1024, like it was before, it builds just fine, though mine is supposed to be 4096. Should I declare my PATH_MAX somewhere?
Hello,
Should the make for Android be done in an Android environment?
Can you please provide the binary or APK for this application?
Thanks!
I suggest to reuse a higher level build system than your current small make file so that powerful checks for software features will become easier.
The function "printf" does not belong to the list of async-signal-safe functions.
What do you think about deleting its call from your function "control_c"?
On Mac 10.11.6, I cannot compile fsmon. Is this so broken?
$ make
xcrun: error: SDK "iphoneos" cannot be located
xcrun: error: SDK "iphoneos" cannot be located
xcrun: error: SDK "iphoneos" cannot be located
xcrun: error: unable to lookup item 'Path' in SDK 'iphoneos'
/Library/Developer/CommandLineTools/usr/bin/clang -arch armv7 -arch arm64 -isysroot -fembed-bitcode -flto -O3 -Wall -fembed-bitcode -I. -Wall -g -ggdb -DTARGET_IOS=1 -o fsmon-ios main.c util.c backend/*.c \
-framework CoreFoundation \
-framework MobileCoreServices
clang: warning: no such sysroot directory: '-fembed-bitcode'
clang: warning: no such sysroot directory: '-fembed-bitcode'
main.c:3:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.
util.c:3:10: fatal error: 'ctype.h' file not found
#include <ctype.h>
^
1 error generated.
backend/devfsev.c:4:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.
backend/fsevapi.c:4:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.
backend/kdebug.c:4:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.
backend/kqueue.c:4:10: fatal error: 'stdio.h' file not found
#include <stdio.h>
^
1 error generated.
make: *** [ios] Error 1
gmake: Entering directory '/github/home/.ppkg/run/166/linux-musl-x86_64/fsmon/src'
/github/home/.ppkg/core/wrapper-target-cc -o fsmon -Os -I. -Wall -DFSMON_VERSION=\"1.8.6\" -DHAVE_FANOTIFY=1 -DHAVE_SYS_FANOTIFY=1 -static --static -ffunction-sections -fdata-sections -Wl,--gc-sections -Wl,--no-dynamic-linker -L/github/home/.ppkg/run/166/linux-musl-x86_64/fsmon/lib -Wl,--as-needed -Wl,-z,muldefs -Wl,--allow-multiple-definition -flto -Wl,-s main.c util.c backend/*.c
In file included from backend/fanotify.c:49:
/usr/include/linux/fanotify.h:130:8: error: redefinition of 'struct fanotify_event_metadata'
130 | struct fanotify_event_metadata {
| ^~~~~~~~~~~~~~~~~~~~~~~
In file included from backend/fanotify.c:34:
/usr/include/sys/fanotify.h:10:8: note: originally defined here
10 | struct fanotify_event_metadata {
| ^~~~~~~~~~~~~~~~~~~~~~~
/usr/include/linux/fanotify.h:153:8: error: redefinition of 'struct fanotify_event_info_header'
153 | struct fanotify_event_info_header {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/fanotify.h:24:8: note: originally defined here
24 | struct fanotify_event_info_header {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/linux/fanotify.h:166:8: error: redefinition of 'struct fanotify_event_info_fid'
166 | struct fanotify_event_info_fid {
| ^~~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/fanotify.h:30:8: note: originally defined here
30 | struct fanotify_event_info_fid {
| ^~~~~~~~~~~~~~~~~~~~~~~
/usr/include/linux/fanotify.h:205:8: error: redefinition of 'struct fanotify_response'
205 | struct fanotify_response {
| ^~~~~~~~~~~~~~~~~
/usr/include/sys/fanotify.h:36:8: note: originally defined here
36 | struct fanotify_response {
| ^~~~~~~~~~~~~~~~~
backend/fanotify.c: In function 'parseFaEvent':
backend/fanotify.c:86:44: warning: passing argument 2 to 'restrict'-qualified parameter aliases with argument 1 [-Wrestrict]
86 | path_len = readlink (path, path, sizeof(path)-1);
| ~~~~ ^~~~
backend/inotify.c: In function 'pidofuid':
backend/inotify.c:198:32: warning: unused variable 'entry2' [-Wunused-variable]
198 | struct dirent *entry, *entry2;
| ^~~~~~
backend/inotify.c: At top level:
backend/inotify.c:98:13: warning: 'lsof' defined but not used [-Wunused-function]
98 | static void lsof(const char *filename) {
| ^~~~
gmake: *** [Makefile:40: fsmon] Error 1
gmake: Leaving directory '/github/home/.ppkg/run/166/linux-musl-x86_64/fsmon/src'
Filesystem monitoring on FreeBSD needs to be done using the kqueue API.
I am trying to run fsmon on iOS 12.1.2 (iPhone 6S) jailbroken using Unc0ver. When running fsmon it returns the error message Killed: 9.
What I have already tried:
lipo and ldid (Source: https://medium.com/@felipejfc/the-ultimate-guide-for-live-debugging-apps-on-jailbroken-ios-12-4c5b48adf2fb)
On Mac: lipo -thin arm64 fsmon-ios -output fsmon-ios-arm64
On iOS: ldid -Sentity.xml fsmon-ios-arm64
util.c:106:19: error: ‘PATH_MAX’ undeclared (first use in this function)
I guess a #include <linux/limits.h> is missing; it should probably be #ifdef-ed, if it is not there on Android, etc.
Hello pancake,
We are currently considering fsmon for high-throughput DNA sequencing @umccr but after trying other inotify-based systems, we found a common drawback: they all break since we have >200.000 directories being created on a regular basis (yes, the sad reality of DNA sequencer software we cannot easily circumvent, unfortunately).
Would it be much hassle to implement monitors that only go up to one level in the directory hierarchy so that the monitoring of new files goes faster? Pretty much all the other file monitoring systems either run out of memory or they just take a painfully long time to watch all the hierarchy (unnecessary in our use case).
Cheers!
/cc @reisingerf
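One-level watching of the kind asked for above, written as an added example and not as fsmon's own inotify backend (which this page does not show): a single inotify watch on the named directory and no recursion, so the cost stays at one watch descriptor no matter how many subdirectories appear beneath it. The names watch_one_level, drain_events and demo_one_level are mine; the self-check creates its own temporary directory and confirms that a file created directly in it is reported while a file created one level down is not. Linux only.

```c
/* Single-level (non-recursive) inotify watch (added example, not fsmon's backend). */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct { uint32_t mask; char name[NAME_MAX + 1]; } DirEvent;

/* Returns a non-blocking inotify fd watching dir at one level only, or -1 (errno set). */
int watch_one_level(const char *dir) {
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) return -1;
    uint32_t mask = IN_CREATE | IN_MODIFY | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO | IN_ONLYDIR;
    if (inotify_add_watch(fd, dir, mask) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Drain whatever the kernel has queued; returns the number of events copied into out. */
int drain_events(int fd, DirEvent *out, int max) {
    char buf[16 * (sizeof(struct inotify_event) + NAME_MAX + 1)] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0) break;                  /* EAGAIN: queue is empty */
        for (char *p = buf; p < buf + len && n < max; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            out[n].mask = ev->mask;           /* IN_Q_OVERFLOW shows up here when the queue overflowed */
            snprintf(out[n].name, sizeof out[n].name, "%s", ev->len ? ev->name : "");
            n++;
            p += sizeof *ev + ev->len;
        }
    }
    return n;
}

/* Self-check: "top" (a file) and "sub" (a directory) are created in the watched dir and must
 * both be reported; "sub/nested" is one level down and must not. Returns the number of
 * IN_CREATE events for top/sub (expected 2), or a negative value if nested leaked through. */
int demo_one_level(void) {
    char dir[] = "/tmp/fsmon-inotify-XXXXXX", path[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    int fd = watch_one_level(dir);
    if (fd < 0) { rmdir(dir); return -2; }
    FILE *f;
    snprintf(path, sizeof path, "%s/top", dir);        f = fopen(path, "w"); if (f) fclose(f);
    snprintf(path, sizeof path, "%s/sub", dir);        mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/sub/nested", dir); f = fopen(path, "w"); if (f) fclose(f);
    DirEvent ev[32];
    int n = drain_events(fd, ev, 32), seen = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].name, "nested") == 0) { seen = -100; break; }
        if ((ev[i].mask & IN_CREATE) && (!strcmp(ev[i].name, "top") || !strcmp(ev[i].name, "sub"))) seen++;
    }
    close(fd);
    unlink(path);
    snprintf(path, sizeof path, "%s/sub", dir); rmdir(path);
    snprintf(path, sizeof path, "%s/top", dir); unlink(path);
    rmdir(dir);
    return seen;
}

int main(int argc, char **argv) {
    int fd = watch_one_level(argc > 1 ? argv[1] : ".");
    if (fd < 0) { perror("inotify"); return 1; }
    for (;;) {
        DirEvent ev[64];
        int n = drain_events(fd, ev, 64);
        for (int i = 0; i < n; i++)
            printf("0x%08x %s%s\n", ev[i].mask, ev[i].name, (ev[i].mask & IN_Q_OVERFLOW) ? " [queue overflow]" : "");
        usleep(100000);  /* a real loop would poll(2) on fd instead of sleeping */
    }
}
```

The trade-off is explicit: nothing below the first level is ever reported, which is exactly the property wanted for a flat "new run directory appeared" signal, and a burst larger than /proc/sys/fs/inotify/max_queued_events is flagged by the kernel as IN_Q_OVERFLOW rather than silently dropped, so the consumer can rescan instead of trusting an incomplete stream.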
cc @ekristen can you please help to rename this repo xnu-fsmon.
fanotify_init: Function not implemented
Commit 6e64950 changed OS X compilation to no longer generate a binary named fsmon-fat, but rather just fsmon. The make install command is still looking for fsmon-fat, though, and will error:
Updating Makefile to remove -fat from the install command resolves this:
Thank you for an absolutely fantastic tool! Absolutely love fsmon 👍
https://github.com/nowsecure/fsmon/archive/1.8.4.tar.gz
I suggest using the following code to test whether the target is Android:
TARGET_MACHINE := $(shell $(CC) -dumpmachine 2>/dev/null)
ifneq ($(findstring -android,$(TARGET_MACHINE)),)
# target triple contains "-android": use the Android settings here
endif
No events when trying out the fsevapi:
$ ./fsmon-osx -B fsevapi .
$ touch foo
[no events shown]
The default backend (devfsev?) works but requires root for local non-root-owned paths.
It's true that the output from fsmon is nicer than fs_usage but it doesn't lose any event.
$ sudo fs_usage 43
18:28:12.852614 write F=14 B=0x4f 0.000005 syslogd.2809400
18:28:12.852748 write F=14 B=0x78 0.000009 syslogd.2808983
18:28:12.852838 write F=14 B=0x59 0.000009 syslogd.2808983
18:28:12.854518 write F=14 B=0x63 0.000011 syslogd.2809400
18:28:22.015680 lseek F=7 O=0x00000000 <UNKNOWN> 0.000002 syslogd.2809428
18:28:22.017050 write F=7 B=0x8 0.001370 syslogd.2809428
18:28:22.017079 lseek F=12 O=0x000aecfc <UNKNOWN> 0.000003 syslogd.2809428
18:28:22.018387 write F=12 B=0x9a 0.001307 syslogd.2809428
18:28:22.018390 lseek F=12 O=0x000aec68 <UNKNOWN> 0.000001 syslogd.2809428
18:28:22.018393 write F=12 B=0x8 0.000003 syslogd.2809428
18:28:22.018394 lseek F=12 O=0x00000025 <UNKNOWN> 0.000001 syslogd.2809428
18:28:22.019752 write F=12 B=0x8 0.001359 syslogd.2809428
18:28:22.019756 lseek F=12 O=0x000aed96 <UNKNOWN> 0.000002 syslogd.2809428
18:28:22.021179 write F=8 B=0x84
With fsmon I had to change between different backends; any of them were working except fsevapi, but it is giving the following output, which is quite hard to make heads or tails of.
The process that I am monitoring, with the purpose of exploring the tool, is syslogd. I wouldn't mind looking at this issue and working on the output, but I'm busy these days. Will try in the following weeks.
Here is what I did:
Downloaded the zip from https://github.com/nowsecure/fsmon/
Expand the zip and run make iOS on your MacBook.
Use a tool to copy the file over to the jailbroken device.
chmod 755 fsmon-ios to enable execution.
./fsmon-ios -L lists the systems fsmon can observe. WORKS.
./fsmon-ios -v smoke test, it displays the version. WORKS.
./fsmon-ios -p [pid] FAILS.
fsmon-ios is not able to run from /var/tmp on iOS devices jailbroken with checkra1n. The binary is able to run with the following additional entitlement:
<key>com.apple.private.security.container-required</key>
<false/>
Tested on iPhone X running iOS 13.7 and iPhone SE (1st Gen) running iOS 14.1. I've not been able to test on lower iOS versions with other jailbreaks.