malware – How to identify the app/process which re-mounts partitions R/W, creates files and changes file permissions?

Note: Following solution requires a rooted device. Kernel must be built with AUDIT_WATCH, preferably AUDIT_TREE.

The only good thing Google did was to choose the flexible and configurable Linux kernel for Android, not going for something like a crippled kernel and trying to handle everything from userspace, including running a Linux kernel (1).

Linux kernel’s Audit System makes it possible to log any system calls or filesystem changes made by a process. In our case we need to identify the process(es) which are writing to /sdcard or /system and making syscalls mount and chmod.

Linux distributions have a service auditd which communicates with the kernel to get information about security-related events. On Android we already have logd, not as configurable as auditd but enough for basic monitoring. logd mainly covers the functionality of its desktop counterpart syslogd, but also includes klogd and partially auditd to get logs from the SELinux subsystem of the kernel.

We can add a few more rules using auditctl to also report the events we are interested in. You can use auditctl from a minimal Linux environment on your Android device, or compile the binary from source code (it should be built with --with-arm / --with-aarch64, whichever your device’s architecture is), or get one pre-compiled here.

Now create rules files in /etc or wherever you want to:

# /etc/audit-start.rules

# enable auditing, won't work in PID namespace
# won't work if permanently disabled with kernel parameter "audit=0"
-e 1

# delete previous rules (though there are none on Android)
-D

# increase the buffers to avoid failure
# no. of event to be queued, waiting for logd to read them
-b 10000

# disable rate limit (msgs/sec) to avoid failure
-r 0

# this determines how long to wait in burst of events
--backlog_wait_time 0

# set failure mode to dmesg
-f 1

# define filesystem rules, whatever file/directory you want to watch
-w /system -p wa -k FILESYSTEM_AUDIT

# define syscall rules, see all syscalls with 'ausyscall --dump' or
# here: github.com/linux-audit/audit-userspace/blob/master/lib/aarch64_table.h
-a always,exit -S fchmod -S fchmodat -k CHMOD_AUDIT
-a always,exit -S mount -k MOUNT_AUDIT

# /etc/audit-stop.rules

# clear on exit, restore Android default values
-e 0
-D
-b 64
-r 5
--backlog_wait_time 18000

Apply rules:

~# auditctl -R /etc/audit-start.rules

Now make changes; mount /system R/W, write/delete something there and change file permissions.

Depending on the logd configuration, you can get the audit log in one or more of several logs (2), including the events buffer (3) of logcat and the main buffer (4):

~# logcat -d -b events,main | grep _AUDIT

Or in the kernel’s printk buffer (5) and logcat’s kernel buffer (6):

~# dmesg | grep _AUDIT
~# logcat -d -b kernel | grep _AUDIT
audit(0.0:16122): arch=c00000b7 syscall=40 success=yes exit=0 a0=7fcec5db38 a1=7fcec5db3f a2=0 a3=8021 items=1 ppid=761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="busybox" exe="/data/data/com.mixplorer/files/busybox/busybox" subj=u:r:magisk:s0 key="MOUNT_AUDIT"
audit(0.0:16126): arch=c00000b7 syscall=53 success=yes exit=0 a0=ffffff9c a1=7b839180c0 a2=81a4 a3=0 items=1 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="Thread-7" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="CHMOD_AUDIT"
audit(0.0:16141): arch=c00000b7 syscall=35 success=yes exit=0 a0=ffffff9c a1=7bc22a3c40 a2=0 a3=7bdfbd3098 items=2 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="pool-2-thread-1" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="FILESYSTEM_AUDIT"

The first line shows that a process running as root with Magisk’s SELinux context made syscall 40 (mount), and the command shows it’s the MiXplorer app (just as an example, I did that myself).
The second line indicates that the app running with UID 10135 chmoded something.
The third line shows that the same app (by making syscall 35) deleted something in the /system partition.

This is a simple use case. More recursive rules can be defined to deal with complex situations, interpreting other fields of log as well, as explained here.

To clear rules:

~# auditctl -R /etc/audit-stop.rules

NOTE:

  • For simple cases where the objective is just to get notified of some filesystem changes (and not to trace the originator), inotify API can be used instead as explained in this answer.
  • In order to mark all the processes that run before the audit starts as auditable by the kernel, pass the audit=1 boot parameter to the kernel, either by editing cmdline in boot.img or by using the fastboot -c option.
  • To save audit log to a file, run logcat in background:

    logcat -s auditd -b events -f /data/media/0/auditd.log &
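As an added example (not part of the original answer), a small Python parser for the audit records shown above: it splits the key=value fields, names the aarch64 syscall numbers the rules report and decodes the Android UID into user and app id, so a noisy log collapses to one row per process, key and syscall. The syscall table and the UID layout (user*100000 + app id, app ids from 10000) are my assumptions, not taken from the post.

```python
import re
from collections import Counter

# aarch64 syscall numbers (arch=c00000b7) for the syscalls the rules above report.
# Assumption: taken from the aarch64 table; other architectures use other numbers.
AARCH64_SYSCALLS = {35: "unlinkat", 40: "mount", 52: "fchmod", 53: "fchmodat"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the three records shown above, trimmed to the fields we use.
SAMPLE_LOG = """\
audit(0.0:16122): arch=c00000b7 syscall=40 success=yes exit=0 ppid=761 uid=0 gid=0 tty=(none) comm="busybox" exe="/data/data/com.mixplorer/files/busybox/busybox" subj=u:r:magisk:s0 key="MOUNT_AUDIT"
audit(0.0:16126): arch=c00000b7 syscall=53 success=yes exit=0 ppid=11687 uid=10135 gid=10135 tty=(none) comm="Thread-7" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="CHMOD_AUDIT"
audit(0.0:16141): arch=c00000b7 syscall=35 success=yes exit=0 ppid=11687 uid=10135 gid=10135 tty=(none) comm="pool-2-thread-1" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="FILESYSTEM_AUDIT"
"""

def parse_record(line):
    """Split one audit(...) record into a dict; quoted values are unquoted."""
    if "audit(" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    nr = int(fields.get("syscall", "-1"))
    # Only resolve the number when the record says it came from an aarch64 process.
    if fields.get("arch") == "c00000b7":
        fields["syscall_name"] = AARCH64_SYSCALLS.get(nr, "unknown")
    else:
        fields["syscall_name"] = "unknown"
    uid = int(fields.get("uid", "-1"))
    # Android UID layout (assumption): user*100000 + app id; app ids >= 10000 are apps.
    fields["android_user"] = uid // 100000
    fields["app_id"] = uid % 100000
    fields["is_app"] = fields["app_id"] >= 10000
    return fields

def triage(lines):
    """Count (exe, uid, key, syscall) tuples so repeated events become one row each."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or "key" not in rec:
            continue  # not a keyed record from our rules
        counts[(rec["exe"], int(rec["uid"]), rec["key"], rec["syscall_name"])] += 1
    return counts

if __name__ == "__main__":
    for (exe, uid, key, name), n in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:4d} uid={uid:<6d} {key:<17s} {name:<9s} {exe}")
```

Feed it the output of `logcat -d -b kernel | grep _AUDIT` to get the same summary for a live device.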
    

malware – How I can read and handle MS Office documents, such as doc/ppt files, securely?

I’ve heard of too many horror stories of people opening a seemingly innocent docx or pptx file that they’ve got from a business partner, only to find out that it had embedded malware inside. What should a security conscious person do if they receive a doc or a ppt file that they wish to see the contents of, but cannot guarantee the reliability of its source? Is there any recommended practice to handle this, besides ‘don’t do it’?

open source – How to launch .img files from Android in Qemu

I just compiled GrapheneOS (Android 11 based OS) and I got all of these images and files:

lz@vm:/mnt/android-dev-1/aosp/grapheneos-RQ1A.210105.003.2021.01.05.03/out/target/product/generic_x86_64$ ls
advancedFeatures.ini     fake_packages                              module-info.json          system-qemu.img
android-info.txt         gen                                        module-info.json.rsp      testcases
apex                     hardware-qemu.ini                          multiinstance.lock        tmpAdbCmds
appcompat                hardware-qemu.ini.lock                     obj                       userdata.img
build.avd                installed-files.json                       obj_x86                   userdata-qemu.img
build_fingerprint.txt    installed-files-ramdisk-debug.json         previous_build_config.mk  userdata-qemu.img.qcow2
build_thumbprint.txt     installed-files-ramdisk-debug.txt          ramdisk                   vbmeta.img
cache                    installed-files-ramdisk.json               ramdisk-debug.img         vendor
cache.img                installed-files-ramdisk.txt                ramdisk.img               vendor_boot-debug.img
cache.img.qcow2          installed-files-root.json                  ramdisk-qemu.img          vendor_boot.img
clean_steps.mk           installed-files-root.txt                   recovery                  vendor_debug_ramdisk
config.ini               installed-files.txt                        root                      vendor.img
data                     installed-files-vendor.json                super_empty.img           vendor-qemu.img
debug_ramdisk            installed-files-vendor-ramdisk-debug.json  super.img                 vendor-ramdisk
dtb.img                  installed-files-vendor-ramdisk-debug.txt   symbols                   vendor-ramdisk-debug.cpio.gz
emu-launch-params.txt    installed-files-vendor.txt                 system                    VerifiedBootParams.textproto
encryptionkey.img        kernel-ranchu                              system.img                version_num.cache
encryptionkey.img.qcow2  misc_info.txt                              system-qemu-config.txt

I’ve read a lot about AOSP and ROM images. I’ve inspected some Xiaomi ROMs and I know that Android has a lot of partitions. Most of these are read only, and one is mounted into /data which is writeable. The most important one is system.img, but Android can’t boot with only this one.

If I simply run emulator after compiling the OS (where emulator is defined by build/envsetup.h and it’s simply a binary in /mnt/android-dev-1/aosp/grapheneos-RQ1A.210105.003.2021.01.05.03/prebuilts/android-emulator/linux-x86_64), the Android Emulator, that looks like the one that comes with Android Studio, launches the image I just built.

I think this emulator binary reads some ENV variable about where the currently selected Android OS is located and then knows how to mount all the .img files and launch in Qemu, where Qemu is located in the qemu folder in the same folder as emulator.

I know this is not the same as upstream Qemu, but I would like to know how to launch these images in the Google patched Qemu.

9 – Why does the upload progress bar reset at 40% when uploading large files?

I’m uploading a 5 GB file and the upload progress bar resets at 40%.

When it gets to 40% it starts counting again from 0%.

Eventually the file does upload completely but this is not good UX.

I was wondering if anyone knows how I can make the progress bar reach 100% like it should.

EDIT:

Here are some configuration settings requested in the comments:

post_max_size = 6G
upload_max_filesize = 6G
default_socket_timeout = 60
max_execution_time = 7200
max_input_time = 7200

This doesn’t happen for smaller sized files. The file upload does end. It doesn’t get to 40% again. I think it gets stuck at 19% then.

All this time the file is being correctly uploaded to the temporary directory like it should. Like when the bar reaches 40% the file will continue to upload the temp file until it reaches the full 5G.


c++ – can winsock write to files and sockets using the write call like linux?

Compiling code in gcc on windows under msys2.

Working code in linux called:

write(fd, buf, len)

for a file descriptor that wrote to a socket, or a file.

In Windows, this code on a socket gives a runtime warning and crashes:

invalid parameter passed to c runtime function

The documentation we found shows using the send call, but I still want to be able to use the same code to either write to a socket or a file. Is this possible under windows?

database – How to migrate PDF files to specific node

I have a directory with PDF files and I have 45 nodes of content type Download. I have to migrate each PDF file to specific node. All PDF file names I read from a CSV. Before these PDF files, I had to migrate title (drupal default field) , external title and a checkbox field to each node. I did it successfully, but migrating PDF files is I guess different and a lot more difficult.

Here is my code for migrating PDF files

id: program_files
label: Migrating files for Download content type.
migration_tags:
  - file
source:
  plugin: csv
  path: 'modules/custom/csv_migration/sources/downloads.csv'
  header_row_count: 1
  ids: (constants/file_source_uri)
  keys:
    - PLACEMENTPATH
  fields:
    0:
      name: field_document_file
      label: 'Download file'
  constants:
    file_source_uri: (public://import/program)
    file_dest_uri: ('public://download/files')
destination:
  plugin: 'entity:file'
process:
  file_source:
    -
      plugin: concat
      delimiter: /
      source: (constants/file_source_uri, PLACEMENTPATH)
  file_dest:
    -
      plugin: concat
      delimiter: /
      source: (constants/file_dest_uri, PLACEMENTPATH)
  filename: PLACEMENTPATH
  uri:
    -
      plugin: file_copy
      source:
        - '@file_source'
        - '@file_dest'

Once I run the command drush ms it shows me the migration id (program_files), but after that when I run drush mim program_files, it throws an error like this.

In Connection.php line 744:

  Placeholders must have a trailing () if they are to be expanded with an array of values.

The thing I notice once I start drush mim program_files is that the directory download is created in sites/default/files, since I defined that in the YML, but no files are transferred.

What am I doing wrong? Please, help.

How to play sound files in a folder (1.mp3, 2.mp3, 3.mp3, ...) using variables, not explicit file names, in Python?

This question is too easy and a little bit weird to experts, but so curious to me, a beginner. Actually I have tried to search for the solution on the Internet, but couldn’t find any solution.
In the search results there is just an explicit file name in the command, like “playsound(‘1.mp3’)”.

Please let me know how I can use variables instead of explicit filenames as below.
There are about 50000 files in the folders.
How can I do this without variables?
playsound(‘1.mp3’)
playsound(‘2.mp3’)
.
.
How can I do it like this? (even though it doesn’t work)
for num in range(1, 5):
    playsound(‘num.mp3’) —> however it doesn’t work

I would really appreciate if you let me know this.

python – Cannot assign to function call when looping through and converting excel files

With this code:

xls = pd.ExcelFile('test.xlsx')
sn = xls.sheet_names
for i,snlist in list(zip(range(1,13),sn)):
    'df{}'.format(str(i)) =  pd.read_excel('test.xlsx',sheet_name=snlist, skiprows=range(6))

I get this error:

‘df{}’.format(str(i)) = pd.read_excel(‘test.xlsx’,sheet_name=snlist,
skiprows=range(6))
^ SyntaxError: cannot assign to function call

df+str(i) also returns an error.

I want the result to be:
df1 = pd.read_excel.. list1…
df2 = pd.read_excel… list2….

Can’t find cause of malware in WordPress site – adding html files with redirects

I’m helping a non-profit and they have had malware on their WordPress site. I installed Sucuri and it quickly finds some strangely named HTML files in the base directory. I removed those files. Because of the malware found, the non-profit was blacklisted on 3 different spam sites (mxlookup search). I had updated all of their plugins, WordPress software, themes. I had removed unused themes and removed other users. They finally got off of the blacklists, but then today Sucuri found another malware file.

The file is always in the base WordPress directory and named with random characters (e.g., QPez2ejsEdss.html), and the contents are this:

<meta http-equiv="refresh" content="0;http://SOME_STRANGE_WEBSITE/">

Where SOME_STRANGE_WEBSITE is clearly a bad website.

What tools can I use to find the dropper of the malware?