3

I have an Android app that will create a file and immediately delete it. I want to know how can I catch this file or create a copy or even disable user permissions to delete a file. I have root access to the device.

Amin
  • 49
  • 4
  • I'm pretty sure there's a way to monitor a directory for changes, at least sometimes... I'd start by searching for that – Xen2050 Mar 26 '19 at 01:20
  • @Xen2050 i find the answer i can do it with inotify but because the linux is on android i can't install it easily im trying to install it – Amin Mar 26 '19 at 01:21
  • I think inotify's right, no idea how to get it working with android either. Possibly a program/script that just reads a directory every second & immediately copies new files might work too, but might be resource intensive & slow things down – Xen2050 Mar 26 '19 at 01:24
  • @Xen2050 its on an emulator so i don't care about performance – Amin Mar 26 '19 at 01:25
  • Could just loop some find/ls & sleep 0.25 commands then, maybe with an array of found files, then when it changes do something? – Xen2050 Mar 26 '19 at 01:27
  • @Xen2050 there is a great app named busy-box and the app have all the important packages including inotify and its super easy to use and install too – Amin Mar 26 '19 at 01:31

1 Answers1

4

You can achieve this using inotifywait from inotify-tools. Your kernel must be built with CONFIG_INOTIFY_USER=y for this to work. You can confirm with:

~# zcat /proc/config.gz | grep INOTIFY

Or the existence of /proc/sys/fs/inotify directory. /proc/config.gz may not exist on all devices depending on kernel build configuration.

Let's say /data/data/com.xyz/files/ is the directory you want to watch. 

~$ mkdir -p /sdcard/backup/
~# inotifywait -rm --format '%w%f' -e create /data/data/com.xyz/files/ |
while read file
do
    [ -f "$file" ] && cp -av "$file" /sdcard/backup/
done

-e create is the event that reports that a file/directory is created in watched directory, --format is to get filename with complete path, -m is to watch continuously and -r establishes watches recursively. -d can daemonize the process i.e. run in background.

All newly created files in watched directory or in any sub-directory will be copied to /sdcard/backup.

You can also use busybox inotifyd for simple use case as explained here. For more options see inotifywait(1).

RELATED: How to identify the app/process which re-mounts partitions R/W, creates files and changes file permissions?

Irfan Latif
  • 20,353
  • 3
  • 70
  • 213
  • hi link the easiest way is to work with this c library – Amin Mar 26 '19 at 13:35
  • I could not make this way to work but the c script is worked just fine and a lot easier but maybe the problem was with my execution. – Amin Mar 26 '19 at 13:47
  • hi im steel stuck can you please help me a little bit? im really confused i can't execute this c script either – Amin Mar 26 '19 at 23:25
  • Well, there is no reason fo both of my methods I mentioned here and the other one to not work. They are very straightforward. And C is not a scripting language. What you have written is a program in C language, which needs to be compiled into an executable binary using some compiler. – Irfan Latif Mar 27 '19 at 06:13
  • hi, I got the file with termux inotify but its a .so file not dex – Amin Mar 28 '19 at 00:27
  • 1
    @Amin Looks like you only got the library (libinotify), not the command-line tools (inotify-tools). Anyway you never get dex file, dex is Java code, and is not executed on command-line level. Command-line tools are native executables. – Robert Mar 28 '19 at 14:47
  • 1
    All Android kernels should support inotify tools because Android API contains FileObserver which bases on inotify. Hence any official kernel have to support it otherwise it could not pass the Google compatibility test. – Robert May 07 '20 at 10:31
  • is there a way to replace the file immediately after its creation? – ddddavidee Sep 07 '20 at 14:33
  • @ddddavidee replace with what? inotify informs you as soon as the file is created (or modified, or deleted). Now it's up to you what you do with the file (or with something else). – Irfan Latif Sep 07 '20 at 14:57
  • I have an app creating a file and loading it in memory. I would like to replace it before being loaded... – ddddavidee Sep 13 '20 at 18:39