Friday, 21 October 2011

Linux: getting flash videos from almost deleted files


#!/bin/sh
# Save every deleted-but-still-open /tmp/Flash* cache file that lsof can find.

DATE=$(date +%Y.%m.%d-%H:%M:%S)

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
lsof | grep Flash | while read -r LINE; do
    PID=$(echo "${LINE}" | awk '{ print $2 }')
    # FD is printed as e.g. "83u"; strip the access-mode letter to get the number
    FD=$(echo "${LINE}" | awk '{ print $4 }' | sed 's/[a-zA-Z]//')
    # the unlinked file is still readable through the process's open handle
    cat "/proc/${PID}/fd/${FD}" > ~/"${DATE}-${FD}.flv"
done

exit 0


It used to be easy: if you wanted to save a video played by the Flash plugin, it was as simple as copying a file from the browser's cache. Why use special web pages or plugins when you could just:

cp /tmp/Flash* ~/video.flv

In other words, the Flash plugin had already downloaded that file for you. But it seems Adobe changed this in one of its recent updates, and there is no /tmp/Flash* file anymore... or maybe there is?

The cached movie is still written to the filesystem. The plugin quickly unlinks it (the filesystem term for deleting a file: its directory entry is removed), but the plugin keeps an open handle to it. The result is that the cache file is no longer visible in the directory, yet it still occupies space on disk and can be read through that handle. This is how Linux filesystems work: as long as at least one open handle to a file exists, the file's data is not removed from the filesystem.

Now we need two tools. The first is lsof, which lists the open file handles of every process. The key fact is that the deleted file is still created as /tmp/Flash*, so its name is still visible in lsof's output. Let's find the handle:

liori% lsof|grep Flash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox-b 23220 liori 83u REG 254,0 10565348 929 /tmp/FlashXXQCq4K0 (deleted)

I added lsof's header to make it clearer. Note that funny (deleted) remark: when you check the contents of /tmp, you won't see that file! We're interested in the PID and the FD number. FD is the number of the open handle, and PID is the identifier that distinguishes one running program from another.

The second tool is the /proc filesystem. This is a special directory present on all commonly used Linux installations. It contains data about the running system: driver settings, the process list, diagnostic information. Most interesting for us is that it contains entries representing every open file handle. In our case (PID=23220 and FD=83) the handle to our deleted file is /proc/23220/fd/83. Again, if you just list that directory, you will only see what looks like a broken symlink. But what if you do this?

liori% cat /proc/23220/fd/83 >video.flv

...you'll get the contents of the deleted file!

This technique is of course not only useful for grabbing videos downloaded by your Flash plugin. Any time you delete a file but realize it is still open in some program, you can recover it the same way.
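The recovery steps above (find the (deleted) handle, then read it back through /proc/PID/fd) can be done without parsing lsof at all, because /proc/PID/fd/N is a symlink whose target ends in " (deleted)" exactly when the file has been unlinked. The script below is an added example, not part of the original post: it scans /proc for deleted-but-open files matching a name pattern, copies one back out, and includes a self-contained demonstration that creates its own constructed sample file, holds it open in a background process, unlinks it and recovers it. The function names, the /tmp-style sample path and the 30-second holder process are all this example's own choices. It only sees processes you are allowed to inspect (your own, or everything as root).

```shell
#!/bin/sh
# Added example: recover deleted-but-open files through /proc/<pid>/fd.

# Print "fd target" for every fd of PID whose link target ends in " (deleted)".
list_deleted_fds() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        [ -L "$link" ] || continue            # unreadable pid or no match
        target=$(readlink "$link") || continue
        case $target in
            *" (deleted)") printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Scan every inspectable process for deleted-but-open files whose original
# path contains PATTERN (the equivalent of the post's "lsof | grep Flash").
# Output lines: "pid fd target".
find_deleted_open() {
    pattern=$1
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        list_deleted_fds "$pid" 2>/dev/null | while read -r fd target; do
            case $target in
                *"$pattern"*) printf '%s %s %s\n' "$pid" "$fd" "$target" ;;
            esac
        done
    done
}

# Copy the still-open contents of fd FD of process PID to DEST.
recover_fd() {
    pid=$1; fd=$2; dest=$3
    cat "/proc/$pid/fd/$fd" > "$dest"
}

# Self-contained demonstration: write a constructed sample file, let a
# background shell open it and unlink it (what the Flash plugin does with its
# cache), find the handle via /proc, recover the data and print it.
demo_recover() {
    tmpdir=$(mktemp -d)
    original="$tmpdir/cache.bin"
    printf 'constructed sample video bytes\n' > "$original"
    # open on fd 3, delete the name, then idle so the handle stays open
    sh -c 'exec 3<"$1"; rm -f "$1"; sleep 30' sh "$original" &
    holder=$!
    # wait until the holder has actually unlinked the file
    i=0
    while [ -e "$original" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i+1)); done
    hit=$(find_deleted_open "$original" | head -n 1)
    pid=${hit%% *}
    rest=${hit#* }
    fd=${rest%% *}
    recover_fd "$pid" "$fd" "$tmpdir/recovered.bin"
    kill "$holder" 2>/dev/null || true
    cat "$tmpdir/recovered.bin"
    rm -rf "$tmpdir"
}

if [ "${1-}" = "demo" ]; then
    demo_recover
fi
```

Run it as `sh recover.sh demo` to see the round trip, or source it and call `find_deleted_open Flash` to get the same pid/fd pairs the post pulls out of lsof. Reading through /proc works for any open file, so the recovered copy is complete only up to whatever the holding process has written so far; for a video still being downloaded, wait for the download to finish before copying.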

http://liori.jogger.pl/2010/11/08/getting-flash-videos-from-almost-deleted-files/

Drunk Penguins
