npm - @chainlesschain/personal-data-hub - Versions diffs - 0.4.31 → 0.4.33 - Mend

@chainlesschain/personal-data-hub 0.4.31 → 0.4.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/forensics/plaintext-db-collect.js +99 -0
package/lib/forensics/wechat-collect.js +134 -0
package/package.json +4 -2

package/lib/forensics/plaintext-db-collect.js ADDED Viewed

@@ -0,0 +1,99 @@
+'use strict';
+/**
+ * plaintext-db-collect — generic ingester for an app's PLAINTEXT SQLite dbs.
+ *
+ * Many app dbs aren't encrypted (browse/read/history/content/config). The Magisk
+ * daemon (root) can read them directly on MIUI; this turns any such db into vault
+ * events by pulling readable text records from each table — comprehensive coverage
+ * of the "明文库" personal data without per-db schema work. Encrypted IM dbs
+ * (QQNT/WeChat/WCDB2) have their own decrypt collectors; this is for the rest.
+ *
+ * Heuristics: skip system/Room-internal tables; per table, take TEXT-ish columns;
+ * keep a row only if it has a meaningful readable value (CJK, or ≥6 letters, not a
+ * uuid/hash/base64 blob); derive a time from any *time/*date/created/_at column.
+ * Pure Node + a caller-provided better-sqlite3 ctor.
+ */
+const crypto = require('crypto');
+const SKIP_TABLE = /^(android_metadata|sqlite_|room_master_table|_room|.*_fts(_.*)?$|.*_log$|.*_index$)/i;
+const TEXT_TYPE = /text|char|clob|json|varchar|string/i;
+const TIME_COL = /(^|_)(time|date|created|updated|_at|timestamp|ctime|mtime)($|_)/i;
+const NOISE_VAL = /^(([0-9a-f]{16,})|([A-Za-z0-9+/=_-]{24,})|(\d{6,})|(https?:\/\/\S+)|(\{.{0,3}\})|(\[\]))$/;
+function normTime(v) {
+  const n = Number(v);
+  if (!Number.isFinite(n) || n <= 0) return 0;
+  if (n > 1e16) return Math.floor(n / 1e6); // ns? → ms
+  if (n > 1e14) return Math.floor(n / 1e3); // µs → ms
+  if (n > 1e12) return n; // ms
+  if (n > 1e9) return n * 1000; // s → ms
+  return 0;
+}
+function readable(v) {
+  if (typeof v !== 'string') return false;
+  const s = v.trim();
+  if (s.length < 4 || s.length > 2000) return false;
+  if (NOISE_VAL.test(s)) return false;
+  if (/[一-鿿]/.test(s)) return true; // any CJK
+  return (s.match(/[A-Za-z]/g) || []).length >= 6; // or enough letters
+}
+/**
+ * @param Database better-sqlite3 ctor (injected)
+ * @param dbPath   path to a plaintext SQLite db
+ * @param app      app key (→ source.adapter `local-<app>`)
+ * @returns {Array} vault events (subtype:"record")
+ */
+function ingestPlaintextDb(Database, dbPath, app) {
+  const db = new Database(dbPath, { readonly: true });
+  const events = [];
+  const dbName = String(dbPath).split(/[\\/]/).pop();
+  try {
+    const tables = db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all()
+      .map((r) => r.name).filter((t) => !SKIP_TABLE.test(t));
+    for (const t of tables) {
+      let cols, rows;
+      try {
+        cols = db.prepare(`PRAGMA table_info("${t}")`).all();
+        rows = db.prepare(`SELECT * FROM "${t}" LIMIT 2000`).all();
+      } catch { continue; }
+      const textCols = cols.filter((c) => TEXT_TYPE.test(c.type || '')).map((c) => c.name);
+      if (!textCols.length || !rows.length) continue;
+      const timeCol = (cols.find((c) => TIME_COL.test(c.name)) || {}).name;
+      for (const row of rows) {
+        const parts = textCols.map((c) => row[c]).filter(readable);
+        if (!parts.length) continue;
+        const text = [...new Set(parts)].join(' · ').slice(0, 800);
+        const occurredAt = timeCol ? normTime(row[timeCol]) : 0;
+        // Per-row hash → unique id AND unique source.originalId. A per-table
+        // originalId would collide on the vault's UNIQUE(source_adapter,
+        // source_original_id) and collapse every row of a table into one event.
+        const rowHash = crypto
+          .createHash('md5')
+          .update(JSON.stringify(row))
+          .digest('hex')
+          .slice(0, 12);
+        const id = `${app}:${dbName}:${t}:${rowHash}`;
+        events.push({
+          // subtype must be a schema enum value; generic plaintext records →
+          // 'other' (the vault schema has no 'record' subtype).
+          type: 'event', subtype: 'other',
+          id, occurredAt: occurredAt || Date.now(),
+          content: { text },
+          source: {
+            adapter: `local-${app}`, adapterVersion: '0.1.0',
+            originalId: `${dbName}:${t}:${rowHash}`,
+            capturedAt: occurredAt || Date.now(), capturedBy: 'sqlite',
+          },
+          topics: [`local-${app}`, `db-${dbName}`],
+          ingestedAt: Date.now(),
+        });
+      }
+    }
+  } finally {
+    db.close();
+  }
+  return events;
+}
+module.exports = { ingestPlaintextDb, readable, normTime };

package/lib/forensics/wechat-collect.js ADDED Viewed

@@ -0,0 +1,134 @@
+'use strict';
+/**
+ * wechat-collect — on-device-ready WeChat (EnMicroMsg.db) decrypt + parse.
+ *
+ * Pure Node (crypto + a caller-provided better-sqlite3 ctor) — NO frida. Same
+ * model as qq-nt-collect.js: derived key (`MD5(IMEI+uin)[:7]`) → SQLCipher
+ * (page-level AES-256-CBC) → parse message/rcontact/chatroom → vault events.
+ * The bundle-shipped core behind `cc hub collect-wechat`; the Magisk daemon
+ * stages EnMicroMsg.db + uins (+ IMEI candidates) and this decrypts on-device.
+ * Extracted from scripts/android/pdh-wechat-decrypt.mjs (byte-identical crypto;
+ * verified WeChat 8.0.74 on chopin).
+ *
+ * IMEI on Android 13 is often unreadable → pass a SAVED 7-char key (once found
+ * it never changes for an account) or a frida raw key as a fallback candidate.
+ */
+const crypto = require('crypto');
+const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');
+const CONFIGS = [
+  { name: 'sc1', pageSize: 1024, reserve: 16, hmac: 0, kdf: 4000, algo: 'sha1' },
+  { name: 'sc2', pageSize: 1024, reserve: 48, hmac: 20, kdf: 4000, algo: 'sha1' },
+  { name: 'sc3', pageSize: 1024, reserve: 48, hmac: 20, kdf: 64000, algo: 'sha1' },
+  { name: 'sc4', pageSize: 4096, reserve: 80, hmac: 64, kdf: 256000, algo: 'sha512' },
+];
+function decPage(page, key, cfg, isP1) {
+  const reserveOff = cfg.pageSize - cfg.reserve;
+  const ct = page.subarray(isP1 ? 16 : 0, reserveOff);
+  const reserved = page.subarray(reserveOff, cfg.pageSize);
+  const iv = cfg.hmac ? reserved.subarray(cfg.hmac, cfg.hmac + 16) : reserved.subarray(0, 16);
+  if (iv.length < 16) return null;
+  try {
+    const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
+    d.setAutoPadding(false);
+    return Buffer.concat([d.update(ct), d.final()]);
+  } catch {
+    return null;
+  }
+}
+const validP1 = (pt) => pt && pt.length > 8 && pt[5] === 64 && pt[6] === 32 && pt[7] === 32;
+/** key = MD5(IMEI+uin)[:7] over candidate imeis × uins, plus any saved/raw keys. */
+function computeKeyCandidates(imeis, uins, savedKeys) {
+  const set = new Set((savedKeys || []).filter(Boolean));
+  for (const im of imeis || []) for (const u of uins || []) set.add(md5(String(im) + String(u)).slice(0, 7));
+  return [...set];
+}
+/**
+ * Brute passphrases × configs (+ raw 32-byte keys), then decrypt all pages.
+ * @returns {{decrypted: Buffer, cfg: string, pass?: string}|null}
+ */
+function deriveAndDecrypt(raw, passphrases, rawKeys) {
+  if (!raw || raw.length < 1024) return null;
+  const salt = raw.subarray(0, 16);
+  let hit = null;
+  for (const cfg of CONFIGS) {
+    for (const p of passphrases || []) {
+      const k = crypto.pbkdf2Sync(Buffer.from(p, 'utf8'), salt, cfg.kdf, 32, cfg.algo === 'sha512' ? 'sha512' : 'sha1');
+      if (validP1(decPage(raw.subarray(0, cfg.pageSize), k, cfg, true))) { hit = { key: k, cfg, pass: p }; break; }
+    }
+    if (hit) break;
+    for (const rk of rawKeys || []) {
+      const kb = Buffer.isBuffer(rk) ? rk : Buffer.from(rk, 'hex');
+      if (kb.length === 32 && validP1(decPage(raw.subarray(0, cfg.pageSize), kb, cfg, true))) { hit = { key: kb, cfg }; break; }
+    }
+    if (hit) break;
+  }
+  if (!hit) return null;
+  const { key, cfg } = hit;
+  const n = Math.floor(raw.length / cfg.pageSize);
+  const out = [];
+  for (let i = 0; i < n; i++) {
+    const page = raw.subarray(i * cfg.pageSize, (i + 1) * cfg.pageSize);
+    const pt = decPage(page, key, cfg, i === 0);
+    const full = Buffer.alloc(cfg.pageSize);
+    if (i === 0) { Buffer.from('SQLite format 3\0').copy(full, 0); if (pt) pt.copy(full, 16); } else if (pt) pt.copy(full, 0);
+    out.push(full);
+  }
+  return { decrypted: Buffer.concat(out), cfg: cfg.name, pass: hit.pass };
+}
+/**
+ * Parse a DECRYPTED EnMicroMsg.db → vault events (wechat adapter shape).
+ * @param Database better-sqlite3 ctor (injected). @param self the user's wxid.
+ */
+function parseEvents(Database, dbPath, self) {
+  const src = new Database(dbPath, { readonly: true });
+  const events = [];
+  try {
+    const nameOf = new Map();
+    try {
+      for (const r of src.prepare('SELECT username,nickname,conRemark FROM rcontact').all()) {
+        nameOf.set(r.username, (r.conRemark && r.conRemark.trim()) || r.nickname || r.username);
+      }
+    } catch { /* contacts optional */ }
+    const rows = src.prepare(
+      'SELECT msgId,type,isSend,createTime,talker,content FROM message ' +
+      "WHERE type=1 ORDER BY createTime DESC LIMIT 5000",
+    ).all();
+    for (const r of rows) {
+      const isGroup = /@chatroom$/.test(r.talker || '');
+      let text = r.content || '';
+      let senderWxid = r.isSend ? self : r.talker;
+      if (isGroup && !r.isSend) {
+        const c = text.indexOf(':');
+        if (c > 0) { senderWxid = text.slice(0, c); text = text.slice(c + 1).replace(/^\n/, '').trim(); }
+      }
+      if (!text || !/[一-鿿A-Za-z0-9]/.test(text)) continue;
+      const occurredAt = Number(r.createTime) || 0; // already ms in WeChat
+      if (!occurredAt) continue;
+      const peer = String(r.talker || '');
+      const actor = `person-wechat-${senderWxid || self}`;
+      const participants = [actor];
+      participants.push(isGroup ? `group-wechat-${peer}` : `person-wechat-${peer}`);
+      events.push({
+        type: 'event', subtype: 'message', id: `wechat:${r.msgId}`,
+        occurredAt, actor, participants,
+        content: { text: isGroup ? `[群${nameOf.get(peer) || peer}] ${text}` : text },
+        topics: isGroup ? [`group-wechat-${peer}`] : undefined,
+        source: {
+          adapter: 'wechat', adapterVersion: '0.1.0', originalId: String(r.msgId),
+          capturedAt: occurredAt, capturedBy: 'sqlite',
+        },
+        ingestedAt: Date.now(),
+      });
+    }
+  } finally {
+    src.close();
+  }
+  return events;
+}
+module.exports = { computeKeyCandidates, deriveAndDecrypt, parseEvents };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@chainlesschain/personal-data-hub",
-  "version": "0.4.31",
+  "version": "0.4.33",
   "description": "Personal Data Hub — UnifiedSchema + validators + KG ingest helpers for the data-back-to-the-individual middleware",
   "type": "commonjs",
   "main": "lib/index.js",
@@ -74,7 +74,9 @@
     "./sidecar": "./lib/sidecar/index.js",
     "./forensics/leaf-salvage": "./lib/forensics/leaf-salvage.js",
     "./forensics/salvage-ingest": "./lib/forensics/salvage-ingest.js",
-    "./forensics/qq-nt-collect": "./lib/forensics/qq-nt-collect.js"
+    "./forensics/qq-nt-collect": "./lib/forensics/qq-nt-collect.js",
+    "./forensics/wechat-collect": "./lib/forensics/wechat-collect.js",
+    "./forensics/plaintext-db-collect": "./lib/forensics/plaintext-db-collect.js"
   },
   "scripts": {
     "test": "vitest run",