crt0mega/mvt
1
0
Fork 0
mirror of https://github.com/mvt-project/mvt.git synced 2024-06-26 14:28:54 +00:00
Code Issues Projects Releases Wiki Activity

Fixes format changes in locationd file in iOS 17

Browse Source
This commit is contained in:
tek 2023-09-26 13:58:25 +02:00
parent da6116ee20
commit 4bdb97ebcc
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
mvt/ios/modules/mixed/locationd.py
View File

@ -3,6 +3,7 @@
# Use of this software is governed by the MVT License 1.1 that can be found at
# https://license.mvt.re/1.1/
import base64
import logging
import plistlib
from typing import Optional, Union
@ -86,6 +87,15 @@ class LocationdClients(IOSExtraction):
self.detected.append(result)
continue
if "BundleId" in result:
ioc = self.indicators.check_process(result["BundleId"])
if ioc:
self.log.warning(
"Found a suspicious process name in LocationD entry %s",
result["package"],
)
result["matched_indicator"] = ioc
if "BundlePath" in result:
ioc = self.indicators.check_file_path(result["BundlePath"])
if ioc:
@ -109,6 +119,9 @@ class LocationdClients(IOSExtraction):
continue
if "Registered" in result:
# Sometimes registered is a bool
if isinstance(result["Registered"], bool):
continue
ioc = self.indicators.check_file_path(result["Registered"])
if ioc:
self.log.warning(
@ -124,12 +137,23 @@ class LocationdClients(IOSExtraction):
file_plist = plistlib.load(handle)
for key, _ in file_plist.items():
# Some migration information are int and not dicts
if not isinstance(file_plist[key], dict):
continue
# FIXME: unclear key format in iOS 17
key = key.rstrip(":")
result = file_plist[key]
result["package"] = key
for timestamp in self.timestamps:
if timestamp in result.keys():
result[timestamp] = convert_mactime_to_iso(result[timestamp])
if "ClientStorageToken" in result:
result["ClientStorageToken"] = base64.b64encode(
result["ClientStorageToken"]
)
self.results.append(result)
def run(self) -> None: