Fixes format changes in locationd file in iOS 17
This commit is contained in:
parent
da6116ee20
commit
4bdb97ebcc
|
@ -3,6 +3,7 @@
|
||||||
# Use of this software is governed by the MVT License 1.1 that can be found at
|
# Use of this software is governed by the MVT License 1.1 that can be found at
|
||||||
# https://license.mvt.re/1.1/
|
# https://license.mvt.re/1.1/
|
||||||
|
|
||||||
|
import base64
|
||||||
import logging
|
import logging
|
||||||
import plistlib
|
import plistlib
|
||||||
from typing import Optional, Union
|
from typing import Optional, Union
|
||||||
|
@ -86,6 +87,15 @@ class LocationdClients(IOSExtraction):
|
||||||
self.detected.append(result)
|
self.detected.append(result)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
if "BundleId" in result:
|
||||||
|
ioc = self.indicators.check_process(result["BundleId"])
|
||||||
|
if ioc:
|
||||||
|
self.log.warning(
|
||||||
|
"Found a suspicious process name in LocationD entry %s",
|
||||||
|
result["package"],
|
||||||
|
)
|
||||||
|
result["matched_indicator"] = ioc
|
||||||
|
|
||||||
if "BundlePath" in result:
|
if "BundlePath" in result:
|
||||||
ioc = self.indicators.check_file_path(result["BundlePath"])
|
ioc = self.indicators.check_file_path(result["BundlePath"])
|
||||||
if ioc:
|
if ioc:
|
||||||
|
@ -109,6 +119,9 @@ class LocationdClients(IOSExtraction):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if "Registered" in result:
|
if "Registered" in result:
|
||||||
|
# Sometimes registered is a bool
|
||||||
|
if isinstance(result["Registered"], bool):
|
||||||
|
continue
|
||||||
ioc = self.indicators.check_file_path(result["Registered"])
|
ioc = self.indicators.check_file_path(result["Registered"])
|
||||||
if ioc:
|
if ioc:
|
||||||
self.log.warning(
|
self.log.warning(
|
||||||
|
@ -124,12 +137,23 @@ class LocationdClients(IOSExtraction):
|
||||||
file_plist = plistlib.load(handle)
|
file_plist = plistlib.load(handle)
|
||||||
|
|
||||||
for key, _ in file_plist.items():
|
for key, _ in file_plist.items():
|
||||||
|
# Some migration information are int and not dicts
|
||||||
|
if not isinstance(file_plist[key], dict):
|
||||||
|
continue
|
||||||
|
# FIXME: unclear key format in iOS 17
|
||||||
|
key = key.rstrip(":")
|
||||||
|
|
||||||
result = file_plist[key]
|
result = file_plist[key]
|
||||||
result["package"] = key
|
result["package"] = key
|
||||||
for timestamp in self.timestamps:
|
for timestamp in self.timestamps:
|
||||||
if timestamp in result.keys():
|
if timestamp in result.keys():
|
||||||
result[timestamp] = convert_mactime_to_iso(result[timestamp])
|
result[timestamp] = convert_mactime_to_iso(result[timestamp])
|
||||||
|
|
||||||
|
if "ClientStorageToken" in result:
|
||||||
|
result["ClientStorageToken"] = base64.b64encode(
|
||||||
|
result["ClientStorageToken"]
|
||||||
|
)
|
||||||
|
|
||||||
self.results.append(result)
|
self.results.append(result)
|
||||||
|
|
||||||
def run(self) -> None:
|
def run(self) -> None:
|
||||||
|
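Review bot: In the `@@ -124,12 +137,23 @@` hunk, `key = key.rstrip(":")` runs before `result = file_plist[key]`, so for any key that really carries a trailing colon — the iOS 17 format this commit is meant to handle — the lookup uses the stripped name and raises `KeyError` unless the plist happens to contain both spellings. Do the lookup first and normalise only the reported name, e.g. `result = file_plist[key]` followed by `key = key.rstrip(":")`, or iterate `for key, result in file_plist.items()` and drop the re-lookup (the new `isinstance(file_plist[key], dict)` guard can then test `result` as well). In the `@@ -86,6 +87,15 @@` hunk the new `BundleId` branch sets `result["matched_indicator"]` but, unlike the check at the top of that hunk which does `self.detected.append(result)` / `continue`, never appends to `self.detected`, so a match found only via the bundle id is logged but not reported as a detection unless a later check outside the hunk also fires. `base64.b64encode(...)` in the last hunk returns `bytes`; if results are later serialised to JSON that value will need `.decode("ascii")`, which I cannot confirm from here. The enclosing loops of both hunks begin outside the hunk.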
|