Added check for indicators to dumpsys modules

2022-01-30 04:08:48 +01:00 · 2022-01-30 04:08:48 +01:00 · 5e7c5727af
parent 883fbaeb88
commit 5e7c5727af
3 changed files with 31 additions and 5 deletions
--- a/mvt/android/modules/adb/dumpsys_accessibility.py
+++ b/mvt/android/modules/adb/dumpsys_accessibility.py
@ -20,6 +20,14 @@ class DumpsysAccessibility(AndroidExtraction):
                         output_folder=output_folder, fast_mode=fast_mode,
                         log=log, results=results)

+    def check_indicators(self):
+        for result in self.results:
+            ioc = self.indicators.check_app_id(result["package"])
+            if ioc:
+                result["matched_indicators"] = ioc
+                self.detected.append(result)
+                continue
+
    def run(self):
        self._adb_connect()

@ -40,7 +48,10 @@ class DumpsysAccessibility(AndroidExtraction):
            service = line.split(":")[1].strip()
            log.info("Found installed accessibility service \"%s\"", service)

-            self.results.append(service)
+            self.results.append({
+                "package": service.split("/")[0],
+                "service": service,
+            })

        log.info("Identified a total of %d accessibility services", len(self.results))

--- a/mvt/android/modules/adb/dumpsys_activities.py
+++ b/mvt/android/modules/adb/dumpsys_activities.py
@ -21,6 +21,15 @@ class DumpsysActivities(AndroidExtraction):

        self.results = results if results else {}

+    def check_indicators(self):
+        for intent, activities in self.results.items():
+            for activity in activities:
+                ioc = self.indicators.check_app_id(activity["package"])
+                if ioc:
+                    activity["matched_indicators"] = ioc
+                    self.detected.append({intent: activity})
+                    continue
+
    def parse_activity_resolver_table(self, data):
        """Parse output of dumpsys package.

@ -72,10 +81,10 @@ class DumpsysActivities(AndroidExtraction):
            # If we got this far, we are processing receivers for the
            # activities we are interested in.
            activity = line.strip().split(" ")[1]
-            package_name = activity.split("/")[0]
+            package = activity.split("/")[0]

            self.results[intent].append({
-                "package_name": package_name,
+                "package": package,
                "activity": activity,
            })

--- a/mvt/android/modules/adb/dumpsys_receivers.py
+++ b/mvt/android/modules/adb/dumpsys_receivers.py
@ -46,6 +46,12 @@ class DumpsysReceivers(AndroidExtraction):
                    self.log.info("Found a receiver monitoring outgoing calls: \"%s\"",
                                  receiver["receiver"])

+            ioc = self.indicators.check_app_id(receiver["package"])
+            if ioc:
+                receiver["matched_indicators"] = ioc
+                self.detected.append({intent: receiver})
+                continue
+
    def parse_receiver_resolver_table(self, data):
        """Parse output of dumpsys package.

@ -96,10 +102,10 @@ class DumpsysReceivers(AndroidExtraction):
            # If we got this far, we are processing receivers for the
            # activities we are interested in.
            receiver = line.strip().split(" ")[1]
-            package_name = receiver.split("/")[0]
+            package = receiver.split("/")[0]

            self.results[intent].append({
-                "package_name": package_name,
+                "package": package,
                "receiver": receiver,
            })