From 95205d8e1773073bfa3952f9279b92973d2a07d0 Mon Sep 17 00:00:00 2001
From: tek
Date: Tue, 18 Jan 2022 17:12:20 +0100
Subject: [PATCH] Adds indicators check to iOS TCC module

---
 mvt/ios/modules/mixed/tcc.py | 9 +++++++++
 .../64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 | Bin 57344 -> 57344 bytes
 tests/ios/test_tcc.py | 17 +++++++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/mvt/ios/modules/mixed/tcc.py b/mvt/ios/modules/mixed/tcc.py
index 747ffcf..cd626d0 100644
--- a/mvt/ios/modules/mixed/tcc.py
+++ b/mvt/ios/modules/mixed/tcc.py
@@ -66,6 +66,15 @@ class TCC(IOSExtraction):
                 "data": msg
             }
 
+    def check_indicators(self):
+        if not self.indicators:
+            return
+
+        for result in self.results:
+            if self.indicators.check_process(result["client"]):
+                self.log.warning("Found malicious process in TCC database: %s", result["client"])
+                self.detected.append(result)
+
     def process_db(self, file_path):
         conn = sqlite3.connect(file_path)
         cur = conn.cursor()
diff --git a/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347 b/tests/artifacts/ios_backup/64/64d0019cb3d46bfc8cce545a8ba54b93e7ea9347
index 3a1a64cce7421e510ea7cf88f36b581a02766e72..c7af1e87c8a1007b278a9dd3ccbbdf4b9658993f 100644
GIT binary patch
delta 149
zcmZoTz}#?vc>~)9iR}#hd-<#QCHZ#pmGN2f{^Xs-Ys&MMXZvPBfi@lq9|jCyV!~%C zIeGqGvB?2@IoW&?OY@R5Hb2~>z|6}Z#=y;M$-tk(e~y33X1)U+{IWpZVi+bcsI!?$ Sa!4{x-nd5uW~)9iG>XOd-<#QCHZ#pmGN2f{^Xs-Ys&MMXW?c+fo2|7FB3jf*U9tu zicJpKD=d`hoReRg;+J2NnU
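Review bot: The new check_indicators in the tcc.py hunk matches `result["client"]` only through `check_process`, yet TCC's client column normally holds a bundle identifier (or an executable path) rather than a bare process name, so indicators expressed as app IDs would never fire on this database; if the indicators object also exposes an app-ID lookup (MVT's Android modules use `check_app_id`), check both: `if self.indicators.check_process(result["client"]) or self.indicators.check_app_id(result["client"]):`. The warning text also says "malicious process" although the value it prints is the TCC client, so `"Found malicious client in TCC database: %s"` would describe the hit more accurately. `result["client"]` raises KeyError on a row without that key; process_db, which builds these results, runs past the end of the hunk, so I cannot confirm every result carries it — `client = result.get("client")` with a `continue` on a falsy value would make the loop safe against a malformed row.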