Fixes issue with Manifest format

2024-06-25 22:08:55 +00:00 · 2021-07-27 01:23:22 +02:00 · 2021-07-27 01:23:22 +02:00 · 9e33ece3e9
commit 9e33ece3e9
parent 32aeaaf91c
2 changed files with 19 additions and 12 deletions
--- a/mvt/common/module.py
+++ b/mvt/common/module.py
@ -109,17 +109,19 @@ class MVTModule(object):
        """
        for result in self.results:
            record = self.serialize(result)
-            if type(record) == list:
-                self.timeline.extend(record)
-            else:
-                self.timeline.append(record)
+            if record:
+                if type(record) == list:
+                    self.timeline.extend(record)
+                else:
+                    self.timeline.append(record)

        for detected in self.detected:
            record = self.serialize(detected)
-            if type(record) == list:
-                self.timeline_detected.extend(record)
-            else:
-                self.timeline_detected.append(record)
+            if record:
+                if type(record) == list:
+                    self.timeline_detected.extend(record)
+                else:
+                    self.timeline_detected.append(record)

        # De-duplicate timeline entries
        self.timeline = self.timeline_deduplicate(self.timeline)
--- a/mvt/ios/modules/fs/manifest.py
+++ b/mvt/ios/modules/fs/manifest.py
@ -40,6 +40,8 @@ class Manifest(IOSExtraction):

    def serialize(self, record):
        records = []
+        if "modified" not in record or "statusChanged" not in record:
+            return
        for ts in set([record["created"], record["modified"], record["statusChanged"]]):
            macb = ""
            macb += "M" if ts == record["modified"] else "-"
@ -63,12 +65,15 @@ class Manifest(IOSExtraction):
        for result in self.results:
            if not "relativePath" in result:
                continue
-
-            if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
-                self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
-                self.detected.append(result)
+            if not result["relativePath"]:
                continue

+            if result["domain"]:
+                if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
+                    self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
+                    self.detected.append(result)
+                    continue
+
            if self.indicators.check_file(result["relativePath"]):
                self.log.warning("Found a known malicious file at path: %s", result["relativePath"])
                self.detected.append(result)