Fixes issue with Manifest format
This commit is contained in:
parent
32aeaaf91c
commit
9e33ece3e9
@ -109,17 +109,19 @@ class MVTModule(object):
"""
"""
for result in self.results:
for result in self.results:
record = self.serialize(result)
record = self.serialize(result)
if type(record) == list:
if record:
self.timeline.extend(record)
if type(record) == list:
else:
self.timeline.extend(record)
self.timeline.append(record)
else:
self.timeline.append(record)
for detected in self.detected:
for detected in self.detected:
record = self.serialize(detected)
record = self.serialize(detected)
if type(record) == list:
if record:
self.timeline_detected.extend(record)
if type(record) == list:
else:
self.timeline_detected.extend(record)
self.timeline_detected.append(record)
else:
self.timeline_detected.append(record)
# De-duplicate timeline entries
# De-duplicate timeline entries
self.timeline = self.timeline_deduplicate(self.timeline)
self.timeline = self.timeline_deduplicate(self.timeline)
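Review bot: `type(record) == list` on the new side (and again in the detected loop further down this hunk) is the C-style type test; `if isinstance(record, list):` is the idiomatic form and also accepts list subclasses a module's serialize() might hand back. The new `if record:` guard skips the `None` that serialize() now returns for incomplete records, but it equally drops an empty list or empty dict, which is presumably intended for records with nothing to place on the timeline; a one-line comment would make that explicit, e.g. `# serialize() may return None or an empty list for records with no usable timestamps`. The enclosing method begins before this hunk.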
@ -40,6 +40,8 @@ class Manifest(IOSExtraction):
def serialize(self, record):
def serialize(self, record):
records = []
records = []
if "modified" not in record or "statusChanged" not in record:
return
for ts in set([record["created"], record["modified"], record["statusChanged"]]):
for ts in set([record["created"], record["modified"], record["statusChanged"]]):
macb = ""
macb = ""
macb += "M" if ts == record["modified"] else "-"
macb += "M" if ts == record["modified"] else "-"
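Review bot: The new guard at the top of serialize() checks only "modified" and "statusChanged", yet the set literal on the very next line also indexes `record["created"]`, so a manifest entry lacking that key still raises KeyError; `if not all(k in record for k in ("created", "modified", "statusChanged")): return` closes the gap. The same shape recurs in the -63,12 +65,15 hunk below, where the added `if result["domain"]:` raises on an entry without a "domain" key even though the relativePath check just above it uses membership; `if result.get("domain"):` preserves the intent. These records are parsed from the backup under analysis rather than produced by the tool, so one malformed row aborting the whole module is exactly the failure these guards are meant to prevent. Bare `return` here yields None while the normal path returns a list; the caller's `if record:` in the first hunk tolerates both, but `return records` would keep the return type uniform.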
@ -63,12 +65,15 @@ class Manifest(IOSExtraction):
for result in self.results:
for result in self.results:
if not "relativePath" in result:
if not "relativePath" in result:
continue
continue
if not result["relativePath"]:
if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
self.detected.append(result)
continue
continue
if result["domain"]:
if os.path.basename(result["relativePath"]) == "com.apple.CrashReporter.plist" and result["domain"] == "RootDomain":
self.log.warning("Found a potentially suspicious \"com.apple.CrashReporter.plist\" file created in RootDomain")
self.detected.append(result)
continue
if self.indicators.check_file(result["relativePath"]):
if self.indicators.check_file(result["relativePath"]):
self.log.warning("Found a known malicious file at path: %s", result["relativePath"])
self.log.warning("Found a known malicious file at path: %s", result["relativePath"])
self.detected.append(result)
self.detected.append(result)