mirror of
https://github.com/mvt-project/mvt.git
Fixed WebkitSessionResourceLog module, still needs testing
parent
fda621672d
commit
fdaf2fc760
|
@ -66,13 +66,6 @@ class MVTModule(object):
|
|||
sub = re.sub("(.)([A-Z][a-z]+)", r"\1_\2", self.__class__.__name__)
|
||||
return re.sub("([a-z0-9])([A-Z])", r"\1_\2", sub).lower()
|
||||
|
||||
def _find_paths(self, root_paths):
|
||||
for root_path in root_paths:
|
||||
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
||||
if not os.path.exists(found_path):
|
||||
continue
|
||||
yield found_path
|
||||
|
||||
def load_indicators(self, file_path):
|
||||
self.indicators = Indicators(file_path, self.log)
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ class ConfigurationProfiles(IOSExtraction):
|
|||
log=log, results=results)
|
||||
|
||||
def run(self):
|
||||
for conf_file in self._get_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
|
||||
for conf_file in self._get_backup_files_from_manifest(domain=CONF_PROFILES_DOMAIN):
|
||||
conf_file_path = self._get_backup_file_from_id(conf_file["file_id"])
|
||||
if not conf_file_path:
|
||||
continue
|
||||
|
|
|
@ -32,7 +32,7 @@ class ProfileEvents(IOSExtraction):
|
|||
}
|
||||
|
||||
def run(self):
|
||||
for events_file in self._get_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
|
||||
for events_file in self._get_backup_files_from_manifest(relative_path=CONF_PROFILES_EVENTS_RELPATH):
|
||||
events_file_path = self._get_backup_file_from_id(events_file["file_id"])
|
||||
if not events_file_path:
|
||||
continue
|
||||
|
|
|
@ -68,7 +68,7 @@ class IOSExtraction(MVTModule):
|
|||
|
||||
self.log.info("Database at path %s recovered successfully!", file_path)
|
||||
|
||||
def _get_files_from_manifest(self, relative_path=None, domain=None):
|
||||
def _get_backup_files_from_manifest(self, relative_path=None, domain=None):
|
||||
"""Locate files from Manifest.db.
|
||||
:param relative_path: Relative path to use as filter from Manifest.db.
|
||||
:param domain: Domain to use as filter from Manifest.db.
|
||||
|
@ -107,6 +107,14 @@ class IOSExtraction(MVTModule):
|
|||
|
||||
return None
|
||||
|
||||
def _find_fs_files_from_pattern(self, root_paths):
|
||||
for root_path in root_paths:
|
||||
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
||||
if not os.path.exists(found_path):
|
||||
continue
|
||||
|
||||
yield found_path
|
||||
|
||||
def _find_ios_database(self, backup_ids=None, root_paths=[]):
|
||||
"""Try to locate the module's database file from either an iTunes
|
||||
backup or a full filesystem dump.
|
||||
|
|
|
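Review bot: `_find_fs_files_from_pattern` yields every glob match under `self.base_folder` without checking where the match resolves, and it has no docstring stating that contract. glob traverses symlinked directories in the wildcard components, so if a filesystem dump preserves links from the device under analysis, a match can resolve outside the dump, and callers such as `IOSVersionHistory.run` then `open()` it; the `os.path.exists` test only drops dangling links. Consider resolving each hit and skipping strays, e.g. `base = os.path.realpath(self.base_folder)` once, then `if os.path.commonpath([base, os.path.realpath(found_path)]) != base: continue`, and add a one-line docstring saying the patterns are relative to `base_folder`. The helper also depends on `glob` and `os` being imported in this file, which the visible hunks do not show. The +/- markers are lost on this page, so the method being new is inferred from the hunk header growing from 6 to 14 lines.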
@ -32,7 +32,7 @@ class IOSVersionHistory(IOSExtraction):
|
|||
}
|
||||
|
||||
def run(self):
|
||||
for found_path in self._find_paths(IOS_ANALYTICS_JOURNAL_PATHS):
|
||||
for found_path in self._find_fs_files_from_pattern(IOS_ANALYTICS_JOURNAL_PATHS):
|
||||
with open(found_path, "r") as analytics_log:
|
||||
log_line = json.loads(analytics_log.readline().strip())
|
||||
|
||||
|
|
|
@ -23,7 +23,7 @@ class WebkitBase(IOSExtraction):
|
|||
self.detected.append(item)
|
||||
|
||||
def _process_webkit_folder(self, root_paths):
|
||||
for found_path in self._find_paths(root_paths):
|
||||
for found_path in self._find_fs_files_from_pattern(root_paths):
|
||||
key = os.path.relpath(found_path, self.base_folder)
|
||||
|
||||
for name in os.listdir(found_path):
|
||||
|
|
|
@ -76,12 +76,12 @@ class WebkitResourceLoadStatistics(IOSExtraction):
|
|||
def run(self):
|
||||
if self.is_backup:
|
||||
try:
|
||||
for backup_file in self._get_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
|
||||
for backup_file in self._get_backup_files_from_manifest(relative_path=WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH):
|
||||
db_path = os.path.join(self.base_folder, backup_file["file_id"][0:2], backup_file["file_id"])
|
||||
key = f"{backup_file['domain']}/{WEBKIT_RESOURCELOADSTATICS_BACKUP_RELPATH}"
|
||||
self._process_observations_db(db_path=db_path, key=key)
|
||||
except Exception as e:
|
||||
self.log.info("Unable to search for WebKit observations.db: %s", e)
|
||||
elif self.is_fs_dump:
|
||||
for db_path in self._find_paths(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
||||
for db_path in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
||||
self._process_observations_db(db_path=db_path, key=os.path.relpath(db_path, self.base_folder))
|
||||
|
|
|
@ -14,7 +14,6 @@ from ..base import IOSExtraction
|
|||
WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS = [
|
||||
"a500ee38053454a02e990957be8a251935e28d3f",
|
||||
]
|
||||
|
||||
WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS = [
|
||||
"private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/full_browsing_session_resourceLog.plist",
|
||||
"private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/ResourceLoadStatistics/full_browsing_session_resourceLog.plist",
|
||||
|
@ -32,6 +31,8 @@ class WebkitSessionResourceLog(IOSExtraction):
|
|||
output_folder=output_folder, fast_mode=fast_mode,
|
||||
log=log, results=results)
|
||||
|
||||
self.results = {}
|
||||
|
||||
def _extract_browsing_stats(self, file_path):
|
||||
items = []
|
||||
|
||||
|
@ -110,32 +111,13 @@ class WebkitSessionResourceLog(IOSExtraction):
|
|||
|
||||
self.log.warning("Found HTTP redirect between suspicious domains: %s", redirect_path)
|
||||
|
||||
def _find_paths(self, root_paths):
|
||||
results = {}
|
||||
for root_path in root_paths:
|
||||
for found_path in glob.glob(os.path.join(self.base_folder, root_path)):
|
||||
if not os.path.exists(found_path):
|
||||
continue
|
||||
|
||||
key = os.path.relpath(found_path, self.base_folder)
|
||||
if key not in results:
|
||||
results[key] = []
|
||||
|
||||
return results
|
||||
|
||||
def run(self):
|
||||
self.results = {}
|
||||
|
||||
try:
|
||||
if self.is_backup:
|
||||
self._find_ios_database(backup_ids=WEBKIT_SESSION_RESOURCE_LOG_BACKUP_IDS)
|
||||
except FileNotFoundError:
|
||||
pass
|
||||
else:
|
||||
if self.file_path:
|
||||
self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
|
||||
return
|
||||
self.results[self.file_path] = self._extract_browsing_stats(self.file_path)
|
||||
return
|
||||
|
||||
self.results = self._find_paths(root_paths=WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS)
|
||||
for log_file in self.results.keys():
|
||||
for log_file in self._find_fs_files_from_pattern(WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS):
|
||||
self.log.info("Found Safari browsing session resource log at path: %s", log_file)
|
||||
self.results[log_file] = self._extract_browsing_stats(os.path.join(self.base_folder, log_file))
|
||||
key = os.path.relpath(log_file, self.base_folder)
|
||||
self.results[key] = self._extract_browsing_stats(log_file)
|
||||
|
|
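Review bot: The filesystem-dump loop in `run()` iterates `WEBKIT_RESOURCELOADSTATICS_ROOT_PATHS`, which looks like the constant belonging to the WebkitResourceLoadStatistics module, whereas this file defines `WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS` and the replaced `_find_paths` call used it. Nothing in the visible hunks defines or imports that name here, so the loop would either raise `NameError` or glob the observations.db locations, and the session resource logs in a dump would go unexamined with no warning to the analyst. The line should read `for log_file in self._find_fs_files_from_pattern(WEBKIT_SESSION_RESOURCE_LOG_ROOT_PATHS):`. The page has lost its +/- markers, so which printed lines form the new side is inferred from the removal of `_find_paths`. The backup branch also appears to drop the `except FileNotFoundError` guard around `_find_ios_database`, which is worth confirming so a backup without this file does not abort the module.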